The root endpoint for Elasticsearch contains diagnostic information
about what Elasticsearch is running. This commit adds TransportVersion
to this diagnostic information, alongside the existing version
information.
* [DOCS] Verifying Elasticsearch container image signatures with Cosign/Sigstore
This commit adds a step to verify the Elasticsearch container image signatures after pulling the image and before starting any cluster.
The goal is to introduce an easy and standard way for Elastic users to verify the provenance of the Elasticsearch container images before deploying them to any infrastructure and therefore protect against supply chain attacks.
* Update docker.asciidoc
* Update docs/reference/setup/install/docker.asciidoc
* Update docs/reference/setup/install/docker.asciidoc
* Update docs/reference/setup/install/docker.asciidoc
Co-authored-by: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com>
* Update docs/reference/setup/install/docker.asciidoc
Co-authored-by: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com>
* Remove JSON section from sample output
* Fix up command output format
* Change 'console' to 'sh'
---------
Co-authored-by: David Kilfoyle <41695641+kilfoyle@users.noreply.github.com>
Co-authored-by: David Kilfoyle <david.kilfoyle@elastic.co>
The current command to start the first Elasticsearch node includes `-p 9200:9200` and `-p 9300:9300`. This PR removes the extra ports so that they're not open unnecessarily.
Co-authored-by: Adam Locke <adam.locke@elastic.co>
The docs introduced in #91333 apply to older versions in which the `systemd`
startup timeout was 75s by default, but in #91338 we extended the `systemd`
startup timeout to 900s from 8.7.0 and 7.17.8 onwards. This commit adjusts the
docs to match.
ES_JAVA_OPTS is still the correct way to pass options to
the Elasticsearch process, CLI_JAVA_OPTS affects only the
command line tool. CLI_JAVA_OPTS is the correct way to pass
options for plugin installation or other tools.
The build_flavor was previously removed since it is no longer relevant;
only the default distribution now exists. However, the removal of build
flavor included removing it from the version information on the info
response for the root path. This API is supposed to be stable, so
removing that key was a compatibility break. This commit adds the
build_flavor back to that API, hardcoded to `default`. Additionally, a
test is added to ensure the key exists going forward, until it can be
properly deprecated.
closes#88318
The default distribution is the only remaining build flavor, and has been for
quite a while now. This commit removes flavor from the internal Build
class. It keeps rest api compat for nodes info for now by hardcoding
`default`.
In #84340 we adjusted the docs to show instructions on how to
retrieve TLS keystores passwords from the elasticsearch keystore
but the security-files-reference.asciidoc was not referenced in
all places where the instructions should be used. This commit
changes that and also removes references for beta versions.
The way this specific doc was structured meant that the path for
DEB/RPM packages were wrong (an extra `config` was added to the
dir path). This commit changes the structure to be relevant to the
ES_CONF_PATH env variable that should work uniformly for all of
our installation means.
Fixes an intro sentence for the Docker install instructions.
Co-authored-by: James Rodewig <40268737+jrodewig@users.noreply.github.com>
(cherry picked from commit 472a7d8e91)
Co-authored-by: Alexander Reelsen <alexander@reelsen.net>
The use of `apt-key` is deprecated and will no longer be available after
Debian 11 and Ubuntu 22.04. This updates the installation instructions
for Debian-based distributions.
Closes#84644
In 8.0.0. we introduce TLS autoconfiguration. We store the key and
certificate materials in password protected PKCS#12 keystores and
we store these passwords in the elasticsearch keystore.
This commit adds instructions on how to get hold of the passwords
for users to inspect or alter the PKCS#12 keystores.
* Clarify commands shown for "permanently" setting max_map_count
The current text shows a grep, which of course does not set the value at all. I've clarified why it's offered (to CHECK the value).
I've also moved the command for setting the value temporarily to above that discussion, to make it more clear to readers that that's what it does.
