Commit Graph

448 Commits

Author SHA1 Message Date
Eddie Turizo 27673aa59c [DOCS] Fix ulimit value in system settings docs (#56973)
Correctly documents the ulimit value as 65535.

The limit was lowered as part of #37537.
2020-05-20 08:44:07 -04:00
Adam Mohammed fd84fdf581 [DOCS] Fix typo in secure settings docs (#56778) 2020-05-19 12:04:25 -04:00
Jake Landis 5f5a648b9a
[7.x] remove the term 'system' from indicies doc (#56367) (#56375)
'system' indices will carry special meaning in the future this commit
removes the system from the name to avoid confusion. (technically
these indices will be hidden not system)
2020-05-12 14:44:50 -05:00
Ioannis Kakavas 7a8a66d9ae
[7.x] Fix ReloadSecureSettings API to consume password (#54771) (#55059)
The secure_settings_password was never taken into consideration in
the ReloadSecureSettings API. This commit fixes that and adds
necessary REST layer testing. Doing so, it also:

- Allows TestClusters to have a password protected keystore
so that it can be set for tests.
- Adds a parameter to the run task so that elastisearch can
be run with a password protected keystore from source.
2020-04-13 09:50:55 +03:00
Leaf-Lin b649b0d273
Update jvm options doc
There's a typo with extra `
2020-03-19 12:00:01 +11:00
Rory Hunter b1be7dcd2d Document how to change GC logging behaviour (#52879)
Closes #43990. Describe how to change the default GC settings without changing
the default `jvm.options`. Give examples using `jvm.options.d`, and
`ES_JAVA_OPTS` with Docker.
2020-02-28 21:27:45 +00:00
David Turner 69b78f7f8a "Adding nodes" instructions only work on localhost (#52677)
The introductory sections of the reference manual contains some simplified
instructions for adding a node to the cluster. Unfortunately they are a little
too simplified and only really work for clusters running on `localhost`. If you
try and follow these instructions for a distributed cluster then the new node
will, confusingly, auto-bootstrap itself into a distinct one-node cluster.

Multiple nodes running on localhost is a valid config, of course, but we should
spell out that these instructions are really only for experimentation and that
it takes a bit more work to add nodes to a distributed cluster. This commit
does so.

Also, the "important config" instructions for discovery say that you MUST set
`discovery.seed_hosts` whereas in fact it is fine to ignore this setting and
use a dynamic discovery mechanism instead. This commit weakens this statement
and links to the docs for dynamic discovery mechanisms.

Finally, this section is also overloaded with some technical details that are
not important for this context and are adequately covered elsewhere, and
completely fails to note that the default discovery port is 9300. This commit
addresses this.
2020-02-27 09:18:37 +00:00
Nik Richers 101bca86d2 [DOCS] Switch to standard ESS trial links (#52552)
Switches ESS trial sign-up links over to a standard attribute. This provides better metrics for how effective these links are.
2020-02-21 12:07:10 -05:00
Jason Tedor c4c0db6f21
Introduce jvm.options.d for customizing JVM options (#51882)
This commit introduces the ability to override JVM options by adding
custom JVM options files to a jvm.options.d directory. This simplifies
administration of Elasticsearch by not requiring administrators to keep
the root jvm.options file in sync with changes that we make to the root
jvm.options file. Instead, they are not expected to modify this file but
instead supply their own in jvm.options.d. In Docker installations, this
means they can bind mount this directory in. In future versions of
Elasticsearch, we can consider removing the root jvm.options file
(instead, providing all options there as system JVM options).
2020-02-08 18:50:14 -05:00
Rory Hunter cdb9862495
Clarify use of ES_JAVA_OPTS and Docker (#51984)
Backport of #51867.

Tweak the documentation around configuring the heap size when using
Docker, to state that:

- using `ES_JAVA_OPTS` is the preferred method
- Any `ES_JAVA_OPTS` overrides the defaults in `jvm.options`
- It's possible to bind-mount a custom `jvm.options`
2020-02-06 10:00:14 +00:00
William Brafford ba2810f23d
Use standard format for reload settings API (#51560) (#51828)
* Use standard format for reload settings API

The reload-secure-settings API page was not reorganized for the standard
API format, so this commit is reorganizing the page and adding some
links to the page in related documentation.

