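Error details
The cluster uses the Open Distro for Elasticsearch distribution.
If it was used in this environment before, then on reinstalling, possibly because the data previously mounted by es was not fully cleaned up, other pods that connect to this es client report CrashLoopBackOff. Their logs say the es health check failed and es cannot be reached.
The es-client pod log shows the following errors: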
[2021-08-12T02:34:21,855][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:21,857][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:24,354][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:24,355][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:24,356][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
Solution
- Use kubectl exec to enter the es client Pod, for example:
kubectl exec -it -n default opendistro-es-client -- bash
- Inside the container, locate the securityadmin.sh script:
find / -name securityadmin.sh
- Run the securityadmin.sh script:
./securityadmin.sh -cd ../securityconfig/ -icl -nhnv \
-cacert ../../../config/root-ca.pem \
-cert ../../../config/kirk.pem \
-key ../../../config/kirk-key.pem
- Output:
Open Distro Security Admin v7
Will connect to localhost:9300 ... done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
Clustername: elasticsearch
Clusterstate: GREEN
Number of nodes: 3
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update '_doc/config' with ../securityconfig/config.yml
SUCC: Configuration for 'config' created or updated
Will update '_doc/roles' with ../securityconfig/roles.yml
SUCC: Configuration for 'roles' created or updated
Will update '_doc/rolesmapping' with ../securityconfig/roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update '_doc/internalusers' with ../securityconfig/internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update '_doc/actiongroups' with ../securityconfig/action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Will update '_doc/tenants' with ../securityconfig/tenants.yml
SUCC: Configuration for 'tenants' created or updated
Will update '_doc/nodesdn' with ../securityconfig/nodes_dn.yml
SUCC: Configuration for 'nodesdn' created or updated
Will update '_doc/whitelist' with ../securityconfig/whitelist.yml
SUCC: Configuration for 'whitelist' created or updated
Will update '_doc/audit' with ../securityconfig/audit.yml
SUCC: Configuration for 'audit' created or updated
Done with success
- Check the pod status; the pods are now Running normally.
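The checks around this procedure can be scripted. The following is an added example, not part of the original post: the function names and sample inputs are constructed, and the matched strings are the log and securityadmin.sh output lines shown above.

```shell
#!/usr/bin/env bash
# Added example: function names and sample data are constructed for illustration.

# The nine configuration types securityadmin.sh reports in the run shown above.
EXPECTED_TYPES="config roles rolesmapping internalusers actiongroups tenants nodesdn whitelist audit"

# Return 0 if the node log on stdin shows the uninitialized security state.
needs_securityadmin() {
  grep -q 'BackendRegistry.*Not yet initialized (you may need to run securityadmin)'
}

# Read securityadmin.sh output on stdin. Prints "ok" and returns 0 only if every
# expected type has a SUCC line and the run ended with "Done with success";
# otherwise prints which parts are missing and returns 1.
verify_securityadmin_output() {
  sa_out=$(cat)
  sa_missing=""
  for sa_type in $EXPECTED_TYPES; do
    if ! printf '%s\n' "$sa_out" |
        grep -qF "SUCC: Configuration for '$sa_type' created or updated"; then
      sa_missing="$sa_missing $sa_type"
    fi
  done
  if [ -n "$sa_missing" ]; then
    echo "missing:$sa_missing"
    return 1
  fi
  if ! printf '%s\n' "$sa_out" | grep -q 'Done with success'; then
    echo "missing: final status"
    return 1
  fi
  echo "ok"
}

# Constructed sample: one log line in the format shown in the error details.
SAMPLE_LOG='[2021-08-12T02:34:21,855][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),'

# Constructed sample output: SUCC lines for the given types plus the final status.
sample_run() {
  for sr_type in "$@"; do
    echo "SUCC: Configuration for '$sr_type' created or updated"
  done
  echo "Done with success"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | needs_securityadmin && echo "security index not initialized"
sample_run $EXPECTED_TYPES | verify_securityadmin_output
```

A SUCC result only means the files in securityconfig were uploaded. The -cd upload replaces the security configuration in the index with those files, so confirm they are the intended users and roles before relying on it.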
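Cause of the error
Translated from https://www.electricbrain.com.au/pages/analytics/opensearch-vs-elasticsearch.php
1 Can you put OpenSearch on top of your existing indices?
It's absolute hell! Shown below is the result of loading OpenSearch directly on the ElasticSearch indices of ElectricBrain's solar analytics system.
There are a few extra steps to get the new security features running, but combined with the steps above on the ingest side, we get a complete, workable solution with all the extra features. It is also fully redistributable and SaaS-able.
The first thing that comes up in the documentation is "you need to convert the settings in config.yml to OpenSearch". Of course, there is very little documentation on such a process, which I suppose is to be expected for an early release.
Then, once you have figured out these parameters and their names, the old Java virtual machine options no longer work. The demo set copied from the official image was overlaid on top of the original ElasticSearch configuration.
And with that, OpenSearch lit up! One last step is still needed, though. Because OpenSearch has security built in, while ElasticSearch-OSS does not (because it is a paid option in X-Pack), your existing data contains none of the required indices.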
[2021-08-12T02:34:21,855][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:21,857][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:24,354][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:24,355][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:24,356][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:24,356][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:26,854][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:26,855][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:26,856][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:26,856][ERROR][o.o.s.a.BackendRegistry ] [opensearch-node1] Not yet initialized (you may need to run securityadmin),
[2021-08-12T02:34:27,259][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for internalusers while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security and type=null),
[2021-08-12T02:34:27,259][WARN ][o.o.s.c.ConfigurationLoaderSecurity7] [opensearch-node1] No data for actiongroups while retrieving configuration for [INTERNALUSERS, ACTIONGROUPS, CONFIG, ROLES, ROLESMAPPING, TENANTS, NODESDN, WHITELIST, AUDIT] (index=.opendistro_security and type=null),