keystore value not available in configuration processing #11055

Closed
LeeDr opened this issue Aug 17, 2019 · 12 comments
@LeeDr

LeeDr commented Aug 17, 2019

The same docker compose I've been running for a few releases has just broken sometime between 7.3.0 and the latest 7.3.1 BC builds. It seems like the value added to the keystore isn't in the environment when the config or yml file is loaded. I don't know if it has anything to do with it being a docker image or not. I can try to reproduce it outside of docker.

I don't know if it's related or not, but this is one of the only changes in 7.3.1 that fits the timeframe of when this broke; #11043

  • Version: 7.3.1
  • Operating System: Docker on Ubuntu 18
  • Config File (if you have sensitive info, please remove it):

logstash.conf

input {
  heartbeat {
    interval => 5
    message  => 'Hello from Logstash 💓'
  }
}

output {
  elasticsearch {
    hosts    => [ 'elasticsearch' ]
    user     => 'elastic'
    password => "${ELASTIC_PASSWORD}"  # read password from logstash.keystore
    ssl => true
    cacert => '/certs/ssl/ca/ca.crt'
  }
}

logstash.yml

http.host: 0.0.0.0
# read password from logstash.keystore
xpack.monitoring.elasticsearch.password: ${ELASTIC_PASSWORD}
xpack.monitoring.elasticsearch.hosts: https://elasticsearch:9200
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.ssl.certificate_authority: /certs/ssl/ca/ca.crt

  • Steps to Reproduce:
    The scripts are setting a value in the logstash keystore like this;

echo "$ELASTIC_PASSWORD" | /usr/share/logstash/bin/logstash-keystore add 'ELASTIC_PASSWORD' -x
/usr/share/logstash/bin/logstash-keystore list

And that step appears to work OK;

=== CREATE Keystore ===
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.jruby.util.SecurityHelper to field java.lang.reflect.Field.modifiers
WARNING: Please consider reporting this to the maintainers of org.jruby.util.SecurityHelper
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

WARNING: The keystore password is not set. Please set the environment variable `LOGSTASH_KEYSTORE_PASS`. Failure to do so will result in reduced security. Continue without password protection on the keystore? [y/N] Created Logstash keystore at /usr/share/logstash/config/logstash.keystore
Setting ELASTIC_PASSWORD...
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.jruby.util.SecurityHelper to field java.lang.reflect.Field.modifiers
WARNING: Please consider reporting this to the maintainers of org.jruby.util.SecurityHelper
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Enter value for ELASTIC_PASSWORD: Added 'elastic_password' to the Logstash keystore.
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.jruby.util.SecurityHelper to field java.lang.reflect.Field.modifiers
WARNING: Please consider reporting this to the maintainers of org.jruby.util.SecurityHelper
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

But when logstash starts it fails with errors indicating it doesn't see that keystore key/value;

"Unable to configure plugins: Cannot evaluate ${ELASTIC_PASSWORD}. Replacement variable ELASTIC_PASSWORD is not defined in a Logstash secret store or an environment entry and there is no default value given.",

root@packer-virtualbox-iso-1548601029:/vagrant/qa# docker logs logstash
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.headius.backport9.modules.Modules (file:/usr/share/logstash/logstash-core/lib/jars/jruby-complete-9.2.7.0.jar) to field java.io.FileDescriptor.fd
WARNING: Please consider reporting this to the maintainers of com.headius.backport9.modules.Modules
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Thread.exclusive is deprecated, use Thread::Mutex
Sending Logstash logs to /usr/share/logstash/logs which is now configured via log4j2.properties
[2019-08-17T06:28:17,067][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/usr/share/logstash/data/queue"}
[2019-08-17T06:28:17,250][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/usr/share/logstash/data/dead_letter_queue"}
[2019-08-17T06:28:18,050][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.3.1"}
[2019-08-17T06:28:18,095][INFO ][logstash.agent           ] No persistent UUID file found. Generating new UUID {:uuid=>"02a976fb-d382-4f71-8ec2-e581e4ad1918", :path=>"/usr/share/logstash/data/uuid"}
[2019-08-17T06:28:18,894][WARN ][logstash.monitoringextension.pipelineregisterhook] xpack.monitoring.enabled has not been defined, but found elasticsearch configuration. Please explicitly set `xpack.monitoring.enabled: true` in logstash.yml
[2019-08-17T06:28:20,313][INFO ][logstash.licensechecker.licensereader] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://logstash_system:xxxxxx@elasticsearch:9200/]}}
[2019-08-17T06:28:21,543][WARN ][logstash.licensechecker.licensereader] Restored connection to ES instance {:url=>"https://logstash_system:xxxxxx@elasticsearch:9200/"}
[2019-08-17T06:28:21,686][INFO ][logstash.licensechecker.licensereader] ES Output version determined {:es_version=>7}
[2019-08-17T06:28:21,697][WARN ][logstash.licensechecker.licensereader] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[2019-08-17T06:28:21,932][INFO ][logstash.monitoring.internalpipelinesource] Monitoring License OK
[2019-08-17T06:28:21,934][INFO ][logstash.monitoring.internalpipelinesource] Validated license for monitoring. Enabling monitoring pipeline.
[2019-08-17T06:28:23,034][INFO ][org.reflections.Reflections] Reflections took 75 ms to scan 1 urls, producing 20 keys and 40 values
[2019-08-17T06:28:23,449][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:pipeline_1, :exception=>"Java::JavaLang::IllegalStateException", :message=>"Unable to configure plugins: Cannot evaluate `${ELASTIC_PASSWORD}`. Replacement variable `ELASTIC_PASSWORD` is not defined in a Logstash secret store or an environment entry and there is no default value given.", :backtrace=>["org.logstash.config.ir.CompiledPipeline.<init>(CompiledPipeline.java:100)", "org.logstash.execution.JavaBasePipelineExt.initialize(JavaBasePipelineExt.java:60)", "org.logstash.execution.JavaBasePipelineExt$INVOKER$i$1$0$initialize.call(JavaBasePipelineExt$INVOKER$i$1$0$initialize.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:837)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1154)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuperSplatArgs(IRRuntimeHelpers.java:1141)", "org.jruby.ir.targets.InstanceSuperInvokeSite.invoke(InstanceSuperInvokeSite.java:39)", "usr.share.logstash.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$initialize$0(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:24)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:91)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:90)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:296)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:82)", "org.jruby.RubyClass.newInstance(RubyClass.java:915)", "org.jruby.RubyClass$INVOKER$i$newInstance.call(RubyClass$INVOKER$i$newInstance.gen)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:183)", "usr.share.logstash.logstash_minus_core.lib.logstash.pipeline_action.create.RUBY$method$execute$0(/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36)", 
"usr.share.logstash.logstash_minus_core.lib.logstash.pipeline_action.create.RUBY$method$execute$0$__VARARGS__(/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:91)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:90)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:183)", "usr.share.logstash.logstash_minus_core.lib.logstash.agent.RUBY$block$converge_state$2(/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325)", "org.jruby.runtime.CompiledIRBlockBody.callDirect(CompiledIRBlockBody.java:136)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:77)", "org.jruby.runtime.Block.call(Block.java:124)", "org.jruby.RubyProc.call(RubyProc.java:295)", "org.jruby.RubyProc.call(RubyProc.java:274)", "org.jruby.RubyProc.call(RubyProc.java:270)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:105)", "java.base/java.lang.Thread.run(Thread.java:834)"]}
warning: thread "Converge PipelineAction::Create<pipeline_1>" terminated with exception (report_on_exception is true):
LogStash::Error: Don't know how to handle `Java::JavaLang::IllegalStateException` for `PipelineAction::Create<pipeline_1>`
          create at org/logstash/execution/ConvergeResultExt.java:109
             add at org/logstash/execution/ConvergeResultExt.java:37
  converge_state at /usr/share/logstash/logstash-core/lib/logstash/agent.rb:338
[2019-08-17T06:28:23,466][ERROR][logstash.agent           ] An exception happened when converging configuration {:exception=>LogStash::Error, :message=>"Don't know how to handle `Java::JavaLang::IllegalStateException` for `PipelineAction::Create<pipeline_1>`", :backtrace=>["org/logstash/execution/ConvergeResultExt.java:109:in `create'", "org/logstash/execution/ConvergeResultExt.java:37:in `add'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:338:in `block in converge_state'"]}
[2019-08-17T06:28:23,505][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>#<LogStash::Error: Don't know how to handle `Java::JavaLang::IllegalStateException` for `PipelineAction::Create<pipeline_1>`>, :backtrace=>["org/logstash/execution/ConvergeResultExt.java:109:in `create'", "org/logstash/execution/ConvergeResultExt.java:37:in `add'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:338:in `block in converge_state'"]}
[2019-08-17T06:28:23,551][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
@LeeDr LeeDr changed the title keystore value value not available in configuration processing keystore value not available in configuration processing Aug 17, 2019
@LeeDr
Author

LeeDr commented Aug 17, 2019

The fact that logstash keystore lowercases keys seems different than beats. I'm not sure about Elasticsearch and Kibana. But I don't think that changed from 7.3.0 to 7.3.1. But it could possibly be that the interpreting of the variables in the config file changed to be case sensitive. That would explain the key/value pair being added (lowercase) and not being found (uppercase).

@danhermann
Contributor

@LeeDr, the Logstash keystore implementation is different than ES, Beats, and Kibana and has always converted keys to lowercase before storing them.

Could you share your Docker configuration? In following your steps above outside of Docker, everything works as expected.

@LeeDr
Author

LeeDr commented Aug 19, 2019

@danhermann the docker configuration in this repo (in stack-docker folder)
https://github.com/elastic/integration-test came from https://github.com/elastic/stack-docker

One option is to reproduce this issue using the integration-test repo.

  1. checkout integration-test repo 7.3 branch
  2. install vagrant and virtualbox if you don't have them
  3. edit jenkins_test.sh and set to run the released 7.3 artifacts like this;
if [ -z "${MANIFEST}" ]; then
  # MANIFEST=snapshots; BRANCH=7.3
  # MANIFEST=staging; BUILD=7.3.1-dd7e8fea
  MANIFEST=artifacts;  BUILD=7.3.0
fi
  4. run VMS=ubuntu18_docker ./jenkins_test.sh
    This will create an Ubuntu 18.04 VM, pull the 7.3.0 docker images, configure them and then run tests (also requires node installed), but you can see if logstash data loads and if logstash monitoring is working without running the tests.
  5. Change jenkins_test.sh to run a later 7.3.1 snapshot or staging BC build like;
if [ -z "${MANIFEST}" ]; then
  # MANIFEST=snapshots; BRANCH=7.3
  MANIFEST=staging; BUILD=7.3.1-dd7e8fea
  # MANIFEST=artifacts;  BUILD=7.3.0
fi
  6. run VMS=ubuntu18_docker ./jenkins_test.sh
    This will fail at a point where jenkins_test checks that there are documents in the logstash index. It fails apparently because the password in the config file doesn't get expanded.

@clintandrewhall

clintandrewhall commented Aug 19, 2019

Can I get an update as to if this is a blocker? I need to know if we need a fix and a BC build.

@danhermann
Contributor

@clintandrewhall, I haven't been able to isolate the problem, yet, but there's a reasonable possibility it would cause any Logstash installations with configuration variables to fail to start. Because of that, I'm going to revert the commit that introduced these changes so we can get a 7.3.1 BC without them.

@danhermann
Contributor

The revert is here: #11056

@clintandrewhall

Labeling this as a blocker for tracking purposes. Once merged to 7.3.1 I'll build a new BC. Thanks!

@danhermann
Contributor

@clintandrewhall, this has been merged to the 7.3 branch of Logstash. Please let me know if you need anything else from me on this issue.

@LeeDr LeeDr closed this as completed Aug 19, 2019
@LeeDr
Author

LeeDr commented Aug 19, 2019

FYI, I just reproduced this issue outside of a docker environment (CentOS 7 with rpm package install).

Aug 19 19:04:06 localhost logstash: ERROR: Failed to load settings file from "path.settings". Aborting... path.setting=/etc/logstash, exception=LogStash::ConfigurationError, message=>Cannot evaluate ${ELASTIC_PASSWORD}. Replacement variable ELASTIC_PASSWORD is not defined in a Logstash secret store or as an Environment entry and there is no default value given.

But I can see that I did add that ELASTIC_PASSWORD key to the keystore.

Also I confirmed it's not a case problem. I changed logstash.yml to try the lowercase form of the key and it still failed the same way;

Aug 19 19:10:01 localhost logstash: ERROR: Failed to load settings file from "path.settings". Aborting... path.setting=/etc/logstash, exception=LogStash::ConfigurationError, message=>Cannot evaluate ${elastic_password}. Replacement variable elastic_password is not defined in a Logstash secret store or as an Environment entry and there is no default value given.
Aug 19 19:10:01 localhost logstash: [ERROR] 2019-08-19 19:10:01.083 [main] Logstash - java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

@jsvd
Member

jsvd commented Aug 20, 2019

I believe this is the same problem as with any other config files in Logstash. When the config folder is elsewhere (like /etc/logstash) you need to pass --path.settings=/etc/logstash to both /usr/share/logstash/bin/logstash-keystore and any /usr/share/logstash/bin/logstash invocations.

@LeeDr
Author

LeeDr commented Aug 21, 2019

@jsvd From this error message, it looks like it is using the correct path.setting=/etc/logstash and indeed that's where the logstash.yml file is in this case, and contains ${ELASTIC_PASSWORD} which is not being evaluated

Aug 19 19:04:06 localhost logstash: ERROR: Failed to load settings file from "path.settings". Aborting... path.setting=/etc/logstash, exception=LogStash::ConfigurationError, message=>Cannot evaluate ${ELASTIC_PASSWORD}. Replacement variable ELASTIC_PASSWORD is not defined in a Logstash secret store or as an Environment entry and there is no default value given.

@LeeDr
Author

LeeDr commented Aug 21, 2019

Ohhh, it's logstash not finding the keystore file? The message doesn't make it clear if it did find a keystore or not.
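
Added example (not part of the thread and not Logstash code): a pre-start check that separates the two cases the error message above conflates, namely no logstash.keystore file in the settings directory versus a `${NAME}` reference that no keystore key, environment entry or default covers. The `preflight` and `demo` names, the caller-supplied key list, the reference regex and the `http.port` sample line are assumptions made for this sketch.

```python
import re
import tempfile
from pathlib import Path

# ${NAME} or ${NAME:default}; an approximation of the reference syntax, for this check only
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def preflight(settings_dir, config_text, keystore_keys, env):
    """Return (keystore_present, unresolved) for one settings or pipeline file.

    keystore_keys are the key names held in the keystore, passed in by the
    caller (assumption: this sketch never opens the keystore itself).
    """
    keystore_present = (Path(settings_dir) / "logstash.keystore").is_file()
    # Keys are stored lowercased (per the thread), so compare in lowercase.
    stored = {k.lower() for k in keystore_keys} if keystore_present else set()
    unresolved = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        for m in REF.finditer(line):
            name = m.group(1)
            has_default = m.group(2) is not None
            if name.lower() in stored or name in env or has_default:
                continue
            if name not in unresolved:
                unresolved.append(name)
    return keystore_present, unresolved


# Constructed sample: settings lines from the report plus one constructed default.
SAMPLE_YML = """\
http.host: 0.0.0.0
# read password from logstash.keystore
xpack.monitoring.elasticsearch.password: ${ELASTIC_PASSWORD}
xpack.monitoring.elasticsearch.username: logstash_system
http.port: ${HTTP_PORT:9600}
"""


def demo():
    """Run the check against two constructed settings directories."""
    keys = ["elastic_password"]  # constructed list, in the lowercased stored form
    with tempfile.TemporaryDirectory() as empty_dir, tempfile.TemporaryDirectory() as ks_dir:
        # Placeholder file only; a real keystore is created by logstash-keystore.
        (Path(ks_dir) / "logstash.keystore").write_bytes(b"")
        missing = preflight(empty_dir, SAMPLE_YML, keys, env={})
        found = preflight(ks_dir, SAMPLE_YML, keys, env={})
    return missing, found


if __name__ == "__main__":
    for present, unresolved in demo():
        print(f"keystore file present: {present}; unresolved: {unresolved}")
```

Run it with the same directory that is passed as --path.settings, so the check looks for the keystore where Logstash will.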
