honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-04-09 16:58:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenSearch/server/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java

472 lines
18 KiB
Java
Raw Normal View History

initial commit
2010-02-08 15:30:06 +02:00
/*
Fix ASL Header in source files to reflect s/ElasticSearch/Elasticsearch This commit also removes the license to Shay Banon in favor of soley Elasticsearch. Thanks Shay for this awesome product you took it far! Closes #4636
2014-01-06 22:48:02 +01:00
* Licensed to Elasticsearch under one or more contributor
* license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright
* ownership. Elasticsearch licenses this file to you under
* the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
initial commit
2010-02-08 15:30:06 +02:00
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.elasticsearch.bootstrap;
Revert "Workaround for JDK 14 EA FileChannel.map issue (#50523)" (#51323) This reverts commit c7fd24ca1569a809b499caf34077599e463bb8d6. Now that JDK-8236582 is fixed in JDK 14 EA, we can revert the workaround. Relates #50523 and #50512
2020-01-23 11:25:19 +01:00
import org.apache.logging.log4j.LogManager;
Do not create two loggers for DeprecationLogger backport(#58435) (#61530) DeprecationLogger's constructor should not create two loggers. It was taking parent logger instance, changing its name with a .deprecation prefix and creating a new logger. Most of the time parent logger was not needed. It was causing Log4j to unnecessarily cache the unused parent logger instance. depends on #61515 backports #58435
2020-08-26 16:04:02 +02:00
import org.apache.logging.log4j.Logger;
Disable console logging Previously we would disable console logging in certain circumstances (for example, if Elasticsearch is not in the foreground, or if Elasticsearch is in the foreground but an exception was thrown during bootstrap). This commit makes this handling work with Log4j 2. This will prevent users from seeing double bootstrap check failure messages. Relates #20387
2016-09-09 09:15:35 -04:00
import org.apache.logging.log4j.core.Appender;
Do not prematurely shutdown Log4j When a node closes, we shutdown logging as the last statement. This statement must be last lest any subsequent attempts to log will blow up by running into security permissions. Yet, in the case of a tribe node this isn't enough. The first internal tribe node to close will shutdown logging, and subsequent node closes will blow up with the aforementioned problem. This commit migrate the Log4j shutdown to occur as part of the shutdown hook that closes the node, after all nodes have closed. Consequently, we can remove a hack in the test infrastructure to prevent Log4j shutdowns when internal test nodes close and instead just register a single shutdown hook that runs when the test JVM exits. Relates #21519
2016-11-13 17:27:30 -05:00
import org.apache.logging.log4j.core.LoggerContext;
Disable console logging Previously we would disable console logging in certain circumstances (for example, if Elasticsearch is not in the foreground, or if Elasticsearch is in the foreground but an exception was thrown during bootstrap). This commit makes this handling work with Log4j 2. This will prevent users from seeing double bootstrap check failure messages. Relates #20387
2016-09-09 09:15:35 -04:00
import org.apache.logging.log4j.core.appender.ConsoleAppender;
Do not prematurely shutdown Log4j When a node closes, we shutdown logging as the last statement. This statement must be last lest any subsequent attempts to log will blow up by running into security permissions. Yet, in the case of a tribe node this isn't enough. The first internal tribe node to close will shutdown logging, and subsequent node closes will blow up with the aforementioned problem. This commit migrate the Log4j shutdown to occur as part of the shutdown hook that closes the node, after all nodes have closed. Consequently, we can remove a hack in the test infrastructure to prevent Log4j shutdowns when internal test nodes close and instead just register a single shutdown hook that runs when the test JVM exits. Relates #21519
2016-11-13 17:27:30 -05:00
import org.apache.logging.log4j.core.config.Configurator;
Revert "Revert "VirtualLock implementation for Windows (mlockall equivalent)"" This reverts commit 5dc8b99365723154670f120e67c7479efdd542da.
2015-05-11 10:17:28 -04:00
import org.apache.lucene.util.Constants;
Startup: Remove getopt parsing in shell script, use java CLITool In order to ensure, we have the same experience across operating systems and shells, this commit uses the java CLI parser instead of the shell getopt parsing to parse arguments. This also allows for support for paths, which contain spaces. Also commons-cli depdency was upgraded to 1.3.1 and tests have been added. Changes * new exit code, OK_AND_EXIT, allowing to tell the caller to exit, as everything went as expected (e.g. when running a version output) BWC breaking: * execute() returns an ExitStatus instead of an integer, otherwise there is no possibility to signal by a command, if the JVM should be exited after a run. This affects plugins, that have command line tools * -v used to be version, but is a verbose flag by default in the current CLI infra, must be -V or --version now * -X has been removed - the current implementation was useless anyway, as it prefixed those properties with "es.". You should use ES_JAVA_OPTS/JAVA_OPTS for JVM configuration
2015-07-30 10:28:18 +02:00
import org.apache.lucene.util.StringHelper;
[Rename] o.e.cluster (#297) This commit refactors the remaining o.e.cluster packages to o.opensearch.cluster. All references throughout the codebase are also refactored. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-15 13:32:28 -05:00
import org.opensearch.OpenSearchException;
initial commit
2010-02-08 15:30:06 +02:00
import org.elasticsearch.Version;
[Rename] server cli and client (#254) This commit refactors the o.e.cli and o.e.client packages from elasticsearch to o.opensearch.cli and o.opensearch.client packages in the server module, respectively. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 16:25:00 -06:00
import org.opensearch.cli.KeyStoreAwareCommand;
[Rename] refactor libs/cli module. (#255) Refactor the `libs/cli` module to rename the package name from `org.elasticsearch.cli` to `org.opensearch.cli` as part of the rename to OpenSearch work. Signed-off-by: Rabi Panda <adnapibar@gmail.com>
2021-03-11 13:07:47 -08:00
import org.opensearch.cli.Terminal;
import org.opensearch.cli.UserException;
Factor out PID file creation and add tests This commit factors out the PID file creation from bootstrap and adds tests for error conditions etc. We also can't rely on DELETE_ON_CLOSE since it might not even write the file depending on the OS and JVM implementation. This impl uses a shutdown hook to best-effort remove the pid file if it was written. Closes #8771
2014-12-04 10:20:05 +01:00
import org.elasticsearch.common.PidFile;
[BUILD] Use SuppressFrobidden annotation instead of class level excludes Forbidden APIs 1.8 allows excludes based on annotations which can now be on methods etc. for more find grained control. Closes #10560
2015-04-13 10:03:50 +02:00
import org.elasticsearch.common.SuppressForbidden;
Don't log multi-megabyte guice exceptions. Instead just log the same thing we print to the startup console for that case (magic logic), it sucks to do this, but guice exceptions are too much. All other non-guice exceptions will still be fully logged. Closes #13782
2015-09-25 14:46:12 -04:00
import org.elasticsearch.common.inject.CreationException;
Deprecate versions of Java prior to Java 11 (#40756) This commit deprecates versions of Java prior to Java 11. This commit will cause a warning to be printed to standard error when any command line tool is invoked, or when Elasticsearch is started. Additionally, we log a deprecation message when Elasticsearch is started.
2019-04-03 06:39:40 -04:00
import org.elasticsearch.common.logging.DeprecationLogger;
Remove optional logger wrappers Removes all our logger wrappers except the wrapper for log4j1.2. If you depend on Elasticsearch's jar in your application you'll need to declare log4j 1.2 and/or some bridge to your favorite logger. We did this to simplify our builds and code. No more commons-logging like log implementation sniffing. No more optional dependency hacks in gradle. We might one day want to use j.u.l instead of log4j. If we do want that we can recover its wrapper by studying this commit. We didn't go directly to j.u.l in this commit because that is a bigger change. Our logging configuration is based on log4j1.2 and people are used to it. So it'd be a much more fraught breaking change to do that conversion.
2016-02-16 08:46:03 -05:00
import org.elasticsearch.common.logging.LogConfigurator;
big refactoring thanks to proper jarjar built from source with asm 3.3 allowing to jarjar guice and others, includes package relocations
2010-06-15 16:51:38 +03:00
import org.elasticsearch.common.logging.Loggers;
Move IfConfig.logIfNecessary call into bootstrap (#22455) This is related to #22116. A logIfNecessary() call makes a call to NetworkInterface.getInterfaceAddresses() requiring SocketPermission connect privileges. By moving this to bootstrap the logging call can be made before installing the SecurityManager.
2017-01-06 11:10:53 -06:00
import org.elasticsearch.common.network.IfConfig;
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
import org.elasticsearch.common.settings.KeyStoreWrapper;
Make s3 repository sensitive settings use secure settings (#22479) * Settings: Make s3 repository sensitive settings use secure settings This change converts repository-s3 to use the new secure settings. In order to support the multiple ways we allow aws creds to be configured, it also moves the main methods for the keystore wrapper into a SecureSettings interface, in order to allow settings prefixing to work.
2017-01-11 11:19:46 -08:00
import org.elasticsearch.common.settings.SecureSettings;
Do not create two loggers for DeprecationLogger backport(#58435) (#61530) DeprecationLogger's constructor should not create two loggers. It was taking parent logger instance, changing its name with a .deprecation prefix and creating a new logger. Most of the time parent logger was not needed. It was causing Log4j to unnecessarily cache the unused parent logger instance. depends on #61515 backports #58435
2020-08-26 16:04:02 +02:00
import org.elasticsearch.common.settings.SecureString;
big refactoring thanks to proper jarjar built from source with asm 3.3 allowing to jarjar guice and others, includes package relocations
2010-06-15 16:51:38 +03:00
import org.elasticsearch.common.settings.Settings;
Move bootstrap checks to node start This commit moves the execution of the bootstrap checks to after network services are started. This gives us the flexibility to not merely check if any of the network settings are set, but instead be smarter about it and check if the network settings are set in a way that means that the node will be communicating over an external network (either directly, or via a proxy). As an bonanza, executing the bootstrap checks in this way enables us to have the node name in the logs! Closes #17570
2016-04-07 09:10:46 -04:00
import org.elasticsearch.common.transport.BoundTransportAddress;
Do not create two loggers for DeprecationLogger backport(#58435) (#61530) DeprecationLogger's constructor should not create two loggers. It was taking parent logger instance, changing its name with a .deprecation prefix and creating a new logger. Most of the time parent logger was not needed. It was causing Log4j to unnecessarily cache the unused parent logger instance. depends on #61515 backports #58435
2020-08-26 16:04:02 +02:00
import org.elasticsearch.core.internal.io.IOUtils;
initial commit
2010-02-08 15:30:06 +02:00
import org.elasticsearch.env.Environment;
add the version to the jvm info, and, warn if running using the client vm
2011-03-23 18:06:29 +02:00
import org.elasticsearch.monitor.jvm.JvmInfo;
Update OS stats
2015-07-06 14:22:01 +02:00
import org.elasticsearch.monitor.os.OsProbe;
Process Stats: remove sigar specific stats from APIs and add JMX implementation
2015-07-06 09:37:11 +02:00
import org.elasticsearch.monitor.process.ProcessProbe;
Remove some unused code (#27792) This commit removes some unused code.
2017-12-13 16:45:55 +01:00
import org.elasticsearch.node.InternalSettingsPreparer;
rename Server to Node to better reflect its usage (it can be a client node), also add on the NodeBuilder helper methods to set common settings
2010-04-09 00:54:54 +03:00
import org.elasticsearch.node.Node;
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
import org.elasticsearch.node.NodeValidationException;
initial commit
2010-02-08 15:30:06 +02:00
Bootstrap does not set system properties Today, certain bootstrap properties are set and read via system properties. This action-at-distance way of managing these properties is rather confusing, and completely unnecessary. But another problem exists with setting these as system properties. Namely, these system properties are interpreted as Elasticsearch settings, not all of which are registered. This leads to Elasticsearch failing to startup if any of these special properties are set. Instead, these properties should be kept as local as possible, and passed around as method parameters where needed. This eliminates the action-at-distance way of handling these properties, and eliminates the need to register these non-setting properties. This commit does exactly that. Additionally, today we use the "-D" command line flag to set the properties, but this is confusing because "-D" is a special flag to the JVM for setting system properties. This creates confusion because some "-D" properties should be passed via arguments to the JVM (so via ES_JAVA_OPTS), and some should be passed as arguments to Elasticsearch. This commit changes the "-D" flag for Elasticsearch settings to "-E".
2016-03-13 09:10:56 -04:00
import java.io.ByteArrayOutputStream;
import java.io.IOException;
Password-protected Keystore Feature Branch PR (#51123) (#51510) * Reload secure settings with password (#43197) If a password is not set, we assume an empty string to be compatible with previous behavior. Only allow the reload to be broadcast to other nodes if TLS is enabled for the transport layer. * Add passphrase support to elasticsearch-keystore (#38498) This change adds support for keystore passphrases to all subcommands of the elasticsearch-keystore cli tool and adds a subcommand for changing the passphrase of an existing keystore. The work to read the passphrase in Elasticsearch when loading, which will be addressed in a different PR. Subcommands of elasticsearch-keystore can handle (open and create) passphrase protected keystores When reading a keystore, a user is only prompted for a passphrase only if the keystore is passphrase protected. When creating a keystore, a user is allowed (default behavior) to create one with an empty passphrase Passphrase can be set to be empty when changing/setting it for an existing keystore Relates to: #32691 Supersedes: #37472 * Restore behavior for force parameter (#44847) Turns out that the behavior of `-f` for the add and add-file sub commands where it would also forcibly create the keystore if it didn't exist, was by design - although undocumented. This change restores that behavior auto-creating a keystore that is not password protected if the force flag is used. The force OptionSpec is moved to the BaseKeyStoreCommand as we will presumably want to maintain the same behavior in any other command that takes a force option. * Handle pwd protected keystores in all CLI tools (#45289) This change ensures that `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` can handle a password protected elasticsearch.keystore. For setup passwords the user would be prompted to add the elasticsearch keystore password upon running the tool. There is no option to pass the password as a parameter as we assume the user is present in order to enter the desired passwords for the built-in users. For saml-metadata, we prompt for the keystore password at all times even though we'd only need to read something from the keystore when there is a signing or encryption configuration. * Modify docs for setup passwords and saml metadata cli (#45797) Adds a sentence in the documentation of `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` to describe that users would be prompted for the keystore's password when running these CLI tools, when the keystore is password protected. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> * Elasticsearch keystore passphrase for startup scripts (#44775) This commit allows a user to provide a keystore password on Elasticsearch startup, but only prompts when the keystore exists and is encrypted. The entrypoint in Java code is standard input. When the Bootstrap class is checking for secure keystore settings, it checks whether or not the keystore is encrypted. If so, we read one line from standard input and use this as the password. For simplicity's sake, we allow a maximum passphrase length of 128 characters. (This is an arbitrary limit and could be increased or eliminated. It is also enforced in the keystore tools, so that a user can't create a password that's too long to enter at startup.) In order to provide a password on standard input, we have to account for four different ways of starting Elasticsearch: the bash startup script, the Windows batch startup script, systemd startup, and docker startup. We use wrapper scripts to reduce systemd and docker to the bash case: in both cases, a wrapper script can read a passphrase from the filesystem and pass it to the bash script. In order to simplify testing the need for a passphrase, I have added a has-passwd command to the keystore tool. This command can run silently, and exit with status 0 when the keystore has a password. It exits with status 1 if the keystore doesn't exist or exists and is unencrypted. A good deal of the code-change in this commit has to do with refactoring packaging tests to cleanly use the same tests for both the "archive" and the "package" cases. This required not only moving tests around, but also adding some convenience methods for an abstraction layer over distribution-specific commands. * Adjust docs for password protected keystore (#45054) This commit adds relevant parts in the elasticsearch-keystore sub-commands reference docs and in the reload secure settings API doc. * Fix failing Keystore Passphrase test for feature branch (#50154) One problem with the passphrase-from-file tests, as written, is that they would leave a SystemD environment variable set when they failed, and this setting would cause elasticsearch startup to fail for other tests as well. By using a try-finally, I hope that these tests will fail more gracefully. It appears that our Fedora and Ubuntu environments may be configured to store journald information under /var rather than under /run, so that it will persist between boots. Our destructive tests that read from the journal need to account for this in order to avoid trying to limit the output we check in tests. * Run keystore management tests on docker distros (#50610) * Add Docker handling to PackagingTestCase Keystore tests need to be able to run in the Docker case. We can do this by using a DockerShell instead of a plain Shell when Docker is running. * Improve ES startup check for docker Previously we were checking truncated output for the packaged JDK as an indication that Elasticsearch had started. With new preliminary password checks, we might get a false positive from ES keystore commands, so we have to check specifically that the Elasticsearch class from the Bootstrap package is what's running. * Test password-protected keystore with Docker (#50803) This commit adds two tests for the case where we mount a password-protected keystore into a Docker container and provide a password via a Docker environment variable. We also fix a logging bug where we were logging the identifier for an array of strings rather than the contents of that array. * Add documentation for keystore startup prompting (#50821) When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. Co-authored-by: Lisa Cawley <lcawley@elastic.co> * Warn when unable to upgrade keystore on debian (#51011) For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This commit brings the same logic to the code for Debian packages. See the posttrans file for gets executed for RPMs. * Restore handling of string input Adds tests that were mistakenly removed. One of these tests proved we were not handling the the stdin (-x) option correctly when no input was added. This commit restores the original approach of reading stdin one char at a time until there is no more (-1, \r, \n) instead of using readline() that might return null * Apply spotless reformatting * Use '--since' flag to get recent journal messages When we get Elasticsearch logs from journald, we want to fetch only log messages from the last run. There are two reasons for this. First, if there are many logs, we might get a string that's too large for our utility methods. Second, when we're looking for a specific message or error, we almost certainly want to look only at messages from the last execution. Previously, we've been trying to do this by clearing out the physical files under the journald process. But there seems to be some contention over these directories: if journald writes a log file in between when our deletion command deletes the file and when it deletes the log directory, the deletion will fail. It seems to me that we might be able to use journald's "--since" flag to retrieve only log messages from the last run, and that this might be less likely to fail due to race conditions in file deletion. Unfortunately, it looks as if the "--since" flag has a granularity of one-second. I've added a two-second sleep to make sure that there's a sufficient gap between the test that will read from journald and the test before it. * Use new journald wrapper pattern * Update version added in secure settings request Co-authored-by: Lisa Cawley <lcawley@elastic.co> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
import java.io.InputStream;
import java.io.InputStreamReader;
Bootstrap does not set system properties Today, certain bootstrap properties are set and read via system properties. This action-at-distance way of managing these properties is rather confusing, and completely unnecessary. But another problem exists with setting these as system properties. Namely, these system properties are interpreted as Elasticsearch settings, not all of which are registered. This leads to Elasticsearch failing to startup if any of these special properties are set. Instead, these properties should be kept as local as possible, and passed around as method parameters where needed. This eliminates the action-at-distance way of handling these properties, and eliminates the need to register these non-setting properties. This commit does exactly that. Additionally, today we use the "-D" command line flag to set the properties, but this is confusing because "-D" is a special flag to the JVM for setting system properties. This creates confusion because some "-D" properties should be passed via arguments to the JVM (so via ES_JAVA_OPTS), and some should be passed as arguments to Elasticsearch. This commit changes the "-D" flag for Elasticsearch settings to "-E".
