Cloud-on-k8s: plugin requires additional permissions
Hi, i meet this problem when i install a plugin.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.net.SocketPermission * connect,resolve
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Exception in thread "main" java.lang.IllegalStateException: unable to read from standard input; is standard input open and a tty attached?
at org.elasticsearch.cli.Terminal$SystemTerminal.readText(Terminal.java:173)
at org.elasticsearch.plugins.PluginSecurity.prompt(PluginSecurity.java:74)
at org.elasticsearch.plugins.PluginSecurity.confirmPolicyExceptions(PluginSecurity.java:67)
at org.elasticsearch.plugins.InstallPluginCommand.installPlugin(InstallPluginCommand.java:811)
at org.elasticsearch.plugins.InstallPluginCommand.install(InstallPluginCommand.java:785)
at org.elasticsearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:231)
at org.elasticsearch.plugins.InstallPluginCommand.execute(InstallPluginCommand.java:216)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.plugins.PluginCli.main(PluginCli.java:47)
the initContainers's code is:
initContainers:
- name: install-plugins
securityContext:
privileged: true
command: ['sh', '-c', 'bin/elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v6.8.4/elasticsearch-analysis-ik-6.8.4.zip']
i also see the #1801 , but not found clear solutions and i don't want to make custom images? What should i do?
ftyuuu
All 7 comments
Hello,
If you add the --batch flag as described in the docs here:
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-init-containers-plugin-downloads.html
You should be able to to bypass the prompt. It is expecting you to accept the additional permissions, but there's no tty attached.
anyasabo
on 6 Dec 2019
@anyasabo Thank you very much for your reply!
ftyuuu
on 7 Dec 2019
I'm sorry to revive a closed issue, but I don't find --batch or prepending with yes | ... to be working, I still see the warning. Is this only supported in some versions, but not all?
I even tried this in a Dockerfile but still see warning:
FROM docker.elastic.co/elasticsearch/elasticsearch:6.8.13
RUN bin/elasticsearch-plugin install --batch repository-s3
Digest: sha256:dca6a75fb0db7ff2ca7d1e18797f0936ef7e2e7e02ad253ae648292639c1ff82
Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:6.8.13
---> a7e1d4b5ee81
Step 2/2 : RUN bin/elasticsearch-plugin install --batch repository-s3
---> Running in 894afa3e90c4
-> Downloading repository-s3 from elastic
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
* java.lang.reflect.ReflectPermission suppressAccessChecks
* java.net.SocketPermission * connect,resolve
* java.util.PropertyPermission es.allow_insecure_settings read,write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
-> Installed repository-s3
Removing intermediate container 894afa3e90c4
---> 141b1ffe3281
Successfully built 141b1ffe3281
mooreniemi
on 6 Nov 2020
I'm sorry to revive a closed issue, but I don't find
--batchor prepending withyes | ...to be working, I still see the warning. Is this only supported in some versions, but not all?
Adding --batch won't remove the Warning. It does however removes the Exception as described by @ftyuuu
The Exception will block usage of the container, the Warning is just what it is, a Warning, you can use the created Docker image as usual.
edwardsmit
on 11 Nov 2020
Unfortunately not work to me, after follow these steps: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-init-containers-plugin-downloads.html.
And specify the securityContext: privilege: true the elastic pod starts crashloopback because of privileges:
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
name: elastic-test
spec:
version: 7.10.1
http:
tls:
selfSignedCertificate:
disabled: true
nodeSets:
- name: default
count: 1
config:
node.store.allow_mmap: false
podTemplate:
metadata:
annotations:
traffic.sidecar.istio.io/includeInboundPorts: "*"
traffic.sidecar.istio.io/excludeOutboundPorts: "9300,443"
traffic.sidecar.istio.io/excludeInboundPorts: "9300"
spec:
automountServiceAccountToken: true
initContainers:
- name: install-plugins
securityContext:
privileged: true
command: ['sh', '-c', 'bin/elasticsearch-plugin install --batch repository-s3']
Follow my logs:
Elastic Pod:
Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/repository-s3
Likely root cause: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/repository-s3
at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(UnixFileSystemProvider.java:431)
at java.base/java.nio.file.Files.newDirectoryStream(Files.java:476)
at java.base/java.nio.file.FileTreeWalker.visit(FileTreeWalker.java:300)
at java.base/java.nio.file.FileTreeWalker.next(FileTreeWalker.java:373)
at java.base/java.nio.file.Files.walkFileTree(Files.java:2840)
at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:220)
at org.elasticsearch.common.logging.LogConfigurator.configure(LogConfigurator.java:129)
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:354)
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170)
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126)
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
For complete error details, refer to the log at /usr/share/elasticsearch/logs/elastic-test.log
ghost
on 22 Dec 2020
@weydersantos I think what you experience is similar to https://github.com/elastic/cloud-on-k8s/issues/3934.
sebgl
on 23 Dec 2020
@weydersantos I think what you experience is similar to #3934.
@sebgl thankful bro, I'm rolback Elasticsearch version to 7.9.3and works fine.
ghost
on 23 Dec 2020
Related issues
sebgl
路
3Comments
thbkrkr
路
5Comments
anyasabo
路
3Comments
pebrc
路
5Comments
nkvoll
路
4Comments
Most helpful comment
Adding
--batchwon't remove theWarning. It does however removes theExceptionas described by @ftyuuuThe
Exceptionwill block usage of the container, theWarningis just what it is, a Warning, you can use the created Docker image as usual.