Don't Use PW in ENV vars and default SSL on #39
Conversation
fxdgear
changed the title
config/apm-server/apm-server.yml
Outdated
| hosts: ['elasticsearch:9200'] | ||
| protocol: "https" | ||
| username: elastic | ||
| # Read PW from auditbeat.keystore |
config/filebeat/filebeat.yml
Outdated
| hosts: ['elasticsearch:9200'] | ||
| protocol: "https" | ||
| username: elastic | ||
| # Read PW from auditbeat.keystore |
There was a problem hiding this comment.
hah yeah it is I'll fix.
| reload.enabled: false | ||
|
|
||
| processors: | ||
| - add_cloud_metadata: |
There was a problem hiding this comment.
Shouldn't this be add_docker_metadata? Here and in the 3 other Beats configs
There was a problem hiding this comment.
Oh? Quite possibly. I just copied out the config from each container as it ran in the master branch.
I wasn’t checking for correctness.
But I suppose this exercise is a good one given that we can now analyze more easily the config for each service.
There was a problem hiding this comment.
Ah, I didn't check that. I've created #40 to keep track of this — no point in adding that to this PR as well.
There was a problem hiding this comment.
This all makes sense to me and looks much cleaner! Loving the direction.
Beyond @jarpy's make on Windows concern, my only real comment is that checking in static public/private keys (even as an example) is a bit of a fishy smell to me. I could see where someone might accidentally run something production-y using those...could we instead generate them as part of the initial setup step?
|
@elasticdog Make is for Linux/Mac people. Windows users can use the multiple -f in docker compose. I’ll upstate to dynamically create keystores and certs. Thanks for the feedback. |
|
There's something nasty happening with file permissions. When I bring up the stack I see this: Same behaviour on Windows and Linux. |
|
I'm in two minds about running Kibana on HTTPS. It means that the first thing a brand new user sees is an error page with the word "unsafe" in it. We know that's just a self-signed cert, but it doesn't give that "it just works" feeling. |
|
@jarpy I'm happy you ran into the permissions issue. I kinda thought it might happen. But wasn't sure. I'll update. thank you |
fxdgear
force-pushed
the
nick/dont_use_pw_in_env
branch
2 times, most recently
from
d0fb0d2
to
1a1f656
Compare
* upgrade docker-compose file version
* upgrade elasticstack TAG
* use secrets instead of PW in ENV vars
* Make it easy to use secrets
* Don't teach people to use passwords in ENV vars
* just as easy to use a docker secret as it is to use a bind mounted volume
* adding setup.yml to create
1. passwords
2. keystores
3. certs
adding health checks
update the readme
turn off ssl for kibana endbpoint to avoid confusion for new users
fxdgear
force-pushed
the
nick/dont_use_pw_in_env
branch
from
eb44d57
to
87ef7dc
Compare
|
@elastic/infra if anyone would like to review this PR I'm happy to answer any questions. i think it's ready to go now for real world use. |
fxdgear
changed the title
Assuming I understand this correctly, can we please not do this. Ping: @elastic/es-security |
|
What are you trying to understand. I'm creating a keystore and then adding the password "changeme" to it. If you're wanting to get away from the password "changeme" I can default it to something else. the other option is I can use an automatically generated password and output it in the setup script after everything is done. Something like: Will that work? EDIT: @tvernum also I realized after re-reading my PR description it needs to be changed to reflect the fact that the keystores (and any senstiive) info is no longer included like I had originally done in this PR. Keystores and certs are now generated using the |
|
@fxdgear Sorry, I had forgotten that stack-docker has historically had a pre-configured password ( 😢 😭 🤢 😡 ) I would truly love if we never shipped anything that had any preconfigured password in it. Even for things that are intended to be examples rather than production ready - users take what we provide as a gold standard and do likewise. If it's possible for the setup process to ask for a password, or generate a password that would be a wonderful step forwards. |
Also updated to echo the pw for the user when the script finishes.
README.md
Outdated
|
|
||
| Point a browser at [`http://localhost:5601`](http://localhost:5601) to see the results. | ||
| > *NOTE*: Elasticsearch is now setup with self-signed certs. | ||
|
|
||
| Log in with `elastic` / `changeme`. |
There was a problem hiding this comment.
This should be updated to explain that the autogenerated password needs to be used if you don't set it yourself.
Makefile
Outdated
| centos:7 "/usr/local/bin/setup-permissions.sh" | ||
|
|
||
| setup_users: | ||
| docker-compose run --no-deps -e ELASTIC_PASSWORD=changeme elasticsearch /usr/local/bin/setup-users.sh |
There was a problem hiding this comment.
This hardcoded password doesn't work anymore here. This will need to use the autogenerted password that you have now added.