2016-03-13 09:10:56 -04:00
import java.io.PrintStream;
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
import java.io.UnsupportedEncodingException;
import java.net.URISyntaxException;
Password-protected Keystore Feature Branch PR (#51123) (#51510) * Reload secure settings with password (#43197) If a password is not set, we assume an empty string to be compatible with previous behavior. Only allow the reload to be broadcast to other nodes if TLS is enabled for the transport layer. * Add passphrase support to elasticsearch-keystore (#38498) This change adds support for keystore passphrases to all subcommands of the elasticsearch-keystore cli tool and adds a subcommand for changing the passphrase of an existing keystore. The work to read the passphrase in Elasticsearch when loading, which will be addressed in a different PR. Subcommands of elasticsearch-keystore can handle (open and create) passphrase protected keystores When reading a keystore, a user is only prompted for a passphrase only if the keystore is passphrase protected. When creating a keystore, a user is allowed (default behavior) to create one with an empty passphrase Passphrase can be set to be empty when changing/setting it for an existing keystore Relates to: #32691 Supersedes: #37472 * Restore behavior for force parameter (#44847) Turns out that the behavior of `-f` for the add and add-file sub commands where it would also forcibly create the keystore if it didn't exist, was by design - although undocumented. This change restores that behavior auto-creating a keystore that is not password protected if the force flag is used. The force OptionSpec is moved to the BaseKeyStoreCommand as we will presumably want to maintain the same behavior in any other command that takes a force option. * Handle pwd protected keystores in all CLI tools (#45289) This change ensures that `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` can handle a password protected elasticsearch.keystore. For setup passwords the user would be prompted to add the elasticsearch keystore password upon running the tool. There is no option to pass the password as a parameter as we assume the user is present in order to enter the desired passwords for the built-in users. For saml-metadata, we prompt for the keystore password at all times even though we'd only need to read something from the keystore when there is a signing or encryption configuration. * Modify docs for setup passwords and saml metadata cli (#45797) Adds a sentence in the documentation of `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` to describe that users would be prompted for the keystore's password when running these CLI tools, when the keystore is password protected. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> * Elasticsearch keystore passphrase for startup scripts (#44775) This commit allows a user to provide a keystore password on Elasticsearch startup, but only prompts when the keystore exists and is encrypted. The entrypoint in Java code is standard input. When the Bootstrap class is checking for secure keystore settings, it checks whether or not the keystore is encrypted. If so, we read one line from standard input and use this as the password. For simplicity's sake, we allow a maximum passphrase length of 128 characters. (This is an arbitrary limit and could be increased or eliminated. It is also enforced in the keystore tools, so that a user can't create a password that's too long to enter at startup.) In order to provide a password on standard input, we have to account for four different ways of starting Elasticsearch: the bash startup script, the Windows batch startup script, systemd startup, and docker startup. We use wrapper scripts to reduce systemd and docker to the bash case: in both cases, a wrapper script can read a passphrase from the filesystem and pass it to the bash script. In order to simplify testing the need for a passphrase, I have added a has-passwd command to the keystore tool. This command can run silently, and exit with status 0 when the keystore has a password. It exits with status 1 if the keystore doesn't exist or exists and is unencrypted. A good deal of the code-change in this commit has to do with refactoring packaging tests to cleanly use the same tests for both the "archive" and the "package" cases. This required not only moving tests around, but also adding some convenience methods for an abstraction layer over distribution-specific commands. * Adjust docs for password protected keystore (#45054) This commit adds relevant parts in the elasticsearch-keystore sub-commands reference docs and in the reload secure settings API doc. * Fix failing Keystore Passphrase test for feature branch (#50154) One problem with the passphrase-from-file tests, as written, is that they would leave a SystemD environment variable set when they failed, and this setting would cause elasticsearch startup to fail for other tests as well. By using a try-finally, I hope that these tests will fail more gracefully. It appears that our Fedora and Ubuntu environments may be configured to store journald information under /var rather than under /run, so that it will persist between boots. Our destructive tests that read from the journal need to account for this in order to avoid trying to limit the output we check in tests. * Run keystore management tests on docker distros (#50610) * Add Docker handling to PackagingTestCase Keystore tests need to be able to run in the Docker case. We can do this by using a DockerShell instead of a plain Shell when Docker is running. * Improve ES startup check for docker Previously we were checking truncated output for the packaged JDK as an indication that Elasticsearch had started. With new preliminary password checks, we might get a false positive from ES keystore commands, so we have to check specifically that the Elasticsearch class from the Bootstrap package is what's running. * Test password-protected keystore with Docker (#50803) This commit adds two tests for the case where we mount a password-protected keystore into a Docker container and provide a password via a Docker environment variable. We also fix a logging bug where we were logging the identifier for an array of strings rather than the contents of that array. * Add documentation for keystore startup prompting (#50821) When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. Co-authored-by: Lisa Cawley <lcawley@elastic.co> * Warn when unable to upgrade keystore on debian (#51011) For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This commit brings the same logic to the code for Debian packages. See the posttrans file for gets executed for RPMs. * Restore handling of string input Adds tests that were mistakenly removed. One of these tests proved we were not handling the the stdin (-x) option correctly when no input was added. This commit restores the original approach of reading stdin one char at a time until there is no more (-1, \r, \n) instead of using readline() that might return null * Apply spotless reformatting * Use '--since' flag to get recent journal messages When we get Elasticsearch logs from journald, we want to fetch only log messages from the last run. There are two reasons for this. First, if there are many logs, we might get a string that's too large for our utility methods. Second, when we're looking for a specific message or error, we almost certainly want to look only at messages from the last execution. Previously, we've been trying to do this by clearing out the physical files under the journald process. But there seems to be some contention over these directories: if journald writes a log file in between when our deletion command deletes the file and when it deletes the log directory, the deletion will fail. It seems to me that we might be able to use journald's "--since" flag to retrieve only log messages from the last run, and that this might be less likely to fail due to race conditions in file deletion. Unfortunately, it looks as if the "--since" flag has a granularity of one-second. I've added a two-second sleep to make sure that there's a sufficient gap between the test that will read from journald and the test before it. * Use new journald wrapper pattern * Update version added in secure settings request Co-authored-by: Lisa Cawley <lcawley@elastic.co> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
import java.nio.charset.StandardCharsets;
Bootstrap does not set system properties Today, certain bootstrap properties are set and read via system properties. This action-at-distance way of managing these properties is rather confusing, and completely unnecessary. But another problem exists with setting these as system properties. Namely, these system properties are interpreted as Elasticsearch settings, not all of which are registered. This leads to Elasticsearch failing to startup if any of these special properties are set. Instead, these properties should be kept as local as possible, and passed around as method parameters where needed. This eliminates the action-at-distance way of handling these properties, and eliminates the need to register these non-setting properties. This commit does exactly that. Additionally, today we use the "-D" command line flag to set the properties, but this is confusing because "-D" is a special flag to the JVM for setting system properties. This creates confusion because some "-D" properties should be passed via arguments to the JVM (so via ES_JAVA_OPTS), and some should be passed as arguments to Elasticsearch. This commit changes the "-D" flag for Elasticsearch settings to "-E".
2016-03-13 09:10:56 -04:00
import java.nio.file.Path;
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
import java.security.NoSuchAlgorithmException;
Internal: Refactor SettingCommand into EnvironmentAwareCommand (#22175) * Internal: Refactor SettingCommand into EnvironmentAwareCommand This change renames and changes the behavior of SettingCommand to have its primary method take in a fully initialized Environment for elasticsearch instead of just a map of settings. All of the subclasses of SettingCommand already did this at some point, so this just removes duplication.
2016-12-19 15:23:44 -08:00
import java.util.Collections;
Remove some unused code (#27792) This commit removes some unused code.
2017-12-13 16:45:55 +01:00
import java.util.List;
Deprecate versions of Java prior to Java 11 (#40756) This commit deprecates versions of Java prior to Java 11. This commit will cause a warning to be printed to standard error when any command line tool is invoked, or when Elasticsearch is started. Additionally, we log a deprecation message when Elasticsearch is started.
2019-04-03 06:39:40 -04:00
import java.util.Locale;
Bootstrap does not set system properties Today, certain bootstrap properties are set and read via system properties. This action-at-distance way of managing these properties is rather confusing, and completely unnecessary. But another problem exists with setting these as system properties. Namely, these system properties are interpreted as Elasticsearch settings, not all of which are registered. This leads to Elasticsearch failing to startup if any of these special properties are set. Instead, these properties should be kept as local as possible, and passed around as method parameters where needed. This eliminates the action-at-distance way of handling these properties, and eliminates the need to register these non-setting properties. This commit does exactly that. Additionally, today we use the "-D" command line flag to set the properties, but this is confusing because "-D" is a special flag to the JVM for setting system properties. This creates confusion because some "-D" properties should be passed via arguments to the JVM (so via ES_JAVA_OPTS), and some should be passed as arguments to Elasticsearch. This commit changes the "-D" flag for Elasticsearch settings to "-E".
2016-03-13 09:10:56 -04:00
import java.util.concurrent.CountDownLatch;
Clean up Node#close. (#39317) (#41301) `Node#close` is pretty hard to rely on today: - it might swallow exceptions - it waits for 10 seconds for threads to terminate but doesn't signal anything if threads are still not terminated after 10 seconds This commit makes `IOException`s propagated and splits `Node#close` into `Node#close` and `Node#awaitClose` so that the decision what to do if a node takes too long to close can be done on top of `Node#close`. It also adds synchronization to lifecycle transitions to make them atomic. I don't think it is a source of problems today, but it makes things easier to reason about.
2019-04-17 16:10:53 +02:00
import java.util.concurrent.TimeUnit;
initial commit
2010-02-08 15:30:06 +02:00
/**
Cleanup bootstrap package. * makes most classes final and package private * removes duplicate and confusing multiple entry points * adds javadocs to some classes like JarHell,Security * adds a public class BootStrapInfo that exposes any stats needed by outside code.
2015-08-21 23:28:56 -04:00
* Internal startup code.
initial commit
2010-02-08 15:30:06 +02:00
*/
Cleanup bootstrap package. * makes most classes final and package private * removes duplicate and confusing multiple entry points * adds javadocs to some classes like JarHell,Security * adds a public class BootStrapInfo that exposes any stats needed by outside code.
2015-08-21 23:28:56 -04:00
final class Bootstrap {
initial commit
2010-02-08 15:30:06 +02:00
Remove exitVM permission
2015-05-04 14:06:32 -04:00
private static volatile Bootstrap INSTANCE;
Improve path management on init: * Properly support symlinks (e.g. /tmp -> /mnt/tmp) * Check all configured paths up front and deliver the best exception we can when things are wrong * Initialize securitymanager earlier * Fix too-loud error logging of Natives root check
2015-05-12 00:20:52 -04:00
private volatile Node node;
Remove exitVM permission
2015-05-04 14:06:32 -04:00
private final CountDownLatch keepAliveLatch = new CountDownLatch(1);
private final Thread keepAliveThread;
Adjust bootstrap sequence (#21543) Added the ability for plugins to spawn a controller process at startup
2016-11-17 09:58:09 +00:00
private final Spawner spawner = new Spawner();
Remove exitVM permission
2015-05-04 14:06:32 -04:00
/** creates a new instance */
Bootstrap() {
keepAliveThread = new Thread(new Runnable() {
@Override
public void run() {
try {
keepAliveLatch.await();
} catch (InterruptedException e) {
// bail out
}
}
[Rename] Refactor ES and Elasticsearch classes in server module bootstrap package (#197) This commit refactors the heavily used ESPolicy, Elasticsearch (main class), and Elasticsearch prefixed test classes used in the bootstrap package under the server module. Refactoring the namespace will come in a separate commit. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 11:53:55 -06:00
}, "opensearch[keepAlive/" + Version.CURRENT + "]");
Remove exitVM permission
2015-05-04 14:06:32 -04:00
keepAliveThread.setDaemon(false);
// keep this thread alive (non daemon thread) until we shutdown
Runtime.getRuntime().addShutdownHook(new Thread() {
@Override
public void run() {
keepAliveLatch.countDown();
}
});
}
Remove NodeBuilder The NodeBuilder is currently used to construct a Node. However, this is really just yet-another-builder that wraps around a Settings.Builder witha couple convenience methods. But there are very few uses of these convenience methods. This change removes NodeBuilder, in favor of just using the Node constructor.
2015-12-09 23:57:14 -08:00
Remove JNI permissions, improve JNI testing.
2015-05-04 12:30:03 -04:00
/** initialize native resources */
Refer to system call filter instead of seccomp Today in the codebase we refer to seccomp everywhere instead of system call filter even if we are not specifically referring to Linux. This commit is a purely mechanical change to refer to system call filter where appropriate instead of the general seccomp, and only leaves seccomp in place when actually referring to the Linux implementation. Relates #22243
2016-12-16 18:30:19 -05:00
public static void initializeNatives(Path tmpFile, boolean mlockAll, boolean systemCallFilter, boolean ctrlHandler) {
Logging: server: clean up logging (#34593) Replace internal deprecated calls to `Loggers.getLogger(Class)` with direct calls to log4j `LogManager.getLogger(Class)`
2018-10-25 15:52:50 +02:00
final Logger logger = LogManager.getLogger(Bootstrap.class);
Remove NodeBuilder The NodeBuilder is currently used to construct a Node. However, this is really just yet-another-builder that wraps around a Settings.Builder witha couple convenience methods. But there are very few uses of these convenience methods. This change removes NodeBuilder, in favor of just using the Node constructor.
2015-12-09 23:57:14 -08:00
bail if ES is run as root
2015-05-05 01:29:57 -04:00
// check if the user is running as root, and bail
if (Natives.definitelyRunningAsRoot()) {
[Rename] Refactor ES and Elasticsearch classes in server module bootstrap package (#197) This commit refactors the heavily used ESPolicy, Elasticsearch (main class), and Elasticsearch prefixed test classes used in the bootstrap package under the server module. Refactoring the namespace will come in a separate commit. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 11:53:55 -06:00
throw new RuntimeException("can not run opensearch as root");
bail if ES is run as root
2015-05-05 01:29:57 -04:00
}
Remove NodeBuilder The NodeBuilder is currently used to construct a Node. However, this is really just yet-another-builder that wraps around a Settings.Builder witha couple convenience methods. But there are very few uses of these convenience methods. This change removes NodeBuilder, in favor of just using the Node constructor.
