-
Notifications
You must be signed in to change notification settings - Fork 454
Don't Use PW in ENV vars and default SSL on #39
Conversation
config/apm-server/apm-server.yml
Outdated
hosts: ['elasticsearch:9200'] | ||
protocol: "https" | ||
username: elastic | ||
# Read PW from auditbeat.keystore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: apm.keystore
config/filebeat/filebeat.yml
Outdated
hosts: ['elasticsearch:9200'] | ||
protocol: "https" | ||
username: elastic | ||
# Read PW from auditbeat.keystore |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, this must be a copy paste issue :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hah yeah it is I'll fix.
reload.enabled: false | ||
|
||
processors: | ||
- add_cloud_metadata: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be add_docker_metadata
? Here and in the 3 other Beats configs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh? Quite possibly. I just copied out the config from each container as it ran in the master
branch.
I wasn’t checking for correctness.
But I suppose this exercise is a good one given that we can now analyze more easily the config for each service.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I didn't check that. I've created #40 to keep track of this — no point in adding that to this PR as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This all makes sense to me and looks much cleaner! Loving the direction.
Beyond @jarpy's make
on Windows concern, my only real comment is that checking in static public/private keys (even as an example) is a bit of a fishy smell to me. I could see where someone might accidentally run something production-y using those...could we instead generate them as part of the initial setup step?
@elasticdog Make is for Linux/Mac people. Windows users can use the multiple -f in docker compose. I’ll upstate to dynamically create keystores and certs. Thanks for the feedback. |
There's something nasty happening with file permissions. When I bring up the stack I see this:
Same behaviour on Windows and Linux. |
I'm in two minds about running Kibana on HTTPS. It means that the first thing a brand new user sees is an error page with the word "unsafe" in it. We know that's just a self-signed cert, but it doesn't give that "it just works" feeling. |
@jarpy I'm happy you ran into the permissions issue. I kinda thought it might happen. But wasn't sure. I'll update. thank you |
d0fb0d2
to
1a1f656
Compare
* upgrade docker-compose file version * upgrade elasticstack TAG * use secrets instead of PW in ENV vars * Make it easy to use secrets * Don't teach people to use passwords in ENV vars * just as easy to use a docker secret as it is to use a bind mounted volume * adding setup.yml to create 1. passwords 2. keystores 3. certs adding health checks update the readme turn off ssl for kibana endbpoint to avoid confusion for new users
eb44d57
to
87ef7dc
Compare
@elastic/infra if anyone would like to review this PR I'm happy to answer any questions. i think it's ready to go now for real world use. |
Assuming I understand this correctly, can we please not do this. Ping: @elastic/es-security |
What are you trying to understand. I'm creating a keystore and then adding the password "changeme" to it. If you're wanting to get away from the password "changeme" I can default it to something else. the other option is I can use an automatically generated password and output it in the setup script after everything is done. Something like:
Will that work? EDIT: @tvernum also I realized after re-reading my PR description it needs to be changed to reflect the fact that the keystores (and any senstiive) info is no longer included like I had originally done in this PR. Keystores and certs are now generated using the |
@fxdgear Sorry, I had forgotten that stack-docker has historically had a pre-configured password ( 😢 😭 🤢 😡 ) I would truly love if we never shipped anything that had any preconfigured password in it. Even for things that are intended to be examples rather than production ready - users take what we provide as a gold standard and do likewise. If it's possible for the setup process to ask for a password, or generate a password that would be a wonderful step forwards. |
Also updated to echo the pw for the user when the script finishes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to run stack-docker blindly following the projects readme (as I would expect our users to do). I ran into a couple of issues which can be quickly fixed up.
README.md
Outdated
|
||
Point a browser at [`http://localhost:5601`](http://localhost:5601) to see the results. | ||
> *NOTE*: Elasticsearch is now setup with self-signed certs. | ||
|
||
Log in with `elastic` / `changeme`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be updated to explain that the autogenerated password needs to be used if you don't set it yourself.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 thanks will do.
Makefile
Outdated
centos:7 "/usr/local/bin/setup-permissions.sh" | ||
|
||
setup_users: | ||
docker-compose run --no-deps -e ELASTIC_PASSWORD=changeme elasticsearch /usr/local/bin/setup-users.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This hardcoded password doesn't work anymore here. This will need to use the autogenerted password that you have now added.
