search

elastic / elasticsearch

Free and Open Source, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch
Other
69.69k stars 24.66k forks source link

Elastic User Password Not Generated on New Container #85047

Open st11x opened 2 years ago

st11x commented 2 years ago

Hi,

This is my docker compose file.

version: '3'
services:
  elastic:
    image: elasticsearch:8.1.0
    ports:
      - 8200:9200
      - 8300:9300

    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - discovery.type=single-node

When I start up the container (docker-compose up -d), it does not generate the elastic user password and it also does not generate the Kibana token.

You can see the error in the log file

Auto-configuration will not generate a password for the elastic built-in superuser, ...

This is very similar to this issue

Adds known issue for aarch64 pwd generation by jkakavas · Pull Request #83654 · elastic/elasticsearch (github.com)

But it is supposed to be fixed and I'm also not on ARM nor M1. I'm running on Ubuntu 20.04 x86_64. This is a Linux VM (virtualbox). No shared mounts from Windows.

Log file from the container

elastic.log.zip

jkakavas commented 2 years ago

The informational message (it's not an error, that's why we print it on INFO level and not on ERROR level) you are getting is: 

"Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot  determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user."`

You are running docker-compose up with -d which means : "Detached mode: Run containers in the background". When containers run in "Detached mode" then there is no terminal attached to the elasticsearch process and we don't proceed to generate and write out the password and enrollment token.

You need to run docker-compose up without -d , or you can use the CLI tools to get the password and kibana enrollment token: 

docker exec -ti elastic_1 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
docker exec -ti elastic_1 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

I'm going to close this issue as this is expected behavior, if you don't mind. If you have further questions around configuration or how to use elasticsearch, you can reach out to our forums in https://discuss.elastic.co

st11x commented 2 years ago

Thank you for the explanation. I did use those scripts to reset the password and create the token. I was going to use the forums but was advised to create a new issue in issue 83654.

The instructions given at https://hub.docker.com/_/elasticsearch gave the example of running the container in detached mode, and did not warn that the password will not be generated. Hence, leading to the misunderstanding.

Thanks

jkakavas commented 2 years ago

Thanks @st11x for bringing this to our attention! We will reach out to folks in hub.docker.com and update the example there so that it won't be confusing for folks any more.

wpm commented 2 years ago

I have the following docker-compose.yml file.

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.4.0
    container_name: es-node01
    ports:
      - "9200:9200"
      - "9300:9300"

  kibana:
    image: docker.elastic.co/kibana/kibana:8.4.0
    container_name: kib-01
    ports:
      - "5601:5601"

When I run docker compose up (without the -d) I get the "Auto-configuration will not generate a password for the elastic built-in superuser..." log message and no security information is generated.

Everything works if I type the docker run commands directly as described in Run Kibana on Docker for development. As far as I can tell, this docker-compose.yml should be doing the same thing as those commands.

jerryjune commented 1 year ago

The informational message (it's not an error, that's why we print it on INFO level and not on ERROR level) you are getting is:

"Auto-configuration will not generate a password for the elastic built-in superuser, as we cannot  determine if there is a terminal attached to the elasticsearch process. You can use the `bin/elasticsearch-reset-password` tool to set the password for the elastic user."`

You are running docker-compose up with -d which means : "Detached mode: Run containers in the background". When containers run in "Detached mode" then there is no terminal attached to the elasticsearch process and we don't proceed to generate and write out the password and enrollment token.

You need to run docker-compose up without -d , or you can use the CLI tools to get the password and kibana enrollment token:

docker exec -ti elastic_1 /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
docker exec -ti elastic_1 /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

I'm going to close this issue as this is expected behavior, if you don't mind. If you have further questions around configuration or how to use elasticsearch, you can reach out to our forums in https://discuss.elastic.co

Even I use docker-compose up without -d, It still reports "Auto-configuration will not generate a password for the elastic built-in superuser..." My version is 8.5.0 es.

markelwin commented 10 months ago

@jkakavas @jerryjune I am attempting to re-open this ticket as I get the same notice without the -d flag. I might also like to add that the solution provided by @jkakavas requires an interactive terminal which is not what will be necessary to start a remote service. I will check back here to see if any updates are provided.

n1v0lg commented 10 months ago

Re-opening this as it reproduces for me on an M1 with docker-compose up.

omid-h70 commented 8 months ago

hi, i have the same problem too, docker-compose up without "-d" is not detected by elastic search container

gochev commented 8 months ago

same issue here with the latest elastic search docker image 8.12.