2015-12-09 23:57:14 -08:00
Refer to system call filter instead of seccomp Today in the codebase we refer to seccomp everywhere instead of system call filter even if we are not specifically referring to Linux. This commit is a purely mechanical change to refer to system call filter where appropriate instead of the general seccomp, and only leaves seccomp in place when actually referring to the Linux implementation. Relates #22243
2016-12-16 18:30:19 -05:00
// enable system call filter
if (systemCallFilter) {
Natives.tryInstallSystemCallFilter(tmpFile);
Block process execution with seccomp on linux/amd64 Block execve(), fork(), and vfork() system calls, returning EACCES instead, on kernels that support seccomp-bpf: either via seccomp() or falling back to prctl(). Only linux/amd64 is supported. This feature can be disabled (in case of problems) with bootstrap.seccomp=false. Closes #13753 Squashed commit of the following: commit 92cee05c72b49e532d41be7b16709e1c9f919fa9 Author: Robert Muir <rmuir@apache.org> Date: Thu Sep 24 10:12:51 2015 -0400 Add a note about why we don't parse uname() or anything commit b427971f45cbda4d0b964ddc4a55fae638880335 Author: Robert Muir <rmuir@apache.org> Date: Thu Sep 24 09:44:31 2015 -0400 style only: we already pull errno into a local, use it for catch-all case commit ddf93305525ed1546baf91f7902148a8f5b1ad06 Author: Robert Muir <rmuir@apache.org> Date: Thu Sep 24 08:36:01 2015 -0400 add TODO commit f29d1b7b809a9d4c1fcf15f6064e43f7d1b24696 Author: Robert Muir <rmuir@apache.org> Date: Thu Sep 24 08:33:28 2015 -0400 Add full stacktrace at debug level always commit a3c991ff8b0b16dc5e128af8fb3dfa6346c6d6f1 Author: Robert Muir <rmuir@apache.org> Date: Thu Sep 24 00:08:19 2015 -0400 Add missing check just in case. commit 628ed9c77603699aa9c67890fe7632b0e662a911 Author: Robert Muir <rmuir@apache.org> Date: Wed Sep 23 22:47:16 2015 -0400 Add public getter, for stats or whatever if they need to know this commit 3e2265b5f89d42043d9a07d4525ce42e2cb1c727 Author: Robert Muir <rmuir@apache.org> Date: Wed Sep 23 22:43:06 2015 -0400 Enable use of seccomp(2) on Linux 3.17+ which provides more protection. Add nice errors. Add all kinds of checks and paranoia. Add documentation. Add boolean switch. commit 0e421f7fa2d5236c8fa2cd073bcb616f5bcd2d23 Author: Robert Muir <rmuir@apache.org> Date: Wed Sep 23 21:36:32 2015 -0400 Add defensive checks and nice error messages commit 6231c3b7c96a81af8460cde30135e077f60a3f39 Author: Robert Muir <rmuir@apache.org> Date: Wed Sep 23 20:52:40 2015 -0400 clean up JNA and BPF. block fork and vfork too. commit bb31e8a6ef03ceeb1d5137c84d50378c270af85a Author: Robert Muir <rmuir@apache.org> Date: Wed Sep 23 19:00:32 2015 -0400 order is LE already for the JNA buffer, but be explicit about it commit 10456d2f08f12ddc3d60989acb86b37be6a4b12b Author: Robert Muir <rmuir@apache.org> Date: Wed Sep 23 17:47:07 2015 -0400 block process execution with seccomp on linux/amd64
2015-09-24 12:17:21 -04:00
}
Remove NodeBuilder The NodeBuilder is currently used to construct a Node. However, this is really just yet-another-builder that wraps around a Settings.Builder witha couple convenience methods. But there are very few uses of these convenience methods. This change removes NodeBuilder, in favor of just using the Node constructor.
2015-12-09 23:57:14 -08:00
Do the root check first, so resource limits arent confusing if you are root.
2015-05-30 11:20:20 -04:00
// mlockall if requested
if (mlockAll) {
if (Constants.WINDOWS) {
Natives.tryVirtualLock();
} else {
Natives.tryMlockall();
}
}
initial commit
2010-02-08 15:30:06 +02:00
Remove JNI permissions, improve JNI testing.
2015-05-04 12:30:03 -04:00
// listener for windows close event
if (ctrlHandler) {
Shutdown: Add support for Ctrl-Close event on Windows platforms to gracefully shutdown node This commit adds the support for the Ctrl-Close event on Windows using native system calls. This way, it is possible to catch the Ctrl-Close event sent by a 'taskill /pid' command (or when the user closes the console window where elasticsearch.bat was started) and gracefully close the node. Before this commit, the node was simply killed on taskkill/window closing.
2014-12-17 18:00:53 +01:00
Natives.addConsoleCtrlHandler(new ConsoleCtrlHandler() {
@Override
public boolean handle(int code) {
if (CTRL_CLOSE_EVENT == code) {
logger.info("running graceful exit on windows");
Ensure all resoruces are closed on Node#close() We are leaking all kinds of resources if something during Node#close() barfs. This commit cuts over to a list of closeables to release resources that also closed remaining services if one or more services fail to close. Closes #13685
2016-01-29 16:18:21 +01:00
try {
Bootstrap.stop();
} catch (IOException e) {
[Rename] ElasticsearchException class in server module (#165) This commit refactors the ElasticsearchException class located in the server module to OpenSearchException. References and usages throughout the rest of the codebase are fully refactored. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-03 14:27:14 -06:00
throw new OpenSearchException("failed to stop node", e);
Ensure all resoruces are closed on Node#close() We are leaking all kinds of resources if something during Node#close() barfs. This commit cuts over to a list of closeables to release resources that also closed remaining services if one or more services fail to close. Closes #13685
2016-01-29 16:18:21 +01:00
}
Shutdown: Add support for Ctrl-Close event on Windows platforms to gracefully shutdown node This commit adds the support for the Ctrl-Close event on Windows using native system calls. This way, it is possible to catch the Ctrl-Close event sent by a 'taskill /pid' command (or when the user closes the console window where elasticsearch.bat was started) and gracefully close the node. Before this commit, the node was simply killed on taskkill/window closing.
2014-12-17 18:00:53 +01:00
return true;
}
return false;
}
});
}
ensure JNA is fully loaded when its avail, but don't fail its not
2015-05-05 11:49:40 -04:00
// force remainder of JNA to be loaded (if available).
try {
make JNA optional for tests and move classes to bootstrap package Today, JNA is a optional dependency in the build but when running tests or running with mlockall set to true, JNA must be on the classpath for Windows systems since we always try to load JNA classes when using mlockall. The old Natives class was renamed to JNANatives, and a new Natives class is introduced without any direct imports on JNA classes. The Natives class checks to see if JNA classes are available at startup. If the classes are available the Natives class will delegate to the JNANatives class. If the classes are not available the Natives class will not use the JNANatives class, which results in no additional attempts to load JNA classes. Additionally, all of the JNA classes were moved to the bootstrap package and made package private as this is the only place they should be called from. Closes #11360
2015-05-27 09:14:01 -04:00
JNAKernel32Library.getInstance();
Do not catch throwable Today throughout the codebase, catch throwable is used with reckless abandon. This is dangerous because the throwable could be a fatal virtual machine error resulting from an internal error in the JVM, or an out of memory error or a stack overflow error that leaves the virtual machine in an unstable and unpredictable state. This commit removes catch throwable from the codebase and removes the temptation to use it by modifying listener APIs to receive instances of Exception instead of the top-level Throwable. Relates #19231
2016-07-04 08:41:06 -04:00
} catch (Exception ignored) {
ensure JNA is fully loaded when its avail, but don't fail its not
2015-05-05 11:49:40 -04:00
// we've already logged this.
}
Allow disabling of sigar via settings Sigar can only be disabled by removing the binaries. This is tricky for our tests and might cause a lot of trouble if a user wants or needs to do it. This commit allows to disable sigar with a simple boolean flag in the settings. Closes #9582
2015-05-22 09:16:23 +02:00
Make JNA calls optional The introduction of max number of processes and max size virtual memory checks inadvertently made JNA non-optional on OS X and Linux. This commit wraps these calls in a check to see if JNA is available so that JNA remains optional. Closes #17492
2016-04-02 11:21:27 -04:00
Natives.trySetMaxNumberOfThreads();
Natives.trySetMaxSizeVirtualMemory();
Add max file size bootstrap check This commit adds a bootstrap check for the maximum file size, and ensures the limit is set correctly when Elasticsearch is installed as a service on systemd-based systems. Relates #25974
2017-07-31 21:01:47 +09:00
Natives.trySetMaxFileSize();
Add max size virtual memory check This commit adds a bootstrap check on Linux and OS X for the max size of virtual memory (address space) to the user running the Elasticsearch process. Closes #16935
2016-03-03 12:51:00 -05:00
Remove JNI permissions, improve JNI testing.
2015-05-04 12:30:03 -04:00
// init lucene random seed. it will use /dev/urandom where available:
StringHelper.randomId();
}
Process Stats: remove sigar specific stats from APIs and add JMX implementation
2015-07-06 09:37:11 +02:00
static void initializeProbes() {
// Force probes to be loaded
ProcessProbe.getInstance();
Update OS stats
2015-07-06 14:22:01 +02:00
OsProbe.getInstance();
Ban write access to system properties * Forbid System.setProperties & co in forbidden APIs. * Ban property write access at runtime with security manager. Plugins that need to modify system properties will need to request permission in their plugin-security.policy
2015-11-21 22:33:06 -05:00
JvmInfo.jvmInfo();
Process Stats: remove sigar specific stats from APIs and add JMX implementation
2015-07-06 09:37:11 +02:00
}
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
private void setup(boolean addShutdownHook, Environment environment) throws BootstrapException {
Persistent Node Names (#19456) With #19140 we started persisting the node ID across node restarts. Now that we have a "stable" anchor, we can use it to generate a stable default node name and make it easier to track nodes over a restarts. Sadly, this means we will not have those random fun Marvel characters but we feel this is the right tradeoff. On the implementation side, this requires a bit of juggling because we now need to read the node id from disk before we can log as the node node is part of each log message. The PR move the initialization of NodeEnvironment as high up in the starting sequence as possible, with only one logging message before it to indicate we are initializing. Things look now like this: ``` [2016-07-15 19:38:39,742][INFO ][node ] [_unset_] initializing ... [2016-07-15 19:38:39,826][INFO ][node ] [aAmiW40] node name set to [aAmiW40] by default. set the [node.name] settings to change it [2016-07-15 19:38:39,829][INFO ][env ] [aAmiW40] using [1] data paths, mounts [[ /(/dev/disk1)]], net usable_space [5.5gb], net total_space [232.6gb], spins? [unknown], types [hfs] [2016-07-15 19:38:39,830][INFO ][env ] [aAmiW40] heap size [1.9gb], compressed ordinary object pointers [true] [2016-07-15 19:38:39,837][INFO ][node ] [aAmiW40] version[5.0.0-alpha5-SNAPSHOT], pid[46048], build[473d3c0/2016-07-15T17:38:06.771Z], OS[Mac OS X/10.11.5/x86_64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_51/25.51-b03] [2016-07-15 19:38:40,980][INFO ][plugins ] [aAmiW40] modules [percolator, lang-mustache, lang-painless, reindex, aggs-matrix-stats, lang-expression, ingest-common, lang-groovy, transport-netty], plugins [] [2016-07-15 19:38:43,218][INFO ][node ] [aAmiW40] initialized ``` Needless to say, settings `node.name` explicitly still works as before. The commit also contains some clean ups to the relationship between Environment, Settings and Plugins. The previous code suggested the path related settings could be changed after the initial Environment was changed. This did not have any effect as the security manager already locked things down.
2016-07-23 22:46:48 +02:00
Settings settings = environment.settings();
Adjust bootstrap sequence (#21543) Added the ability for plugins to spawn a controller process at startup
2016-11-17 09:58:09 +00:00
try {
Prevent unexpected native controller output hanging the process (#56685) In normal operation native controllers are not expected to write anything to stdout or stderr. However, if due to an error or something unexpected with the environment a native controller does write something to stdout or stderr then it will block if nothing is reading that output. This change makes the stdout and stderr of native controllers reuse the same stdout and stderr as the Elasticsearch JVM (which are by default redirected to es.stdout.log and es.stderr.log) so that if something unexpected is written to native controller output then: 1. The native controller process does not block, waiting for something to read the output 2. We can see what the output was, making it easier to debug obscure environmental problems Backport of #56491 Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-05-13 22:57:00 +01:00
spawner.spawnNativeControllers(environment, true);
Adjust bootstrap sequence (#21543) Added the ability for plugins to spawn a controller process at startup
2016-11-17 09:58:09 +00:00
} catch (IOException e) {
throw new BootstrapException(e);
}
Register bootstrap settings This commit registers bootstrap settings used on startup. Without registration, setting any of these settings causes node startup to fail. By registering these settings (rather than clearing) after use, we enable them to be visible in any APIs that show all settings. Closes #16513
2016-02-08 13:13:32 -05:00
initializeNatives(
environment.tmpFile(),
Rename boostrap.mlockall to bootstrap.memory_lock The setting bootstrap.mlockall is useful on both POSIX-like systems (POSIX mlockall) and Windows (Win32 VirtualLock). But mlockall is really a POSIX only thing so the name should not be tied POSIX. This commit renames the setting to "bootstrap.memory_lock". Relates #18669
2016-06-01 16:25:51 -04:00
BootstrapSettings.MEMORY_LOCK_SETTING.get(settings),
Rename bootstrap.seccomp to bootstrap.system_call_filter We try to install a system call filter on various operating systems (Linux, macOS, BSD, Solaris, and Windows) but the setting (bootstrap.seccomp) to control this is named after the Linux implementation (seccomp). This commit replaces this setting with bootstrap.system_call_filter. For backwards compatibility reasons, we fallback to bootstrap.seccomp and log a deprecation message if bootstrap.seccomp is set. We intend to remove this fallback in 6.0.0. Note that now is the time to make this change it's likely that most users are not making this setting anyway as prior to version 5.2.0 (currently unreleased) it was not necessary to configure anything to enable a node to start up if the system call filter failed to install (we marched on anyway) but starting in 5.2.0 it will be necessary in this case. Relates #22226
2016-12-16 18:20:11 -05:00
BootstrapSettings.SYSTEM_CALL_FILTER_SETTING.get(settings),
Register bootstrap settings This commit registers bootstrap settings used on startup. Without registration, setting any of these settings causes node startup to fail. By registering these settings (rather than clearing) after use, we enable them to be visible in any APIs that show all settings. Closes #16513
2016-02-08 13:13:32 -05:00
BootstrapSettings.CTRLHANDLER_SETTING.get(settings));
Remove JNI permissions, improve JNI testing.
2015-05-04 12:30:03 -04:00
Process Stats: remove sigar specific stats from APIs and add JMX implementation
2015-07-06 09:37:11 +02:00
// initialize probes before the security manager is installed
initializeProbes();
Remove JNI permissions, improve JNI testing.
2015-05-04 12:30:03 -04:00
if (addShutdownHook) {
Runtime.getRuntime().addShutdownHook(new Thread() {
@Override
public void run() {
Use IOUtils#close() where needed
2016-01-29 16:26:37 +01:00
try {
Avoid race when shutting down controller processes (#24579) This commit terminates any controller processes plugins might have after the node has been closed. This gives the plugins a chance to shut down their controllers gracefully. Previously there was a race condition where controller processes could be shut down gracefully and terminated by two threads running in parallel, leading to non-deterministic outcomes. Additionally, controller processes that failed to shut down gracefully were not forcibly terminated when running as a Windows service; there was a reliance on the plugin to shut down its controller gracefully in this situation. This commit also fixes this problem.
2017-05-10 14:59:14 +01:00
IOUtils.close(node, spawner);
Do not prematurely shutdown Log4j When a node closes, we shutdown logging as the last statement. This statement must be last lest any subsequent attempts to log will blow up by running into security permissions. Yet, in the case of a tribe node this isn't enough. The first internal tribe node to close will shutdown logging, and subsequent node closes will blow up with the aforementioned problem. This commit migrate the Log4j shutdown to occur as part of the shutdown hook that closes the node, after all nodes have closed. Consequently, we can remove a hack in the test infrastructure to prevent Log4j shutdowns when internal test nodes close and instead just register a single shutdown hook that runs when the test JVM exits. Relates #21519
2016-11-13 17:27:30 -05:00
LoggerContext context = (LoggerContext) LogManager.getContext(false);
Configurator.shutdown(context);
Clean up Node#close. (#39317) (#41301) `Node#close` is pretty hard to rely on today: - it might swallow exceptions - it waits for 10 seconds for threads to terminate but doesn't signal anything if threads are still not terminated after 10 seconds This commit makes `IOException`s propagated and splits `Node#close` into `Node#close` and `Node#awaitClose` so that the decision what to do if a node takes too long to close can be done on top of `Node#close`. It also adds synchronization to lifecycle transitions to make them atomic. I don't think it is a source of problems today, but it makes things easier to reason about.
2019-04-17 16:10:53 +02:00
if (node != null && node.awaitClose(10, TimeUnit.SECONDS) == false) {
throw new IllegalStateException("Node didn't stop within 10 seconds. " +
"Any outstanding requests or tasks might get killed.");
}
Use IOUtils#close() where needed
2016-01-29 16:26:37 +01:00
} catch (IOException ex) {
[Rename] ElasticsearchException class in server module (#165) This commit refactors the ElasticsearchException class located in the server module to OpenSearchException. References and usages throughout the rest of the codebase are fully refactored. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-03 14:27:14 -06:00
throw new OpenSearchException("failed to stop node", ex);
Clean up Node#close. (#39317) (#41301) `Node#close` is pretty hard to rely on today: - it might swallow exceptions - it waits for 10 seconds for threads to terminate but doesn't signal anything if threads are still not terminated after 10 seconds This commit makes `IOException`s propagated and splits `Node#close` into `Node#close` and `Node#awaitClose` so that the decision what to do if a node takes too long to close can be done on top of `Node#close`. It also adds synchronization to lifecycle transitions to make them atomic. I don't think it is a source of problems today, but it makes things easier to reason about.
2019-04-17 16:10:53 +02:00
} catch (InterruptedException e) {
LogManager.getLogger(Bootstrap.class).warn("Thread got interrupted while waiting for the node to shutdown.");
Thread.currentThread().interrupt();
Improve path management on init: * Properly support symlinks (e.g. /tmp -> /mnt/tmp) * Check all configured paths up front and deliver the best exception we can when things are wrong * Initialize securitymanager earlier * Fix too-loud error logging of Natives root check
2015-05-12 00:20:52 -04:00
}
Remove JNI permissions, improve JNI testing.
