From e671deb62ccd85d2f5980099526418b00a268664 Mon Sep 17 00:00:00 2001 From: Jonathan Budzenski Date: Sun, 25 Oct 2020 12:17:52 -0500 Subject: [PATCH 1/6] Create keystore during package installation A common source of permission errors stem from creating files after package installation under a user that runtime kibana won't be able to read or write to. Under package installations this is usually root. This PR contains two changes: 1) Create the keystore during deb/rpm installation with permissions consistent with other stack products 2) Limit the force-root flag to the server CLI. The force-root flag is a good precaution for long running and global processes, but for local writes we can pre-enforce this by setting install permissions. --- src/cli_keystore/dev.js | 2 +- .../package_scripts/post_install.sh | 13 ++++++++++ .../os_packages/package_scripts/post_trans.sh | 8 ++++++ src/dev/build/tasks/os_packages/run_fpm.ts | 2 ++ src/setup_node_env/cli.js | 25 +++++++++++++++++++ 5 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 src/dev/build/tasks/os_packages/package_scripts/post_trans.sh create mode 100644 src/setup_node_env/cli.js diff --git a/src/cli_keystore/dev.js b/src/cli_keystore/dev.js index 12dc51134aad7..b99bb37282690 100644 --- a/src/cli_keystore/dev.js +++ b/src/cli_keystore/dev.js @@ -17,5 +17,5 @@ * under the License. */ -require('../setup_node_env'); +require('../setup_node_env/cli'); require('./cli_keystore'); diff --git a/src/dev/build/tasks/os_packages/package_scripts/post_install.sh b/src/dev/build/tasks/os_packages/package_scripts/post_install.sh index 1c679bdb40b59..5e51229441009 100644 --- a/src/dev/build/tasks/os_packages/package_scripts/post_install.sh +++ b/src/dev/build/tasks/os_packages/package_scripts/post_install.sh @@ -36,8 +36,10 @@ case $1 in fi set_access + PACKAGE=deb ;; abort-deconfigure|abort-upgrade|abort-remove) + PACKAGE=deb ;; # Red Hat @@ -56,6 +58,7 @@ case $1 in fi set_access + PACKAGE=rpm ;; *) 
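Review bot: Setting `PACKAGE=deb` in the `abort-deconfigure|abort-upgrade|abort-remove` branch of post_install.sh means the keystore block added at the end of the script also runs while dpkg is unwinding a failed operation, so a rollback can invoke `kibana-keystore create`. If that is not intended, leave `PACKAGE` unset on the abort branch. If it is intended, say so with a comment such as `# abort paths also create the keystore so a rolled-back install stays usable`. `PACKAGE=rpm` in the Red Hat branch is not read by anything visible in this patch, which only tests for `deb`, so it would help to note that it is informational. The case statement starts and ends outside these hunks.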
@@ -69,3 +72,13 @@ if [ "$IS_UPGRADE" = "true" ]; then systemctl daemon-reload fi fi + +# the equivalent code for rpm is in posttrans +if [ "$PACKAGE" = "deb" ]; then + if [ ! -f "${KBN_PATH_CONF}"/kibana.keystore ]; then + /usr/share/kibana/bin/kibana-keystore create + chown root:<%= group %> "${KBN_PATH_CONF}"/kibana.keystore + chmod 660 "${KBN_PATH_CONF}"/kibana.keystore + md5sum "${KBN_PATH_CONF}"/kibana.keystore > "${KBN_PATH_CONF}"/.kibana.keystore.initial_md5sum + fi +fi diff --git a/src/dev/build/tasks/os_packages/package_scripts/post_trans.sh b/src/dev/build/tasks/os_packages/package_scripts/post_trans.sh new file mode 100644 index 0000000000000..a08e4552f0e06 --- /dev/null +++ b/src/dev/build/tasks/os_packages/package_scripts/post_trans.sh @@ -0,0 +1,8 @@ +export KBN_PATH_CONF=${KBN_PATH_CONF:-<%= configDir %>} + +if [ ! -f "${KBN_PATH_CONF}"/kibana.keystore ]; then + /usr/share/kibana/bin/kibana-keystore create + chown root:<%= group %> "${KBN_PATH_CONF}"/kibana.keystore + chmod 660 "${KBN_PATH_CONF}"/kibana.keystore + md5sum "${KBN_PATH_CONF}"/kibana.keystore > "${KBN_PATH_CONF}"/.kibana.keystore.initial_md5sum +fi \ No newline at end of file diff --git a/src/dev/build/tasks/os_packages/run_fpm.ts b/src/dev/build/tasks/os_packages/run_fpm.ts index b5169ec3d43b6..743dc8a0e8104 100644 --- a/src/dev/build/tasks/os_packages/run_fpm.ts +++ b/src/dev/build/tasks/os_packages/run_fpm.ts @@ -92,6 +92,8 @@ export async function runFpm( resolve(__dirname, 'package_scripts/pre_remove.sh'), '--after-remove', resolve(__dirname, 'package_scripts/post_remove.sh'), + '--rpm-posttrans', + resolve(__dirname, 'package_scripts/post_trans.sh'), // tell fpm about the config file so that it is called out in the package definition '--config-files', diff --git a/src/setup_node_env/cli.js b/src/setup_node_env/cli.js new file mode 100644 index 0000000000000..c88a0819eb292 --- /dev/null +++ b/src/setup_node_env/cli.js 
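Review bot: The keystore is created before its owner and mode are set, so between `kibana-keystore create` and `chmod 660` the file carries whatever mode the tool and the installer's umask produce, and the `.kibana.keystore.initial_md5sum` file written on the last line never gets an explicit owner or mode. Running the creation under a restrictive umask, e.g. `( umask 0007 && /usr/share/kibana/bin/kibana-keystore create )`, would close that window, and the checksum file would get the same `chown`/`chmod` as the keystore. The block does not check that `create` succeeded before `chown`, `chmod` and `md5sum` run; whether the script stops on failure depends on shell options set outside this hunk. The identical block in the new post_trans.sh has the same gaps. A one-line comment on the md5sum line stating what the recorded checksum is later compared against would also help, since no reader of it is visible in this patch.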
@@ -0,0 +1,25 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +// The following require statements MUST be executed before any others - BEGIN +require('./exit_on_warning'); +require('./harden'); +// The following require statements MUST be executed before any others - END + +require('./node_version_validator'); From 96a25465bc8bcf4088fb77fb1fc8162d9e97894e Mon Sep 17 00:00:00 2001 From: Jonathan Budzenski Date: Mon, 26 Oct 2020 06:44:46 -0500 Subject: [PATCH 2/6] temporarily build --all-platforms for testing --- test/scripts/jenkins_xpack_build_kibana.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/scripts/jenkins_xpack_build_kibana.sh b/test/scripts/jenkins_xpack_build_kibana.sh index 2452e2f5b8c58..3e7946055094b 100755 --- a/test/scripts/jenkins_xpack_build_kibana.sh +++ b/test/scripts/jenkins_xpack_build_kibana.sh 
@@ -28,7 +28,7 @@ node scripts/functional_tests --assert-none-excluded \ if [[ -z "$CODE_COVERAGE" ]] ; then echo " -> building and extracting default Kibana distributable for use in functional tests" cd "$KIBANA_DIR" - node scripts/build --debug --no-oss + node scripts/build --debug --no-oss --all-platforms linuxBuild="$(find "$KIBANA_DIR/target" -name 'kibana-*-linux-x86_64.tar.gz')" installDir="$KIBANA_DIR/install/kibana" mkdir -p "$installDir" From a9e6af24f864bd070d93a324629d7a5842e9fc53 Mon Sep 17 00:00:00 2001 From: Jonathan Budzenski Date: Tue, 27 Oct 2020 10:24:33 -0500 Subject: [PATCH 3/6] Revert "temporarily build --all-platforms for testing" This reverts commit 96a25465bc8bcf4088fb77fb1fc8162d9e97894e. --- test/scripts/jenkins_xpack_build_kibana.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/scripts/jenkins_xpack_build_kibana.sh b/test/scripts/jenkins_xpack_build_kibana.sh index 3e7946055094b..2452e2f5b8c58 100755 --- a/test/scripts/jenkins_xpack_build_kibana.sh +++ b/test/scripts/jenkins_xpack_build_kibana.sh @@ -28,7 +28,7 @@ node scripts/functional_tests --assert-none-excluded \ if [[ -z "$CODE_COVERAGE" ]] ; then echo " -> building and extracting default Kibana distributable for use in functional tests" cd "$KIBANA_DIR" - node scripts/build --debug --no-oss --all-platforms + node scripts/build --debug --no-oss linuxBuild="$(find "$KIBANA_DIR/target" -name 'kibana-*-linux-x86_64.tar.gz')" installDir="$KIBANA_DIR/install/kibana" mkdir -p "$installDir" From 4a893788307a0177ac687ed3d90a13eee8cd2405 Mon Sep 17 00:00:00 2001 From: Jonathan Budzenski Date: Mon, 2 Nov 2020 07:59:15 -0600 Subject: [PATCH 4/6] remove force-root flag from keystore and plugin cli --- src/cli/dev.js | 1 + src/cli/dist.js | 1 + src/setup_node_env/no_transpilation.js | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/cli/dev.js b/src/cli/dev.js index a284c82dfeb6e..99b7c1a696e49 100644 --- a/src/cli/dev.js +++ b/src/cli/dev.js 
@@ -19,4 +19,5 @@ require('../apm')(process.env.ELASTIC_APM_SERVICE_NAME || 'kibana-proxy'); require('../setup_node_env'); +require('../setup_node_env/root'); require('./cli'); diff --git a/src/cli/dist.js b/src/cli/dist.js index 05f0a68aa495c..bc14a3b530356 100644 --- a/src/cli/dist.js +++ b/src/cli/dist.js @@ -19,4 +19,5 @@ require('../apm')(); require('../setup_node_env/dist'); +require('../setup_node_env/root'); require('./cli'); diff --git a/src/setup_node_env/no_transpilation.js b/src/setup_node_env/no_transpilation.js index 71fdfa5ad29ea..e989fedcec66f 100644 --- a/src/setup_node_env/no_transpilation.js +++ b/src/setup_node_env/no_transpilation.js @@ -24,5 +24,4 @@ require('./harden'); require('symbol-observable'); require('source-map-support/register'); -require('./root'); require('./node_version_validator'); From 290aa611beba52ba906375d30495e152440e2c30 Mon Sep 17 00:00:00 2001 From: Jonathan Budzenski Date: Mon, 2 Nov 2020 08:43:41 -0600 Subject: [PATCH 5/6] fix merge conflict --- .../build/tasks/os_packages/package_scripts/post_install.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/dev/build/tasks/os_packages/package_scripts/post_install.sh b/src/dev/build/tasks/os_packages/package_scripts/post_install.sh index d0cd1df1b6ffc..c9b59fed9311e 100644 --- a/src/dev/build/tasks/os_packages/package_scripts/post_install.sh +++ b/src/dev/build/tasks/os_packages/package_scripts/post_install.sh @@ -59,13 +59,9 @@ case $1 in if [ "$1" = "2" ]; then IS_UPGRADE=true fi - -<<<<<<< HEAD - set_access + PACKAGE=rpm -======= setup ->>>>>>> master ;; *) From 7bcf044ec63b4e0bdf39865974a15bcc06b9678d Mon Sep 17 00:00:00 2001 
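Review bot: Removing `require('./root');` from src/setup_node_env/no_transpilation.js turns the run-as-root guard from a default into an opt-in for every entry point that loads this module, while the visible hunks restore it only in src/cli/dev.js and src/cli/dist.js. Any other long-running entry point that relied on setup_node_env for that check would now start as root without complaint, so the remaining callers of setup_node_env need checking, which cannot be done from this diff. A comment at the removed line would keep the contract visible, for example `// NOTE: the root check is not loaded here; server entry points must require('./root') themselves`. In dev.js and dist.js the added `require('../setup_node_env/root');` would read better with a short comment saying that it has to stay ahead of `require('./cli');`.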
From: Jonathan Budzenski Date: Mon, 9 Nov 2020 07:15:54 -0600 Subject: [PATCH 6/6] reuse no_transpilation instead of creating cli --- src/cli_keystore/dev.js | 2 +- .../os_packages/package_scripts/post_trans.sh | 2 +- src/setup_node_env/cli.js | 25 ------------------- 3 files changed, 2 insertions(+), 27 deletions(-) delete mode 100644 src/setup_node_env/cli.js diff --git a/src/cli_keystore/dev.js b/src/cli_keystore/dev.js index b99bb37282690..c229d26439bb5 100644 --- a/src/cli_keystore/dev.js +++ b/src/cli_keystore/dev.js @@ -17,5 +17,5 @@ * under the License. */ -require('../setup_node_env/cli'); +require('../setup_node_env/no_transpilation'); require('./cli_keystore'); diff --git a/src/dev/build/tasks/os_packages/package_scripts/post_trans.sh b/src/dev/build/tasks/os_packages/package_scripts/post_trans.sh index a08e4552f0e06..3c1bd3ccf88b4 100644 --- a/src/dev/build/tasks/os_packages/package_scripts/post_trans.sh +++ b/src/dev/build/tasks/os_packages/package_scripts/post_trans.sh @@ -5,4 +5,4 @@ if [ ! -f "${KBN_PATH_CONF}"/kibana.keystore ]; then chown root:<%= group %> "${KBN_PATH_CONF}"/kibana.keystore chmod 660 "${KBN_PATH_CONF}"/kibana.keystore md5sum "${KBN_PATH_CONF}"/kibana.keystore > "${KBN_PATH_CONF}"/.kibana.keystore.initial_md5sum -fi \ No newline at end of file +fi diff --git a/src/setup_node_env/cli.js b/src/setup_node_env/cli.js deleted file mode 100644 index c88a0819eb292..0000000000000 --- a/src/setup_node_env/cli.js +++ /dev/null 
@@ -1,25 +0,0 @@
-/*
- * Licensed to Elasticsearch B.V. under one or more contributor
- * license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright
- * ownership. Elasticsearch B.V. licenses this file to you under
- * the Apache License, Version 2.0 (the "License"); you may
- * not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-// The following require statements MUST be executed before any others - BEGIN
-require('./exit_on_warning');
-require('./harden');
-// The following require statements MUST be executed before any others - END
-
-require('./node_version_validator');