Remove demo certificates when DISABLE_INSTALL_DEMO_CONFIG is set to true #240
The demo certificates exist in official OpenSearch container images. Sometimes this may cause issues with starting the OpenSearch service properly. In that case, if the DISABLE_INSTALL_DEMO_CONFIG variable is set to true, the demo certificates will be removed before OpenSearch starts.

Signed-off-by: Daniel Pawlik <[email protected]>
I was trying to find where If yes,
@dblock thanks for the reply.
@dblock not sure that your suggested 1. will work because the demo files are in the image from the beginning and not created by the specified script. At least I tried to replace the script with an empty file as suggested in opendistro-for-elasticsearch/opendistro-build#10 and it didn't change anything. So I gather that the script is not executed/the files are already there. Also the creation timestamps for the demo certificates suggest that they have been created together with the image. Ad 3. demo config will be insecure for production as the certificates are not generated anew but are always the same on all systems, at least that is what I think by looking at the script.
Any news, @dblock?
To me an environment variable should not be permanently disabling (deleting) configuration, especially anything security-related, demo or not, at runtime. If this script runs in a production environment, I don't know much about demo images, or how they are created, but I'll do my best to help. @peterzhuamazon can you point us in the right direction? It looks like the official images ship with a demo security certificate configuration? I like the idea that they would be generated when the container starts the first time. Either way, need something more robust than an environment variable to replace them.
We follow the same practice by running the install demo configuration script, which comes from the security repo. This script will be run whether using the tarball or the Docker images. Also, we change the way this script is run just like @dblock pointed out. If needed we can change this behavior back to this: Let me know what you guys think about it. Thanks.
@peterzhuamazon I think reverting to the previous behaviour will be the only way without larger rework on the container images side. The only downside of this approach is that the changes of this script will go away on container termination unless the whole
Got it. Let me work on it tomorrow. Thanks for the feedback, @nebulon42.
@nebulon42 do you mind closing this PR so I can open a new one with the original behavior?
I think @peterzhuamazon meant to address @danpawlik in the last comment.
Thanks @peterzhuamazon and @nebulon42.
Yes, I apologize. And thanks to both @danpawlik and @nebulon42. Will send the new PR later.
Fixed now: #436
The new Opensearch image should contain patch [1], so the customized version is not needed.

[1] opensearch-project/opensearch-build#240

Change-Id: I7b5092df2b2dc84671b442a73f413c8a44de280f
Description
The demo certificates exist in official OpenSearch container images.
Sometimes this may cause issues with starting the OpenSearch service
properly. In that case, if the DISABLE_INSTALL_DEMO_CONFIG variable is set to
true, the demo certificates will be removed before OpenSearch starts.
Issues Resolved
#254
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.