2015-05-04 12:30:03 -04:00
}
});
}
Refactor pluginservice Closes #12367 Squashed commit of the following: commit 9453c411798121aa5439c52e95301f60a022ba5f Merge: 3511a9c 828d8c7 Author: Robert Muir <rmuir@apache.org> Date: Wed Jul 22 08:22:41 2015 -0400 Merge branch 'master' into refactor_pluginservice commit 3511a9c616503c447de9f0df9b4e9db3e22abd58 Author: Ryan Ernst <ryan@iernst.net> Date: Tue Jul 21 21:50:15 2015 -0700 Remove duplicated constant commit 4a9b5b4621b0ef2e74c1e017d9c8cf624dd27713 Author: Ryan Ernst <ryan@iernst.net> Date: Tue Jul 21 21:01:57 2015 -0700 Add check that plugin must specify at least site or jvm commit 19aef2f0596153a549ef4b7f4483694de41e101b Author: Ryan Ernst <ryan@iernst.net> Date: Tue Jul 21 20:52:58 2015 -0700 Change plugin "plugin" property to "classname" commit 07ae396f30ed592b7499a086adca72d3f327fe4c Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 23:36:05 2015 -0400 remove test with no methods commit 550e73bf3d0f94562f4dde95239409dc5a24ce25 Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 23:31:58 2015 -0400 fix loading to use classname commit 04463aed12046da0da5cac2a24c3ace51a79f799 Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 23:24:19 2015 -0400 rename to classname commit 9f3afadd1caf89448c2eb913757036da48758b2d Author: Ryan Ernst <ryan@iernst.net> Date: Tue Jul 21 20:18:46 2015 -0700 moved PluginInfo and refactored parsing from properties file commit df63ccc1b8b7cc64d3e59d23f6c8e827825eba87 Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 23:08:26 2015 -0400 fix test commit c7febd844be358707823186a8c7a2d21e37540c9 Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 23:03:44 2015 -0400 remove test commit 017b3410cf9d2b7fca1b8653e6f1ebe2f2519257 Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 22:58:31 2015 -0400 fix test commit c9922938df48041ad43bbb3ed6746f71bc846629 Merge: ad59af4 01ea89a Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 22:37:28 2015 -0400 Merge branch 'master' into refactor_pluginservice commit ad59af465e1f1ac58897e63e0c25fcce641148a7 Author: Areek Zillur <areek.zillur@elasticsearch.com> Date: Tue Jul 21 19:30:26 2015 -0400 [TEST] Verify expected number of nodes in cluster before issuing shardStores request commit f0f5a1e087255215b93656550fbc6bd89b8b3205 Author: Lee Hinman <lee@writequit.org> Date: Tue Jul 21 11:27:28 2015 -0600 Ignore EngineClosedException during translog fysnc When performing an operation on a primary, the state is captured and the operation is performed on the primary shard. The original request is then modified to increment the version of the operation as preparation for it to be sent to the replicas. If the request first fails on the primary during the translog sync (because the Engine is already closed due to shadow primaries closing the engine on relocation), then the operation is retried on the new primary after being modified for the replica shards. It will then fail due to the version being incorrect (the document does not yet exist but the request expects a version of "1"). Order of operations: - Request is executed against primary - Request is modified (version incremented) so it can be sent to replicas - Engine's translog is fsync'd if necessary (failing, and throwing an exception) - Modified request is retried against new primary This change ignores the exception where the engine is already closed when syncing the translog (similar to how we ignore exceptions when refreshing the shard if the ?refresh=true flag is used). commit 4ac68bb1658688550ced0c4f479dee6d8b617777 Author: Shay Banon <kimchy@gmail.com> Date: Tue Jul 21 22:37:29 2015 +0200 Replica allocator unit tests First batch of unit tests to verify the behavior of replica allocator commit 94609fc5943c8d85adc751b553847ab4cebe58a3 Author: Jason Tedor <jason@tedor.me> Date: Tue Jul 21 14:04:46 2015 -0400 Correctly list blobs in Azure storage to prevent snapshot corruption and do not unnecessarily duplicate Lucene segments in Azure Storage This commit addresses an issue that was leading to snapshot corruption for snapshots stored as blobs in Azure Storage. The underlying issue is that in cases when multiple snapshots of an index were taken and persisted into Azure Storage, snapshots subsequent to the first would repeatedly overwrite the snapshot files. This issue does render useless all snapshots except the final snapshot. The root cause of this is due to String concatenation involving null. In particular, to list all of the blobs in a snapshot directory in Azure the code would use the method listBlobsByPrefix where the prefix is null. In the listBlobsByPrefix method, the path keyPath + prefix is constructed. However, per 5.1.11, 5.4 and 15.18.1 of the Java Language Specification, the reference null is first converted to the string "null" before performing the concatenation. This leads to no blobs being returned and therefore the snapshot mechanism would operate as if it were writing the first snapshot of the index. The fix is simply to check if prefix is null and handle the concatenation accordingly. Upon fixing this issue so that subsequent snapshots would no longer overwrite earlier snapshots, it was discovered that the snapshot metadata returned by the listBlobsByPrefix method was not sufficient for the snapshot layer to detect whether or not the Lucene segments had already been copied to the Azure storage layer in an earlier snapshot. This led the snapshot layer to unnecessarily duplicate these Lucene segments in Azure Storage. The root cause of this is due to known behavior in the CloudBlobContainer.getBlockBlobReference method in the Azure API. Namely, this method does not fetch blob attributes from Azure. As such, the lengths of all the blobs appeared to the snapshot layer to be of length zero and therefore they would compare as not equal to any new blobs that the snapshot layer is going to persist. To remediate this, the method CloudBlockBlob.downloadAttributes must be invoked. This will fetch the attributes from Azure Storage so that a proper comparison of the blobs can be performed. Closes elastic/elasticsearch-cloud-azure#51, closes elastic/elasticsearch-cloud-azure#99 commit cf1d481ce5dda0a45805e42f3b2e0e1e5d028b9e Author: Lee Hinman <lee@writequit.org> Date: Mon Jul 20 08:41:55 2015 -0600 Unit tests for `nodesAndVersions` on shared filesystems With the `recover_on_any_node` setting, these unit tests check that the correct node list and versions are returned. commit 3c27cc32395c3624f7c794904d9ea4faf2eccbfb Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 14:15:59 2015 -0400 don't fail junit4 integration tests if there are no tests. instead fail the failsafe plugin, which means the external cluster will still get shut down commit 95d2756c5a8c21a157fa844273fc83dfa3c00aea Author: Alexander Reelsen <alexander@reelsen.net> Date: Tue Jul 21 17:16:53 2015 +0200 Testing: Fix help displaying tests under windows The help files are using a unix based file separator, where as the test relies on the help being based on the file system separator. This commit fixes the test to remove all `\r` characters before comparing strings. The test has also been moved into its own CliToolTestCase, as it does not need to be an integration test. commit 944f06ea36bd836f007f8eaade8f571d6140aad9 Author: Clinton Gormley <clint@traveljury.com> Date: Tue Jul 21 18:04:52 2015 +0200 Refactored check_license_and_sha.pl to accept a license dir and package path In preparation for the move to building the core zip, tar.gz, rpm, and deb as separate modules, refactored check_license_and_sha.pl to: * accept a license dir and path to the package to check on the command line * to be able to extract zip, tar.gz, deb, and rpm * all packages except rpm will work on Windows commit 2585431e8dfa5c82a2cc5b304cd03eee9bed7a4c Author: Chris Earle <pickypg@users.noreply.github.com> Date: Tue Jul 21 08:35:28 2015 -0700 Updating breaking changes - field names cannot be mapped with `.` in them - fixed asciidoc issue where the list was not recognized as a list commit de299b9d3f4615b12e2226a1e2eff5a38ecaf15f Author: Shay Banon <kimchy@gmail.com> Date: Tue Jul 21 13:27:52 2015 +0200 Replace primaryPostAllocated flag and use UnassignedInfo There is no need to maintain additional state as to if a primary was allocated post api creation on the index routing table, we hold all this information already in the UnassignedInfo class. closes #12374 commit 43080bff40f60bedce5bdbc92df302f73aeb9cae Author: Alexander Reelsen <alexander@reelsen.net> Date: Tue Jul 21 15:45:05 2015 +0200 PluginManager: Fix bin/plugin calls in scripts/bats test The release and smoke test python scripts used to install plugins in the old fashion. Also the BATS testing suite installed/removed plugins in that way. Here the marvel tests have been removed, as marvel currently does not work with the master branch. In addition documentation has been updated as well, where it was still missing. commit b81ccba48993bc13c7678e6d979fd96998499233 Author: Boaz Leskes <b.leskes@gmail.com> Date: Tue Jul 21 11:37:50 2015 +0200 Discovery: make sure NodeJoinController.ElectionCallback is always called from the update cluster state thread This is important for correct handling of the joining thread. This causes assertions to trip in our test runs. See http://build-us-00.elastic.co/job/es_g1gc_master_metal/11653/ as an example Closes #12372 commit 331853790bf29e34fb248ebc4c1ba585b44f5cab Author: Boaz Leskes <b.leskes@gmail.com> Date: Tue Jul 21 15:54:36 2015 +0200 Remove left over no commit from TransportReplicationAction It asks to double check thread pool rejection. I did and don't see problems with it. commit e5724931bbc1603e37faa977af4235507f4811f5 Author: Alexander Reelsen <alexander@reelsen.net> Date: Tue Jul 21 15:31:57 2015 +0200 CliTool: Various PluginManager fixes The new plugin manager parser was not called correctly in the scripts. In addition the plugin manager now creates a plugins/ directory in case it does not exist. Also the integration tests called the plugin manager in the deprecated way. commit 7a815a370f83ff12ffb12717ac2fe62571311279 Author: Alexander Reelsen <alexander@reelsen.net> Date: Tue Jul 21 13:54:18 2015 +0200 CLITool: Port PluginManager to use CLITool In order to unify the handling and reuse the CLITool infrastructure the plugin manager should make use of this as well. This obsolets the -i and --install options but requires the user to use `install` as the first argument of the CLI. This is basically just a port of the existing functionality, which is also the reason why this is not a refactoring of the plugin manager, which will come in a separate commit. commit 7f171eba7b71ac5682a355684b6da703ffbfccc7 Author: Martijn van Groningen <martijn.v.groningen@gmail.com> Date: Tue Jul 21 10:44:21 2015 +0200 Remove custom execute local logic in TransportSingleShardAction and TransportInstanceSingleOperationAction and rely on transport service to execute locally. (forking thread etc.) Change TransportInstanceSingleOperationAction to have shardActionHandler to, so we can execute locally without endless spinning. commit 0f38e3eca6b570f74b552e70b4673f47934442e1 Author: Ryan Ernst <ryan@iernst.net> Date: Tue Jul 21 17:36:12 2015 -0700 More readMetadata tests and pickiness commit 880b47281bd69bd37807e8252934321b089c9f8e Author: Ryan Ernst <ryan@iernst.net> Date: Tue Jul 21 14:42:09 2015 -0700 Started unit tests for plugin service commit cd7c8ddd7b8c4f3457824b493bffb19c156c7899 Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 07:21:07 2015 -0400 fix tests commit 673454f0b14f072f66ed70e32110fae4f7aad642 Author: Robert Muir <rmuir@apache.org> Date: Tue Jul 21 06:58:25 2015 -0400 refactor pluginservice
2015-07-22 10:44:52 -04:00
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
try {
// look for jar hell
Logging: Make ESLoggerFactory package private (#34199) Since all calls to `ESLoggerFactory` outside of the logging package were deprecated, it seemed like it'd simplify things to migrate all of the deprecated calls and declare `ESLoggerFactory` to be package private. This does that.
2018-10-06 09:54:08 -04:00
final Logger logger = LogManager.getLogger(JarHell.class);
Remove log4j dependency from elasticsearch-core (#28705) * Remove log4j dependency from elasticsearch-core This removes the log4j dependency from our elasticsearch-core project. It was originally necessary only for our jar classpath checking. It is now replaced by a `Consumer<String>` so that the es-core dependency doesn't have external dependencies. The parts of #28191 which were moved in conjunction (like `ESLoggerFactory` and `Loggers`) have been moved back where appropriate, since they are not required in the core jar. This is tangentially related to #28504 * Add javadocs for `output` parameter * Change @code to @link
2018-02-20 09:15:54 -07:00
JarHell.checkJarHell(logger::debug);
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
} catch (IOException | URISyntaxException e) {
throw new BootstrapException(e);
}
Process Stats: remove sigar specific stats from APIs and add JMX implementation
2015-07-06 09:37:11 +02:00
Move IfConfig.logIfNecessary call into bootstrap (#22455) This is related to #22116. A logIfNecessary() call makes a call to NetworkInterface.getInterfaceAddresses() requiring SocketPermission connect privileges. By moving this to bootstrap the logging call can be made before installing the SecurityManager.
2017-01-06 11:10:53 -06:00
// Log ifconfig output before SecurityManager is installed
IfConfig.logIfNecessary();
Remove JNI permissions, improve JNI testing.
2015-05-04 12:30:03 -04:00
// install SM after natives, shutdown hooks, etc.
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
try {
Security.configure(environment, BootstrapSettings.SECURITY_FILTER_BAD_DEFAULTS_SETTING.get(settings));
} catch (IOException | NoSuchAlgorithmException e) {
throw new BootstrapException(e);
}
add ability to prompt for selected settings on startup Some settings may be considered sensitive, such as passwords, and storing them in the configuration file on disk is not good from a security perspective. This change allows settings to have a special value, `${prompt::text}` or `${prompt::secret}`, to indicate that elasticsearch should prompt the user for the actual value on startup. This only works when started in the foreground. In cases where elasticsearch is started as a service or in the background, an exception will be thrown. Closes #10838
2015-04-30 13:14:05 -04:00
Persistent Node Names (#19456) With #19140 we started persisting the node ID across node restarts. Now that we have a "stable" anchor, we can use it to generate a stable default node name and make it easier to track nodes over a restarts. Sadly, this means we will not have those random fun Marvel characters but we feel this is the right tradeoff. On the implementation side, this requires a bit of juggling because we now need to read the node id from disk before we can log as the node node is part of each log message. The PR move the initialization of NodeEnvironment as high up in the starting sequence as possible, with only one logging message before it to indicate we are initializing. Things look now like this: ``` [2016-07-15 19:38:39,742][INFO ][node ] [_unset_] initializing ... [2016-07-15 19:38:39,826][INFO ][node ] [aAmiW40] node name set to [aAmiW40] by default. set the [node.name] settings to change it [2016-07-15 19:38:39,829][INFO ][env ] [aAmiW40] using [1] data paths, mounts [[ /(/dev/disk1)]], net usable_space [5.5gb], net total_space [232.6gb], spins? [unknown], types [hfs] [2016-07-15 19:38:39,830][INFO ][env ] [aAmiW40] heap size [1.9gb], compressed ordinary object pointers [true] [2016-07-15 19:38:39,837][INFO ][node ] [aAmiW40] version[5.0.0-alpha5-SNAPSHOT], pid[46048], build[473d3c0/2016-07-15T17:38:06.771Z], OS[Mac OS X/10.11.5/x86_64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_51/25.51-b03] [2016-07-15 19:38:40,980][INFO ][plugins ] [aAmiW40] modules [percolator, lang-mustache, lang-painless, reindex, aggs-matrix-stats, lang-expression, ingest-common, lang-groovy, transport-netty], plugins [] [2016-07-15 19:38:43,218][INFO ][node ] [aAmiW40] initialized ``` Needless to say, settings `node.name` explicitly still works as before. The commit also contains some clean ups to the relationship between Environment, Settings and Plugins. The previous code suggested the path related settings could be changed after the initial Environment was changed. This did not have any effect as the security manager already locked things down.
2016-07-23 22:46:48 +02:00
node = new Node(environment) {
Move bootstrap checks to node start This commit moves the execution of the bootstrap checks to after network services are started. This gives us the flexibility to not merely check if any of the network settings are set, but instead be smarter about it and check if the network settings are set in a way that means that the node will be communicating over an external network (either directly, or via a proxy). As an bonanza, executing the bootstrap checks in this way enables us to have the node name in the logs! Closes #17570
2016-04-07 09:10:46 -04:00
@Override
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
protected void validateNodeBeforeAcceptingRequests(
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
final BootstrapContext context,
Allow plugins to install bootstrap checks (#22110) Plugins also have the need to provide better OOTB experience by configuring defaults unless the plugin is used in _production_ mode. This change exposes the bootstrap check infrastructure as part of the plugin API to allow plugins to specify / install their own bootstrap checks if necessary.
2016-12-12 17:35:00 +01:00
final BoundTransportAddress boundTransportAddress, List<BootstrapCheck> checks) throws NodeValidationException {
Add BootstrapContext to expose settings and recovered state to bootstrap checks (#26628) This exposes the node settings and the persistent part of the cluster state to the bootstrap checks to allow plugins to enforce certain preconditions based on the recovered state.
2017-09-13 22:14:17 +02:00
BootstrapChecks.check(context, boundTransportAddress, checks);
Move bootstrap checks to node start This commit moves the execution of the bootstrap checks to after network services are started. This gives us the flexibility to not merely check if any of the network settings are set, but instead be smarter about it and check if the network settings are set in a way that means that the node will be communicating over an external network (either directly, or via a proxy). As an bonanza, executing the bootstrap checks in this way enables us to have the node name in the logs! Closes #17570
2016-04-07 09:10:46 -04:00
}
};
fix problem with outputting proper error when failing to parse configuration on startup
2010-03-20 00:28:15 +02:00
}
Remove NodeBuilder The NodeBuilder is currently used to construct a Node. However, this is really just yet-another-builder that wraps around a Settings.Builder witha couple convenience methods. But there are very few uses of these convenience methods. This change removes NodeBuilder, in favor of just using the Node constructor.
2015-12-09 23:57:14 -08:00
Persist created keystore on startup unless keystore is present (#26253) We already added the functionality to create a new keystore on startup in #26126 but apparently missed to persist the keystore. This change adds peristence and adds a test for the boostrap loading.