* Reorder commands, add headings, and fix typos
Co-authored-by: Adam Locke <adam.locke@elastic.co>
Co-authored-by: Charlie Arehart <charlie@carehart.org>
Closes#69533.
The Docker docs mention bind-mounting the `config`, `data` and
`logs` directories when using an arbitrary UID / GID, but they fail
to mention that the `plugins` dir must also be mounted in order to
install plugins.
* [DOCS] Remove extraneous Elasticsearch Docker image information
In the step for starting Elasticsearch with the generated enrollment token, `docker.elastic.co/elasticsearch/elasticsearch:` was included in conjunction with the `{docker-image}` variable. This include led to a duplicate Docker image that displayed as `ocker.elastic.co/elasticsearch/elasticsearch:docker.elastic.co/elasticsearch/elasticsearch:8.0.0-rc1`. This PR removes the duplicate image information.
* Update ifeval statements and add sub-heading for setting JVM heap size
We (mostly I) were initially advocating for the auto-generated files to
use unique names (the name containing a timestamp particle), in order to
avoid that subsequent invocations of the config step conflict with
itself. Moreover, I was wishing that these files will not have to be
handled directly by admins (that the enrollment process was to be used).
However, experience proved us otherwise, admins have to manipulate these
files, and unique configuration names are hard to deal with in scripts
and docs, so this PR is all about using a fixed name for all the
generated files. _Labeling as a bug fix because the feedback is that it
very negatively impacts usabilty._ Closes
https://github.com/elastic/elasticsearch/issues/81057
After 7.16.2, we'll no longer produce Windows MSI installer packages for Elasticsearch. These packages were previously released in beta and didn't receive widespread adoption.
### Changes:
* Adds a related 7.17 breaking change.
* Adds a related 7.16 deprecation.
* Removes the MSI installation instructions.
* Removes references to the MSI installer.
I plan to port the applicable changes to 8.1 (main), 8.0, 7.17, and 7.16. In the 7.16 ports, I'll leave in the MSI install docs and add related deprecation notes to them instead.
* [DOCS] Enroll additional nodes on Docker
* Remove -p option for second node
Co-authored-by: Fabio Busatto <52658645+bytebilly@users.noreply.github.com>
* Rename nodes to align with other Docker docs
* Add elastic network to first node docker run command
* Remove hyphen from node names
Co-authored-by: Fabio Busatto <52658645+bytebilly@users.noreply.github.com>
* [DOCS] Add docs for verifying CA fingerprint
* Update openssl command and explanatory text
* Explain copying CA cert if fingerprint validation isn't possible
* Incorporate new section into the main security config page
* Clarify how cert is used
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
* Split into two, separate sections
* Rename file and update text based on feedback
* Update ref to use new filename
* Remove extra word
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* [DOCS] Update Windows .zip install instructions for security ON by default
* Rework instructions for running as a service on Windows
* Update wording and add variable for back/forward slashes
* Relocating enroll nodes steps and introducing variables
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Closes#76681. Our approach to using `scratch` for building Docker
images has caused problems at Docker Hub. Fix this situation by
removing the whole process of using scratch and instead bases the
default distribution on `almalinux:8.4-minimal`. Alma Linux is
binary-compatible with RHEL, and therefore very similar to UBI.
The `elasticsearch.yml` file that ships with our Docker image includes the
`network.host: 0.0.0.0` setting by default. If a user bind-mounts a custom
config file, it should include this setting to ensure Elasticsearch is reachable.
Closes#77937.
* [DOCS] Update archive install docs for security ON by default
* Remove extra attribute references that aren't needed
* Incorporate security info into start page
* Update heading
* Adjust packaged installation docs for security on by default
This commit introduces necessary changes to guide users through
the installation of our DEB/RPM packages, now that security is
enabled and configured by default.
* Update security docs and configure includes
* Update wording in check-running.asciidoc
* Adding hidden GET request
* Update heading
* Updated reconfigure heading
Co-authored-by: Adam Locke <adam.locke@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