Makefile
Outdated
docker-compose run --no-deps -e ELASTIC_PASSWORD=changeme heartbeat /usr/local/bin/setup-beat.sh heartbeat | ||
|
||
setup_metricbeat: | ||
docker-compose run --no-deps -e ELASTIC_PASSWORD=changeme metricbeat /usr/local/bin/setup-beat.sh metricbeat |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't dive into it but when I try to run make setup_metricbeat
with the ELASTIC_PASSWORD
updated to my autogenerated one I'm getting Read-only file system errors.
chmod: changing permissions of '/usr/share/metricbeat/metricbeat.yml': Read-only file system
@Crazybus 💥 thanks for the feedback. I forgot that I modified the Makefile. I'm gonna set that back to it's normal thing cause I put all the setup in a docker container. There's no need to use the make file anymore as a general user. |
update docs on readme for how to use and get the elastic password
@jarpy @tvernum @xeraa @Crazybus You all have commented on this PR at some point. I'd like to invite you to review it again. I feel like I've addressed everyones comments and concerns, and would like to get this "done" with so it's not something I have lingering anymore :) Thanks for all your assistance with this. |
I think this breaks on Windows because it depends on the Docker Unix socket.
|
@jarpy ahh thanks for this. you have to specify some env vars for a windows user and I forgot to put those in the read me. I'll add thanks. :) |
Makefile
Outdated
@@ -28,3 +28,4 @@ $(TARGETS:%=%-checkout): | |||
|
|||
$(TARGETS:%=%-clean): | |||
rm -rf stack/$(@:%-clean=%) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we make sure make clean
also removes the keystores? Took me a while to figure out why this was causing me problems when trying to spin up a fresh cluster after doing a make clean
and a delete all my docker data with fire
* remove keystores * do proper docker-compose down * remove volumes and networks make it fresh
@Crazybus I made the makefile a bit more exhaustive wrt to the thank you for taking the time to review! |
Thanks, @fxdgear. Still not behaving itself on my Windows machine, I'm afraid.
|
scripts/setup.sh
Outdated
@@ -4,6 +4,9 @@ chown 1000 -R "$confdir" | |||
find "$confdir" -type f -name "*.keystore" -exec chmod go-wrx {} \; | |||
find "$confdir" -type f -name "*.yml" -exec chmod go-wrx {} \; | |||
|
|||
PW=$(date +%s | sha256sum | base64 | head -c 16 ;) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We shouldn't do this to generate the password, it will be predictable. Better to grab some data from /dev/urandom or use openssl
Possible error conditions I've found: On second attempts to
|
@jordansissel if you have Thank you so much for all your help on windows testing! |
README.md
Outdated
* `PWD=/path/to/checkout/for/stack-docker` | ||
* for example I use the path: `/c/Users/nick/elastic/stack-docker` | ||
* You can set these two ways: | ||
1. in powershell use: `$Env:COMPOSE_CONVERT_WINDOWS_PATHS=1` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will only set the variable for the current PowerShell session, which may be OK for this?
The equivalent of option 2. would be
[Environment]::SetEnvironmentVariable("COMPOSE_CONVERT_WINDOWS_PATHS", "1", "Machine")
As per number 2, you'd need to start a new session after this, for the change to be picked up (or refresh the environment from the registry).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@russcam thanks! I had no idea you could do that! ;)
Possible fixes: Use curl's `-u` flag for user:pass, or use hex instead of base64 for `openssl rand`. I chose `curl -u` The bug is that base64 includes `/`, so the `openssl rand -base64 16` password could contain a `/` and make curl think that the username is really the hostname: ``` curl 'https://elastic:nfAvKVigT7Bd7R60/o+1OQ==@elasticsearch:9200/' curl: (6) Could not resolve host: elastic; Unknown error ``` The bug manifests as setup_logstash and setup_kibana getting stuck waiting for Elasticsearch to be online, but never succeeds because the curl invocation is wonky.
Tested latest commit, and it works for me (Tested on Windows 10 / powershell). |
@Crazybus can you please review again. I hope I've addressed all your changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! All is working well now when I blindly follow the readme 👍
As we discussed filebeat currently doesn't have any incoming data. An idea would be to mount the docker socket into the container and show the docker logs inside of this demo. However this is out of scope for this PR.
The PowerShell environment variable change looks good @fxdgear 👍 |
New Description to account for changes in direction during the life of this PR and feedback received.
ELASTIC_PASSWORD
if one is not provided by the user at script execution time.config
directory and no longer are configs managed via env vars.