2017-08-17 15:32:23 +02:00
static SecureSettings loadSecureSettings(Environment initialEnv) throws BootstrapException {
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
final KeyStoreWrapper keystore;
try {
more renames
2017-01-06 01:03:45 -08:00
keystore = KeyStoreWrapper.load(initialEnv.configFile());
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
} catch (IOException e) {
throw new BootstrapException(e);
}
Password-protected Keystore Feature Branch PR (#51123) (#51510) * Reload secure settings with password (#43197) If a password is not set, we assume an empty string to be compatible with previous behavior. Only allow the reload to be broadcast to other nodes if TLS is enabled for the transport layer. * Add passphrase support to elasticsearch-keystore (#38498) This change adds support for keystore passphrases to all subcommands of the elasticsearch-keystore cli tool and adds a subcommand for changing the passphrase of an existing keystore. The work to read the passphrase in Elasticsearch when loading, which will be addressed in a different PR. Subcommands of elasticsearch-keystore can handle (open and create) passphrase protected keystores When reading a keystore, a user is only prompted for a passphrase only if the keystore is passphrase protected. When creating a keystore, a user is allowed (default behavior) to create one with an empty passphrase Passphrase can be set to be empty when changing/setting it for an existing keystore Relates to: #32691 Supersedes: #37472 * Restore behavior for force parameter (#44847) Turns out that the behavior of `-f` for the add and add-file sub commands where it would also forcibly create the keystore if it didn't exist, was by design - although undocumented. This change restores that behavior auto-creating a keystore that is not password protected if the force flag is used. The force OptionSpec is moved to the BaseKeyStoreCommand as we will presumably want to maintain the same behavior in any other command that takes a force option. * Handle pwd protected keystores in all CLI tools (#45289) This change ensures that `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` can handle a password protected elasticsearch.keystore. For setup passwords the user would be prompted to add the elasticsearch keystore password upon running the tool. There is no option to pass the password as a parameter as we assume the user is present in order to enter the desired passwords for the built-in users. For saml-metadata, we prompt for the keystore password at all times even though we'd only need to read something from the keystore when there is a signing or encryption configuration. * Modify docs for setup passwords and saml metadata cli (#45797) Adds a sentence in the documentation of `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` to describe that users would be prompted for the keystore's password when running these CLI tools, when the keystore is password protected. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> * Elasticsearch keystore passphrase for startup scripts (#44775) This commit allows a user to provide a keystore password on Elasticsearch startup, but only prompts when the keystore exists and is encrypted. The entrypoint in Java code is standard input. When the Bootstrap class is checking for secure keystore settings, it checks whether or not the keystore is encrypted. If so, we read one line from standard input and use this as the password. For simplicity's sake, we allow a maximum passphrase length of 128 characters. (This is an arbitrary limit and could be increased or eliminated. It is also enforced in the keystore tools, so that a user can't create a password that's too long to enter at startup.) In order to provide a password on standard input, we have to account for four different ways of starting Elasticsearch: the bash startup script, the Windows batch startup script, systemd startup, and docker startup. We use wrapper scripts to reduce systemd and docker to the bash case: in both cases, a wrapper script can read a passphrase from the filesystem and pass it to the bash script. In order to simplify testing the need for a passphrase, I have added a has-passwd command to the keystore tool. This command can run silently, and exit with status 0 when the keystore has a password. It exits with status 1 if the keystore doesn't exist or exists and is unencrypted. A good deal of the code-change in this commit has to do with refactoring packaging tests to cleanly use the same tests for both the "archive" and the "package" cases. This required not only moving tests around, but also adding some convenience methods for an abstraction layer over distribution-specific commands. * Adjust docs for password protected keystore (#45054) This commit adds relevant parts in the elasticsearch-keystore sub-commands reference docs and in the reload secure settings API doc. * Fix failing Keystore Passphrase test for feature branch (#50154) One problem with the passphrase-from-file tests, as written, is that they would leave a SystemD environment variable set when they failed, and this setting would cause elasticsearch startup to fail for other tests as well. By using a try-finally, I hope that these tests will fail more gracefully. It appears that our Fedora and Ubuntu environments may be configured to store journald information under /var rather than under /run, so that it will persist between boots. Our destructive tests that read from the journal need to account for this in order to avoid trying to limit the output we check in tests. * Run keystore management tests on docker distros (#50610) * Add Docker handling to PackagingTestCase Keystore tests need to be able to run in the Docker case. We can do this by using a DockerShell instead of a plain Shell when Docker is running. * Improve ES startup check for docker Previously we were checking truncated output for the packaged JDK as an indication that Elasticsearch had started. With new preliminary password checks, we might get a false positive from ES keystore commands, so we have to check specifically that the Elasticsearch class from the Bootstrap package is what's running. * Test password-protected keystore with Docker (#50803) This commit adds two tests for the case where we mount a password-protected keystore into a Docker container and provide a password via a Docker environment variable. We also fix a logging bug where we were logging the identifier for an array of strings rather than the contents of that array. * Add documentation for keystore startup prompting (#50821) When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. Co-authored-by: Lisa Cawley <lcawley@elastic.co> * Warn when unable to upgrade keystore on debian (#51011) For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This commit brings the same logic to the code for Debian packages. See the posttrans file for gets executed for RPMs. * Restore handling of string input Adds tests that were mistakenly removed. One of these tests proved we were not handling the the stdin (-x) option correctly when no input was added. This commit restores the original approach of reading stdin one char at a time until there is no more (-1, \r, \n) instead of using readline() that might return null * Apply spotless reformatting * Use '--since' flag to get recent journal messages When we get Elasticsearch logs from journald, we want to fetch only log messages from the last run. There are two reasons for this. First, if there are many logs, we might get a string that's too large for our utility methods. Second, when we're looking for a specific message or error, we almost certainly want to look only at messages from the last execution. Previously, we've been trying to do this by clearing out the physical files under the journald process. But there seems to be some contention over these directories: if journald writes a log file in between when our deletion command deletes the file and when it deletes the log directory, the deletion will fail. It seems to me that we might be able to use journald's "--since" flag to retrieve only log messages from the last run, and that this might be less likely to fail due to race conditions in file deletion. Unfortunately, it looks as if the "--since" flag has a granularity of one-second. I've added a two-second sleep to make sure that there's a sufficient gap between the test that will read from journald and the test before it. * Use new journald wrapper pattern * Update version added in secure settings request Co-authored-by: Lisa Cawley <lcawley@elastic.co> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
SecureString password;
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
try {
Password-protected Keystore Feature Branch PR (#51123) (#51510) * Reload secure settings with password (#43197) If a password is not set, we assume an empty string to be compatible with previous behavior. Only allow the reload to be broadcast to other nodes if TLS is enabled for the transport layer. * Add passphrase support to elasticsearch-keystore (#38498) This change adds support for keystore passphrases to all subcommands of the elasticsearch-keystore cli tool and adds a subcommand for changing the passphrase of an existing keystore. The work to read the passphrase in Elasticsearch when loading, which will be addressed in a different PR. Subcommands of elasticsearch-keystore can handle (open and create) passphrase protected keystores When reading a keystore, a user is only prompted for a passphrase only if the keystore is passphrase protected. When creating a keystore, a user is allowed (default behavior) to create one with an empty passphrase Passphrase can be set to be empty when changing/setting it for an existing keystore Relates to: #32691 Supersedes: #37472 * Restore behavior for force parameter (#44847) Turns out that the behavior of `-f` for the add and add-file sub commands where it would also forcibly create the keystore if it didn't exist, was by design - although undocumented. This change restores that behavior auto-creating a keystore that is not password protected if the force flag is used. The force OptionSpec is moved to the BaseKeyStoreCommand as we will presumably want to maintain the same behavior in any other command that takes a force option. * Handle pwd protected keystores in all CLI tools (#45289) This change ensures that `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` can handle a password protected elasticsearch.keystore. For setup passwords the user would be prompted to add the elasticsearch keystore password upon running the tool. There is no option to pass the password as a parameter as we assume the user is present in order to enter the desired passwords for the built-in users. For saml-metadata, we prompt for the keystore password at all times even though we'd only need to read something from the keystore when there is a signing or encryption configuration. * Modify docs for setup passwords and saml metadata cli (#45797) Adds a sentence in the documentation of `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` to describe that users would be prompted for the keystore's password when running these CLI tools, when the keystore is password protected. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> * Elasticsearch keystore passphrase for startup scripts (#44775) This commit allows a user to provide a keystore password on Elasticsearch startup, but only prompts when the keystore exists and is encrypted. The entrypoint in Java code is standard input. When the Bootstrap class is checking for secure keystore settings, it checks whether or not the keystore is encrypted. If so, we read one line from standard input and use this as the password. For simplicity's sake, we allow a maximum passphrase length of 128 characters. (This is an arbitrary limit and could be increased or eliminated. It is also enforced in the keystore tools, so that a user can't create a password that's too long to enter at startup.) In order to provide a password on standard input, we have to account for four different ways of starting Elasticsearch: the bash startup script, the Windows batch startup script, systemd startup, and docker startup. We use wrapper scripts to reduce systemd and docker to the bash case: in both cases, a wrapper script can read a passphrase from the filesystem and pass it to the bash script. In order to simplify testing the need for a passphrase, I have added a has-passwd command to the keystore tool. This command can run silently, and exit with status 0 when the keystore has a password. It exits with status 1 if the keystore doesn't exist or exists and is unencrypted. A good deal of the code-change in this commit has to do with refactoring packaging tests to cleanly use the same tests for both the "archive" and the "package" cases. This required not only moving tests around, but also adding some convenience methods for an abstraction layer over distribution-specific commands. * Adjust docs for password protected keystore (#45054) This commit adds relevant parts in the elasticsearch-keystore sub-commands reference docs and in the reload secure settings API doc. * Fix failing Keystore Passphrase test for feature branch (#50154) One problem with the passphrase-from-file tests, as written, is that they would leave a SystemD environment variable set when they failed, and this setting would cause elasticsearch startup to fail for other tests as well. By using a try-finally, I hope that these tests will fail more gracefully. It appears that our Fedora and Ubuntu environments may be configured to store journald information under /var rather than under /run, so that it will persist between boots. Our destructive tests that read from the journal need to account for this in order to avoid trying to limit the output we check in tests. * Run keystore management tests on docker distros (#50610) * Add Docker handling to PackagingTestCase Keystore tests need to be able to run in the Docker case. We can do this by using a DockerShell instead of a plain Shell when Docker is running. * Improve ES startup check for docker Previously we were checking truncated output for the packaged JDK as an indication that Elasticsearch had started. With new preliminary password checks, we might get a false positive from ES keystore commands, so we have to check specifically that the Elasticsearch class from the Bootstrap package is what's running. * Test password-protected keystore with Docker (#50803) This commit adds two tests for the case where we mount a password-protected keystore into a Docker container and provide a password via a Docker environment variable. We also fix a logging bug where we were logging the identifier for an array of strings rather than the contents of that array. * Add documentation for keystore startup prompting (#50821) When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. Co-authored-by: Lisa Cawley <lcawley@elastic.co> * Warn when unable to upgrade keystore on debian (#51011) For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This commit brings the same logic to the code for Debian packages. See the posttrans file for gets executed for RPMs. * Restore handling of string input Adds tests that were mistakenly removed. One of these tests proved we were not handling the the stdin (-x) option correctly when no input was added. This commit restores the original approach of reading stdin one char at a time until there is no more (-1, \r, \n) instead of using readline() that might return null * Apply spotless reformatting * Use '--since' flag to get recent journal messages When we get Elasticsearch logs from journald, we want to fetch only log messages from the last run. There are two reasons for this. First, if there are many logs, we might get a string that's too large for our utility methods. Second, when we're looking for a specific message or error, we almost certainly want to look only at messages from the last execution. Previously, we've been trying to do this by clearing out the physical files under the journald process. But there seems to be some contention over these directories: if journald writes a log file in between when our deletion command deletes the file and when it deletes the log directory, the deletion will fail. It seems to me that we might be able to use journald's "--since" flag to retrieve only log messages from the last run, and that this might be less likely to fail due to race conditions in file deletion. Unfortunately, it looks as if the "--since" flag has a granularity of one-second. I've added a two-second sleep to make sure that there's a sufficient gap between the test that will read from journald and the test before it. * Use new journald wrapper pattern * Update version added in secure settings request Co-authored-by: Lisa Cawley <lcawley@elastic.co> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
if (keystore != null && keystore.hasPassword()) {
password = readPassphrase(System.in, KeyStoreAwareCommand.MAX_PASSPHRASE_LENGTH);
} else {
password = new SecureString(new char[0]);
}
} catch (IOException e) {
throw new BootstrapException(e);
}
try{
Create keystore on package install (#28928) This commit removes the ability to specify that a plugin requires the keystore and instead creates the keystore on package installation or when Elasticsearch is started for the first time. The reason that we opt to create the keystore on package installation is to ensure that the keystore has the correct permissions (the package installation scripts run as root as opposed to Elasticsearch running as the elasticsearch user) and to enable removing the keystore on package removal if the keystore is not modified.
2018-03-12 12:48:00 -04:00
if (keystore == null) {
final KeyStoreWrapper keyStoreWrapper = KeyStoreWrapper.create();
keyStoreWrapper.save(initialEnv.configFile(), new char[0]);
return keyStoreWrapper;
} else {
Password-protected Keystore Feature Branch PR (#51123) (#51510) * Reload secure settings with password (#43197) If a password is not set, we assume an empty string to be compatible with previous behavior. Only allow the reload to be broadcast to other nodes if TLS is enabled for the transport layer. * Add passphrase support to elasticsearch-keystore (#38498) This change adds support for keystore passphrases to all subcommands of the elasticsearch-keystore cli tool and adds a subcommand for changing the passphrase of an existing keystore. The work to read the passphrase in Elasticsearch when loading, which will be addressed in a different PR. Subcommands of elasticsearch-keystore can handle (open and create) passphrase protected keystores When reading a keystore, a user is only prompted for a passphrase only if the keystore is passphrase protected. When creating a keystore, a user is allowed (default behavior) to create one with an empty passphrase Passphrase can be set to be empty when changing/setting it for an existing keystore Relates to: #32691 Supersedes: #37472 * Restore behavior for force parameter (#44847) Turns out that the behavior of `-f` for the add and add-file sub commands where it would also forcibly create the keystore if it didn't exist, was by design - although undocumented. This change restores that behavior auto-creating a keystore that is not password protected if the force flag is used. The force OptionSpec is moved to the BaseKeyStoreCommand as we will presumably want to maintain the same behavior in any other command that takes a force option. * Handle pwd protected keystores in all CLI tools (#45289) This change ensures that `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` can handle a password protected elasticsearch.keystore. For setup passwords the user would be prompted to add the elasticsearch keystore password upon running the tool. There is no option to pass the password as a parameter as we assume the user is present in order to enter the desired passwords for the built-in users. For saml-metadata, we prompt for the keystore password at all times even though we'd only need to read something from the keystore when there is a signing or encryption configuration. * Modify docs for setup passwords and saml metadata cli (#45797) Adds a sentence in the documentation of `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` to describe that users would be prompted for the keystore's password when running these CLI tools, when the keystore is password protected. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> * Elasticsearch keystore passphrase for startup scripts (#44775) This commit allows a user to provide a keystore password on Elasticsearch startup, but only prompts when the keystore exists and is encrypted. The entrypoint in Java code is standard input. When the Bootstrap class is checking for secure keystore settings, it checks whether or not the keystore is encrypted. If so, we read one line from standard input and use this as the password. For simplicity's sake, we allow a maximum passphrase length of 128 characters. (This is an arbitrary limit and could be increased or eliminated. It is also enforced in the keystore tools, so that a user can't create a password that's too long to enter at startup.) In order to provide a password on standard input, we have to account for four different ways of starting Elasticsearch: the bash startup script, the Windows batch startup script, systemd startup, and docker startup. We use wrapper scripts to reduce systemd and docker to the bash case: in both cases, a wrapper script can read a passphrase from the filesystem and pass it to the bash script. In order to simplify testing the need for a passphrase, I have added a has-passwd command to the keystore tool. This command can run silently, and exit with status 0 when the keystore has a password. It exits with status 1 if the keystore doesn't exist or exists and is unencrypted. A good deal of the code-change in this commit has to do with refactoring packaging tests to cleanly use the same tests for both the "archive" and the "package" cases. This required not only moving tests around, but also adding some convenience methods for an abstraction layer over distribution-specific commands. * Adjust docs for password protected keystore (#45054) This commit adds relevant parts in the elasticsearch-keystore sub-commands reference docs and in the reload secure settings API doc. * Fix failing Keystore Passphrase test for feature branch (#50154) One problem with the passphrase-from-file tests, as written, is that they would leave a SystemD environment variable set when they failed, and this setting would cause elasticsearch startup to fail for other tests as well. By using a try-finally, I hope that these tests will fail more gracefully. It appears that our Fedora and Ubuntu environments may be configured to store journald information under /var rather than under /run, so that it will persist between boots. Our destructive tests that read from the journal need to account for this in order to avoid trying to limit the output we check in tests. * Run keystore management tests on docker distros (#50610) * Add Docker handling to PackagingTestCase Keystore tests need to be able to run in the Docker case. We can do this by using a DockerShell instead of a plain Shell when Docker is running. * Improve ES startup check for docker Previously we were checking truncated output for the packaged JDK as an indication that Elasticsearch had started. With new preliminary password checks, we might get a false positive from ES keystore commands, so we have to check specifically that the Elasticsearch class from the Bootstrap package is what's running. * Test password-protected keystore with Docker (#50803) This commit adds two tests for the case where we mount a password-protected keystore into a Docker container and provide a password via a Docker environment variable. We also fix a logging bug where we were logging the identifier for an array of strings rather than the contents of that array. * Add documentation for keystore startup prompting (#50821) When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. Co-authored-by: Lisa Cawley <lcawley@elastic.co> * Warn when unable to upgrade keystore on debian (#51011) For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This commit brings the same logic to the code for Debian packages. See the posttrans file for gets executed for RPMs. * Restore handling of string input Adds tests that were mistakenly removed. One of these tests proved we were not handling the the stdin (-x) option correctly when no input was added. This commit restores the original approach of reading stdin one char at a time until there is no more (-1, \r, \n) instead of using readline() that might return null * Apply spotless reformatting * Use '--since' flag to get recent journal messages When we get Elasticsearch logs from journald, we want to fetch only log messages from the last run. There are two reasons for this. First, if there are many logs, we might get a string that's too large for our utility methods. Second, when we're looking for a specific message or error, we almost certainly want to look only at messages from the last execution. Previously, we've been trying to do this by clearing out the physical files under the journald process. But there seems to be some contention over these directories: if journald writes a log file in between when our deletion command deletes the file and when it deletes the log directory, the deletion will fail. It seems to me that we might be able to use journald's "--since" flag to retrieve only log messages from the last run, and that this might be less likely to fail due to race conditions in file deletion. Unfortunately, it looks as if the "--since" flag has a granularity of one-second. I've added a two-second sleep to make sure that there's a sufficient gap between the test that will read from journald and the test before it. * Use new journald wrapper pattern * Update version added in secure settings request Co-authored-by: Lisa Cawley <lcawley@elastic.co> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
keystore.decrypt(password.getChars());
KeyStoreWrapper.upgrade(keystore, initialEnv.configFile(), password.getChars());
Create keystore on package install (#28928) This commit removes the ability to specify that a plugin requires the keystore and instead creates the keystore on package installation or when Elasticsearch is started for the first time. The reason that we opt to create the keystore on package installation is to ensure that the keystore has the correct permissions (the package installation scripts run as root as opposed to Elasticsearch running as the elasticsearch user) and to enable removing the keystore on package removal if the keystore is not modified.
