Closed jnioche closed 2 years ago
I hit the same issue. After some digging I noticed that the plugins.security.ssl.* settings come from opensearch/tasks/security.yml. It only adds the snippet if the local /tmp/opensearch-nodecerts changes. But if there is a change to opensearch.yml in future runs, it will strip out that snippet.
@saravanan30erd anything we can do to help improve this? Thanks.
@peterzhuamazon we need to support the script for safe re-run, will work on this.
Thanks. In the meantime, is there a way to circumvent the issue? e.g. something I can do on the target servers to fully reinstall from scratch?
Hello, is there currently any workaround for this?
@gadgetmerc @jnioche Actually, when we created this script, it was focused only on first-time installation, because RPM/deb packages were not available at that time, so the upgrade process is not straightforward. We will work on a proper upgrade process soon.
For now, I created a quick workaround for this issue. The opensearch.yml config file is completely overwritten on re-run, which is causing this issue. Instead of copying the whole file, I am now verifying and copying only the content (lines), so it will not overwrite the whole file on the next run.
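As an added example, not the playbook's code or the maintainer's actual change: a shell comparison of a whole-file copy with a line-level merge of opensearch.yml, plus a check for the transport TLS settings named in the error. The function names, file names and sample contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: not the playbook's code. File names and contents are constructed.

# Append each non-empty template line that the target lacks, rather than
# replacing the target wholesale (which would drop the security snippet).
merge_lines() {
    template=$1 target=$2
    touch "$target"
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        grep -qxF -e "$line" "$target" || printf '%s\n' "$line" >> "$target"
    done < "$template"
}

# Succeed if the file sets a transport keystore or PEM certificate path.
# Approximates the startup check by matching the setting names it reports,
# plus plugins.security.ssl.transport.pemcert_filepath.
has_transport_tls() {
    grep -Eq '^[[:space:]]*plugins\.security\.ssl\.transport\.((server\.|client\.)?pemcert_filepath|keystore_filepath)[[:space:]]*:' "$1"
}

# Build a constructed base template and an installed config with the snippet.
make_sample() {
    dir=$1
    printf '%s\n' 'cluster.name: demo' 'network.host: 0.0.0.0' \
        'http.port: 9200' > "$dir/template.yml"
    printf '%s\n' 'cluster.name: demo' 'network.host: 0.0.0.0' \
        'plugins.security.ssl.transport.pemcert_filepath: node1.pem' \
        'plugins.security.ssl.transport.pemkey_filepath: node1.key' \
        > "$dir/opensearch.yml"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    cp "$d/opensearch.yml" "$d/overwritten.yml"
    cp "$d/template.yml" "$d/overwritten.yml"          # whole-file copy on re-run
    merge_lines "$d/template.yml" "$d/opensearch.yml"  # line-level merge
    has_transport_tls "$d/overwritten.yml" && echo "overwrite: TLS kept" || echo "overwrite: TLS settings lost"
    has_transport_tls "$d/opensearch.yml" && echo "merge: TLS kept" || echo "merge: TLS settings lost"
    rm -rf "$d"
}
demo
```

A line-level merge cannot update a key whose value changed in the template; it appends a second line for that key, so changed values need separate handling.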
I'm still getting the same error @jnioche, problem is not solved.
```
Caused by: org.opensearch.OpenSearchException: plugins.security.ssl.transport.keystore_filepath or plugins.security.ssl.transport.server.pemcert_filepath and plugins.security.ssl.transport.client.pemcert_filepath must be set if transport ssl is requested.
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initTransportSSLConfig(DefaultSecurityKeyStore.java:487) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.initSSLConfig(DefaultSecurityKeyStore.java:298) ~[?:?]
at org.opensearch.security.ssl.DefaultSecurityKeyStore.<init>(DefaultSecurityKeyStore.java:204) ~[?:?]
at org.opensearch.security.ssl.OpenSearchSecuritySSLPlugin.<init>(OpenSearchSecuritySSLPlugin.java:256) ~[?:?]
at org.opensearch.security.OpenSearchSecurityPlugin.<init>(OpenSearchSecurityPlugin.java:308) ~[?:?]
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502) ~[?:?]
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486) ~[?:?]
at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:794) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:743) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:544) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:196) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.node.Node.<init>(Node.java:493) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.node.Node.<init>(Node.java:420) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.14.0.jar:2.14.0]
at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:181) ~[opensearch-2.14.0.jar:2.14.0]
```
@demanuPL Just delete /tmp/opensearch-nodecerts folder and retry again.
I followed the steps in the README.
The playbook fails on
TASK [linux/opensearch : Wait for opensearch to startup]
When inspecting one of the servers, I find that Opensearch is not running. Its logs end in
Looking at the documentation for TLS, I can't see any reference to plugins.security.ssl.transport.client.pemcert_filepath nor plugins.security.ssl.transport.server.pemcert_filepath.
The config dir contains a number of .key and .pem files.
The opensearch.yml file contains
If I add
to the config file and restart Opensearch with `systemctl restart opensearch`, it goes past the error.
Shouldn't the configuration have been created correctly by the playbook?
Thanks