* Fix broken links

* Reorder examples to correctly check API response

* Note that only certain settings are reloadable

* [DOCS] Edits layout

* [DOCS] Removes unnecessary callouts

Co-authored-by: Lisa Cawley <lcawley@elastic.co>

Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2020-02-03 18:07:26 -05:00
Dan Hermann 4083eae0b7
[7.x] Secure password for monitoring HTTP exporter (#51775)
Adds a secure and reloadable SECURE_AUTH_PASSWORD setting to allow keystore entries in the form "xpack.monitoring.exporters.*.auth.secure_password" to securely supply passwords for monitoring HTTP exporters. Also deprecates the insecure `AUTH_PASSWORD` setting.
2020-02-03 07:42:30 -06:00
William Brafford 9efa5be60e
Password-protected Keystore Feature Branch PR (#51123) (#51510)
* Reload secure settings with password (#43197)

If a password is not set, we assume an empty string to be
compatible with previous behavior.
Only allow the reload to be broadcast to other nodes if TLS is
enabled for the transport layer.

* Add passphrase support to elasticsearch-keystore (#38498)

This change adds support for keystore passphrases to all subcommands
of the elasticsearch-keystore cli tool and adds a subcommand for
changing the passphrase of an existing keystore.
The work to read the passphrase in Elasticsearch when
loading, which will be addressed in a different PR.

Subcommands of elasticsearch-keystore can handle (open and create)
passphrase protected keystores

When reading a keystore, a user is only prompted for a passphrase
only if the keystore is passphrase protected.

When creating a keystore, a user is allowed (default behavior) to create one with an
empty passphrase

Passphrase can be set to be empty when changing/setting it for an
existing keystore

Relates to: #32691
Supersedes: #37472

* Restore behavior for force parameter (#44847)

Turns out that the behavior of `-f` for the add and add-file sub
commands where it would also forcibly create the keystore if it
didn't exist, was by design - although undocumented.
This change restores that behavior auto-creating a keystore that
is not password protected if the force flag is used. The force
OptionSpec is moved to the BaseKeyStoreCommand as we will presumably
want to maintain the same behavior in any other command that takes
a force option.

*  Handle pwd protected keystores in all CLI tools  (#45289)

This change ensures that `elasticsearch-setup-passwords` and
`elasticsearch-saml-metadata` can handle a password protected
elasticsearch.keystore.
For setup passwords the user would be prompted to add the
elasticsearch keystore password upon running the tool. There is no
option to pass the password as a parameter as we assume the user is
present in order to enter the desired passwords for the built-in
users.
For saml-metadata, we prompt for the keystore password at all times
even though we'd only need to read something from the keystore when
there is a signing or encryption configuration.

* Modify docs for setup passwords and saml metadata cli (#45797)

Adds a sentence in the documentation of `elasticsearch-setup-passwords`
and `elasticsearch-saml-metadata` to describe that users would be
prompted for the keystore's password when running these CLI tools,
when the keystore is password protected.

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>

* Elasticsearch keystore passphrase for startup scripts (#44775)

This commit allows a user to provide a keystore password on Elasticsearch
startup, but only prompts when the keystore exists and is encrypted.

The entrypoint in Java code is standard input. When the Bootstrap class is
checking for secure keystore settings, it checks whether or not the keystore
is encrypted. If so, we read one line from standard input and use this as the
password. For simplicity's sake, we allow a maximum passphrase length of 128
characters. (This is an arbitrary limit and could be increased or eliminated.
It is also enforced in the keystore tools, so that a user can't create a
password that's too long to enter at startup.)

In order to provide a password on standard input, we have to account for four
different ways of starting Elasticsearch: the bash startup script, the Windows
batch startup script, systemd startup, and docker startup. We use wrapper
scripts to reduce systemd and docker to the bash case: in both cases, a
wrapper script can read a passphrase from the filesystem and pass it to the
bash script.

