Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[node] Enable openssl legacy provider #163190

Merged
merged 10 commits into from
Aug 30, 2023

Conversation

jbudz
Copy link
Member

@jbudz jbudz commented Aug 4, 2023

This is to prevent a breaking change in a minor release of Kibana due to an underlying upgrade of Node.js to v18.
The legacy provider can be disabled by removing --openssl-legacy-provider in config/node.options.

Node.js documentation
OpenSSL documentation

@jbudz jbudz added Team:Operations Team label for Operations Team release_note:skip Skip the PR/issue when compiling release notes labels Aug 4, 2023
@watson
Copy link
Contributor

watson commented Aug 7, 2023

  1. Ensure this can be overridden

    I think we need a way for admins to easily undo setting this flag. I'm not sure if there's a better way for admins to set Node.js options in Kibana, but they should be able to use NODE_OPTIONS="--no-openssl-legacy-provider" to undo the effects of us setting this flag in config/node.options (or can they edit the node.options file directly? I can't seem to find any docs on that).

    This can easily be tested using the following snippet, where this will work

    node --openssl-legacy-provider -p 'crypto.createHash("md4")' 

    And this will fail:

    node --openssl-legacy-provider --no-openssl-legacy-provider -p 'crypto.createHash("md4")' 

    So as long as setting --no-openssl-legacy-provider after --openssl-legacy-provider, it will have effect.

  2. Document how to override

    We also need to document how to override this default config where it's also explained why it's enabled by default.

  3. Log when set

    Finally, we should log something when --openssl-legacy-provider is set saying something along the lines of:

    Kibana is currently running with legacy OpenSSL providers enabled! For details on how to disable, see https://...

@jbudz jbudz force-pushed the node-openssl-legacy-provider branch from ee1ff44 to 8ef4d5f Compare August 24, 2023 19:44
@jbudz jbudz marked this pull request as ready for review August 28, 2023 19:00
@jbudz jbudz requested review from a team as code owners August 28, 2023 19:00
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-operations (Team:Operations)

var openSSLLegacyProviderEnabled = require('./openssl_legacy_provider_enabled')();

if (openSSLLegacyProviderEnabled) {
console.log(
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@elastic/kibana-core any thoughts on where I can put this check to hook into the core logger? This is currently pre-startup, where we have similar node checks such as validating node.js's version, not running as root etc.

The difference is this doesn't need to prevent startup, and the default experience with this log looks out of place.

@jbudz jbudz added ci:build-all-platforms ci:cloud-deploy Create or update a Cloud deployment labels Aug 29, 2023
This is to prevent a breaking change in a minor release of Kibana.  The
legacy provider can be disabled by removing `--openssl-legacy-provider`
in `config/node.options`.

[Node.js documentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)
[OpenSSL documentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)
@jbudz jbudz force-pushed the node-openssl-legacy-provider branch from ecbed14 to e6de936 Compare August 29, 2023 17:22
@jbudz
Copy link
Member Author

jbudz commented Aug 29, 2023

Sorry about the force push, there's no changes since the recent reviews. I squashed the commits to get started on the 7.17 backport in parallel.

@watson when you can a chance can you take another look?

@kibana-ci
Copy link
Collaborator

kibana-ci commented Aug 30, 2023

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jbudz jbudz enabled auto-merge (squash) August 30, 2023 18:50
@jbudz jbudz merged commit aebd6f3 into elastic:main Aug 30, 2023
@jbudz jbudz added the auto-backport Deprecated - use backport:version if exact versions are needed label Aug 30, 2023
kibanamachine pushed a commit that referenced this pull request Aug 30, 2023
This is to prevent a breaking change in a minor release of Kibana due to
an underlying upgrade of Node.js to v18.
The legacy provider can be disabled by removing
`--openssl-legacy-provider` in `config/node.options`.

