Plugins requiring extra java permissions fail to install properly

[brownc]

When using the plugin provider to install plugins, those requiring additional java permissions don't appear to install correctly.

If I run manually:

$ sudo ./elasticsearch-plugin install discovery-ec2
-> Downloading discovery-ec2 from elastic
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessDeclaredMembers
* java.lang.RuntimePermission getClassLoader
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
-> Installed discovery-ec2

elasticsearch-plugin does have a flag for batch mode (-b), however this isn't used in the chef provider:

  def action_install
    return if plugin_exists(new_resource.plugin_name)

    # since install can take a URL argument instead
    url_or_name = new_resource.url || new_resource.plugin_name
    manage_plugin("install #{url_or_name}")
  end # action

In function manage_plugin:

cmd_str = "#{es_conf.path_bin}/elasticsearch-plugin #{arguments.chomp(' ')} #{new_resource.options}".chomp(' ')

So that's running the plugin with install and the name/url but without batch mode.

The net result: a half install plugin that doesn't get the required permissions.

Suspected fix: add "-b" in the 'manage_plugin()' call within action_install.

Will dig further and try and pop up a PR later. The question will be is batch mode acceptable by default?

[brownc]

Oh I forgot how I got here in the first place. Elasticsearch refused to start and bombed out because of the following:

[2017-09-14T15:39:00,879][ERROR][o.e.b.Bootstrap          ] Exception
java.lang.IllegalArgumentException: unknown setting [cloud.aws.region] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:293) ~[elasticsearch-5.5.3.jar:5.5.3]

Because the discovery_ec2 plugin hadn't loaded in my case, it couldn't understand the cloud.aws.region key.

Also impacts 5.6.0.

[martinb3]

Hi there -- I'll have to be sure that batch mode is supported in all of the versions we're testing against. In the mean time, you can specify options '-b' to the plugin resource if you'd like to bypass this, by providing specific options to run.

[brownc]

Thanks Martin. Looking back, clearly had a very blind day yesterday - I even pasted the "options" option in my output above, which would happily fix this! That fixes my immediate problem without changes - whether -b should be a default therefore becomes less of an issue and not a blocker.

Based on your response, that suggested fix may not need to be compulsory - depends if you guys think this should be just smoother, and if all the current supported versions support -b, as you said.

Thanks again, much appreciated!

[leegarrett]

bump

any update on this issue? Would be great for it to work out of the box.

[AashishChughHome]

Any update on the issue?

[jensenbox]

elasticsearch_plugin 'repository-s3' do
  options '--batch'
end

Worked for me for ES6 - I strongly recommend adding that to the examples at the very least.

[matthowardcohere]

@jensenbox 's suggestion worked for me, thanks!