In order to simplify testing the need for a passphrase, I have added a
has-passwd command to the keystore tool. This command can run silently, and
exit with status 0 when the keystore has a password. It exits with status 1 if
the keystore doesn't exist or exists and is unencrypted.

A good deal of the code-change in this commit has to do with refactoring
packaging tests to cleanly use the same tests for both the "archive" and the
"package" cases. This required not only moving tests around, but also adding
some convenience methods for an abstraction layer over distribution-specific
commands.

* Adjust docs for password protected keystore (#45054)

This commit adds relevant parts in the elasticsearch-keystore
sub-commands reference docs and in the reload secure settings API
doc.

* Fix failing Keystore Passphrase test for feature branch (#50154)

One problem with the passphrase-from-file tests, as written, is that
they would leave a SystemD environment variable set when they failed,
and this setting would cause elasticsearch startup to fail for other
tests as well. By using a try-finally, I hope that these tests will fail
more gracefully.

It appears that our Fedora and Ubuntu environments may be configured to
store journald information under /var rather than under /run, so that it
will persist between boots. Our destructive tests that read from the
journal need to account for this in order to avoid trying to limit the
output we check in tests.

* Run keystore management tests on docker distros (#50610)

* Add Docker handling to PackagingTestCase

Keystore tests need to be able to run in the Docker case. We can do this
by using a DockerShell instead of a plain Shell when Docker is running.

* Improve ES startup check for docker

Previously we were checking truncated output for the packaged JDK as
an indication that Elasticsearch had started. With new preliminary
password checks, we might get a false positive from ES keystore
commands, so we have to check specifically that the Elasticsearch
class from the Bootstrap package is what's running.

* Test password-protected keystore with Docker (#50803)

This commit adds two tests for the case where we mount a
password-protected keystore into a Docker container and provide a
password via a Docker environment variable.

We also fix a logging bug where we were logging the identifier for an
array of strings rather than the contents of that array.

* Add documentation for keystore startup prompting (#50821)

When a keystore is password-protected, Elasticsearch will prompt at
startup. This commit adds documentation for this prompt for the archive,
systemd, and Docker cases.

Co-authored-by: Lisa Cawley <lcawley@elastic.co>

* Warn when unable to upgrade keystore on debian (#51011)

For Red Hat RPM upgrades, we warn if we can't upgrade the keystore. This
commit brings the same logic to the code for Debian packages. See the
posttrans file for gets executed for RPMs.

* Restore handling of string input

Adds tests that were mistakenly removed. One of these tests proved
we were not handling the the stdin (-x) option correctly when no
input was added. This commit restores the original approach of
reading stdin one char at a time until there is no more (-1, \r, \n)
instead of using readline() that might return null

* Apply spotless reformatting

* Use '--since' flag to get recent journal messages

When we get Elasticsearch logs from journald, we want to fetch only log
messages from the last run. There are two reasons for this. First, if
there are many logs, we might get a string that's too large for our
utility methods. Second, when we're looking for a specific message or
error, we almost certainly want to look only at messages from the last
execution.

Previously, we've been trying to do this by clearing out the physical
files under the journald process. But there seems to be some contention
over these directories: if journald writes a log file in between when
our deletion command deletes the file and when it deletes the log
directory, the deletion will fail.

It seems to me that we might be able to use journald's "--since" flag to
retrieve only log messages from the last run, and that this might be
less likely to fail due to race conditions in file deletion.

Unfortunately, it looks as if the "--since" flag has a granularity of
one-second. I've added a two-second sleep to make sure that there's a
sufficient gap between the test that will read from journald and the
test before it.

* Use new journald wrapper pattern

* Update version added in secure settings request

Co-authored-by: Lisa Cawley <lcawley@elastic.co>
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
2020-01-28 05:32:32 -05:00
Lisa Cawley a82ddfb182 [DOCS] Adds elasticsearch-keystore command reference (#50872) 2020-01-13 13:08:21 -08:00
Nik Everett 01293ebad5
Fix docs typos (#50365) (#50464)
Fixes a few typos in the docs.