[Node.js
documentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)
[OpenSSL
documentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)

---------

Co-authored-by: Thomas Watson <[email protected]>
(cherry picked from commit aebd6f3)
@kibanamachine
Copy link
Contributor

💔 Some backports could not be created

Status Branch Result
8.10
7.17 Backport failed because of merge conflicts

You might need to backport the following PRs to 7.17:
- [ci] Verify docker contexts (#122897)

Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport

To create the backport manually run:

node scripts/backport --pr 163190

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Aug 30, 2023
This is to prevent a breaking change in a minor release of Kibana due to
an underlying upgrade of Node.js to v18.
The legacy provider can be disabled by removing
`--openssl-legacy-provider` in `config/node.options`.

[Node.js
documentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)
[OpenSSL
documentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)

---------

Co-authored-by: Thomas Watson <[email protected]>
(cherry picked from commit aebd6f3)
@kibanamachine

This comment was marked as duplicate.

jbudz added a commit to jbudz/kibana that referenced this pull request Aug 30, 2023
This is to prevent a breaking change in a minor release of Kibana due to
an underlying upgrade of Node.js to v18.
The legacy provider can be disabled by removing
`--openssl-legacy-provider` in `config/node.options`.

[Node.js
documentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)
[OpenSSL
documentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)

---------

Co-authored-by: Thomas Watson <[email protected]>
jbudz added a commit that referenced this pull request Aug 30, 2023
kibanamachine added a commit that referenced this pull request Aug 30, 2023
# Backport

This will backport the following commits from `main` to `8.10`:
- [[node] Enable openssl legacy provider
(#163190)](#163190)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT
[{"author":{"name":"Jon","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-08-30T18:51:10Z","message":"[node]
Enable openssl legacy provider (#163190)\n\nThis is to prevent a
breaking change in a minor release of Kibana due to\r\nan underlying
upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by
removing\r\n`--openssl-legacy-provider` in
`config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by:
Thomas Watson
<[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca","branchLabelMapping":{"^v8.11.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Operations","release_note:skip","auto-backport","ci:build-all-platforms","ci:cloud-deploy","v8.10.0","v7.17.13","v8.11.0"],"number":163190,"url":"https://github.com/elastic/kibana/pull/163190","mergeCommit":{"message":"[node]
Enable openssl legacy provider (#163190)\n\nThis is to prevent a
breaking change in a minor release of Kibana due to\r\nan underlying
upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by
removing\r\n`--openssl-legacy-provider` in
`config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by:
Thomas Watson
<[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca"}},"sourceBranch":"main","suggestedTargetBranches":["8.10","7.17"],"targetPullRequestStates":[{"branch":"8.10","label":"v8.10.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"7.17","label":"v7.17.13","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.11.0","labelRegex":"^v8.11.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/163190","number":163190,"mergeCommit":{"message":"[node]
Enable openssl legacy provider (#163190)\n\nThis is to prevent a
breaking change in a minor release of Kibana due to\r\nan underlying
upgrade of Node.js to v18.\r\nThe legacy provider can be disabled by
removing\r\n`--openssl-legacy-provider` in
`config/node.options`.\r\n\r\n[Node.js\r\ndocumentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)\r\n[OpenSSL\r\ndocumentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)\r\n\r\n---------\r\n\r\nCo-authored-by:
Thomas Watson
<[email protected]>","sha":"aebd6f392384b4e36241f1a1ad5f3c615b42bcca"}}]}]
BACKPORT-->

---------

Co-authored-by: Jon <[email protected]>
eokoneyo pushed a commit to eokoneyo/kibana that referenced this pull request Aug 31, 2023
This is to prevent a breaking change in a minor release of Kibana due to
an underlying upgrade of Node.js to v18.
The legacy provider can be disabled by removing
`--openssl-legacy-provider` in `config/node.options`.

[Node.js
documentation](https://nodejs.org/docs/latest-v18.x/api/cli.html#--openssl-legacy-provider)
[OpenSSL
documentation](https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html)

---------

Co-authored-by: Thomas Watson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auto-backport Deprecated - use backport:version if exact versions are needed ci:build-all-platforms ci:cloud-deploy Create or update a Cloud deployment release_note:skip Skip the PR/issue when compiling release notes Team:Operations Team label for Operations Team v7.17.13 v8.10.0 v8.11.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants