OpenShift 日志组件(openshift-logging)使用的 elasticsearch 会受到 Log4j 安全漏洞的影响。在升级到已修复版本之前,可以使用以下方法作为临时缓解措施:为 elasticsearch 的 JVM 添加 `-Dlog4j2.formatMsgNoLookups=true` 参数,并在修改后逐个 Pod 验证该参数确实出现在运行中的进程命令行上。
OpenShift 3
- 修改 elasticsearch 使用的 Java 参数(`oc set env` 会整体覆盖 ES_JAVA_OPTS,若该变量已有其他值,需一并保留)
$ oc project openshift-logging
$ oc get dc -l component=es
NAME REVISION DESIRED CURRENT TRIGGERED BY
logging-es-data-master-9fgtlhi4 1 1 1
$ oc set env -c elasticsearch dc/logging-es-data-master-9fgtlhi4 ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
$ oc set env -c elasticsearch dc -l component=es --list | grep ES_JAVA_OPTS
$ oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=0
$ oc rollout latest dc/logging-es-data-master-9fgtlhi4
$ oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=1
- 验证
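# Verify the mitigation on every running ES pod: the JVM flag must be visible
# on the elasticsearch process command line, not only in the declared env.
# Pod names are read line by line and always quoted (the original loop used
# an unquoted $es_pod), and a pod where grep finds nothing is reported on
# stderr instead of silently passing.
while IFS= read -r es_pod; do
  [[ -n "$es_pod" ]] || continue
  printf 'Confirm changes on %s\n' "$es_pod"
  sleep 1
  # -F: match the flag literally (the '.' in the pattern is not a wildcard)
  oc rsh -Tc elasticsearch "$es_pod" ps auxwww | grep -F -- log4j2.formatMsgNoLookups \
    || printf 'WARNING: log4j2.formatMsgNoLookups not found on the ES process in %s\n' "$es_pod" >&2
  sleep 3
done < <(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}')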
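# Verify that ES_JAVA_OPTS carrying the mitigation is present in the
# environment of the elasticsearch container of every running ES pod.
# Pod names are read line by line and always quoted (the original loop used
# an unquoted $es_pod), and a pod where the variable is missing is reported
# on stderr instead of silently passing.
while IFS= read -r es_pod; do
  [[ -n "$es_pod" ]] || continue
  printf 'Confirm changes on %s\n' "$es_pod"
  sleep 1
  oc rsh -Tc elasticsearch "$es_pod" printenv | grep -F -- ES_JAVA_OPTS \
    || printf 'WARNING: ES_JAVA_OPTS not set in the elasticsearch container of %s\n' "$es_pod" >&2
  sleep 3
done < <(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}')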
OpenShift 4
- 修改 elasticsearch 使用的 Java 参数(`oc set env` 会整体覆盖 ES_JAVA_OPTS,若该变量已有其他值,需一并保留)
$ oc project openshift-logging
$ oc get deployment -l component=elasticsearch
NAME REVISION DESIRED CURRENT TRIGGERED BY
elasticsearch-cdm-ba9c6evk-1-796f6cfdbc 1 1 1
$ oc patch deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --type=merge -p '{"spec":{"paused": false}}'
$ oc set env deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc -c elasticsearch ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
$ oc set env -c elasticsearch deployment -l component=elasticsearch --list | grep ES_JAVA_OPTS
$ oc scale deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --replicas=0
- 验证
$ oc get pods -l component=elasticsearch
$ oc set env -c elasticsearch pods -l component=elasticsearch --list | grep ES_JAVA_OPTS
$ oc exec -c elasticsearch elasticsearch-cdm-ba9c6evk-1-796f6cfdbc-4dqc6 -- grep -a log4j2.formatMsgNoLookups /proc/1/cmdline