Co-authored-by: Xiang Dai <764524258@qq.com>
2019-12-23 12:38:17 -05:00
Lisa Cawley 2106a7b02a
[7.x][DOCS] Updates ML links (#50387) (#50409) 2019-12-20 10:01:19 -08:00
Kevin Woblick cbffd127d5 [DOCS] Add warning about Docker port exposure (#50169)
Docker bypasses the Uncomplicated Firewall (UFW) on Linux by editing the `iptables` config directly, which leads to the exposure of port 9200, even if you blocked it via UFW.

This adds a warning along with work-arounds to the docs.

Signed-off-by: Kovah <mail@kovah.de>
2019-12-18 09:16:36 -05:00
Ryan Ernst e66cfc4369 Fix incorrect use of multiline NOTE in rpm docs (#49962)
This was a copy/paste error from #49893. This commit converts the NOTE
to use inline style instead of one needing closing linebreak.
2019-12-06 17:43:51 -08:00
Ryan Ernst d29f04209b Disable repo configuration for rpm based systems (#49893)
This commit changes the recommended repository file for rpm based
systems to be disabled by default. This is a safer practice so upgrades
of the system do no accidentally upgrade elasticsearch itself.

closes #30660
2019-12-06 15:56:18 -08:00
Ryan Ernst f288696040 Remove legacy referene to file scripts (#49339)
This commit removes outdated documentation about a path setting for file
scripts which no longer exist.

closes #45827
2019-11-27 10:42:33 -08:00
Ryan Ernst 297efa8324 Add JAVA_HOME env override location to docs (#49565)
This commit clarifies how to override JAVA_HOME from the bundled jdk for
deb and rpm installs, which each have their own file that is sourced
upon service startup.

closes #49068
2019-11-27 10:40:30 -08:00
Xiang Dai 15342c4dd2 [DOCS] Clarify how to update max memory size in bootstrap checks (#48975) 2019-11-27 09:40:00 -05:00
glerb d1ed2ae25b [Docs] Correct typo in log file name (#49620) 2019-11-27 14:37:47 +01:00
Dimitrios Liappis 4b6915ea41
Clarify gid used by docker image process and bind-mount method (#49632)
Fix reference about the uid:gid that Elasticsearch runs as inside
the Docker container and add a packaging test to ensure that bind
mounting a data dir with a random uid and gid:0 works as
expected.

Backport of #49529
Closes #47929
2019-11-27 13:42:54 +02:00
Rory Hunter e84e21174b
Support `_FILE` suffixed env vars in Docker entrypoint (#49182)
Backport of #47573.

Closes #43603. Allow environment variables to be passed to ES in a Docker
container via a file, by setting an environment variable with the `_FILE`
suffix that points to the file with the intended value of the env var.
2019-11-18 08:22:35 +00:00
István Zoltán Szabó b55022b59f [DOCS] Adds test clause to the code snippets in the cluster restart page (#49023) 2019-11-13 14:36:44 +01:00
István Zoltán Szabó fc145575c4 [DOCS] Creates a cluster restart documentation page (#48583)
Co-Authored-By: James Rodewig <james.rodewig@elastic.co>
2019-11-12 14:50:53 +01:00
Arne Welzel f642baa9fb [DOCS] Remove extra "when" (#48926) 2019-11-11 10:11:02 +01:00
debadair b9f4b32892 [DOCS] Fix cross-doc link. (#48783)
* [DOCS] Fix cross-doc link.

* Fixed xref
2019-10-31 18:59:17 -07:00
debadair 457379e74e [DOCS] Edited Docker install & tweaked Docker compose file. (#47715)
* [DOCS] Edited Docker install & tweaked Docker compose file.

* Synced with Docker GS in SO

* Incorporated review comments
2019-10-31 18:12:39 -07:00
David Turner ecb20ebc6c More bootstrap docs tweaks (#47809)
Clarifies not to set `cluster.initial_master_nodes` on nodes that are joining
an existing cluster.

