[DOCS] RHEL Security TMP override #77285
Adding content for [top last 30d Elastic Discuss post](https://discuss.elastic.co/t/elasticsearch-v7-6-2-failed-to-start-killed-by-sigabrt-on-rhel-7-7-urgent/231039) which covers a BlackHat RHEL start-up error with [this solution](https://discuss.elastic.co/t/elasticsearch-v7-6-2-failed-to-start-killed-by-sigabrt-on-rhel-7-7-urgent/231039/11).
Pinging @elastic/es-docs (Team:Docs)
Pinging @elastic/es-delivery (Team:Delivery)
@pugnascotia were you involved in tracking down this issue? If so you can give the 👍 on this?
@@ -123,6 +123,17 @@ endif::[] | |||
|
|||
include::skip-set-kernel-parameters.asciidoc[] | |||
|
|||
[[install-rhel-security]] | |||
==== Override Red Hat TMP if Security Compliance |
Should be something like the following? This feels convoluted.
==== Override Red Hat TMP if Security Compliance | |
==== Override Red Hat TMP if Security Compliant |
Compliant is better than Compliance, but "Security Compliant" is still vague. Can we be more specific here and say something like, "Override Red Hat TMP if FIPS mode is enabled"?
Unfortunately it's nothing to do with FIPS mode - these steps are necessary today if the user is using SELinux with a particular config (which we don't test and haven't even fully characterised). Admittedly there will be significant overlap between users of FIPS mode and users of this kind of SELinux config.
==== Override Red Hat TMP if Security Compliance | ||
|
||
If you are applying a security compliance in your RHEL installation | ||
you must change the path of the TMP directory that will use elasticsearch as Java. |
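Review bot: the two added sentences never say which condition triggers the problem or what the user sees, so a reader cannot tell whether the section applies to them. From the discussion, the trigger is a hardened RHEL configuration (an SELinux setup, not FIPS mode) in which libffi cannot map writable-and-executable memory and falls back to writing code into a temporary file on a noexec filesystem, and the symptom is a crash at startup (SIGSEGV, or SIGABRT in the linked forum post). Suggest leading with symptom and condition, e.g. `If {es} fails to start on a hardened RHEL system because the system temporary directory does not allow executable files, configure a dedicated temporary directory for {es}:`, and dropping the vague "security compliance" wording.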
you must change the path of the TMP directory that will use elasticsearch as Java. | |
you must change the path of the TMP directory that Java and {es} will use. |
|
||
1. Uncomment `-Djava.io.tmpdir=${ES_TMPDIR}` under `/etc/elasticsearch/jvm.options` | ||
2. Add `ES_TMPDIR=/usr/share/elasticsearch/tmp` under `/etc/sysconfig/elasticsearch` | ||
3. Create the /usr/share/elasticsearch/tmp directory and make sure that the owner and group are elasticsearch and the permissions are `0755` |
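Review bot: step 1 is redundant and step 3 is too permissive. The default `jvm.options` shipped with the distribution already contains `-Djava.io.tmpdir=${ES_TMPDIR}` (confirmed later in this thread), so step 1 should be dropped; if an override were ever needed it belongs in a file under `jvm.options.d`, not in an edit of `jvm.options`. In step 3, `0755` lets every local user traverse and list a directory that will hold code libffi writes out and then executes; since the whole point of the directory is that only the `elasticsearch` user uses it, the step should require owner `elasticsearch:elasticsearch` with mode `0700` and state explicitly that no other user should have access.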
3. Create the /usr/share/elasticsearch/tmp directory and make sure that the owner and group are elasticsearch and the permissions are `0755` | |
3. Create the `/usr/share/elasticsearch/tmp` directory and make sure that the owner and group are `elasticsearch` and the permissions are `0755`. |
If step 4 is deemed unacceptable, I'd add a note to this step indicating that no users other than the elasticsearch user should have access to this directory.
@DaveCTurner knows more about this than me, so I've added him as a reviewer.
I think we shouldn't copy the instructions from the forum post without validating them and considering some simpler alternatives. I believe we could fix this whole thing ourselves by setting `TMPDIR` to the value of `ES_TMPDIR` in our startup scripts. Does anything bad happen if we set `TMPDIR` for every Linux user?

A more targeted fix will be #77014 but this needs JNA to upgrade their `libffi` and then we need to upgrade our JNA so it'll be a while before we can do that.

I'm also not sure we actually need to override `ES_TMPDIR` in these environments either. If you hit the segfault in the linked forum post then we know that JNA's temporary directory supports executables so it should be enough to tell `libffi` to use the same location.
If you are applying a security compliance in your RHEL installation | ||
you must change the path of the TMP directory that will use elasticsearch as Java. | ||
|
||
1. Uncomment `-Djava.io.tmpdir=${ES_TMPDIR}` under `/etc/elasticsearch/jvm.options` |
I think we shouldn't be telling users to edit `jvm.options`, they should be adding extra options files in `jvm.options.d`.

But then I think this isn't necessary anyway, we already copy `ES_TMPDIR` to `java.io.tmpdir` IIRC.
Yes, we tell people to add custom options files. If this step is necessary, I'd cross reference the info on setting JVM options (https://www.elastic.co/guide/en/elasticsearch/reference/master/advanced-configuration.html#set-jvm-options). Something like:
In a <<set-jvm-options, custom JVM options>> file, override the -Djava.io.tmpdir setting:
-Djava.io.tmpdir=${ES_TMPDIR}
I can confirm this is unnecessary: we already have this setting in the default `jvm.options` file:

elasticsearch/distribution/src/config/jvm.options, lines 64 to 65 in f8793c6:

## JVM temporary directory
-Djava.io.tmpdir=${ES_TMPDIR}
1. Uncomment `-Djava.io.tmpdir=${ES_TMPDIR}` under `/etc/elasticsearch/jvm.options` | ||
2. Add `ES_TMPDIR=/usr/share/elasticsearch/tmp` under `/etc/sysconfig/elasticsearch` | ||
3. Create the /usr/share/elasticsearch/tmp directory and make sure that the owner and group are elasticsearch and the permissions are `0755` | ||
4. Lastly make sure that `/dev/shm` doesn't have the noexec attribute with command: `mount | grep tmpfs | grep '/dev/shm'` |
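Review bot: step 4 checks the wrong thing and asks for a system-wide weakening. `mount | grep tmpfs | grep '/dev/shm'` only prints the mount line; it does not test for `noexec`, and the step never says what to do if the flag is present. More importantly, remounting `/dev/shm` without `noexec` changes a host hardening setting that locked-down deployments will not accept. Since the preceding steps already give {es} a dedicated temporary directory, the step should instead point libffi at that directory (the `TMPDIR` / `LIBFFI_TMPDIR` approach raised in the review comments) and, if any check is kept, verify that the dedicated directory itself allows executable files rather than inspecting `/dev/shm`.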
This is probably unacceptable to many users of locked-down systems. Instead we should set `TMPDIR` (eventually `LIBFFI_TMPDIR`) to point to a location to which only the `elasticsearch` user has access.
@DaveCTurner so we also have #74163, and I don't think it's too much of a stretch to expand that to just using
#74163 is related but kinda different,
I added some comments and suggestions. It took me a bit to wrap my head around what was going on here, so not 100% sure the details are correct. However, I do think we need to work in a bit more context about what you're doing and why.
Also, we should add an IMPORTANT note to https://www.elastic.co/guide/en/elasticsearch/reference/master/important-settings.html#es-tmpdir that indicates that you must use a dedicated TMP directory outside of the system TMP directory if you are running on a system with FIPS mode enabled.
you must change the path of the TMP directory that will use elasticsearch as Java. | ||
|
||
1. Uncomment `-Djava.io.tmpdir=${ES_TMPDIR}` under `/etc/elasticsearch/jvm.options` | ||
2. Add `ES_TMPDIR=/usr/share/elasticsearch/tmp` under `/etc/sysconfig/elasticsearch` |
I'd make this the first step, even if you do need to explicitly set the JVM TMP directory to ES_TMPDIR.
2. Add `ES_TMPDIR=/usr/share/elasticsearch/tmp` under `/etc/sysconfig/elasticsearch` | |
2. Configure a dedicated {es} TMP directory outside of the system TMP directory: | |
+ | |
[source,shell] | |
---- | |
ES_TMPDIR=/usr/share/elasticsearch/tmp | |
--- |
Today if `libffi` cannot allocate pages of memory which are both writeable and executable then it will attempt to write code to a temporary file. Elasticsearch configures itself a suitable temporary directory for use by JNA but by default `libffi` won't find this directory and will try various other places. In certain configurations, none of the other places that `libffi` tries are suitable. With older versions of JNA this would result in a `SIGSEGV`; since elastic#80617 the JVM will exit with an exception. With this commit we use the `LIBFFI_TMPDIR` environment variable to configure `libffi` to use the same directory as JNA for its temporary files if they are needed. Closes elastic#18272 Closes elastic#73309 Closes elastic#74545 Closes elastic#77014 Closes elastic#77053 Relates elastic#77285 Co-authored-by: Rory Hunter <[email protected]>
Now that #80651 is merged I think users don't need to do most of this stuff. It should be sufficient to just set
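The defender-side version of the directory steps above, as an added example that is not part of this PR or of Elasticsearch's own scripts: it creates the dedicated temporary directory so that only its owner can use it, verifies that a file placed there can actually be executed (the property libffi needs when it falls back from writable+executable anonymous pages to a temporary file), and prints the `/etc/sysconfig/elasticsearch` lines. The path `/usr/share/elasticsearch/tmp`, the `elasticsearch` user and `LIBFFI_TMPDIR` come from the thread; the `--run` flag, function names and the 0700 mode (following the reviewers' "only the elasticsearch user" point) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the PR or Elasticsearch: create and verify a
# dedicated Elasticsearch temp directory so libffi/JNA can write and execute
# their temporary files there instead of a noexec system /tmp or /dev/shm.
# Assumes a Linux host with GNU/busybox coreutils (stat -c) and the RPM
# layout used in the thread (/usr/share/elasticsearch/tmp, user elasticsearch).

# Create DIR with mode 0700; chown to OWNER only when running as root.
es_tmpdir_setup() {
    dir=$1; owner=${2:-}
    mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$dir" || return 1
    fi
}

# Return 0 only if DIR exists, is private to its owner (0700) and allows a
# file placed in it to be executed; a noexec mount makes the probe fail in
# the same way it makes libffi's temporary-file fallback fail.
es_tmpdir_check() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    mode=$(stat -c %a "$dir")
    [ "$mode" = "700" ] || { echo "mode $mode too open: $dir"; return 1; }
    probe="$dir/.exec-probe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$probe" || return 1
    chmod 0700 "$probe" || return 1
    if "$probe" 2>/dev/null; then
        rm -f "$probe"; return 0
    fi
    rm -f "$probe"
    echo "cannot execute a file in $dir (noexec mount?)"
    return 1
}

# Lines to add to /etc/sysconfig/elasticsearch. LIBFFI_TMPDIR only matters
# for releases that do not already set it themselves at startup (#80651).
es_tmpdir_sysconfig() {
    printf 'ES_TMPDIR=%s\nLIBFFI_TMPDIR=%s\n' "$1" "$1"
}

# Usage on the RHEL host, as root: sh es_tmpdir.sh --run [DIR]
if [ "${1:-}" = "--run" ]; then
    d=${2:-/usr/share/elasticsearch/tmp}
    es_tmpdir_setup "$d" elasticsearch && es_tmpdir_check "$d" \
        && es_tmpdir_sysconfig "$d"
fi
```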
@stefnestor please enable the option "Allow edits and access to secrets by maintainers" on your PR. For more information, see the documentation.
@debadair I'm supposed to ... but I don't show the option from the documentation ... . Can you help me convert to whatever Docs needs to move forward? 🙏🏼
Gah. The GitHub API isn't very helpful when it comes to detecting the "Allow edits and access to secrets by maintainers" setting, sorry for the noise
Deb's no longer with Elastic ( cc: @elastic/docs ) & per @DaveCTurner ... above, I'll side with this no longer being needed & close. Cheers all!
Not sure if it makes sense to include "if you don't do this, you'll get these errors" or some kind of better framing/context. Putting in raw helpful content for review 🙏🏼