Consolidating requirements for the user account running the es service#5109
Consolidating requirements for the user account running the es service#5109yetanothertw wants to merge 8 commits intomainfrom
Conversation
…arch service Fixes #1253
✅ Vale Linting ResultsNo issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
🔍 Preview links for changed docs |
eedugon
left a comment
eedugon
left a comment
There was a problem hiding this comment.
Looks great, adding this new page seems like a very good addition IMO, also linking it properly with the system configuration docs. I'm surprised we never had this doc.
One small comment besides the provided suggestions. Are we going to consider windows users here? Not sure if it would be useful, just for your consideration.
deploy-manage/deploy/self-managed/elasticsearch-service-user.md
Outdated
Show resolved
Hide resolved
|
|
||
| For more information, refer to [Troubleshooting a shared file system repository](/deploy-manage/tools/snapshot-and-restore/shared-file-system-repository.md#_troubleshooting_a_shared_file_system_repository). | ||
|
|
||
| ## Required system permissions |
There was a problem hiding this comment.
| ## Required system permissions | |
| ## Required system resource limits |
Permissions in systems administration are usually tied to user permissions over the filesystem, so the title makes the reader to expect system permissions towards specific directories or things like that.
This section is apparently about the limits.conf configuration, which defines at kernel level limits for different resource types for processes. So this is about processes and kernel limits.
The user here is because the limit will be applied to the processes created by the user elasticsearch.
I'm suggesting a title change and a small refinement in the next sentence.
There was a problem hiding this comment.
So perhaps something like Kernel resource limits for the {{es}} process is more specific and more correct?
deploy-manage/deploy/self-managed/elasticsearch-service-user.md
Outdated
Show resolved
Hide resolved
deploy-manage/deploy/self-managed/elasticsearch-service-user.md
Outdated
Show resolved
Hide resolved
deploy-manage/deploy/self-managed/elasticsearch-service-user.md
Outdated
Show resolved
Hide resolved
shainaraskas
left a comment
shainaraskas
left a comment
There was a problem hiding this comment.
couple of questions that are perhaps a little naive
re:
Furthermore, this snippet documents that the config directory is owned by root:elasticsearch, meaning the service user is expected to be a member of the elasticsearch group, not root itself.
does this mean that there is a group that needs to be created/joined?
wonder if this would be a good PR to get some support TL input on (e.g. kuni/stef) - they probably have a good understanding of where we run into user permission issues
deploy-manage/deploy/self-managed/important-system-configuration.md
Outdated
Show resolved
Hide resolved
deploy-manage/deploy/self-managed/elasticsearch-service-user.md
Outdated
Show resolved
Hide resolved
deploy-manage/deploy/self-managed/elasticsearch-service-user.md
Outdated
Show resolved
Hide resolved
deploy-manage/deploy/self-managed/elasticsearch-service-user.md
Outdated
Show resolved
Hide resolved
|
Thank you, Shaina and Edu for the excellent observations and suggestions!
I think there are quite a few questions that we can't confidently answer and I couldn't find in our docs where we mention creating the group or adding the user to it, so this is definitely a gap. There's an implicit group requirement that is never explicitly documented.
Yes, definitely! @kunisen, @stefnestor, when you get the chance, would you please review this PR? Our archive install guidance doesn't inlcude explicit groupadd/useradd instructions, but should it? The docs say "create the user manually" but we never mention creating the group or adding the user to it. What specific group membership is required for archive installs vs package installs? What type of permission errors do you actually see in practice? |
|
👋🏽 howdy, friends! Sorry, I'm not actually a TL, we just hang out. And Kuni is TL for Cloud. Elasticsearch is handled by @Gunnerva and @\ppf2 . My best guess is that install requirements falls under "cluster formation" so tagging Ryan not Pius 🙂. Also FWIW I'd claim this type of official recommendation needs Dev-not-Support sign off on word nuances. 🙃 Thanks! |
4 participants
Summary
Fixes #1253 and adds a new page (PREVIEW) that includes the following Elasticsearch service user requirements:
Furthermore, this snippet documents that the config directory is owned by
root:elasticsearch, meaning the service user is expected to be a member of the elasticsearch group, not root itself.This guidance supports the principle of least privilege (in security) and ensures that the elasticsearch user only needs access to its data, logs, and config directories.
Use consistent user and group IDs across nodes, this guideline is supported on this page. This is also discussed in Add link to shared FS troubleshooting from system config page #1242 where it describes a scenario where nodes had the elasticsearch user with the same name but different numeric UIDs, causing silent NFS permission failures on shared file system snapshot repositories.
Required system permissions. This information can be found in the same section, but scattered throughout various pages. I've added a table that consolidates all these recommendations per system-level permission and links to each page for details.
File and directory ownership. This is supported by this snippet. Elasticsearch needs to read its configuration and write to data and log directories. Without correct ownership, Elasticsearch fails to start.
Generative AI disclosure
I've used claude 4.6 opus high to validate assumptions and find connections