search

bitnami / charts

Bitnami Helm Charts
https://bitnami.com
Other
8.81k stars 9.1k forks source link

--set plugins WARNING: plugin requires additional permissions #27962

Open yaodwwy opened 1 month ago

yaodwwy commented 1 month ago

Name and Version

bitnami/elasticsearch --version 20.0.0

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. helm ... bitnami/elasticsearch --version 20.0.0
  2. config: --set plugins: https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
  3. The following is the error message: 
    ==> Installing plugin: https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
warning: ignoring JAVA_HOME=/opt/bitnami/java; using ES_JAVA_HOME
-> Installing https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
-> Downloading https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
Retrieving zip from https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
- Plugin information:
Name: analysis-ik
Description: IK Analyzer for Elasticsearch
Version: 8.12.2
Elasticsearch Version: 8.12.2
Java Version: 1.8
Native Controller: false
Licensed: false
Extended Plugins: []
* Classname: org.elasticsearch.plugin.analysis.ik.AnalysisIkPlugin
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.net.SocketPermission * connect,resolve
See https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Failed installing https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
-> Rolling back https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
-> Rolled back https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip
Exception in thread "main" java.nio.file.FileSystemException: /opt/bitnami/elasticsearch/config/analysis-ik: Operation not permitted
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwners(UnixFileAttributeViews.java:291)
at java.base/sun.nio.fs.UnixFileAttributeViews$Posix.setOwner(UnixFileAttributeViews.java:313)
at org.elasticsearch.plugins.cli.InstallPluginAction.setOwnerGroup(InstallPluginAction.java:1077)
at org.elasticsearch.plugins.cli.InstallPluginAction.installConfig(InstallPluginAction.java:1051)
at org.elasticsearch.plugins.cli.InstallPluginAction.installPluginSupportFiles(InstallPluginAction.java:974)
at org.elasticsearch.plugins.cli.InstallPluginAction.installPlugin(InstallPluginAction.java:943)
at org.elasticsearch.plugins.cli.InstallPluginAction.execute(InstallPluginAction.java:254)
at org.elasticsearch.plugins.cli.InstallPluginCommand.execute(InstallPluginCommand.java:89)
at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.Command.main(Command.java:50)
at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

    Are you using any custom parameters or values?

    --set plugins: https://github.com/infinilabs/analysis-ik/releases/download/v8.12.2/elasticsearch-analysis-ik-8.12.2.zip

    What is the expected behavior?

I wanna install Plugins when pods started.

rafariossaa commented 1 month ago

You could you try by disabling containerSecurityContext ? (eg. --set master.containerSecurityContext.enabled=false ) Some plugins does some changes in the ownership/permissions of the directories.

yaodwwy commented 1 month ago

You could you try by disabling containerSecurityContext ? (eg. --set master.containerSecurityContext.enabled=false ) Some plugins does some changes in the ownership/permissions of the directories.

No effect. Can Elasticsearch cluster Parameters initScripts use to install plugins ?

dgomezleon commented 1 month ago

Hi @yaodwwy ,

The Elasticsearch container, for security reasons, is executed as a non-root container and, therefore, the user (UID 1001 by default) doesn't have permissions to install new plugins.

We recommend you to extend the Bitnami Elasticsearch container image adding your custom plugins as it's explained in the link below:

https://github.com/bitnami/containers/tree/main/bitnami/elasticsearch#adding-plugins-at-build-time-persisting-plugins ... Then, you can install the Bitnami Elasticsearch chart using your custom image.

I hope it helps

yaodwwy commented 3 weeks ago

Hi @yaodwwy ,

The Elasticsearch container, for security reasons, is executed as a non-root container and, therefore, the user (UID 1001 by default) doesn't have permissions to install new plugins.

We recommend you to extend the Bitnami Elasticsearch container image adding your custom plugins as it's explained in the link below:

https://github.com/bitnami/containers/tree/main/bitnami/elasticsearch#adding-plugins-at-build-time-persisting-plugins ... Then, you can install the Bitnami Elasticsearch chart using your custom image.

I hope it helps

Hi, @dgomezleon

If I set below --set master.containerSecurityContext.enabled=false --set master.containerSecurityContext.runAsUser=0 When I install plugins with

elasticsearch-plugin install -b xxx

how to persistence plugins? It will disappear after restarting.

dgomezleon commented 2 weeks ago

I think you will still find permission issues only with those parameters. Take a look at this previous issue in case it helps: https://github.com/bitnami/charts/issues/25280

github-actions[bot] commented 3 days ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.