[BUG][Opensearch] helm upgrade cause all master pods killed almost simultaneously and breaks the cluster #198

Closed
deng47 opened this issue Jan 21, 2022 · 15 comments · May be fixed by deng47/helm-charts#1
Labels
bug Something isn't working

Comments

@deng47

deng47 commented Jan 21, 2022

Describe the bug
How I deployed my OpenSearch cluster: pulled the OpenSearch helm chart to local, and modified the values.yaml, then did helm install <name> -f values.yaml --create-namespace -n <name>

I have 3 master pods in my Opensearch cluster. They are all persistence disabled. I updated the content of opensearch.yml in values.yaml, and did a helm upgrade <name> -f values.yaml --create-namespace -n <name>

Kubernetes recreates all master pods with the new opensearch.yml. It's a rolling upgrade, but a master pod becomes ready in just a few seconds, so actually, Kubernetes kills all old master pods almost simultaneously. Once this happens, the cluster loses all master pods even though kubectl get pods shows all master pods are up and healthy. securityadmin.sh in the master pod hangs on Contacting opensearch cluster 'opensearch' and wait for YELLOW clusterstate ...

I believe the root cause is K8s kills master pods in a short time. I tripled the values of readinessProbe.periodSeconds and readinessProbe.successThreshold in values.yaml, but didn't see k8s wait any extra seconds when it kills pods. I found a new feature minReadySeconds in Kubernetes v1.23 that may solve my problem, however, I have a v1.21 k8s cluster.

To Reproduce
Steps to reproduce the behavior:

  1. update the content of opensearch.yml in values.yaml
  2. do a helm upgrade with the new values.yaml
  3. check if the Opensearch cluster works after the upgrade

Expected behavior
Rolling upgrade should make sure a new master pod is really in a ready state before killing the next pod

Chart Name
Chart: opensearch
cat Chart.yaml
apiVersion: v2
appVersion: 1.2.3
description: A Helm chart for OpenSearch
maintainers:
  - name: DandyDeveloper
  - name: gaiksaya
  - name: peternied
  - name: peterzhuamazon
  - name: TheAlgo
name: opensearch
type: application
version: 1.5.4

Host/Environment (please complete the following information):
kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.6+k3s1", GitCommit:"df033fa248bc2c9f636e4c0ff2b782cb8edbbf10", GitTreeState:"clean", BuildDate:"2021-11-04T00:25:14Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.6+k3s1", GitCommit:"df033fa248bc2c9f636e4c0ff2b782cb8edbbf10", GitTreeState:"clean", BuildDate:"2021-11-04T00:25:14Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}

helm version
version.BuildInfo{Version:"v3.7.1", GitCommit:"1d11fcb5d3f3bf00dbe6fe31b8412839a96b3dc4", GitTreeState:"clean", GoVersion:"go1.16.9"}

deng47 added the bug and untriaged labels Jan 21, 2022
@peterzhuamazon
Member

Hi @deng47 do you have any logs to show whether this is a normal termination of master nodes or some other errors?
@DandyDeveloper @TheAlgo

peterzhuamazon removed the untriaged label Jan 22, 2022
@deng47
Author

deng47 commented Jan 22, 2022

Below are logs from one of my new master pods. I noticed that it complained about opensearch.yml: Permission denied. In my previous post, I suspected the root cause was new master pods didn't really join the cluster because k8s killed old pods too early. But it seems the real cause is Opensearch can't start with an opensearch.yml. I am a beginner of Opensearch, so please correct me if I am wrong. Can the opensearch.yml be updated in a running Opensearch cluster? Thank you

Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
OpenSearch Security Demo Installer
 ** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/opensearch
OpenSearch install type: rpm/deb on NAME="Amazon Linux"
OpenSearch config dir: /usr/share/opensearch/config
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin
OpenSearch plugins dir: /usr/share/opensearch/plugins
OpenSearch lib dir: /usr/share/opensearch/lib
Detected OpenSearch Version: x-content-1.2.3
Detected OpenSearch Security Version: 1.2.3.0
tee: /usr/share/opensearch/config/opensearch.yml: Permission denied

Enabling OpenSearch Security Plugin
sed: cannot rename /usr/share/opensearch/config/sedEpDF1t: Device or resource busy
[2022-01-20T05:19:46,794][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] version[1.2.3], pid[46], build[tar/8a529d77c7432bc45b005ac1c4ba3b2741b57d4a/2021-12-21T01:36:21.407473Z], OS[Linux/5.14.15-300.fc35.x86_64/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/15.0.1/15.0.1+9]
[2022-01-20T05:19:46,796][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] JVM home [/usr/share/opensearch/jdk], using bundled JDK [true]
[2022-01-20T05:19:46,796][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-6223526198976459133, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -Dopensearch.cgroups.hierarchy.override=/, -Xmx2048M, -Xms2048M, -XX:MaxDirectMemorySize=1073741824, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2022-01-20T05:19:48,011][INFO ][o.o.s.s.t.SSLConfig      ] [opensearch-cluster-master-0] SSL dual mode is disabled
[2022-01-20T05:19:48,011][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] OpenSearch Config path is /usr/share/opensearch/config
[2022-01-20T05:19:48,325][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] JVM supports TLSv1.3
[2022-01-20T05:19:48,327][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Config directory is /usr/share/opensearch/config/, from there the key- and truststore files are resolved relatively
[2022-01-20T05:19:49,167][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] TLS Transport Client Provider : JDK
[2022-01-20T05:19:49,167][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] TLS Transport Server Provider : JDK
[2022-01-20T05:19:49,167][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] TLS HTTP Provider             : JDK
[2022-01-20T05:19:49,167][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-20T05:19:49,167][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Enabled TLS protocols for HTTP layer      : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-20T05:19:49,439][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Clustername: opensearch-cluster
[2022-01-20T05:19:49,444][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Directory /usr/share/opensearch/config has insecure file permissions (should be 0700)
[2022-01-20T05:19:49,444][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/opensearch.yml has insecure file permissions (should be 0600)
[2022-01-20T05:19:49,444][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/cert.pem has insecure file permissions (should be 0600)
[2022-01-20T05:19:49,445][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/kirk.pem has insecure file permissions (should be 0600)
[2022-01-20T05:19:49,445][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/esnode.pem has insecure file permissions (should be 0600)
[2022-01-20T05:19:49,445][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/root-ca.pem has insecure file permissions (should be 0600)
[2022-01-20T05:19:49,445][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/esnode-key.pem has insecure file permissions (should be 0600)
[2022-01-20T05:19:49,445][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/kirk-key.pem has insecure file permissions (should be 0600)
[2022-01-20T05:19:49,608][INFO ][o.o.p.c.PluginSettings   ] [opensearch-cluster-master-0] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600
[2022-01-20T05:19:50,109][INFO ][o.o.i.r.ReindexPlugin    ] [opensearch-cluster-master-0] ReindexPlugin reloadSPI called
[2022-01-20T05:19:50,110][INFO ][o.o.i.r.ReindexPlugin    ] [opensearch-cluster-master-0] Unable to find any implementation for RemoteReindexExtension
[2022-01-20T05:19:50,124][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-0] Loaded scheduler extension: opendistro-index-management, index: .opendistro-ism-config
[2022-01-20T05:19:50,128][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-0] Loaded scheduler extension: opendistro_anomaly_detector, index: .opendistro-anomaly-detector-jobs
[2022-01-20T05:19:50,155][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-0] Loaded scheduler extension: reports-scheduler, index: .opendistro-reports-definitions
[2022-01-20T05:19:50,157][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [aggs-matrix-stats]
[2022-01-20T05:19:50,157][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [analysis-common]
[2022-01-20T05:19:50,157][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [geo]
[2022-01-20T05:19:50,157][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [ingest-common]
[2022-01-20T05:19:50,157][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [ingest-geoip]
[2022-01-20T05:19:50,157][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [ingest-user-agent]
[2022-01-20T05:19:50,157][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [lang-expression]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [lang-mustache]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [lang-painless]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [mapper-extras]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [opensearch-dashboards]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [parent-join]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [percolator]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [rank-eval]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [reindex]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [repository-url]
[2022-01-20T05:19:50,158][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [transport-netty4]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-alerting]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-anomaly-detection]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-asynchronous-search]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-cross-cluster-replication]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-index-management]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-job-scheduler]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-knn]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-observability]
[2022-01-20T05:19:50,159][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-performance-analyzer]
[2022-01-20T05:19:50,160][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-reports-scheduler]
[2022-01-20T05:19:50,160][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-security]
[2022-01-20T05:19:50,160][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-sql]
[2022-01-20T05:19:50,178][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Disabled https compression by default to mitigate BREACH attacks. You can enable it by setting 'http.compression: true' in opensearch.yml
[2022-01-20T05:19:50,193][INFO ][o.o.e.NodeEnvironment    ] [opensearch-cluster-master-0] using [1] data paths, mounts [[/ (overlay)]], net usable_space [190.3gb], net total_space [202.9gb], types [overlay]
[2022-01-20T05:19:50,193][INFO ][o.o.e.NodeEnvironment    ] [opensearch-cluster-master-0] heap size [2gb], compressed ordinary object pointers [true]
[2022-01-20T05:19:50,229][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] node name [opensearch-cluster-master-0], node ID [mXKUC66jT4exZHV1pRC09g], cluster name [opensearch-cluster], roles [master]
[2022-01-20T05:19:53,549][WARN ][o.o.s.c.Salt             ] [opensearch-cluster-master-0] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2022-01-20T05:19:53,569][INFO ][o.o.s.a.i.AuditLogImpl   ] [opensearch-cluster-master-0] Message routing enabled: true
[2022-01-20T05:19:53,614][INFO ][o.o.s.f.SecurityFilter   ] [opensearch-cluster-master-0] <NONE> indices are made immutable.
[2022-01-20T05:19:53,879][INFO ][o.o.a.b.ADCircuitBreakerService] [opensearch-cluster-master-0] Registered memory breaker.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/opensearch/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[2022-01-20T05:19:54,387][INFO ][o.o.t.NettyAllocator     ] [opensearch-cluster-master-0] creating NettyAllocator with the following configs: [name=opensearch_configured, chunk_size=256kb, suggested_max_allocation_size=256kb, factors={opensearch.unsafe.use_netty_default_chunk_and_page_size=false, g1gc_enabled=true, g1gc_region_size=1mb}]
[2022-01-20T05:19:54,473][INFO ][o.o.d.DiscoveryModule    ] [opensearch-cluster-master-0] using discovery type [zen] and seed hosts providers [settings]
[2022-01-20T05:19:54,860][WARN ][o.o.g.DanglingIndicesState] [opensearch-cluster-master-0] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2022-01-20T05:19:55,293][INFO ][o.o.p.h.c.PerformanceAnalyzerConfigAction] [opensearch-cluster-master-0] PerformanceAnalyzer Enabled: false
[2022-01-20T05:19:55,352][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] initialized
[2022-01-20T05:19:55,352][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] starting ...
[2022-01-20T05:19:55,469][INFO ][o.o.t.TransportService   ] [opensearch-cluster-master-0] publish_address {10.42.5.176:9300}, bound_addresses {[::]:9300}
[2022-01-20T05:19:55,629][INFO ][o.o.b.BootstrapChecks    ] [opensearch-cluster-master-0] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2022-01-20T05:19:56,930][INFO ][o.o.c.c.Coordinator      ] [opensearch-cluster-master-0] setting initial configuration to VotingConfiguration{BMlKdOZiSzGT35bIurEr_w,mXKUC66jT4exZHV1pRC09g,{bootstrap-placeholder}-opensearch-cluster-master-1}
[2022-01-20T05:19:58,016][INFO ][o.o.c.s.ClusterApplierService] [opensearch-cluster-master-0] master node changed {previous [], current [{opensearch-cluster-master-1}{B-sDSiN5QpGcwXy3yASY6g}{8iLBo68GTOmrFfkcGBD3bA}{10.42.4.6}{10.42.4.6:9300}{m}{shard_indexing_pressure_enabled=true}]}, added {{opensearch-cluster-client-0}{SzwhjQqASJymWmKVXX3o1w}{P36GG301QhmOiE4LFJFChA}{10.42.9.3}{10.42.9.3:9300}{i}{shard_indexing_pressure_enabled=true},{opensearch-cluster-master-1}{B-sDSiN5QpGcwXy3yASY6g}{8iLBo68GTOmrFfkcGBD3bA}{10.42.4.6}{10.42.4.6:9300}{m}{shard_indexing_pressure_enabled=true},{opensearch-cluster-master-2}{BMlKdOZiSzGT35bIurEr_w}{t0z01XtgSgKXYMDnuPGnkg}{10.42.3.229}{10.42.3.229:9300}{m}{shard_indexing_pressure_enabled=true},{opensearch-cluster-client-1}{C1m620oQQqWIOm6Gk8kQlw}{A9OIo2r2S8WhoTrCk2Aedw}{10.42.3.230}{10.42.3.230:9300}{i}{shard_indexing_pressure_enabled=true}}, term: 5, version: 6, reason: ApplyCommitRequest{term=5, version=6, sourceNode={opensearch-cluster-master-1}{B-sDSiN5QpGcwXy3yASY6g}{8iLBo68GTOmrFfkcGBD3bA}{10.42.4.6}{10.42.4.6:9300}{m}{shard_indexing_pressure_enabled=true}}
[2022-01-20T05:19:58,329][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [opensearch-cluster-master-0] Config override setting update called with empty string. Ignoring.
[2022-01-20T05:19:58,335][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] Node added: [B-sDSiN5QpGcwXy3yASY6g, C1m620oQQqWIOm6Gk8kQlw, BMlKdOZiSzGT35bIurEr_w, SzwhjQqASJymWmKVXX3o1w, mXKUC66jT4exZHV1pRC09g]
[2022-01-20T05:19:58,341][INFO ][o.o.a.c.ADClusterEventListener] [opensearch-cluster-master-0] Cluster node changed, node removed: false, node added: true
[2022-01-20T05:19:58,342][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] AD version hash ring change is in progress. Can't build hash ring for node delta event.
[2022-01-20T05:19:58,342][INFO ][o.o.a.c.ADClusterEventListener] [opensearch-cluster-master-0] Hash ring build result: false
[2022-01-20T05:19:58,348][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] All nodes with known AD version: {B-sDSiN5QpGcwXy3yASY6g=ADNodeInfo{version=1.2.3, isEligibleDataNode=false}, C1m620oQQqWIOm6Gk8kQlw=ADNodeInfo{version=1.2.3, isEligibleDataNode=false}, BMlKdOZiSzGT35bIurEr_w=ADNodeInfo{version=1.2.3, isEligibleDataNode=false}, SzwhjQqASJymWmKVXX3o1w=ADNodeInfo{version=1.2.3, isEligibleDataNode=false}, mXKUC66jT4exZHV1pRC09g=ADNodeInfo{version=1.2.3, isEligibleDataNode=false}}
[2022-01-20T05:19:58,349][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] Rebuild AD hash ring for realtime AD with cooldown, nodeChangeEvents size 1
[2022-01-20T05:19:58,349][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] Build AD version hash ring successfully
[2022-01-20T05:19:58,351][INFO ][o.o.a.c.ADClusterEventListener] [opensearch-cluster-master-0] Init AD version hash ring successfully
[2022-01-20T05:19:58,355][INFO ][o.o.h.AbstractHttpServerTransport] [opensearch-cluster-master-0] publish_address {10.42.5.176:9200}, bound_addresses {[::]:9200}
[2022-01-20T05:19:58,355][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] started
[2022-01-20T05:19:58,356][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Node started
[2022-01-20T05:19:58,356][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Will attempt to create index .opendistro_security and default configs if they are absent
[2022-01-20T05:19:58,357][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] 0 OpenSearch Security modules loaded so far: []
[2022-01-20T05:19:58,357][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Background init thread started. Install default config?: true
[2022-01-20T05:19:58,488][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Index .opendistro_security already exists
[2022-01-20T05:19:58,489][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Node started, try to initialize it. Wait for at least yellow cluster state....
[2022-01-20T05:20:18,351][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-20T05:20:38,234][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-20T05:21:18,232][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-20T05:21:27,253][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-20T05:21:27,291][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-20T05:21:28,227][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-20T05:21:29,702][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-20T05:21:29,708][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)

@peterzhuamazon
Member

We have some changes between 1.2.1 and 1.2.3 to introduce some variable in env to disable security plugin.
They are using inline modification of sed.
https://github.com/opensearch-project/opensearch-build/blob/opensearch-1.2.3/docker/release/config/opensearch/opensearch-docker-entrypoint.sh#L67-L74
https://github.com/opensearch-project/opensearch-build/tree/opensearch-1.2.3/docker/release#disable-security-plugin-security-dashboards-plugin-security-demo-configurations-and-related-configurations

Between 1.2.3 and 1.2.4 we introduced two changes to fix the issue of sed inline opening a different inode:
opensearch-project/opensearch-build#1130
opensearch-project/opensearch-build#1458

Both of these changes need write permission to the opensearch.yml file for OpenSearch.
Similarly, Dashboards needs write permission to opensearch_dashboards.yml.

I don't know what your setup is on your k8s cluster @deng47, but can you check your mount permissions on /usr/share/opensearch/config/?

Thanks.
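
The "sed inline opens a different inode" behaviour mentioned in the comment above, as an added example that is not part of the thread or of the project's entrypoint script: it compares the inode of a config file before and after `sed -i` with the inode after writing the edited content back through the existing file. The file contents, the function names and the write-back approach are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration (not the project's entrypoint script). The sample file
# and all function names are constructed for this example.

# inode_of FILE: print the inode number of FILE.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# make_sample FILE: write a constructed opensearch.yml-like file.
make_sample() {
    printf '%s\n' \
        'cluster.name: opensearch-cluster' \
        'network.host: 0.0.0.0' \
        'plugins.security.disabled: true' > "$1"
}

# strip_with_sed_i FILE: remove the setting using sed -i.
# GNU sed writes a temp file (sedXXXXXX) next to FILE and rename()s it over
# FILE, so FILE ends up with a new inode. When FILE is itself a mount point
# the rename cannot replace it, which matches the
# "sed: cannot rename ...: Device or resource busy" line in the 1.2.3 log.
strip_with_sed_i() {
    sed -i '/^plugins\.security\.disabled/d' "$1"
}

# strip_keep_inode FILE: same edit, but the result is written back through the
# existing file with a redirection, so the inode stays the same. This still
# needs write permission on FILE and a writable filesystem.
strip_keep_inode() {
    tmp=$(mktemp) || return 1
    if sed '/^plugins\.security\.disabled/d' "$1" > "$tmp" && cat "$tmp" > "$1"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# inode_changed_by EDIT_FUNCTION: run the edit on a fresh sample file and print
# "changed" or "same" depending on whether the inode differs afterwards.
inode_changed_by() {
    dir=$(mktemp -d) || return 1
    f="$dir/opensearch.yml"
    make_sample "$f"
    before=$(inode_of "$f")
    "$1" "$f" || { rm -rf "$dir"; return 1; }
    after=$(inode_of "$f")
    # Confirm the setting is really gone before reporting.
    if grep -q '^plugins\.security\.disabled' "$f"; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then
        echo same
    else
        echo changed
    fi
}

echo "sed -i:         inode $(inode_changed_by strip_with_sed_i)"
echo "write in place: inode $(inode_changed_by strip_keep_inode)"
```

Keeping the inode only removes the rename problem; the write still fails with "Permission denied" or "Read-only file system" when the file or the volume is not writable by the process.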

@deng47
Author

deng47 commented Jan 22, 2022

@peterzhuamazon Thank you for your quick reply.

sh-4.2$ ls -l /usr/share/opensearch/config
total 40
-rw-r--r-- 1 root       opensearch 2817 Jan 20 05:19 cert.pem
-rw-rw-r-- 1 opensearch opensearch 1704 Jan 20 05:19 esnode-key.pem
-rw-rw-r-- 1 opensearch opensearch 1720 Jan 20 05:19 esnode.pem
-rw-rw---- 1 opensearch opensearch 2503 Dec 22 16:19 jvm.options
drwxr-x--- 2 opensearch opensearch    6 Dec 21 01:37 jvm.options.d
-rw-rw-r-- 1 opensearch opensearch 1704 Jan 20 05:19 kirk-key.pem
-rw-rw-r-- 1 opensearch opensearch 1610 Jan 20 05:19 kirk.pem
-rw-rw---- 1 opensearch opensearch  285 Dec 22 16:19 log4j2.properties
drwxr-x--- 2 opensearch opensearch   31 Dec 21 02:07 opensearch-observability
drwxr-x--- 2 opensearch opensearch   35 Dec 21 02:07 opensearch-reports-scheduler
-rw-rw---- 1 opensearch opensearch  196 Jan 20 05:19 opensearch.keystore
-rw-r--r-- 1 root       opensearch 1888 Jan 20 05:19 opensearch.yml
-rw-rw-r-- 1 opensearch opensearch 1444 Jan 20 05:19 root-ca.pem
sh-4.2$ 

In the stateful set, the config dir is mounted with 420 permission. Can I change that in values.yaml? If not, it sounds like upgrading to 1.2.4 is the best option.

      volumes:
      - configMap:
          defaultMode: 420
          name: opensearch-cluster-master-config
        name: config
      - name: security-config-complete
        secret:
          defaultMode: 420
          secretName: opensearch-cluster-master-securityconfig

@peterzhuamazon
Member

Is there any chance for you to check out 1.2.4 just to see if it runs?
1.2.3 has shown an issue in opensearch-project/OpenSearch#768 (comment) where mounts in docker prevent a new inode from being created, which is exactly what the 1.2.4 fix is addressing.

And I am quite confused why opensearch.yml and cert.pem in your docker have the root user but the opensearch group.
However, the group has write permission so I would think opensearch.yml should be edited without issues in 1.2.4.

I think we probably need to address this in a later version with some smarter logic.
As of now, it is assuming user can restart their node, thus would attempt to cleanup plugins.security.disabled no matter what.

Thanks.

@deng47
Author

deng47 commented Jan 23, 2022

I did a helm upgrade with 1.2.4 in Chart.yaml, and also tried changing the defaultMode for configMap and secret to 0600 or 0660 by doing kubectl edit -n test statefulset.apps/opensearch-cluster-master. But none of these help. I will try creating a new 1.2.4 cluster.

Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
OpenSearch Security Demo Installer
 ** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/opensearch
OpenSearch install type: rpm/deb on NAME="Amazon Linux"
OpenSearch config dir: /usr/share/opensearch/config
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin
OpenSearch plugins dir: /usr/share/opensearch/plugins
OpenSearch lib dir: /usr/share/opensearch/lib
Detected OpenSearch Version: x-content-1.2.4
Detected OpenSearch Security Version: 1.2.4.0
tee: /usr/share/opensearch/config/opensearch.yml: Read-only file system

Enabling OpenSearch Security Plugin
tee: /usr/share/opensearch/config/opensearch.yml: Read-only file system
cluster.name: opensearch-cluster

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# discovery.zen.minimum_master_nodes: 1

# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
# discovery.type: single-node

# Start OpenSearch Security Demo Configuration
# WARNING: revise all the lines below before you go into production
plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
    allow_unsafe_democertificates: true
    allow_default_init_securityindex: true
    authcz:
      admin_dn:
        - CN=kirk,OU=client,O=client,L=test,C=de
    audit.type: internal_opensearch
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileges: true
    restapi:
      roles_enabled: ["admin", "all_access", "security_rest_api_access"]
    system_indices:
      enabled: true
      indices:
        [
          ".opendistro-alerting-config",
          ".opendistro-alerting-alert*",
          ".opendistro-anomaly-results*",
          ".opendistro-anomaly-detector*",
          ".opendistro-anomaly-checkpoints",
          ".opendistro-anomaly-detection-state",
          ".opendistro-reports-*",
          ".opendistro-notifications-*",
          ".opendistro-notebooks",
          ".opendistro-asynchronous-search-response*",
        ]
######## End OpenSearch Security Demo Configuration ########
[2022-01-23T00:03:47,072][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] version[1.2.4], pid[48], build[tar/e505b10357c03ae8d26d675172402f2f2144ef0f/2022-01-14T03:38:06.881862Z], OS[Linux/5.14.15-300.fc35.x86_64/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/15.0.1/15.0.1+9]
[2022-01-23T00:03:47,074][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] JVM home [/usr/share/opensearch/jdk], using bundled JDK [true]
[2022-01-23T00:03:47,074][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-14610669438027808516, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -Dopensearch.cgroups.hierarchy.override=/, -Xmx2048M, -Xms2048M, -XX:MaxDirectMemorySize=1073741824, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2022-01-23T00:03:48,345][INFO ][o.o.s.s.t.SSLConfig      ] [opensearch-cluster-master-0] SSL dual mode is disabled
[2022-01-23T00:03:48,346][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] OpenSearch Config path is /usr/share/opensearch/config
[2022-01-23T00:03:48,637][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] JVM supports TLSv1.3
[2022-01-23T00:03:48,638][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Config directory is /usr/share/opensearch/config/, from there the key- and truststore files are resolved relatively
[2022-01-23T00:03:49,661][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] TLS Transport Client Provider : JDK
[2022-01-23T00:03:49,662][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] TLS Transport Server Provider : JDK
[2022-01-23T00:03:49,662][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] TLS HTTP Provider             : JDK
[2022-01-23T00:03:49,662][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-23T00:03:49,663][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-0] Enabled TLS protocols for HTTP layer      : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-23T00:03:49,947][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Clustername: opensearch-cluster
[2022-01-23T00:03:49,954][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Directory /usr/share/opensearch/config has insecure file permissions (should be 0700)
[2022-01-23T00:03:49,954][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/kirk.pem has insecure file permissions (should be 0600)
[2022-01-23T00:03:49,954][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/esnode.pem has insecure file permissions (should be 0600)
[2022-01-23T00:03:49,955][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/root-ca.pem has insecure file permissions (should be 0600)
[2022-01-23T00:03:49,955][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/esnode-key.pem has insecure file permissions (should be 0600)
[2022-01-23T00:03:49,955][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] File /usr/share/opensearch/config/kirk-key.pem has insecure file permissions (should be 0600)
[2022-01-23T00:03:50,158][INFO ][o.o.p.c.PluginSettings   ] [opensearch-cluster-master-0] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600
[2022-01-23T00:03:50,741][INFO ][o.o.i.r.ReindexPlugin    ] [opensearch-cluster-master-0] ReindexPlugin reloadSPI called
[2022-01-23T00:03:50,742][INFO ][o.o.i.r.ReindexPlugin    ] [opensearch-cluster-master-0] Unable to find any implementation for RemoteReindexExtension
[2022-01-23T00:03:50,758][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-0] Loaded scheduler extension: opendistro-index-management, index: .opendistro-ism-config
[2022-01-23T00:03:50,762][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-0] Loaded scheduler extension: opendistro_anomaly_detector, index: .opendistro-anomaly-detector-jobs
[2022-01-23T00:03:50,790][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-0] Loaded scheduler extension: reports-scheduler, index: .opendistro-reports-definitions
[2022-01-23T00:03:50,792][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [aggs-matrix-stats]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [analysis-common]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [geo]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [ingest-common]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [ingest-geoip]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [ingest-user-agent]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [lang-expression]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [lang-mustache]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [lang-painless]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [mapper-extras]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [opensearch-dashboards]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [parent-join]
[2022-01-23T00:03:50,793][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [percolator]
[2022-01-23T00:03:50,794][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [rank-eval]
[2022-01-23T00:03:50,794][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [reindex]
[2022-01-23T00:03:50,794][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [repository-url]
[2022-01-23T00:03:50,794][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded module [transport-netty4]
[2022-01-23T00:03:50,794][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-alerting]
[2022-01-23T00:03:50,794][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-anomaly-detection]
[2022-01-23T00:03:50,794][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-asynchronous-search]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-cross-cluster-replication]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-index-management]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-job-scheduler]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-knn]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-observability]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-performance-analyzer]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-reports-scheduler]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-security]
[2022-01-23T00:03:50,795][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-0] loaded plugin [opensearch-sql]
[2022-01-23T00:03:50,813][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Disabled https compression by default to mitigate BREACH attacks. You can enable it by setting 'http.compression: true' in opensearch.yml
[2022-01-23T00:03:50,831][INFO ][o.o.e.NodeEnvironment    ] [opensearch-cluster-master-0] using [1] data paths, mounts [[/ (overlay)]], net usable_space [190.5gb], net total_space [202.9gb], types [overlay]
[2022-01-23T00:03:50,831][INFO ][o.o.e.NodeEnvironment    ] [opensearch-cluster-master-0] heap size [2gb], compressed ordinary object pointers [true]
[2022-01-23T00:03:50,867][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] node name [opensearch-cluster-master-0], node ID [mjCUSeXPTuONDMIZSZfNMA], cluster name [opensearch-cluster], roles [master]
[2022-01-23T00:03:54,312][WARN ][o.o.s.c.Salt             ] [opensearch-cluster-master-0] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2022-01-23T00:03:54,341][INFO ][o.o.s.a.i.AuditLogImpl   ] [opensearch-cluster-master-0] Message routing enabled: true
[2022-01-23T00:03:54,387][INFO ][o.o.s.f.SecurityFilter   ] [opensearch-cluster-master-0] <NONE> indices are made immutable.
[2022-01-23T00:03:54,689][INFO ][o.o.a.b.ADCircuitBreakerService] [opensearch-cluster-master-0] Registered memory breaker.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/opensearch/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[2022-01-23T00:03:55,202][INFO ][o.o.t.NettyAllocator     ] [opensearch-cluster-master-0] creating NettyAllocator with the following configs: [name=opensearch_configured, chunk_size=256kb, suggested_max_allocation_size=256kb, factors={opensearch.unsafe.use_netty_default_chunk_and_page_size=false, g1gc_enabled=true, g1gc_region_size=1mb}]
[2022-01-23T00:03:55,278][INFO ][o.o.d.DiscoveryModule    ] [opensearch-cluster-master-0] using discovery type [zen] and seed hosts providers [settings]
[2022-01-23T00:03:55,652][WARN ][o.o.g.DanglingIndicesState] [opensearch-cluster-master-0] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2022-01-23T00:03:55,994][INFO ][o.o.p.h.c.PerformanceAnalyzerConfigAction] [opensearch-cluster-master-0] PerformanceAnalyzer Enabled: false
[2022-01-23T00:03:56,054][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] initialized
[2022-01-23T00:03:56,054][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] starting ...
[2022-01-23T00:03:56,162][INFO ][o.o.t.TransportService   ] [opensearch-cluster-master-0] publish_address {10.42.3.44:9300}, bound_addresses {[::]:9300}
[2022-01-23T00:03:56,454][INFO ][o.o.b.BootstrapChecks    ] [opensearch-cluster-master-0] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2022-01-23T00:03:57,142][INFO ][o.o.c.c.Coordinator      ] [opensearch-cluster-master-0] setting initial configuration to VotingConfiguration{mjCUSeXPTuONDMIZSZfNMA,lAAwQSLeR_C1kqedfLzPNA,{bootstrap-placeholder}-opensearch-cluster-master-1}
[2022-01-23T00:03:57,460][INFO ][o.o.c.s.ClusterApplierService] [opensearch-cluster-master-0] master node changed {previous [], current [{opensearch-cluster-master-1}{lk8C-Lh_TjS7Y_oQcmY-qg}{8ChIjPQ2SoGmVAD4eqtbew}{10.42.4.71}{10.42.4.71:9300}{m}{shard_indexing_pressure_enabled=true}]}, added {{opensearch-cluster-master-2}{lAAwQSLeR_C1kqedfLzPNA}{NFJDFfbRS7uZxr3NYkPP7w}{10.42.9.85}{10.42.9.85:9300}{m}{shard_indexing_pressure_enabled=true},{opensearch-cluster-master-1}{lk8C-Lh_TjS7Y_oQcmY-qg}{8ChIjPQ2SoGmVAD4eqtbew}{10.42.4.71}{10.42.4.71:9300}{m}{shard_indexing_pressure_enabled=true}}, term: 2, version: 4, reason: ApplyCommitRequest{term=2, version=4, sourceNode={opensearch-cluster-master-1}{lk8C-Lh_TjS7Y_oQcmY-qg}{8ChIjPQ2SoGmVAD4eqtbew}{10.42.4.71}{10.42.4.71:9300}{m}{shard_indexing_pressure_enabled=true}}
[2022-01-23T00:03:57,520][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] Node added: [mjCUSeXPTuONDMIZSZfNMA, lAAwQSLeR_C1kqedfLzPNA, lk8C-Lh_TjS7Y_oQcmY-qg]
[2022-01-23T00:03:57,522][WARN ][o.o.p.c.s.h.ConfigOverridesClusterSettingHandler] [opensearch-cluster-master-0] Config override setting update called with empty string. Ignoring.
[2022-01-23T00:03:57,523][INFO ][o.o.a.c.ADClusterEventListener] [opensearch-cluster-master-0] Cluster node changed, node removed: false, node added: true
[2022-01-23T00:03:57,524][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] AD version hash ring change is in progress. Can't build hash ring for node delta event.
[2022-01-23T00:03:57,525][INFO ][o.o.a.c.ADClusterEventListener] [opensearch-cluster-master-0] Hash ring build result: false
[2022-01-23T00:03:57,530][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] All nodes with known AD version: {mjCUSeXPTuONDMIZSZfNMA=ADNodeInfo{version=1.2.4, isEligibleDataNode=false}, lAAwQSLeR_C1kqedfLzPNA=ADNodeInfo{version=1.2.4, isEligibleDataNode=false}, lk8C-Lh_TjS7Y_oQcmY-qg=ADNodeInfo{version=1.2.4, isEligibleDataNode=false}}
[2022-01-23T00:03:57,531][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] Rebuild AD hash ring for realtime AD with cooldown, nodeChangeEvents size 1
[2022-01-23T00:03:57,531][INFO ][o.o.a.c.HashRing         ] [opensearch-cluster-master-0] Build AD version hash ring successfully
[2022-01-23T00:03:57,532][INFO ][o.o.a.c.ADClusterEventListener] [opensearch-cluster-master-0] Init AD version hash ring successfully
[2022-01-23T00:03:57,536][INFO ][o.o.h.AbstractHttpServerTransport] [opensearch-cluster-master-0] publish_address {10.42.3.44:9200}, bound_addresses {[::]:9200}
[2022-01-23T00:03:57,536][INFO ][o.o.n.Node               ] [opensearch-cluster-master-0] started
[2022-01-23T00:03:57,537][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] Node started
[2022-01-23T00:03:57,538][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Will attempt to create index .opendistro_security and default configs if they are absent
[2022-01-23T00:03:57,538][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Background init thread started. Install default config?: true
[2022-01-23T00:03:57,539][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-0] 0 OpenSearch Security modules loaded so far: []
[2022-01-23T00:03:57,756][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Index .opendistro_security already exists
[2022-01-23T00:03:57,756][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-0] Node started, try to initialize it. Wait for at least yellow cluster state....
[2022-01-23T00:03:58,266][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:04:08,232][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:04:18,221][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-0] Not yet initialized (you may need to run securityadmin)
^C
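
A triage pass over startup logs in the format shown above, as an added example that is not part of the original comment or the project's code. It pulls out the security plugin's file-permission warnings, deprecated TLS versions, the last cluster-formation state, and how long the node kept reporting `Not yet initialized`. The names `triage`, `summarize` and `LEGACY_TLS` are hypothetical, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the log format above; node name, ids and
# timestamps are made up for this example.
SAMPLE_LOG = """\
[2022-01-01T00:00:01,000][INFO ][o.o.s.s.DefaultSecurityKeyStore] [demo-master-0] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-01T00:00:01,001][INFO ][o.o.s.s.DefaultSecurityKeyStore] [demo-master-0] Enabled TLS protocols for HTTP layer      : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-01T00:00:02,000][WARN ][o.o.s.OpenSearchSecurityPlugin] [demo-master-0] Directory /usr/share/opensearch/config has insecure file permissions (should be 0700)
[2022-01-01T00:00:02,001][WARN ][o.o.s.OpenSearchSecurityPlugin] [demo-master-0] File /usr/share/opensearch/config/esnode-key.pem has insecure file permissions (should be 0600)
WARNING: An illegal reflective access operation has occurred
[2022-01-01T00:00:10,000][WARN ][o.o.c.c.ClusterFormationFailureHelper] [demo-master-0] master not discovered or elected yet, an election requires 2 nodes with ids [a, b], have discovered [x] which is not a quorum; discovery will continue
[2022-01-01T00:00:12,000][ERROR][o.o.s.a.BackendRegistry  ] [demo-master-0] Not yet initialized (you may need to run securityadmin)
[2022-01-01T00:00:22,000][ERROR][o.o.s.a.BackendRegistry  ] [demo-master-0] Not yet initialized (you may need to run securityadmin)
"""

# [timestamp][LEVEL][logger] [node] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+?)\s*\] "
    r"\[(?P<node>[^\]]+)\] (?P<msg>.*)$"
)
PERM_RE = re.compile(
    r"^(?:Directory|File) (\S+) has insecure file permissions \(should be (\d{4})\)"
)
TLS_RE = re.compile(r"^Enabled TLS protocols for (transport|HTTP) layer\s*: \[([^\]]*)\]")
QUORUM_RE = re.compile(r"^master not discovered or elected yet.*? which is (not )?a quorum")

# Assumption of this example: protocol versions treated as legacy.
LEGACY_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_ts(ts):
    """Parse the log4j-style timestamp, e.g. 2022-01-01T00:00:12,000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S,%f")


def triage(log_text):
    """Return per-node findings as {node_name: {...}}."""
    nodes = defaultdict(lambda: {
        "insecure_paths": {},   # path -> mode the plugin expects
        "legacy_tls": {},       # layer -> legacy protocols still enabled
        "last_quorum": None,    # True/False from the last formation warning
        "uninit_errors": 0,     # count of "Not yet initialized" errors
        "uninit_span_s": 0.0,   # seconds between first and last such error
    })
    first_uninit = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue  # JVM "WARNING:" lines, script output, config dumps
        node, msg = nodes[m["node"]], m["msg"]
        if (p := PERM_RE.match(msg)):
            node["insecure_paths"][p[1]] = p[2]
        elif (t := TLS_RE.match(msg)):
            old = sorted(LEGACY_TLS.intersection(x.strip() for x in t[2].split(",")))
            if old:
                node["legacy_tls"][t[1]] = old
        elif (q := QUORUM_RE.match(msg)):
            node["last_quorum"] = q[1] is None
        elif msg.startswith("Not yet initialized"):
            ts = parse_ts(m["ts"])
            start = first_uninit.setdefault(m["node"], ts)
            node["uninit_errors"] += 1
            node["uninit_span_s"] = (ts - start).total_seconds()
    return dict(nodes)


def summarize(report):
    """Render the findings as one line each, sorted by node."""
    out = []
    for name, r in sorted(report.items()):
        for path, mode in sorted(r["insecure_paths"].items()):
            out.append(f"{name}: {path} should be mode {mode}")
        for layer, protos in sorted(r["legacy_tls"].items()):
            out.append(f"{name}: {layer} layer still enables {', '.join(protos)}")
        if r["uninit_errors"]:
            quorum = {True: "quorum", False: "no quorum", None: "none logged"}[r["last_quorum"]]
            out.append(
                f"{name}: security plugin uninitialized, {r['uninit_errors']} errors over "
                f"{r['uninit_span_s']:.0f}s; last cluster-formation warning: {quorum}"
            )
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```
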


deng47 commented Jan 23, 2022

I created a 1.2.4 cluster (appVersion: 1.2.4; Chart version: 1.5.4) from scratch, then updated the content of opensearch.yml in values.yaml, did a helm upgrade with the new values.yaml, and hit the same permission issue.

Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
OpenSearch Security Demo Installer
 ** Warning: Do not use on production or public reachable systems **
Basedir: /usr/share/opensearch
OpenSearch install type: rpm/deb on NAME="Amazon Linux"
OpenSearch config dir: /usr/share/opensearch/config
OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
OpenSearch bin dir: /usr/share/opensearch/bin
OpenSearch plugins dir: /usr/share/opensearch/plugins
OpenSearch lib dir: /usr/share/opensearch/lib
Detected OpenSearch Version: x-content-1.2.4
Detected OpenSearch Security Version: 1.2.4.0
tee: /usr/share/opensearch/config/opensearch.yml: Permission denied

Enabling OpenSearch Security Plugin
tee: /usr/share/opensearch/config/opensearch.yml: Read-only file system
cluster.name: opensearch-cluster

# Bind to all interfaces because we don't know what IP address Docker will assign to us.
network.host: 0.0.0.0

reindex.remote.whitelist: "*.service.consul:9200,*.nip.io:9200"

# # minimum_master_nodes need to be explicitly set when bound on a public IP
# # set to 1 to allow single node clusters
# discovery.zen.minimum_master_nodes: 1

# Setting network.host to a non-loopback address enables the annoying bootstrap checks. "Single-node" mode disables them again.
# discovery.type: single-node

# Start OpenSearch Security Demo Configuration
# WARNING: revise all the lines below before you go into production
plugins:
  security:
    ssl:
      transport:
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
        enforce_hostname_verification: false
      http:
        enabled: true
        pemcert_filepath: esnode.pem
        pemkey_filepath: esnode-key.pem
        pemtrustedcas_filepath: root-ca.pem
    allow_unsafe_democertificates: true
    allow_default_init_securityindex: true
    authcz:
      admin_dn:
        - CN=kirk,OU=client,O=client,L=test,C=de
    audit.type: internal_opensearch
    enable_snapshot_restore_privilege: true
    check_snapshot_restore_write_privileges: true
    restapi:
      roles_enabled: ["admin", "all_access", "security_rest_api_access"]
    system_indices:
      enabled: true
      indices:
        [
          ".opendistro-alerting-config",
          ".opendistro-alerting-alert*",
          ".opendistro-anomaly-results*",
          ".opendistro-anomaly-detector*",
          ".opendistro-anomaly-checkpoints",
          ".opendistro-anomaly-detection-state",
          ".opendistro-reports-*",
          ".opendistro-notifications-*",
          ".opendistro-notebooks",
          ".opendistro-asynchronous-search-response*",
        ]
######## End OpenSearch Security Demo Configuration ########
[2022-01-23T00:16:16,191][INFO ][o.o.n.Node               ] [opensearch-cluster-master-2] version[1.2.4], pid[48], build[tar/e505b10357c03ae8d26d675172402f2f2144ef0f/2022-01-14T03:38:06.881862Z], OS[Linux/5.14.15-300.fc35.x86_64/amd64], JVM[AdoptOpenJDK/OpenJDK 64-Bit Server VM/15.0.1/15.0.1+9]
[2022-01-23T00:16:16,193][INFO ][o.o.n.Node               ] [opensearch-cluster-master-2] JVM home [/usr/share/opensearch/jdk], using bundled JDK [true]
[2022-01-23T00:16:16,193][INFO ][o.o.n.Node               ] [opensearch-cluster-master-2] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-10054980897310616562, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/plugins/opensearch-performance-analyzer/pa_config/opensearch_security.policy, -Dopensearch.cgroups.hierarchy.override=/, -Xmx2048M, -Xms2048M, -XX:MaxDirectMemorySize=1073741824, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
[2022-01-23T00:16:17,347][INFO ][o.o.s.s.t.SSLConfig      ] [opensearch-cluster-master-2] SSL dual mode is disabled
[2022-01-23T00:16:17,348][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] OpenSearch Config path is /usr/share/opensearch/config
[2022-01-23T00:16:17,603][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-2] JVM supports TLSv1.3
[2022-01-23T00:16:17,604][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-2] Config directory is /usr/share/opensearch/config/, from there the key- and truststore files are resolved relatively
[2022-01-23T00:16:18,333][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-2] TLS Transport Client Provider : JDK
[2022-01-23T00:16:18,334][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-2] TLS Transport Server Provider : JDK
[2022-01-23T00:16:18,334][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-2] TLS HTTP Provider             : JDK
[2022-01-23T00:16:18,334][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-2] Enabled TLS protocols for transport layer : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-23T00:16:18,334][INFO ][o.o.s.s.DefaultSecurityKeyStore] [opensearch-cluster-master-2] Enabled TLS protocols for HTTP layer      : [TLSv1.3, TLSv1.2, TLSv1.1]
[2022-01-23T00:16:18,590][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] Clustername: opensearch-cluster
[2022-01-23T00:16:18,594][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] Directory /usr/share/opensearch/config has insecure file permissions (should be 0700)
[2022-01-23T00:16:18,594][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] File /usr/share/opensearch/config/opensearch.yml has insecure file permissions (should be 0600)
[2022-01-23T00:16:18,595][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] File /usr/share/opensearch/config/cert.pem has insecure file permissions (should be 0600)
[2022-01-23T00:16:18,595][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] File /usr/share/opensearch/config/kirk.pem has insecure file permissions (should be 0600)
[2022-01-23T00:16:18,595][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] File /usr/share/opensearch/config/esnode.pem has insecure file permissions (should be 0600)
[2022-01-23T00:16:18,595][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] File /usr/share/opensearch/config/root-ca.pem has insecure file permissions (should be 0600)
[2022-01-23T00:16:18,595][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] File /usr/share/opensearch/config/esnode-key.pem has insecure file permissions (should be 0600)
[2022-01-23T00:16:18,595][WARN ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] File /usr/share/opensearch/config/kirk-key.pem has insecure file permissions (should be 0600)
[2022-01-23T00:16:18,746][INFO ][o.o.p.c.PluginSettings   ] [opensearch-cluster-master-2] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600
[2022-01-23T00:16:19,197][INFO ][o.o.i.r.ReindexPlugin    ] [opensearch-cluster-master-2] ReindexPlugin reloadSPI called
[2022-01-23T00:16:19,198][INFO ][o.o.i.r.ReindexPlugin    ] [opensearch-cluster-master-2] Unable to find any implementation for RemoteReindexExtension
[2022-01-23T00:16:19,211][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-2] Loaded scheduler extension: opendistro-index-management, index: .opendistro-ism-config
[2022-01-23T00:16:19,215][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-2] Loaded scheduler extension: opendistro_anomaly_detector, index: .opendistro-anomaly-detector-jobs
[2022-01-23T00:16:19,241][INFO ][o.o.j.JobSchedulerPlugin ] [opensearch-cluster-master-2] Loaded scheduler extension: reports-scheduler, index: .opendistro-reports-definitions
[2022-01-23T00:16:19,243][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [aggs-matrix-stats]
[2022-01-23T00:16:19,243][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [analysis-common]
[2022-01-23T00:16:19,243][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [geo]
[2022-01-23T00:16:19,243][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [ingest-common]
[2022-01-23T00:16:19,243][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [ingest-geoip]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [ingest-user-agent]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [lang-expression]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [lang-mustache]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [lang-painless]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [mapper-extras]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [opensearch-dashboards]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [parent-join]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [percolator]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [rank-eval]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [reindex]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [repository-url]
[2022-01-23T00:16:19,244][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded module [transport-netty4]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-alerting]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-anomaly-detection]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-asynchronous-search]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-cross-cluster-replication]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-index-management]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-job-scheduler]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-knn]
[2022-01-23T00:16:19,245][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-observability]
[2022-01-23T00:16:19,246][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-performance-analyzer]
[2022-01-23T00:16:19,246][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-reports-scheduler]
[2022-01-23T00:16:19,246][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-security]
[2022-01-23T00:16:19,246][INFO ][o.o.p.PluginsService     ] [opensearch-cluster-master-2] loaded plugin [opensearch-sql]
[2022-01-23T00:16:19,262][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] Disabled https compression by default to mitigate BREACH attacks. You can enable it by setting 'http.compression: true' in opensearch.yml
[2022-01-23T00:16:19,276][INFO ][o.o.e.NodeEnvironment    ] [opensearch-cluster-master-2] using [1] data paths, mounts [[/ (overlay)]], net usable_space [190.7gb], net total_space [202.9gb], types [overlay]
[2022-01-23T00:16:19,276][INFO ][o.o.e.NodeEnvironment    ] [opensearch-cluster-master-2] heap size [2gb], compressed ordinary object pointers [true]
[2022-01-23T00:16:19,307][INFO ][o.o.n.Node               ] [opensearch-cluster-master-2] node name [opensearch-cluster-master-2], node ID [S_w_eapDRbeGzcAHtl9-nw], cluster name [opensearch-cluster], roles [master]
[2022-01-23T00:16:22,460][WARN ][o.o.s.c.Salt             ] [opensearch-cluster-master-2] If you plan to use field masking pls configure compliance salt e1ukloTsQlOgPquJ to be a random string of 16 chars length identical on all nodes
[2022-01-23T00:16:22,484][INFO ][o.o.s.a.i.AuditLogImpl   ] [opensearch-cluster-master-2] Message routing enabled: true
[2022-01-23T00:16:22,536][INFO ][o.o.s.f.SecurityFilter   ] [opensearch-cluster-master-2] <NONE> indices are made immutable.
[2022-01-23T00:16:22,849][INFO ][o.o.a.b.ADCircuitBreakerService] [opensearch-cluster-master-2] Registered memory breaker.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by io.protostuff.runtime.PolymorphicThrowableSchema (file:/usr/share/opensearch/plugins/opensearch-anomaly-detection/protostuff-runtime-1.7.4.jar) to field java.lang.Throwable.cause
WARNING: Please consider reporting this to the maintainers of io.protostuff.runtime.PolymorphicThrowableSchema
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[2022-01-23T00:16:23,378][INFO ][o.o.t.NettyAllocator     ] [opensearch-cluster-master-2] creating NettyAllocator with the following configs: [name=opensearch_configured, chunk_size=256kb, suggested_max_allocation_size=256kb, factors={opensearch.unsafe.use_netty_default_chunk_and_page_size=false, g1gc_enabled=true, g1gc_region_size=1mb}]
[2022-01-23T00:16:23,452][INFO ][o.o.d.DiscoveryModule    ] [opensearch-cluster-master-2] using discovery type [zen] and seed hosts providers [settings]
[2022-01-23T00:16:23,838][WARN ][o.o.g.DanglingIndicesState] [opensearch-cluster-master-2] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2022-01-23T00:16:24,245][INFO ][o.o.p.h.c.PerformanceAnalyzerConfigAction] [opensearch-cluster-master-2] PerformanceAnalyzer Enabled: false
[2022-01-23T00:16:24,307][INFO ][o.o.n.Node               ] [opensearch-cluster-master-2] initialized
[2022-01-23T00:16:24,307][INFO ][o.o.n.Node               ] [opensearch-cluster-master-2] starting ...
[2022-01-23T00:16:24,405][INFO ][o.o.t.TransportService   ] [opensearch-cluster-master-2] publish_address {10.42.3.49:9300}, bound_addresses {[::]:9300}
[2022-01-23T00:16:24,537][INFO ][o.o.b.BootstrapChecks    ] [opensearch-cluster-master-2] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2022-01-23T00:16:25,145][INFO ][o.o.c.c.Coordinator      ] [opensearch-cluster-master-2] setting initial configuration to VotingConfiguration{8Qhbyn7dTw6h8DrHcP24nA,S_w_eapDRbeGzcAHtl9-nw,{bootstrap-placeholder}-opensearch-cluster-master-1}
[2022-01-23T00:16:34,552][WARN ][o.o.c.c.ClusterFormationFailureHelper] [opensearch-cluster-master-2] master not discovered or elected yet, an election requires 2 nodes with ids [8Qhbyn7dTw6h8DrHcP24nA, S_w_eapDRbeGzcAHtl9-nw], have discovered [{opensearch-cluster-master-2}{S_w_eapDRbeGzcAHtl9-nw}{Uu7GimGoQh20pcgUftOCpw}{10.42.3.49}{10.42.3.49:9300}{m}{shard_indexing_pressure_enabled=true}, {opensearch-cluster-master-0}{8Qhbyn7dTw6h8DrHcP24nA}{hIUF5j4hRySoQg3hM4FVew}{10.42.9.87}{10.42.9.87:9300}{m}{shard_indexing_pressure_enabled=true}] which is a quorum; discovery will continue using [10.42.9.87:9300, 10.42.4.78:9300] from hosts providers and [{opensearch-cluster-master-2}{S_w_eapDRbeGzcAHtl9-nw}{Uu7GimGoQh20pcgUftOCpw}{10.42.3.49}{10.42.3.49:9300}{m}{shard_indexing_pressure_enabled=true}] from last-known cluster state; node term 0, last-accepted version 0 in term 0
[2022-01-23T00:16:44,555][WARN ][o.o.c.c.ClusterFormationFailureHelper] [opensearch-cluster-master-2] master not discovered or elected yet, an election requires 2 nodes with ids [8Qhbyn7dTw6h8DrHcP24nA, S_w_eapDRbeGzcAHtl9-nw], have discovered [{opensearch-cluster-master-2}{S_w_eapDRbeGzcAHtl9-nw}{Uu7GimGoQh20pcgUftOCpw}{10.42.3.49}{10.42.3.49:9300}{m}{shard_indexing_pressure_enabled=true}, {opensearch-cluster-master-0}{8Qhbyn7dTw6h8DrHcP24nA}{hIUF5j4hRySoQg3hM4FVew}{10.42.9.87}{10.42.9.87:9300}{m}{shard_indexing_pressure_enabled=true}, {opensearch-cluster-master-1}{i46LzJLGRgiLiPHJBzQVjQ}{epiMdGugTcKUlP9mW1nxnQ}{10.42.4.78}{10.42.4.78:9300}{m}{shard_indexing_pressure_enabled=true}] which is a quorum; discovery will continue using [10.42.9.87:9300, 10.42.4.78:9300] from hosts providers and [{opensearch-cluster-master-2}{S_w_eapDRbeGzcAHtl9-nw}{Uu7GimGoQh20pcgUftOCpw}{10.42.3.49}{10.42.3.49:9300}{m}{shard_indexing_pressure_enabled=true}] from last-known cluster state; node term 0, last-accepted version 0 in term 0
[2022-01-23T00:16:54,555][WARN ][o.o.n.Node               ] [opensearch-cluster-master-2] timed out while waiting for initial discovery state - timeout: 30s
[2022-01-23T00:16:54,559][WARN ][o.o.c.c.ClusterFormationFailureHelper] [opensearch-cluster-master-2] master not discovered or elected yet, an election requires 2 nodes with ids [8Qhbyn7dTw6h8DrHcP24nA, S_w_eapDRbeGzcAHtl9-nw], have discovered [{opensearch-cluster-master-2}{S_w_eapDRbeGzcAHtl9-nw}{Uu7GimGoQh20pcgUftOCpw}{10.42.3.49}{10.42.3.49:9300}{m}{shard_indexing_pressure_enabled=true}, {opensearch-cluster-master-1}{i46LzJLGRgiLiPHJBzQVjQ}{epiMdGugTcKUlP9mW1nxnQ}{10.42.4.78}{10.42.4.78:9300}{m}{shard_indexing_pressure_enabled=true}] which is not a quorum; discovery will continue using [10.42.9.87:9300, 10.42.4.78:9300] from hosts providers and [{opensearch-cluster-master-2}{S_w_eapDRbeGzcAHtl9-nw}{Uu7GimGoQh20pcgUftOCpw}{10.42.3.49}{10.42.3.49:9300}{m}{shard_indexing_pressure_enabled=true}] from last-known cluster state; node term 0, last-accepted version 0 in term 0
[2022-01-23T00:16:54,575][INFO ][o.o.h.AbstractHttpServerTransport] [opensearch-cluster-master-2] publish_address {10.42.3.49:9200}, bound_addresses {[::]:9200}
[2022-01-23T00:16:54,575][INFO ][o.o.n.Node               ] [opensearch-cluster-master-2] started
[2022-01-23T00:16:54,576][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] Node started
[2022-01-23T00:16:54,576][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-2] Will attempt to create index .opendistro_security and default configs if they are absent
[2022-01-23T00:16:54,577][INFO ][o.o.s.c.ConfigurationRepository] [opensearch-cluster-master-2] Background init thread started. Install default config?: true
[2022-01-23T00:16:54,578][INFO ][o.o.s.OpenSearchSecurityPlugin] [opensearch-cluster-master-2] 0 OpenSearch Security modules loaded so far: []
[2022-01-23T00:16:56,180][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:16:56,202][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:16:56,205][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:16:56,211][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:16:58,552][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:16:58,556][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:16:58,560][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
[2022-01-23T00:16:58,563][ERROR][o.o.s.a.BackendRegistry  ] [opensearch-cluster-master-2] Not yet initialized (you may need to run securityadmin)
^C
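
A triage sketch for the ClusterFormationFailureHelper warnings in the log above, added here as an example (it is not part of the original comment or of the OpenSearch project's code). It extracts the voting node ids an election requires, compares them with the discovered nodes, and reports which voters are missing. The function names and the abridged sample lines are assumptions constructed for illustration, and only the message form shown in this log is handled.

```python
import re

# Form of the ClusterFormationFailureHelper warning as it appears in the log above.
ELECTION_RE = re.compile(
    r"an election requires (?P<need>\d+) nodes with ids \[(?P<ids>[^\]]*)\], "
    r"have discovered \[(?P<found>[^\]]*)\] which is (?P<verdict>not a quorum|a quorum)"
)
# One discovered node: {name}{node id} followed by further {...} fields.
NODE_RE = re.compile(r"\{([^{}]*)\}\{([^{}]*)\}(?:\{[^{}]*\})*")


def analyse(line):
    """Return quorum details for one warning line, or None for any other message."""
    m = ELECTION_RE.search(line)
    if m is None:
        return None
    required = {i.strip() for i in m["ids"].split(",") if i.strip()}
    discovered = {n.group(2): n.group(1) for n in NODE_RE.finditer(m["found"])}
    present = required & discovered.keys()
    return {
        "missing_voters": sorted(required - present),
        "non_voting_nodes": sorted(v for k, v in discovered.items() if k not in required),
        "computed_quorum": len(present) >= int(m["need"]),
        "logged_quorum": m["verdict"] == "a quorum",
    }


# Constructed sample input, abridged from the 00:16:34 and 00:16:54 warnings above
# (ephemeral ids, addresses and the trailing discovery details are shortened).
def _node(name, node_id):
    return "{%s}{%s}{eph}{10.0.0.1}{10.0.0.1:9300}{m}{attr=true}" % (name, node_id)


PREFIX = ("master not discovered or elected yet, an election requires 2 nodes with ids "
          "[8Qhbyn7dTw6h8DrHcP24nA, S_w_eapDRbeGzcAHtl9-nw], have discovered [")
M0 = _node("opensearch-cluster-master-0", "8Qhbyn7dTw6h8DrHcP24nA")
M1 = _node("opensearch-cluster-master-1", "i46LzJLGRgiLiPHJBzQVjQ")
M2 = _node("opensearch-cluster-master-2", "S_w_eapDRbeGzcAHtl9-nw")
SAMPLE = [
    PREFIX + M2 + ", " + M0 + "] which is a quorum; discovery will continue",
    PREFIX + M2 + ", " + M1 + "] which is not a quorum; discovery will continue",
    "[o.o.n.Node] timed out while waiting for initial discovery state - timeout: 30s",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(analyse(sample_line))
```

For the second sample line the result names `8Qhbyn7dTw6h8DrHcP24nA` as the missing voter and `opensearch-cluster-master-1` as a discovered node that is not in the voting configuration.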

@peterzhuamazon
Member

Is there a way you can cat the content of opensearch after the failure of sed?

I have seen a tee failure like this: opensearch-project/opensearch-build#1529

But I have never seen a sed failure in 1.2.4.

Please try to create a 1.2.4 and let me know the results.
I will have a k8s env next week when I am back in the office to test out the upgrade scenario.

Thanks.

@peterzhuamazon
Member

Oops, you posted it right when I was typing.

Can you let me know if you can start a normal cluster with 1.2.4 following this guide, without mounting any specific devices?
https://opensearch.org/docs/latest/opensearch/install/helm/#install-opensearch-using-helm

I was testing on kind and minikube but have never seen any issues like in your case.

@peterzhuamazon
Member

Are you using a specific user to run the deployment?
I think the issue is that it defaults to the 1000 user, but since the file is owned by 0, it has a permission denied issue after all.

I suspect the folder's perm was changed to 660 but the file is still owned by 0:1000, with 644 perm, thus preventing modification.

@peterzhuamazon
Member

I think we need to figure out why the file is changed to the 0 user in the first place. I just verified that it is the 1000 user on my side.

drwxr-xr-x  1 opensearch opensearch     47 Jan 18 18:00 config
-rw-rw---- 1 opensearch opensearch  460 Jan 18 18:00 opensearch.yml

@peterzhuamazon
Member

cert.pem is not a part of the demo certs.
What is your setting to create your own cert?
I think if the file does not exist and you are asking docker to create it, then it defaults to root here:
moby/moby#3206

@deng47
Author

deng47 commented Jan 23, 2022

I created cert.pem by adding the content below in values.yaml. It's used for the SSL communication with LDAP.

config:
  cert.pem: |
    -----BEGIN CERTIFICATE-----

<NOT ON GITHUB>

    -----END CERTIFICATE-----

I think you are right. If I can get the permission of those two files right, I should be able to fix it.

Secret and ConfigMap are read-only projections into the Pod filesystems. I think that's why pods are complaining about the permission issue.

@deng47
Author

deng47 commented Jan 23, 2022

Tried securityadmin.sh in the new master pod

sh-4.2$ ./securityadmin.sh -cd ../securityconfig/ -icl -nhnv    -cacert ../../../config/root-ca.pem    -cert ../../../config/kirk.pem    -key ../../../config/kirk-key.pem --accept-red-cluster
Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
OpenSearch Version: 1.2.3
OpenSearch Security Version: 1.2.3.0
Contacting opensearch cluster 'opensearch' ...
Clustername: opensearch-cluster
Clusterstate: RED
Number of nodes: 3
Number of data nodes: 0
.opendistro_security index already exists, so we do not need to create one.
ERR: .opendistro_security index state is RED.
Populate config from /usr/share/opensearch/plugins/opensearch-security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml 
   FAIL: Configuration for 'config' failed because of UnavailableShardsException[[.opendistro_security][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[.opendistro_security][0]] containing [index {[.opendistro_security][_doc][config], source[n/a, actual length: [2kb], max length: 2kb]}] and a refresh]]
Will update '_doc/roles' with ../securityconfig/roles.yml 
   FAIL: Configuration for 'roles' failed because of UnavailableShardsException[[.opendistro_security][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[.opendistro_security][0]] containing [index {[.opendistro_security][_doc][roles], source[n/a, actual length: [5.1kb], max length: 2kb]}] and a refresh]]

...

deng47 added a commit to deng47/helm-charts that referenced this issue Jan 24, 2022
Adding a startupProbe to fix opensearch-project#198 [BUG][Opensearch] helm upgrade cause all master pods killed almost simultaneously and breaks the cluster
When helm upgrades master pods, it kills all old master pods in a few seconds, leaving no time for new master pods to start up and join the cluster, eventually kills the whole cluster.
A 30-second startupProbe solves this problem.
deng47 added a commit to deng47/helm-charts that referenced this issue Jan 24, 2022
Adding a startupProbe to fix opensearch-project#198 
When helm upgrades master pods, it kills all old master pods in a few seconds, leaving no time for new master pods to start up and join the cluster, eventually killing the whole cluster. A 30-second startupProbe solves this problem.
@deng47 deng47 mentioned this issue Jan 24, 2022
1 task
@peterzhuamazon
Member

Closing this for now as we have re-released a new 1.2.4 image.
Please feel free to re-open if you still have questions.

Thanks.