Basically if you run a container with docker run you will get this section printed

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
  3a9r7wdwOfglJd=ey6qs

ℹ️  HTTP CA certificate SHA-256 fingerprint:
  28f284ed0e0615bba5b121739c6e5391588b4e72e20b2efa806b8fa33c825fe4

ℹ️  Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
  eyJ2ZXIiOiI4LjEyLjAiLCJhZHIiOlsiMTcyLjE3LjAuMjo5MjAwIl0sImZnciI6IjI4ZjI4NGVkMGUwNjE1YmJhNWIxMjE3MzljNmU1MzkxNTg4YjRlNzJlMjBiMmVmYTgwNmI4ZmEzM2M4MjVmZTQiLCJrZXkiOiJISUpaWkkwQndlS2U4VVRVcW0wMTp5M1BET1lUclMtRzVpMTc0TGdYRW1RIn0=

ℹ️ Configure other nodes to join this cluster:
• Copy the following enrollment token and start new Elasticsearch nodes with `bin/elasticsearch --enrollment-token <token>` (valid for the next 30 minutes):
  eyJ2ZXIiOiI4LjEyLjAiLCJhZHIiOlsiMTcyLjE3LjAuMjo5MjAwIl0sImZnciI6IjI4ZjI4NGVkMGUwNjE1YmJhNWIxMjE3MzljNmU1MzkxNTg4YjRlNzJlMjBiMmVmYTgwNmI4ZmEzM2M4MjVmZTQiLCJrZXkiOiJIWUpaWkkwQndlS2U4VVRVcW0wMTp6cUJ1ZmJFR1F3ZTg1NlBNZlRtZ1F3In0=

  If you're running in Docker, copy the enrollment token and run:
  `docker run -e "ENROLLMENT_TOKEN=<token>" docker.elastic.co/elasticsearch/elasticsearch:8.12.0`

However if you run elastic search and THE SAME IMAGE with docker compose up or docker compose -d in both cases the log is only until

VYbA","elasticsearch.node.id":"uNnSJpAgSUGLMsRDOBRnww","elasticsearch.node.name":"elasticsearch","elasticsearch.cluster.name":"docker-cluster"}
{"@timestamp":"2024-02-01T11:14:47.735Z", "log.level": "INFO", "message":"license [5d2fbac1-fd70-4c7d-80a4-8983ed42dfbb] mode [basic] - valid", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"elasticsearch[elasticsearch][clusterApplierService#updateTask][T#1]","log.logger":"org.elasticsearch.license.ClusterStateLicenseService","elasticsearch.cluster.uuid":"qrE8O1JwSQyvaSdd35VYbA","elasticsearch.node.id":"uNnSJpAgSUGLMsRDOBRnww","elasticsearch.node.name":"elasticsearch","elasticsearch.cluster.name":"docker-cluster"}

so the lines with fingerprint and password are missing.

EXPECTED: docker compose up to work the same as docker run ACTUAL: parts in the output are missing when using docker compose

gochev commented 8 months ago

Right now the workaround is super user hostile.

in order to get both password and fingerprint if using docker-compose you have to :

after running lets say that the container is called "elasticsearch"

docker exec -it elasticsearch /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

docker cp elasticsearch:/usr/share/elasticsearch/config/certs/http_ca.crt /tmp/.

openssl x509 -fingerprint -sha256 -noout -in /tmp/http_ca.crt | awk -F"=" {' print $2 '} | sed s/://g