Is an execution of securityadmin.sh on one node enough to update the configuration of the whole cluster?

Hi

I run the securityadmin.sh script (option -cd) to deploy modifications made to security configuration files such as roles.yml, roles_mapping.yml, config.yml and so on.

Using a script, I trigger the execution of the securityadmin.sh script on all data, master and client nodes from outside of the node (using ssh, or kubectl exec for k8s).

As a result, I get some nodes sending the following output

Open Distro Security Admin v7
Will connect to localhost:9300 … done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.10.2
Open Distro Security Version: 1.13.1.0
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Clustername: elasticsearch
Clusterstate: YELLOW
Number of nodes: 3
Number of data nodes: 1
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/
Will update ‘_doc/config’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
SUCC: Configuration for ‘config’ created or updated
Will update ‘_doc/roles’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles.yml
SUCC: Configuration for ‘roles’ created or updated
Will update ‘_doc/rolesmapping’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/roles_mapping.yml
SUCC: Configuration for ‘rolesmapping’ created or updated
Will update ‘_doc/internalusers’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/internal_users.yml
SUCC: Configuration for ‘internalusers’ created or updated
Will update ‘_doc/actiongroups’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/action_groups.yml
SUCC: Configuration for ‘actiongroups’ created or updated
Will update ‘_doc/tenants’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/tenants.yml
SUCC: Configuration for ‘tenants’ created or updated
Will update ‘_doc/nodesdn’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/nodes_dn.yml
SUCC: Configuration for ‘nodesdn’ created or updated
Will update ‘_doc/whitelist’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/whitelist.yml
SUCC: Configuration for ‘whitelist’ created or updated
Will update ‘_doc/audit’ with /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/audit.yml
SUCC: Configuration for ‘audit’ created or updated
Done with success

While others send the following output

Open Distro Security Admin v7
Will connect to localhost:9300 … done
command terminated with exit code 137

As a result, the updated configuration is well deployed and usable on Kibana.

My questions are twofold:

  1. What does return code 137 mean for securityadmin.sh?
  2. Is an execution of securityadmin.sh on one node enough to update the configuration of the whole cluster?

  1. No idea, maybe you could run the script with the --diagnose option, hopefully it will give you some more insight.

  2. Yes, running securityadmin.sh on one node is enough.

2 Likes

I’m not sure, but 137 at least sometimes means the OS killed the process, for example the OOM-killer. Are you low on memory? At least the OOM-killer should be visible in /var/log/messages on CentOS, but I’m not sure how it works in k8s.
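
An added example, not part of the thread: a POSIX shell wrapper that tries one node at a time and stops at the first verified run, since one successful run is enough, and that decodes statuses such as 137 as 128 + signal number. The function names, node names and `sample_runner` (a constructed stand-in for the ssh or kubectl exec call) are assumptions; the matched strings come from the output quoted in the question.

```shell
#!/bin/sh
# Added example. Helper, runner and node names are hypothetical; the matched
# strings ("Will update", "SUCC:", "Done with success") are from the thread.

# Statuses above 128 follow the shell convention 128 + signal number.
describe_status() {
    if [ "$1" -eq 0 ]; then echo "exit 0"
    elif [ "$1" -gt 128 ]; then
        case $(( $1 - 128 )) in
            9) echo "killed by signal 9 (SIGKILL)" ;;
            *) echo "killed by signal $(( $1 - 128 ))" ;;
        esac
    else echo "error exit $1"
    fi
}

# A run counts only if it exited 0, printed "Done with success", and every
# "Will update" line is matched by a "SUCC:" line.
verify_run() {  # $1 = exit status, $2 = captured output
    [ "$1" -eq 0 ] || return 1
    printf '%s\n' "$2" | grep -q '^Done with success$' || return 1
    want=$(printf '%s\n' "$2" | grep -c '^Will update' || true)
    got=$(printf '%s\n' "$2" | grep -c '^SUCC:' || true)
    [ "$want" -gt 0 ] && [ "$want" -eq "$got" ]
}

# Try nodes in order and stop at the first verified run.
# $1 = runner command taking a node name; remaining arguments = node names.
deploy_once() {
    runner=$1; shift
    for node in "$@"; do
        out=$("$runner" "$node" 2>&1) && st=0 || st=$?
        if verify_run "$st" "$out"; then
            echo "applied via $node"; return 0
        fi
        echo "$node: $(describe_status "$st"), trying next node" >&2
    done
    return 1
}

# Constructed stand-in for "ssh / kubectl exec ... securityadmin.sh -cd <dir>".
sample_runner() {
    echo "Will connect to localhost:9300 ... done"
    [ "$1" = "es-data-0" ] && return 137   # simulate the killed run
    echo "Will update '_doc/roles' with /constructed/roles.yml"
    echo "SUCC: Configuration for 'roles' created or updated"
    echo "Done with success"
}

deploy_once sample_runner es-data-0 es-master-0 es-client-0
```

Replace `sample_runner` with a function that runs securityadmin.sh on the named node with your own connection options; the remaining nodes are only fallbacks.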

Hey, looks like you are able to get this working. I’m having trouble getting any of the configurations to be set. How did you get this working? Is there a copy of your working values.yaml that I can take a look at? I can get this thing running on a standalone node, but I'm having a tough time with Kubernetes.