2018-03-12 12:48:00 -04:00
}
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
} catch (Exception e) {
throw new BootstrapException(e);
Password-protected Keystore Feature Branch PR (#51123) (#51510) * Reload secure settings with password (#43197) If a password is not set, we assume an empty string to be compatible with previous behavior. Only allow the reload to be broadcast to other nodes if TLS is enabled for the transport layer. * Add passphrase support to elasticsearch-keystore (#38498) This change adds support for keystore passphrases to all subcommands of the elasticsearch-keystore cli tool and adds a subcommand for changing the passphrase of an existing keystore. The work to read the passphrase in Elasticsearch when loading, which will be addressed in a different PR. Subcommands of elasticsearch-keystore can handle (open and create) passphrase protected keystores When reading a keystore, a user is only prompted for a passphrase only if the keystore is passphrase protected. When creating a keystore, a user is allowed (default behavior) to create one with an empty passphrase Passphrase can be set to be empty when changing/setting it for an existing keystore Relates to: #32691 Supersedes: #37472 * Restore behavior for force parameter (#44847) Turns out that the behavior of `-f` for the add and add-file sub commands where it would also forcibly create the keystore if it didn't exist, was by design - although undocumented. This change restores that behavior auto-creating a keystore that is not password protected if the force flag is used. The force OptionSpec is moved to the BaseKeyStoreCommand as we will presumably want to maintain the same behavior in any other command that takes a force option. * Handle pwd protected keystores in all CLI tools (#45289) This change ensures that `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` can handle a password protected elasticsearch.keystore. For setup passwords the user would be prompted to add the elasticsearch keystore password upon running the tool. There is no option to pass the password as a parameter as we assume the user is present in order to enter the desired passwords for the built-in users. For saml-metadata, we prompt for the keystore password at all times even though we'd only need to read something from the keystore when there is a signing or encryption configuration. * Modify docs for setup passwords and saml metadata cli (#45797) Adds a sentence in the documentation of `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` to describe that users would be prompted for the keystore's password when running these CLI tools, when the keystore is password protected. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> * Elasticsearch keystore passphrase for startup scripts (#44775) This commit allows a user to provide a keystore password on Elasticsearch startup, but only prompts when the keystore exists and is encrypted. The entrypoint in Java code is standard input. When the Bootstrap class is checking for secure keystore settings, it checks whether or not the keystore is encrypted. If so, we read one line from standard input and use this as the password. For simplicity's sake, we allow a maximum passphrase length of 128 characters. (This is an arbitrary limit and could be increased or eliminated. It is also enforced in the keystore tools, so that a user can't create a password that's too long to enter at startup.) In order to provide a password on standard input, we have to account for four different ways of starting Elasticsearch: the bash startup script, the Windows batch startup script, systemd startup, and docker startup. We use wrapper scripts to reduce systemd and docker to the bash case: in both cases, a wrapper script can read a passphrase from the filesystem and pass it to the bash script. In order to simplify testing the need for a passphrase, I have added a has-passwd command to the keystore tool. This command can run silently, and exit with status 0 when the keystore has a password. It exits with status 1 if the keystore doesn't exist or exists and is unencrypted. A good deal of the code-change in this commit has to do with refactoring packaging tests to cleanly use the same tests for both the "archive" and the "package" cases. This required not only moving tests around, but also adding some convenience methods for an abstraction layer over distribution-specific commands. * Adjust docs for password protected keystore (#45054) This commit adds relevant parts in the elasticsearch-keystore sub-commands reference docs and in the reload secure settings API doc. * Fix failing Keystore Passphrase test for feature branch (#50154) One problem with the passphrase-from-file tests, as written, is that they would leave a SystemD environment variable set when they failed, and this setting would cause elasticsearch startup to fail for other tests as well. By using a try-finally, I hope that these tests will fail more gracefully. It appears that our Fedora and Ubuntu environments may be configured to store journald information under /var rather than under /run, so that it will persist between boots. Our destructive tests that read from the journal need to account for this in order to avoid trying to limit the output we check in tests. * Run keystore management tests on docker distros (#50610) * Add Docker handling to PackagingTestCase Keystore tests need to be able to run in the Docker case. We can do this by using a DockerShell instead of a plain Shell when Docker is running. * Improve ES startup check for docker Previously we were checking truncated output for the packaged JDK as an indication that Elasticsearch had started. With new preliminary password checks, we might get a false positive from ES keystore commands, so we have to check specifically that the Elasticsearch class from the Bootstrap package is what's running. * Test password-protected keystore with Docker (#50803) This commit adds two tests for the case where we mount a password-protected keystore into a Docker container and provide a password via a Docker environment variable. We also fix a logging bug where we were logging the identifier for an array of strings rather than the contents of that array. * Add documentation for keystore startup prompting (#50821) When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. Co-authored-by: Lisa Cawley <lcawley@elastic.co> * Warn when unable to upgrade keystore on debian (#51011) For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This commit brings the same logic to the code for Debian packages. See the posttrans file for gets executed for RPMs. * Restore handling of string input Adds tests that were mistakenly removed. One of these tests proved we were not handling the the stdin (-x) option correctly when no input was added. This commit restores the original approach of reading stdin one char at a time until there is no more (-1, \r, \n) instead of using readline() that might return null * Apply spotless reformatting * Use '--since' flag to get recent journal messages When we get Elasticsearch logs from journald, we want to fetch only log messages from the last run. There are two reasons for this. First, if there are many logs, we might get a string that's too large for our utility methods. Second, when we're looking for a specific message or error, we almost certainly want to look only at messages from the last execution. Previously, we've been trying to do this by clearing out the physical files under the journald process. But there seems to be some contention over these directories: if journald writes a log file in between when our deletion command deletes the file and when it deletes the log directory, the deletion will fail. It seems to me that we might be able to use journald's "--since" flag to retrieve only log messages from the last run, and that this might be less likely to fail due to race conditions in file deletion. Unfortunately, it looks as if the "--since" flag has a granularity of one-second. I've added a two-second sleep to make sure that there's a sufficient gap between the test that will read from journald and the test before it. * Use new journald wrapper pattern * Update version added in secure settings request Co-authored-by: Lisa Cawley <lcawley@elastic.co> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
} finally {
password.close();
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
}
return keystore;
}
Password-protected Keystore Feature Branch PR (#51123) (#51510) * Reload secure settings with password (#43197) If a password is not set, we assume an empty string to be compatible with previous behavior. Only allow the reload to be broadcast to other nodes if TLS is enabled for the transport layer. * Add passphrase support to elasticsearch-keystore (#38498) This change adds support for keystore passphrases to all subcommands of the elasticsearch-keystore cli tool and adds a subcommand for changing the passphrase of an existing keystore. The work to read the passphrase in Elasticsearch when loading, which will be addressed in a different PR. Subcommands of elasticsearch-keystore can handle (open and create) passphrase protected keystores When reading a keystore, a user is only prompted for a passphrase only if the keystore is passphrase protected. When creating a keystore, a user is allowed (default behavior) to create one with an empty passphrase Passphrase can be set to be empty when changing/setting it for an existing keystore Relates to: #32691 Supersedes: #37472 * Restore behavior for force parameter (#44847) Turns out that the behavior of `-f` for the add and add-file sub commands where it would also forcibly create the keystore if it didn't exist, was by design - although undocumented. This change restores that behavior auto-creating a keystore that is not password protected if the force flag is used. The force OptionSpec is moved to the BaseKeyStoreCommand as we will presumably want to maintain the same behavior in any other command that takes a force option. * Handle pwd protected keystores in all CLI tools (#45289) This change ensures that `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` can handle a password protected elasticsearch.keystore. For setup passwords the user would be prompted to add the elasticsearch keystore password upon running the tool. There is no option to pass the password as a parameter as we assume the user is present in order to enter the desired passwords for the built-in users. For saml-metadata, we prompt for the keystore password at all times even though we'd only need to read something from the keystore when there is a signing or encryption configuration. * Modify docs for setup passwords and saml metadata cli (#45797) Adds a sentence in the documentation of `elasticsearch-setup-passwords` and `elasticsearch-saml-metadata` to describe that users would be prompted for the keystore's password when running these CLI tools, when the keystore is password protected. Co-Authored-By: Lisa Cawley <lcawley@elastic.co> * Elasticsearch keystore passphrase for startup scripts (#44775) This commit allows a user to provide a keystore password on Elasticsearch startup, but only prompts when the keystore exists and is encrypted. The entrypoint in Java code is standard input. When the Bootstrap class is checking for secure keystore settings, it checks whether or not the keystore is encrypted. If so, we read one line from standard input and use this as the password. For simplicity's sake, we allow a maximum passphrase length of 128 characters. (This is an arbitrary limit and could be increased or eliminated. It is also enforced in the keystore tools, so that a user can't create a password that's too long to enter at startup.) In order to provide a password on standard input, we have to account for four different ways of starting Elasticsearch: the bash startup script, the Windows batch startup script, systemd startup, and docker startup. We use wrapper scripts to reduce systemd and docker to the bash case: in both cases, a wrapper script can read a passphrase from the filesystem and pass it to the bash script. In order to simplify testing the need for a passphrase, I have added a has-passwd command to the keystore tool. This command can run silently, and exit with status 0 when the keystore has a password. It exits with status 1 if the keystore doesn't exist or exists and is unencrypted. A good deal of the code-change in this commit has to do with refactoring packaging tests to cleanly use the same tests for both the "archive" and the "package" cases. This required not only moving tests around, but also adding some convenience methods for an abstraction layer over distribution-specific commands. * Adjust docs for password protected keystore (#45054) This commit adds relevant parts in the elasticsearch-keystore sub-commands reference docs and in the reload secure settings API doc. * Fix failing Keystore Passphrase test for feature branch (#50154) One problem with the passphrase-from-file tests, as written, is that they would leave a SystemD environment variable set when they failed, and this setting would cause elasticsearch startup to fail for other tests as well. By using a try-finally, I hope that these tests will fail more gracefully. It appears that our Fedora and Ubuntu environments may be configured to store journald information under /var rather than under /run, so that it will persist between boots. Our destructive tests that read from the journal need to account for this in order to avoid trying to limit the output we check in tests. * Run keystore management tests on docker distros (#50610) * Add Docker handling to PackagingTestCase Keystore tests need to be able to run in the Docker case. We can do this by using a DockerShell instead of a plain Shell when Docker is running. * Improve ES startup check for docker Previously we were checking truncated output for the packaged JDK as an indication that Elasticsearch had started. With new preliminary password checks, we might get a false positive from ES keystore commands, so we have to check specifically that the Elasticsearch class from the Bootstrap package is what's running. * Test password-protected keystore with Docker (#50803) This commit adds two tests for the case where we mount a password-protected keystore into a Docker container and provide a password via a Docker environment variable. We also fix a logging bug where we were logging the identifier for an array of strings rather than the contents of that array. * Add documentation for keystore startup prompting (#50821) When a keystore is password-protected, Elasticsearch will prompt at startup. This commit adds documentation for this prompt for the archive, systemd, and Docker cases. Co-authored-by: Lisa Cawley <lcawley@elastic.co> * Warn when unable to upgrade keystore on debian (#51011) For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This commit brings the same logic to the code for Debian packages. See the posttrans file for gets executed for RPMs. * Restore handling of string input Adds tests that were mistakenly removed. One of these tests proved we were not handling the the stdin (-x) option correctly when no input was added. This commit restores the original approach of reading stdin one char at a time until there is no more (-1, \r, \n) instead of using readline() that might return null * Apply spotless reformatting * Use '--since' flag to get recent journal messages When we get Elasticsearch logs from journald, we want to fetch only log messages from the last run. There are two reasons for this. First, if there are many logs, we might get a string that's too large for our utility methods. Second, when we're looking for a specific message or error, we almost certainly want to look only at messages from the last execution. Previously, we've been trying to do this by clearing out the physical files under the journald process. But there seems to be some contention over these directories: if journald writes a log file in between when our deletion command deletes the file and when it deletes the log directory, the deletion will fail. It seems to me that we might be able to use journald's "--since" flag to retrieve only log messages from the last run, and that this might be less likely to fail due to race conditions in file deletion. Unfortunately, it looks as if the "--since" flag has a granularity of one-second. I've added a two-second sleep to make sure that there's a sufficient gap between the test that will read from journald and the test before it. * Use new journald wrapper pattern * Update version added in secure settings request Co-authored-by: Lisa Cawley <lcawley@elastic.co> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
// visible for tests
/**
* Read from an InputStream up to the first carriage return or newline,
* returning no more than maxLength characters.
*/
static SecureString readPassphrase(InputStream stream, int maxLength) throws IOException {
SecureString passphrase;
try(InputStreamReader reader = new InputStreamReader(stream, StandardCharsets.UTF_8)) {
passphrase = new SecureString(Terminal.readLineToCharArray(reader, maxLength));
} catch (RuntimeException e) {
if (e.getMessage().startsWith("Input exceeded maximum length")) {
throw new IllegalStateException("Password exceeded maximum length of " + maxLength, e);
}
throw e;
}
if (passphrase.length() == 0) {
passphrase.close();
throw new IllegalStateException("Keystore passphrase required but none provided.");
}
return passphrase;
}
Remove path.conf setting This commit removes path.conf as a valid setting and replaces it with a command-line flag for specifying a non-default path for configuration. Relates #25392
2017-06-26 15:18:29 -04:00
private static Environment createEnvironment(
final Path pidFile,
final SecureSettings secureSettings,
final Settings initialSettings,
final Path configPath) {
Bootstrap does not set system properties Today, certain bootstrap properties are set and read via system properties. This action-at-distance way of managing these properties is rather confusing, and completely unnecessary. But another problem exists with setting these as system properties. Namely, these system properties are interpreted as Elasticsearch settings, not all of which are registered. This leads to Elasticsearch failing to startup if any of these special properties are set. Instead, these properties should be kept as local as possible, and passed around as method parameters where needed. This eliminates the action-at-distance way of handling these properties, and eliminates the need to register these non-setting properties. This commit does exactly that. Additionally, today we use the "-D" command line flag to set the properties, but this is confusing because "-D" is a special flag to the JVM for setting system properties. This creates confusion because some "-D" properties should be passed via arguments to the JVM (so via ES_JAVA_OPTS), and some should be passed as arguments to Elasticsearch. This commit changes the "-D" flag for Elasticsearch settings to "-E".
2016-03-13 09:10:56 -04:00
Settings.Builder builder = Settings.builder();
Dependencies: Update to jopt-5.0 (#19278) The new version of jopt allows us to remove a couple of TODOs in the code. Closes #12368
2016-07-07 08:50:10 +02:00
if (pidFile != null) {
Deprecate the pidfile setting (#45938) This commit deprecates the pidfile setting in favor of node.pidfile.
2019-08-23 21:27:55 -04:00
builder.put(Environment.NODE_PIDFILE_SETTING.getKey(), pidFile);
Bootstrap does not set system properties Today, certain bootstrap properties are set and read via system properties. This action-at-distance way of managing these properties is rather confusing, and completely unnecessary. But another problem exists with setting these as system properties. Namely, these system properties are interpreted as Elasticsearch settings, not all of which are registered. This leads to Elasticsearch failing to startup if any of these special properties are set. Instead, these properties should be kept as local as possible, and passed around as method parameters where needed. This eliminates the action-at-distance way of handling these properties, and eliminates the need to register these non-setting properties. This commit does exactly that. Additionally, today we use the "-D" command line flag to set the properties, but this is confusing because "-D" is a special flag to the JVM for setting system properties. This creates confusion because some "-D" properties should be passed via arguments to the JVM (so via ES_JAVA_OPTS), and some should be passed as arguments to Elasticsearch. This commit changes the "-D" flag for Elasticsearch settings to "-E".