Makefile
Outdated
| docker-compose run --no-deps -e ELASTIC_PASSWORD=changeme heartbeat /usr/local/bin/setup-beat.sh heartbeat | ||
|
|
||
| setup_metricbeat: | ||
| docker-compose run --no-deps -e ELASTIC_PASSWORD=changeme metricbeat /usr/local/bin/setup-beat.sh metricbeat |
There was a problem hiding this comment.
I didn't dive into it but when I try to run make setup_metricbeat with the ELASTIC_PASSWORD updated to my autogenerated one I'm getting Read-only file system errors.
chmod: changing permissions of '/usr/share/metricbeat/metricbeat.yml': Read-only file system
|
@Crazybus 💥 thanks for the feedback. I forgot that I modified the Makefile. I'm gonna set that back to it's normal thing cause I put all the setup in a docker container. There's no need to use the make file anymore as a general user. |
update docs on readme for how to use and get the elastic password
|
@jarpy @tvernum @xeraa @Crazybus You all have commented on this PR at some point. I'd like to invite you to review it again. I feel like I've addressed everyones comments and concerns, and would like to get this "done" with so it's not something I have lingering anymore :) Thanks for all your assistance with this. |
|
I think this breaks on Windows because it depends on the Docker Unix socket. |
|
@jarpy ahh thanks for this. you have to specify some env vars for a windows user and I forgot to put those in the read me. I'll add thanks. :) |
Makefile
Outdated
| @@ -28,3 +28,4 @@ $(TARGETS:%=%-checkout): | |||
|
|
|||
| $(TARGETS:%=%-clean): | |||
| rm -rf stack/$(@:%-clean=%) | |||
There was a problem hiding this comment.
Can we make sure make clean also removes the keystores? Took me a while to figure out why this was causing me problems when trying to spin up a fresh cluster after doing a make clean and a delete all my docker data with fire
* remove keystores * do proper docker-compose down * remove volumes and networks make it fresh
|
@Crazybus I made the makefile a bit more exhaustive wrt to the thank you for taking the time to review! |
|
Thanks, @fxdgear. Still not behaving itself on my Windows machine, I'm afraid. |
scripts/setup.sh
Outdated
| @@ -4,6 +4,9 @@ chown 1000 -R "$confdir" | |||
| find "$confdir" -type f -name "*.keystore" -exec chmod go-wrx {} \; | |||
| find "$confdir" -type f -name "*.yml" -exec chmod go-wrx {} \; | |||
|
|
|||
| PW=$(date +%s | sha256sum | base64 | head -c 16 ;) | |||
There was a problem hiding this comment.
We shouldn't do this to generate the password, it will be predictable. Better to grab some data from /dev/urandom or use openssl
|
Possible error conditions I've found: On second attempts to
|
|
@jordansissel if you have Thank you so much for all your help on windows testing! |
README.md
Outdated
| * `PWD=/path/to/checkout/for/stack-docker` | ||
| * for example I use the path: `/c/Users/nick/elastic/stack-docker` | ||
| * You can set these two ways: | ||
| 1. in powershell use: `$Env:COMPOSE_CONVERT_WINDOWS_PATHS=1` |
There was a problem hiding this comment.
This will only set the variable for the current PowerShell session, which may be OK for this?
The equivalent of option 2. would be
[Environment]::SetEnvironmentVariable("COMPOSE_CONVERT_WINDOWS_PATHS", "1", "Machine")As per number 2, you'd need to start a new session after this, for the change to be picked up (or refresh the environment from the registry).
There was a problem hiding this comment.
@russcam thanks! I had no idea you could do that! ;)
Possible fixes: Use curl's `-u` flag for user:pass, or use hex instead of base64 for `openssl rand`. I chose `curl -u` The bug is that base64 includes `/`, so the `openssl rand -base64 16` password could contain a `/` and make curl think that the username is really the hostname: ``` curl 'https://elastic:nfAvKVigT7Bd7R60/o+1OQ==@elasticsearch:9200/' curl: (6) Could not resolve host: elastic; Unknown error ``` The bug manifests as setup_logstash and setup_kibana getting stuck waiting for Elasticsearch to be online, but never succeeds because the curl invocation is wonky.
|
Tested latest commit, and it works for me (Tested on Windows 10 / powershell). |
|
@Crazybus can you please review again. I hope I've addressed all your changes. |
There was a problem hiding this comment.
LGTM! All is working well now when I blindly follow the readme 👍
As we discussed filebeat currently doesn't have any incoming data. An idea would be to mount the docker socket into the container and show the docker logs inside of this demo. However this is out of scope for this PR.
|
The PowerShell environment variable change looks good @fxdgear 👍 |
New Description to account for changes in direction during the life of this PR and feedback received.
ELASTIC_PASSWORDif one is not provided by the user at script execution time.configdirectory and no longer are configs managed via env vars.