Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not use env variables ending in _FILE with Elasticsearch #2180

Merged
merged 1 commit into from
Nov 27, 2019
Merged

Do not use env variables ending in _FILE with Elasticsearch #2180

merged 1 commit into from
Nov 27, 2019

Conversation

pebrc
Copy link
Collaborator

@pebrc pebrc commented Nov 27, 2019
edited
Loading

*_FILE variables will interpreted as file paths and be read by
Elasticsearch as of v8.0 and are required to have strict read-only permissions.

Fixes #2177 (or rather works around it)

Will raise an issue against the Elasticsearch repo as well because on k8s even when using restricted SecretVolume permissions the file the variable points to is a symlink with 0777 permissions and only the file it is pointing to has the requested restricted permisssions with 0600 or 0400.

[root@cluster1-es-default-0 elasticsearch]# ls -l /mnt/elastic-internal/probe-user/
total 0
lrwxrwxrwx 1 root root 29 Nov 27 15:55 elastic-internal-probe -> ..data/elastic-internal-probe
[root@cluster1-es-default-0 elasticsearch]# ls -l /mnt/elastic-internal/probe-user/..data/elastic-internal-probe 
-rw------- 1 root root 24 Nov 27 15:55 /mnt/elastic-internal/probe-user/..data/elastic-internal-probe

@pebrc
Don't use env variables ending in _FILE with Elasticsearch
f4bed07 
*_FILE variables will interpreted as file paths and be read by
Elasticsearch and have strict permission requirements.
@pebrc pebrc added the >bug Something isn't working label Nov 27, 2019
@sebgl
Copy link
Contributor

sebgl commented Nov 27, 2019

A rolling upgade of all Elasticsearch clusters should be triggered when upgrading ECK to a version including this commit. Which is probably fine.

@pebrc pebrc added the v1.0.0 label Nov 27, 2019
@pebrc pebrc merged commit 37bc26a into elastic:master Nov 27, 2019
@barkbay barkbay mentioned this pull request Dec 3, 2019
Merged
@thbkrkr thbkrkr changed the title Don't use env variables ending in _FILE with Elasticsearch Do not use env variables ending in _FILE with Elasticsearch Jan 9, 2020
@barkbay barkbay mentioned this pull request Feb 26, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebgl sebgl sebgl approved these changes

@thbkrkr thbkrkr thbkrkr approved these changes

Assignees
No one assigned
Labels
>bug Something isn't working v1.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Elasticsearch support for _FILE environment variables breaks ECK readiness proble
3 participants
@pebrc @sebgl @thbkrkr