Co-Authored-By: James Rodewig <james.rodewig@elastic.co>
2019-10-10 09:55:30 +01:00
Lisa Cawley 39ef795085
[DOCS] Cleans up links to security content (#47610) (#47703) 2019-10-07 15:23:19 -07:00
Przemyslaw Gomulka 63bb4c91eb
Update deprecation logging doc with logger configuration (#47649) Backport#47508
Explicitly adds a configuration snippet to change logging level
2019-10-07 14:41:22 +02:00
AndyHunt66 4a516f4ae2 [DOCS] Remove duplicated half-sentence from secure settings docs (#47498) 2019-10-03 08:41:06 -04:00
Lisa Cawley 0c3ee0b15c
[DOCS] Moves Watcher content into Elasticsearch book (#47147) (#47255)
Co-Authored-By: James Rodewig <james.rodewig@elastic.co>
2019-09-30 10:18:50 -07:00
James Rodewig f04573f8e8
[DOCS] [5 of 5] Change // TESTRESPONSE comments to [source,console-results] (#46449) (#46459) 2019-09-06 16:09:09 -04:00
Jason Tedor af1516a377
Add docs on upgrading the keystore (#46331)
This commit adds a note to the docs regarding upgrading the keystore.
2019-09-05 14:41:31 -04:00
Lisa Cawley e078d62247 [DOCS] Identify reloadable Azure repository plugin settings (#46358) 2019-09-05 11:25:26 -07:00
James Rodewig 1f36c4e50c
[DOCS] Replace "// CONSOLE" comments with [source,console] (#46159) (#46332) 2019-09-05 10:11:25 -04:00
Przemyslaw Gomulka 9563d65d1e
Improve documentation for X-Opaque-ID (#46167) (#46333)
this field can be present in search slow logs and deprecation logs. The
docs describes how to enable this functionality and what expect in logs.
closes #44851
2019-09-05 08:50:35 +02:00
Lisa Cawley da5618cbf4 [DOCS] Identify reloadable GCS repository plugin settings (#46352) 2019-09-04 16:28:44 -07:00
Lisa Cawley 9faf1d956f [DOCS] Identify reloadable S3 repository plugin settings (#46349) 2019-09-04 14:46:51 -07:00
Lisa Cawley 9f9dbcf4b7 [DOCS] Identify reloadable EC2 Discovery Plugin settings (#46102) 2019-09-04 10:16:55 -07:00
Ryan Ernst e25f1ac8a2 Add package docs for bundled jdk location (#46153)
This commit expands the documented directory layout of the rpm and deb
packages to include the bundled jdk.

closes #45150
2019-08-29 14:14:02 -07:00
Lisa Cawley 899c62ad02 [DOCS] Remove xpack terminology from installation pages (#44973) 2019-07-30 15:29:59 -07:00
David Turner 40d43e3f87 Avoid IP addresses for bootstrapping in setup docs (#43802)
Removes the suggestion to use IP addresses for `cluster.initial_master_nodes`
in the "important settings" discovery docs, leaving only the suggestion to use
node names.

Relates #41179, #41569
2019-07-01 12:39:54 +01:00
Ryan Ernst 7b0a259b2c Clarify unsupported secure settings behavior (#43454)
This commit tweaks the docs for secure settings to ensure the user is
aware adding non secure settings to the keystore will result in
elasticsearch not starting.

fixes #43328

Co-Authored-By: James Rodewig <james.rodewig@elastic.co>
2019-06-20 14:27:27 -07:00
debadair 2319fe74c3 [DOCS] Fixed path to install directory. (#43443) 2019-06-20 10:36:28 -07:00
debadair 7b740b4ea3 [DOCS] Add brew install instructions. Closes #42914 (#42915) 2019-06-20 07:56:49 -07:00
Dimitrios Liappis 00f01aaece Clarify heap setting in Docker docs (#42754)
Add note in the Docker docs that even when container memory is limited,
we still require specifying -Xms/-Xmx using one of the supported
methods.
2019-06-05 09:44:43 +03:00