[deb/rpm] Create keystore after installation #76465

Merged
merged 15 commits into from
Nov 17, 2020

@jbudz (Member) commented Sep 2, 2020

Create keystore during package installation

A common source of permission errors stems from creating files after
package installation under a user that runtime kibana won't be able to
read or write to. Under package installations this is usually root.

This PR contains two changes:

  1. Create the keystore during deb/rpm installation with permissions
    consistent with other stack products
  2. Limit the force-root flag to the server CLI. The force-root flag is
    a good precaution for long running and global processes, but for local
    writes we can pre-enforce this by setting install permissions.

Closes #77392
Closes #75448

@jbudz jbudz requested a review from a team as a code owner September 2, 2020 00:36
@elasticmachine (Contributor)

Pinging @elastic/kibana-operations (Team:Operations)

@jbudz (Member Author) commented Sep 17, 2020

@elasticmachine merge upstream

@jbudz (Member Author) commented Sep 29, 2020

Adding a build here in ~90, just going down the whole list.

@tylersmalley (Contributor)

You will want to merge these changes in: #79409

@tylersmalley (Contributor)

#79409 has been merged and the conflicts need to be resolved.

jbudz added 2 commits October 26, 2020 06:41

@jbudz jbudz changed the title [deb/rpm] create keystore after installation [deb/rpm] Create keystore after installation Nov 2, 2020
@jbudz (Member Author) commented Nov 2, 2020

https://s3-us-west-1.amazonaws.com/kibana.budzenski.com/76465/290aa61/kibana-8.0.0-SNAPSHOT-amd64.deb
https://s3-us-west-1.amazonaws.com/kibana.budzenski.com/76465/290aa61/kibana-8.0.0-SNAPSHOT-x86_64.rpm

jon@debd1:~/kibana$ sudo ls -lah /etc/kibana
total 28K
drwxr-s---   2 root kibana 4.0K Nov  2 15:16 .
drwxr-xr-x 100 root root   4.0K Nov  2 15:08 ..
-rw-rw----   1 root kibana  130 Nov  2 15:08 kibana.keystore
-rw-r--r--   1 root kibana   62 Nov  2 15:08 .kibana.keystore.initial_md5sum
-rw-rw----   1 root kibana 4.8K Nov  2 15:16 kibana.yml
-rw-rw-r--   1 root kibana  216 Nov  2 14:59 node.options
jon@debd1:~/kibana$ sudo /usr/share/kibana/bin/kibana-keystore add foo.bar
Enter value for foo.bar: ***
jon@debd1:~/kibana$ sudo service kibana start
jon@debd1:~/kibana$ sudo service kibana status
● kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2020-11-02 15:28:16 UTC; 24s ago
       Docs: https://www.elastic.co
    Process: 7718 ExecStart=/usr/share/kibana/bin/kibana --logging.dest=/var/log/kibana/kibana.log (code>
   Main PID: 7718 (code=exited, status=64)

Nov 02 15:28:16 debd1 systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
Nov 02 15:28:16 debd1 systemd[1]: Stopped Kibana.
Nov 02 15:28:16 debd1 systemd[1]: kibana.service: Start request repeated too quickly.
Nov 02 15:28:16 debd1 systemd[1]: kibana.service: Failed with result 'exit-code'.
Nov 02 15:28:16 debd1 systemd[1]: Failed to start Kibana.
jon@debd1:~/kibana$ sudo /usr/share/kibana/bin/kibana-keystore remove foo.bar
jon@debd1:~/kibana$ sudo service kibana start
jon@debd1:~/kibana$ sudo service kibana status
● kibana.service - Kibana
     Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
     Active: active (running) since Mon 2020-11-02 15:29:30 UTC; 3s ago
       Docs: https://www.elastic.co
   Main PID: 7773 (node)
      Tasks: 11 (limit: 9334)
     Memory: 148.1M
     CGroup: /system.slice/kibana.service
             └─7773 /usr/share/kibana/bin/../node/bin/node /usr/share/kibana/bin/../src/cli/dist --loggi>

Nov 02 15:29:30 debd1 systemd[1]: Started Kibana.
jon@debd1:~/kibana$ curl -XGET localhost:5601/api/status
Kibana server is not ready yet

@jbudz jbudz added the review label Nov 2, 2020

@@ -17,5 +17,5 @@
* under the License.
*/

require('../setup_node_env');
require('../setup_node_env/cli');
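
Review bot: the `require('../setup_node_env/cli')` line at the end of this hunk carries no comment saying how that entry differs from `../setup_node_env` (the +/- markers are not shown in this rendering, so the two require lines appear side by side). The PR description says the force-root check is now limited to the server CLI; a one-line comment above the require stating that this script deliberately uses an entry without that check, and relies on install-time permissions instead, would keep a later cleanup from switching it back. It is also worth confirming that the rest of the node environment setup is still applied through the new path.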
Contributor

Can we drop the new cli and instead require no_transpilation?

Member Author

Pushed with 7bcf044

@tylersmalley (Contributor) left a comment

Possible suggestion on dropping requirement of new cli file.


@kibanamachine (Contributor)

💚 Build Succeeded

Metrics [docs]

✅ unchanged


@tylersmalley (Contributor) left a comment

LGTM - tested both deb and rpm.

@jbudz jbudz merged commit b328492 into elastic:master Nov 17, 2020
@jbudz jbudz deleted the keystore/create branch November 17, 2020 20:14
@jbudz (Member Author) commented Nov 17, 2020

7.x/7.11: dd9434a

jbudz added a commit that referenced this pull request Dec 2, 2020
russcam added a commit to elastic/azure-marketplace that referenced this pull request Feb 11, 2021
russcam added a commit to elastic/azure-marketplace that referenced this pull request Feb 24, 2021
This commit updates the versions of the Elastic Stack that the template deploys.

- Add 7.11.1
- Update 7.10 version to 7.10.2
- Remove EOL versions, 7.2.1 and 7.3.2

- Don't use --allow root for 7.11

  Relates: elastic/kibana#76465

Successfully merging this pull request may close these issues.

- Unable to create keystore
- [build] Create kibana.keystore in post install and set permissions