2016-03-13 09:10:56 -04:00
}
Internal: Refactor SettingCommand into EnvironmentAwareCommand (#22175) * Internal: Refactor SettingCommand into EnvironmentAwareCommand This change renames and changes the behavior of SettingCommand to have its primary method take in a fully initialized Environment for elasticsearch instead of just a map of settings. All of the subclasses of SettingCommand already did this at some point, so this just removes duplication.
2016-12-19 15:23:44 -08:00
builder.put(initialSettings);
Make s3 repository sensitive settings use secure settings (#22479) * Settings: Make s3 repository sensitive settings use secure settings This change converts repository-s3 to use the new secure settings. In order to support the multiple ways we allow aws creds to be configured, it also moves the main methods for the keystore wrapper into a SecureSettings interface, in order to allow settings prefixing to work.
2017-01-11 11:19:46 -08:00
if (secureSettings != null) {
builder.setSecureSettings(secureSettings);
fix NPE
2017-01-06 09:11:07 -08:00
}
Core: Default node.name to the hostname (#33677) Changes the default of the `node.name` setting to the hostname of the machine on which Elasticsearch is running. Previously it was the first 8 characters of the node id. This had the advantage of producing a unique name even when the node name isn't configured but the disadvantage of being unrecognizable and not being available until fairly late in the startup process. Of particular interest is that it isn't available until after logging is configured. This forces us to use a volatile read whenever we add the node name to the log. Using the hostname is available immediately on startup and is generally recognizable but has the disadvantage of not being unique when run on machines that don't set their hostname or when multiple elasticsearch processes are run on the same host. I believe that, taken together, it is better to default to the hostname. 1. Running multiple copies of Elasticsearch on the same node is a fairly advanced feature. We do it all the as part of the elasticsearch build for testing but we make sure to set the node name then. 2. That the node.name defaults to some flavor of "localhost" on an unconfigured box feels like it isn't going to come up too much in production. I expect most production deployments to at least set the hostname. As a bonus, production deployments need no longer set the node name in most cases. At least in my experience most folks set it to the hostname anyway.
2018-09-19 15:21:29 -04:00
return InternalSettingsPreparer.prepareEnvironment(builder.build(), Collections.emptyMap(), configPath,
// HOSTNAME is set by elasticsearch-env and elasticsearch-env.bat so it is always available
() -> System.getenv("HOSTNAME"));
initial commit
2010-02-08 15:30:06 +02:00
}
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
private void start() throws NodeValidationException {
rename Server to Node to better reflect its usage (it can be a client node), also add on the NodeBuilder helper methods to set common settings
2010-04-09 00:54:54 +03:00
node.start();
Remove exitVM permission
2015-05-04 14:06:32 -04:00
keepAliveThread.start();
initial commit
2010-02-08 15:30:06 +02:00
}
Ensure all resoruces are closed on Node#close() We are leaking all kinds of resources if something during Node#close() barfs. This commit cuts over to a list of closeables to release resources that also closed remaining services if one or more services fail to close. Closes #13685
2016-01-29 16:18:21 +01:00
static void stop() throws IOException {
Remove exitVM permission
2015-05-04 14:06:32 -04:00
try {
Avoid race when shutting down controller processes (#24579) This commit terminates any controller processes plugins might have after the node has been closed. This gives the plugins a chance to shut down their controllers gracefully. Previously there was a race condition where controller processes could be shut down gracefully and terminated by two threads running in parallel, leading to non-deterministic outcomes. Additionally, controller processes that failed to shut down gracefully were not forcibly terminated when running as a Windows service; there was a reliance on the plugin to shut down its controller gracefully in this situation. This commit also fixes this problem.
2017-05-10 14:59:14 +01:00
IOUtils.close(INSTANCE.node, INSTANCE.spawner);
Clean up Node#close. (#39317) (#41301) `Node#close` is pretty hard to rely on today: - it might swallow exceptions - it waits for 10 seconds for threads to terminate but doesn't signal anything if threads are still not terminated after 10 seconds This commit makes `IOException`s propagated and splits `Node#close` into `Node#close` and `Node#awaitClose` so that the decision what to do if a node takes too long to close can be done on top of `Node#close`. It also adds synchronization to lifecycle transitions to make them atomic. I don't think it is a source of problems today, but it makes things easier to reason about.
2019-04-17 16:10:53 +02:00
if (INSTANCE.node != null && INSTANCE.node.awaitClose(10, TimeUnit.SECONDS) == false) {
throw new IllegalStateException("Node didn't stop within 10 seconds. Any outstanding requests or tasks might get killed.");
}
} catch (InterruptedException e) {
LogManager.getLogger(Bootstrap.class).warn("Thread got interrupted while waiting for the node to shutdown.");
Thread.currentThread().interrupt();
Remove exitVM permission
2015-05-04 14:06:32 -04:00
} finally {
Packaging: Fix Windows service start/stop issues This commit addresses several bugs that prevented the Windows service from being started or stopped: - Extra white space in the concatenation of java options in elasticsearch.in.bat which tripped up Apache Commons Daemon and caused ES to startup without any params, eventually leading to the "path.home is not configured" exception. - service.bat was not passing the start argument to ES - The service could not be stopped gracefully via the stop command because there wasn't a method for procrun to call. Closes #13247 Closes #13401
2015-09-08 10:38:12 -04:00
INSTANCE.keepAliveLatch.countDown();
Remove exitVM permission
2015-05-04 14:06:32 -04:00
}
add static close methods to main class entry point
2011-10-17 20:25:41 +02:00
}
initial commit
2010-02-08 15:30:06 +02:00
Cleanup bootstrap package. * makes most classes final and package private * removes duplicate and confusing multiple entry points * adds javadocs to some classes like JarHell,Security * adds a public class BootStrapInfo that exposes any stats needed by outside code.
2015-08-21 23:28:56 -04:00
/**
[Rename] Refactor ES and Elasticsearch classes in server module bootstrap package (#197) This commit refactors the heavily used ESPolicy, Elasticsearch (main class), and Elasticsearch prefixed test classes used in the bootstrap package under the server module. Refactoring the namespace will come in a separate commit. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 11:53:55 -06:00
* This method is invoked by {@link OpenSearch#main(String[])} to startup opensearch.
Cleanup bootstrap package. * makes most classes final and package private * removes duplicate and confusing multiple entry points * adds javadocs to some classes like JarHell,Security * adds a public class BootStrapInfo that exposes any stats needed by outside code.
2015-08-21 23:28:56 -04:00
*/
Bootstrap does not set system properties Today, certain bootstrap properties are set and read via system properties. This action-at-distance way of managing these properties is rather confusing, and completely unnecessary. But another problem exists with setting these as system properties. Namely, these system properties are interpreted as Elasticsearch settings, not all of which are registered. This leads to Elasticsearch failing to startup if any of these special properties are set. Instead, these properties should be kept as local as possible, and passed around as method parameters where needed. This eliminates the action-at-distance way of handling these properties, and eliminates the need to register these non-setting properties. This commit does exactly that. Additionally, today we use the "-D" command line flag to set the properties, but this is confusing because "-D" is a special flag to the JVM for setting system properties. This creates confusion because some "-D" properties should be passed via arguments to the JVM (so via ES_JAVA_OPTS), and some should be passed as arguments to Elasticsearch. This commit changes the "-D" flag for Elasticsearch settings to "-E".
2016-03-13 09:10:56 -04:00
static void init(
Rename "daemonize" to "foreground" This commit renames the Bootstrap#init parameter "daemonize" to "foreground" for clarity.
2016-03-15 09:27:01 -04:00
final boolean foreground,
Dependencies: Update to jopt-5.0 (#19278) The new version of jopt allows us to remove a couple of TODOs in the code. Closes #12368
2016-07-07 08:50:10 +02:00
final Path pidFile,
Add quiet option to disable console logging (#20422) This commit adds a -q/--quiet option to Elasticsearch so that it does not log anything in the console and closes stdout & stderr streams. This is useful for SystemD to avoid duplicate logs in both journalctl and /var/log/elasticsearch/elasticsearch.log while still allows the JVM to print error messages in stdout/stderr if needed. closes #17220
2016-09-12 16:56:13 +02:00
final boolean quiet,
more renames
2017-01-06 01:03:45 -08:00
final Environment initialEnv) throws BootstrapException, NodeValidationException, UserException {
Remove settings and system properties entanglement Today when parsing settings during bootstrap, we add a system property for every Elasticsearch setting. Additionally, settings can be set via system properties. This commit simplifies this situation. - settings are no longer propogated to system properties - system properties can not be used to set settings - the "es." prefix on settings is no longer required (nor permitted) - test logging has a dedicated system property (tests.logger.level) Relates #18198
2016-05-19 14:08:08 -04:00
// force the class initializer for BootstrapInfo to run before
// the security manager is installed
BootstrapInfo.init();
More tests
2016-03-08 17:27:53 -08:00
Remove exitVM permission
2015-05-04 14:06:32 -04:00
INSTANCE = new Bootstrap();
initial commit
2010-02-08 15:30:06 +02:00
Make s3 repository sensitive settings use secure settings (#22479) * Settings: Make s3 repository sensitive settings use secure settings This change converts repository-s3 to use the new secure settings. In order to support the multiple ways we allow aws creds to be configured, it also moves the main methods for the keystore wrapper into a SecureSettings interface, in order to allow settings prefixing to work.
2017-01-11 11:19:46 -08:00
final SecureSettings keystore = loadSecureSettings(initialEnv);
Remove some unused code (#27792) This commit removes some unused code.
2017-12-13 16:45:55 +01:00
final Environment environment = createEnvironment(pidFile, keystore, initialEnv.settings(), initialEnv.configFile());
Logging: Make node name consistent in logger (#31588) First, some background: we have 15 different methods to get a logger in Elasticsearch but they can be broken down into three broad categories based on what information is provided when building the logger. Just a class like: ``` private static final Logger logger = ESLoggerFactory.getLogger(ActionModule.class); ``` or: ``` protected final Logger logger = Loggers.getLogger(getClass()); ``` The class and settings: ``` this.logger = Loggers.getLogger(getClass(), settings); ``` Or more information like: ``` Loggers.getLogger("index.store.deletes", settings, shardId) ``` The goal of the "class and settings" variant is to attach the node name to the logger. Because we don't always have the settings available, we often use the "just a class" variant and get loggers without node names attached. There isn't any real consistency here. Some loggers get the node name because it is convenient and some do not. This change makes the node name available to all loggers all the time. Almost. There are some caveats are testing that I'll get to. But in *production* code the node name is node available to all loggers. This means we can stop using the "class and settings" variants to fetch loggers which was the real goal here, but a pleasant side effect is that the ndoe name is now consitent on every log line and optional by editing the logging pattern. This is all powered by setting the node name statically on a logging formatter very early in initialization. Now to tests: tests can't set the node name statically because subclasses of `ESIntegTestCase` run many nodes in the same jvm, even in the same class loader. Also, lots of tests don't run with a real node so they don't *have* a node name at all. To support multiple nodes in the same JVM tests suss out the node name from the thread name which works surprisingly well and easy to test in a nice way. For those threads that are not part of an `ESIntegTestCase` node we stick whatever useful information we can get form the thread name in the place of the node name. This allows us to keep the logger format consistent.
2018-07-31 10:54:24 -04:00
Core: Default node.name to the hostname (#33677) Changes the default of the `node.name` setting to the hostname of the machine on which Elasticsearch is running. Previously it was the first 8 characters of the node id. This had the advantage of producing a unique name even when the node name isn't configured but the disadvantage of being unrecognizable and not being available until fairly late in the startup process. Of particular interest is that it isn't available until after logging is configured. This forces us to use a volatile read whenever we add the node name to the log. Using the hostname is available immediately on startup and is generally recognizable but has the disadvantage of not being unique when run on machines that don't set their hostname or when multiple elasticsearch processes are run on the same host. I believe that, taken together, it is better to default to the hostname. 1. Running multiple copies of Elasticsearch on the same node is a fairly advanced feature. We do it all the as part of the elasticsearch build for testing but we make sure to set the node name then. 2. That the node.name defaults to some flavor of "localhost" on an unconfigured box feels like it isn't going to come up too much in production. I expect most production deployments to at least set the hostname. As a bonus, production deployments need no longer set the node name in most cases. At least in my experience most folks set it to the hostname anyway.
2018-09-19 15:21:29 -04:00
LogConfigurator.setNodeName(Node.NODE_NAME_SETTING.get(environment.settings()));
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
try {
Ensure logging is initialized in CLI tools Today when CLI tools are executed, logging statements can intentionally or unintentionally be executed when logging is not configured. This leads to log messages that the status logger is not configured. This commit reworks logging configuration for CLI tools so that logging is always configured. Relates #20575
2016-09-20 08:28:27 -04:00
LogConfigurator.configure(environment);
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
} catch (IOException e) {
throw new BootstrapException(e);
}
Deprecate versions of Java prior to Java 11 (#40756) This commit deprecates versions of Java prior to Java 11. This commit will cause a warning to be printed to standard error when any command line tool is invoked, or when Elasticsearch is started. Additionally, we log a deprecation message when Elasticsearch is started.
2019-04-03 06:39:40 -04:00
if (JavaVersion.current().compareTo(JavaVersion.parse("11")) < 0) {
final String message = String.format(
Locale.ROOT,
[Rename] Refactor ES and Elasticsearch classes in server module bootstrap package (#197) This commit refactors the heavily used ESPolicy, Elasticsearch (main class), and Elasticsearch prefixed test classes used in the bootstrap package under the server module. Refactoring the namespace will come in a separate commit. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 11:53:55 -06:00
"future versions of OpenSearch will require Java 11; " +
Deprecate versions of Java prior to Java 11 (#40756) This commit deprecates versions of Java prior to Java 11. This commit will cause a warning to be printed to standard error when any command line tool is invoked, or when Elasticsearch is started. Additionally, we log a deprecation message when Elasticsearch is started.
2019-04-03 06:39:40 -04:00
"your Java version from [%s] does not meet this requirement",
System.getProperty("java.home"));
Do not create two loggers for DeprecationLogger backport(#58435) (#61530) DeprecationLogger's constructor should not create two loggers. It was taking parent logger instance, changing its name with a .deprecation prefix and creating a new logger. Most of the time parent logger was not needed. It was causing Log4j to unnecessarily cache the unused parent logger instance. depends on #61515 backports #58435
2020-08-26 16:04:02 +02:00
DeprecationLogger.getLogger(Bootstrap.class).deprecate("java_version_11_required", message);
Deprecate versions of Java prior to Java 11 (#40756) This commit deprecates versions of Java prior to Java 11. This commit will cause a warning to be printed to standard error when any command line tool is invoked, or when Elasticsearch is started. Additionally, we log a deprecation message when Elasticsearch is started.
2019-04-03 06:39:40 -04:00
}
Fix Bootstrap to not call System.exit Its not going to work: its blocked by security policy and will just add a confusing SecurityException to the mix, and bogusly give an exit status of 0 when in fact something bad happened. Finally, if ES can't startup, it is a serious problem, there is no sense in hiding the reason why: deliver the full stack trace.
2015-07-31 14:00:18 -04:00
if (environment.pidFile() != null) {
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
try {
PidFile.create(environment.pidFile(), true);
} catch (IOException e) {
throw new BootstrapException(e);
}
fix problem with outputting proper error when failing to parse configuration on startup
2010-03-20 00:28:15 +02:00
}
Add quiet option to disable console logging (#20422) This commit adds a -q/--quiet option to Elasticsearch so that it does not log anything in the console and closes stdout & stderr streams. This is useful for SystemD to avoid duplicate logs in both journalctl and /var/log/elasticsearch/elasticsearch.log while still allows the JVM to print error messages in stdout/stderr if needed. closes #17220
2016-09-12 16:56:13 +02:00
final boolean closeStandardStreams = (foreground == false) || quiet;
initial commit
2010-02-08 15:30:06 +02:00
try {
Add quiet option to disable console logging (#20422) This commit adds a -q/--quiet option to Elasticsearch so that it does not log anything in the console and closes stdout & stderr streams. This is useful for SystemD to avoid duplicate logs in both journalctl and /var/log/elasticsearch/elasticsearch.log while still allows the JVM to print error messages in stdout/stderr if needed. closes #17220
2016-09-12 16:56:13 +02:00
if (closeStandardStreams) {
Logging: Drop two deprecated methods (#34055) This drops two deprecated methods from `ESLoggerFactory`, switching all calls to those methods to calls to methods of the same name on `LogManager`.
2018-09-26 11:20:52 -04:00
final Logger rootLogger = LogManager.getRootLogger();
Remove log4j dependency from elasticsearch-core (#28705) * Remove log4j dependency from elasticsearch-core This removes the log4j dependency from our elasticsearch-core project. It was originally necessary only for our jar classpath checking. It is now replaced by a `Consumer<String>` so that the es-core dependency doesn't have external dependencies. The parts of #28191 which were moved in conjunction (like `ESLoggerFactory` and `Loggers`) have been moved back where appropriate, since they are not required in the core jar. This is tangentially related to #28504 * Add javadocs for `output` parameter * Change @code to @link
2018-02-20 09:15:54 -07:00
final Appender maybeConsoleAppender = Loggers.findAppender(rootLogger, ConsoleAppender.class);
Disable console logging Previously we would disable console logging in certain circumstances (for example, if Elasticsearch is not in the foreground, or if Elasticsearch is in the foreground but an exception was thrown during bootstrap). This commit makes this handling work with Log4j 2. This will prevent users from seeing double bootstrap check failure messages. Relates #20387
2016-09-09 09:15:35 -04:00
if (maybeConsoleAppender != null) {
Remove log4j dependency from elasticsearch-core (#28705) * Remove log4j dependency from elasticsearch-core This removes the log4j dependency from our elasticsearch-core project. It was originally necessary only for our jar classpath checking. It is now replaced by a `Consumer<String>` so that the es-core dependency doesn't have external dependencies. The parts of #28191 which were moved in conjunction (like `ESLoggerFactory` and `Loggers`) have been moved back where appropriate, since they are not required in the core jar. This is tangentially related to #28504 * Add javadocs for `output` parameter * Change @code to @link
2018-02-20 09:15:54 -07:00
Loggers.removeAppender(rootLogger, maybeConsoleAppender);
Disable console logging Previously we would disable console logging in certain circumstances (for example, if Elasticsearch is not in the foreground, or if Elasticsearch is in the foreground but an exception was thrown during bootstrap). This commit makes this handling work with Log4j 2. This will prevent users from seeing double bootstrap check failure messages. Relates #20387
2016-09-09 09:15:35 -04:00
}
[BUILD] Use SuppressFrobidden annotation instead of class level excludes Forbidden APIs 1.8 allows excludes based on annotations which can now be on methods etc. for more find grained control. Closes #10560
2015-04-13 10:03:50 +02:00
closeSystOut();
initial commit
2010-02-08 15:30:06 +02:00
}
[Bootstrap] Throw exception if the JVM will corrupt data. Detect the worst-offenders, all IBM versions and several known hotspot versions that can cause index corruption, and fail on startup. Provide/detect compiler workarounds when they exist, but warn about performance degradation. In all cases the check can be bypassed completely with a safety switch via undocumented system property (es.bypass.vm.check=true) Closes #7580
2015-03-21 02:47:44 -04:00
Add a hard check to ensure we are running with the expected lucene version Closes #16301
2016-01-29 11:35:20 +01:00
// fail if somebody replaced the lucene jars
checkLucene();
Die with dignity Today when a thread encounters a fatal unrecoverable error that threatens the stability of the JVM, Elasticsearch marches on. This includes out of memory errors, stack overflow errors and other errors that leave the JVM in a questionable state. Instead, the Elasticsearch JVM should die when these errors are encountered. This commit causes this to be the case. Relates #19272
2016-07-07 14:44:03 -04:00
// install the default uncaught exception handler; must be done before security is
// initialized as we do not want to grant the runtime permission
// setDefaultUncaughtExceptionHandler
[Rename] Refactor ES and Elasticsearch classes in server module bootstrap package (#197) This commit refactors the heavily used ESPolicy, Elasticsearch (main class), and Elasticsearch prefixed test classes used in the bootstrap package under the server module. Refactoring the namespace will come in a separate commit. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 11:53:55 -06:00
Thread.setDefaultUncaughtExceptionHandler(new OpenSearchUncaughtExceptionHandler());
Die with dignity Today when a thread encounters a fatal unrecoverable error that threatens the stability of the JVM, Elasticsearch marches on. This includes out of memory errors, stack overflow errors and other errors that leave the JVM in a questionable state. Instead, the Elasticsearch JVM should die when these errors are encountered. This commit causes this to be the case. Relates #19272
2016-07-07 14:44:03 -04:00
Persistent Node Names (#19456) With #19140 we started persisting the node ID across node restarts. Now that we have a "stable" anchor, we can use it to generate a stable default node name and make it easier to track nodes over a restarts. Sadly, this means we will not have those random fun Marvel characters but we feel this is the right tradeoff. On the implementation side, this requires a bit of juggling because we now need to read the node id from disk before we can log as the node node is part of each log message. The PR move the initialization of NodeEnvironment as high up in the starting sequence as possible, with only one logging message before it to indicate we are initializing. Things look now like this: ``` [2016-07-15 19:38:39,742][INFO ][node ] [_unset_] initializing ... [2016-07-15 19:38:39,826][INFO ][node ] [aAmiW40] node name set to [aAmiW40] by default. set the [node.name] settings to change it [2016-07-15 19:38:39,829][INFO ][env ] [aAmiW40] using [1] data paths, mounts [[ /(/dev/disk1)]], net usable_space [5.5gb], net total_space [232.6gb], spins? [unknown], types [hfs] [2016-07-15 19:38:39,830][INFO ][env ] [aAmiW40] heap size [1.9gb], compressed ordinary object pointers [true] [2016-07-15 19:38:39,837][INFO ][node ] [aAmiW40] version[5.0.0-alpha5-SNAPSHOT], pid[46048], build[473d3c0/2016-07-15T17:38:06.771Z], OS[Mac OS X/10.11.5/x86_64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_51/25.51-b03] [2016-07-15 19:38:40,980][INFO ][plugins ] [aAmiW40] modules [percolator, lang-mustache, lang-painless, reindex, aggs-matrix-stats, lang-expression, ingest-common, lang-groovy, transport-netty], plugins [] [2016-07-15 19:38:43,218][INFO ][node ] [aAmiW40] initialized ``` Needless to say, settings `node.name` explicitly still works as before. The commit also contains some clean ups to the relationship between Environment, Settings and Plugins. The previous code suggested the path related settings could be changed after the initial Environment was changed. This did not have any effect as the security manager already locked things down.
2016-07-23 22:46:48 +02:00
INSTANCE.setup(true, environment);
remove shutdownHooks permission
2015-05-04 10:18:09 -04:00
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
try {
// any secure settings must be read during node construction
IOUtils.close(keystore);
} catch (IOException e) {
throw new BootstrapException(e);
S3 Repository: Eagerly load static settings (#23910) The S3 repostiory has many levels of settings it looks at to create a repository, and these settings were read at repository creation time. This meant secure settings like access and secret keys had to be available after node construction. This change makes setting loading for every except repository level settings eager, so that secure settings can be stashed, and the keystore can once again be closed after bootstrapping the node is complete.
2017-04-11 15:42:56 -07:00
}
Settings: Add infrastructure for elasticsearch keystore This change is the first towards providing the ability to store sensitive settings in elasticsearch. It adds the `elasticsearch-keystore` tool, which allows managing a java keystore. The keystore is loaded upon node startup in Elasticsearch, and used by the Setting infrastructure when a setting is configured as secure. There are a lot of caveats to this PR. The most important is it only provides the tool and setting infrastructure for secure strings. It does not yet provide for keystore passwords, keypairs, certificates, or even convert any existing string settings to secure string settings. Those will all come in follow up PRs. But this PR was already too big, so this at least gets a basic version of the infrastructure in. The two main things to look at. The first is the `SecureSetting` class, which extends `Setting`, but removes the assumption for the raw value of the setting to be a string. SecureSetting provides, for now, a single helper, `stringSetting()` to create a SecureSetting which will return a SecureString (which is like String, but is closeable, so that the underlying character array can be cleared). The second is the `KeyStoreWrapper` class, which wraps the java `KeyStore` to provide a simpler api (we do not need the entire keystore api) and also extend the serialized format to add metadata needed for loading the keystore with no assumptions about keystore type (so that we can change this in the future) as well as whether the keystore has a password (so that we can know whether prompting is necessary when we add support for keystore passwords).
2016-12-22 16:28:34 -08:00
Remove exitVM permission
2015-05-04 14:06:32 -04:00
INSTANCE.start();
remove shutdownHooks permission
2015-05-04 10:18:09 -04:00
Don't close stderr under `--quiet` (#49431) Backport of #47208. Closes #46900. When running ES with `--quiet`, if ES then exits abnormally, a user has to go hunting in the logs for the error. Instead, never close System.err, and print more information to it if ES encounters a fatal error e.g. config validation, or some fatal runtime exception. This is useful when running under e.g. systemd, since the error will go into the journal. Note that stderr is still closed in daemon (`-d`) mode.
2019-11-22 14:58:17 +00:00
// We don't close stderr if `--quiet` is passed, because that
[Rename] Refactor ES and Elasticsearch classes in server module bootstrap package (#197) This commit refactors the heavily used ESPolicy, Elasticsearch (main class), and Elasticsearch prefixed test classes used in the bootstrap package under the server module. Refactoring the namespace will come in a separate commit. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 11:53:55 -06:00
// hides fatal startup errors. For example, if OpenSearch is
Don't close stderr under `--quiet` (#49431) Backport of #47208. Closes #46900. When running ES with `--quiet`, if ES then exits abnormally, a user has to go hunting in the logs for the error. Instead, never close System.err, and print more information to it if ES encounters a fatal error e.g. config validation, or some fatal runtime exception. This is useful when running under e.g. systemd, since the error will go into the journal. Note that stderr is still closed in daemon (`-d`) mode.
2019-11-22 14:58:17 +00:00
// running via systemd, the init script only specifies
// `--quiet`, not `-d`, so we want users to be able to see
// startup errors via journalctl.
if (foreground == false) {
remove shutdownHooks permission
2015-05-04 10:18:09 -04:00
closeSysError();
}
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
} catch (NodeValidationException | RuntimeException e) {
Improve console logging on startup exception Today we show the exception twice: once by the logger and then again by the JVM. This is too noisy, and easy to avoid.
2015-08-18 22:27:39 -04:00
// disable console logging, so user does not see the exception twice (jvm will show it already)
Logging: Drop two deprecated methods (#34055) This drops two deprecated methods from `ESLoggerFactory`, switching all calls to those methods to calls to methods of the same name on `LogManager`.
2018-09-26 11:20:52 -04:00
final Logger rootLogger = LogManager.getRootLogger();
Remove log4j dependency from elasticsearch-core (#28705) * Remove log4j dependency from elasticsearch-core This removes the log4j dependency from our elasticsearch-core project. It was originally necessary only for our jar classpath checking. It is now replaced by a `Consumer<String>` so that the es-core dependency doesn't have external dependencies. The parts of #28191 which were moved in conjunction (like `ESLoggerFactory` and `Loggers`) have been moved back where appropriate, since they are not required in the core jar. This is tangentially related to #28504 * Add javadocs for `output` parameter * Change @code to @link
2018-02-20 09:15:54 -07:00
final Appender maybeConsoleAppender = Loggers.findAppender(rootLogger, ConsoleAppender.class);
Disable console logging Previously we would disable console logging in certain circumstances (for example, if Elasticsearch is not in the foreground, or if Elasticsearch is in the foreground but an exception was thrown during bootstrap). This commit makes this handling work with Log4j 2. This will prevent users from seeing double bootstrap check failure messages. Relates #20387
2016-09-09 09:15:35 -04:00
if (foreground && maybeConsoleAppender != null) {
Remove log4j dependency from elasticsearch-core (#28705) * Remove log4j dependency from elasticsearch-core This removes the log4j dependency from our elasticsearch-core project. It was originally necessary only for our jar classpath checking. It is now replaced by a `Consumer<String>` so that the es-core dependency doesn't have external dependencies. The parts of #28191 which were moved in conjunction (like `ESLoggerFactory` and `Loggers`) have been moved back where appropriate, since they are not required in the core jar. This is tangentially related to #28504 * Add javadocs for `output` parameter * Change @code to @link
2018-02-20 09:15:54 -07:00
Loggers.removeAppender(rootLogger, maybeConsoleAppender);
Improve console logging on startup exception Today we show the exception twice: once by the logger and then again by the JVM. This is too noisy, and easy to avoid.
2015-08-18 22:27:39 -04:00
}
Core: Remove some logging constructors (#32513) Remove a few of the logger constructors that aren't widely used or aren't used at all and deprecate a few more logger constructors in favor of log4j2's `LogManager`.
2018-08-09 16:11:48 -04:00
Logger logger = LogManager.getLogger(Bootstrap.class);
Don't log multi-megabyte guice exceptions. Instead just log the same thing we print to the startup console for that case (magic logic), it sucks to do this, but guice exceptions are too much. All other non-guice exceptions will still be fully logged. Closes #13782
2015-09-25 14:46:12 -04:00
// HACK, it sucks to do this, but we will run users out of disk space otherwise
if (e instanceof CreationException) {
// guice: log the shortened exc to the log file
ByteArrayOutputStream os = new ByteArrayOutputStream();
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
PrintStream ps = null;
try {
ps = new PrintStream(os, false, "UTF-8");
} catch (UnsupportedEncodingException uee) {
assert false;
e.addSuppressed(uee);
}
Rename StartupError to StartupException This commit renames StartupError to StartupException. This rename is due to the fact that this class inherits from Exception not Error in the Throwable class hierarchy.
2016-08-19 14:51:54 -04:00
new StartupException(e).printStackTrace(ps);
Don't log multi-megabyte guice exceptions. Instead just log the same thing we print to the startup console for that case (magic logic), it sucks to do this, but guice exceptions are too much. All other non-guice exceptions will still be fully logged. Closes #13782
2015-09-25 14:46:12 -04:00
ps.flush();
Do not log full bootstrap checks exception By default, when an exception causes the JVM to terminate, the stack trace is printed. In the case of failing bootstrap checks, this stack trace is useless to the user, and might even distract them from seeing that the bootstrap checks failed for reasons under their control. With this commit, we cause the stack trace for a failing bootstrap check to be truncated. We also modify some methods to not declare that they throw the top level checked exception type Exception, but instead explicitly declare the exceptions that they throw. These exceptions are caught and wrapped in a BootstrapException so that we can percolate only two exception types out of Bootstrap#init as checked exception, BootstrapException and NodeValidationException. Relates #19989
2016-09-08 10:56:11 -04:00
try {
logger.error("Guice Exception: {}", os.toString("UTF-8"));
} catch (UnsupportedEncodingException uee) {
assert false;
e.addSuppressed(uee);
}
} else if (e instanceof NodeValidationException) {
logger.error("node validation exception\n{}", e.getMessage());
Don't log multi-megabyte guice exceptions. Instead just log the same thing we print to the startup console for that case (magic logic), it sucks to do this, but guice exceptions are too much. All other non-guice exceptions will still be fully logged. Closes #13782
2015-09-25 14:46:12 -04:00
} else {
// full exception
logger.error("Exception", e);
}
Improve console logging on startup exception Today we show the exception twice: once by the logger and then again by the JVM. This is too noisy, and easy to avoid.
2015-08-18 22:27:39 -04:00
// re-enable it if appropriate, so they can see any logging during the shutdown process
Disable console logging Previously we would disable console logging in certain circumstances (for example, if Elasticsearch is not in the foreground, or if Elasticsearch is in the foreground but an exception was thrown during bootstrap). This commit makes this handling work with Log4j 2. This will prevent users from seeing double bootstrap check failure messages. Relates #20387
2016-09-09 09:15:35 -04:00
if (foreground && maybeConsoleAppender != null) {
Remove log4j dependency from elasticsearch-core (#28705) * Remove log4j dependency from elasticsearch-core This removes the log4j dependency from our elasticsearch-core project. It was originally necessary only for our jar classpath checking. It is now replaced by a `Consumer<String>` so that the es-core dependency doesn't have external dependencies. The parts of #28191 which were moved in conjunction (like `ESLoggerFactory` and `Loggers`) have been moved back where appropriate, since they are not required in the core jar. This is tangentially related to #28504 * Add javadocs for `output` parameter * Change @code to @link
2018-02-20 09:15:54 -07:00
Loggers.addAppender(rootLogger, maybeConsoleAppender);
Improve console logging on startup exception Today we show the exception twice: once by the logger and then again by the JVM. This is too noisy, and easy to avoid.
2015-08-18 22:27:39 -04:00
}
Remove NodeBuilder The NodeBuilder is currently used to construct a Node. However, this is really just yet-another-builder that wraps around a Settings.Builder witha couple convenience methods. But there are very few uses of these convenience methods. This change removes NodeBuilder, in favor of just using the Node constructor.
2015-12-09 23:57:14 -08:00
Use StartupError to format all exceptions hitting the console
2015-08-21 11:05:31 -04:00
throw e;
initial commit
2010-02-08 15:30:06 +02:00
}
}
fix problem with outputting proper error when failing to parse configuration on startup
2010-03-20 00:28:15 +02:00
[BUILD] Use SuppressFrobidden annotation instead of class level excludes Forbidden APIs 1.8 allows excludes based on annotations which can now be on methods etc. for more find grained control. Closes #10560
2015-04-13 10:03:50 +02:00
@SuppressForbidden(reason = "System#out")
private static void closeSystOut() {
System.out.close();
}
@SuppressForbidden(reason = "System#err")
private static void closeSysError() {
System.err.close();
}
Add a hard check to ensure we are running with the expected lucene version Closes #16301
2016-01-29 11:35:20 +01:00
private static void checkLucene() {
if (Version.CURRENT.luceneVersion.equals(org.apache.lucene.util.Version.LATEST) == false) {
[Rename] Refactor ES and Elasticsearch classes in server module bootstrap package (#197) This commit refactors the heavily used ESPolicy, Elasticsearch (main class), and Elasticsearch prefixed test classes used in the bootstrap package under the server module. Refactoring the namespace will come in a separate commit. Signed-off-by: Nicholas Knize <nknize@amazon.com>
2021-03-12 11:53:55 -06:00
throw new AssertionError("Lucene version mismatch this version of OpenSearch requires lucene version ["
Add a hard check to ensure we are running with the expected lucene version Closes #16301
2016-01-29 11:35:20 +01:00
+ Version.CURRENT.luceneVersion + "] but the current lucene version is [" + org.apache.lucene.util.Version.LATEST + "]");
}
}
Enforce node level limits if node is started in production env This commit tries to 'guess' if a user starts a node in production by checking if any network host is configured. If that is the case soft-limits that are only logged otherwise are enforced like number of open file descriptors. Closes #16727
2016-02-19 09:06:21 -08:00
initial commit
2010-02-08 15:30:06 +02:00
}
Reference in New Issue Copy Permalink