Hanging on "Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ..."

#1

Hey !
I’m trying to retrieve my security index configurations to move to another server.
I used the tool securityadmin.sh and I receive this error after waiting for a while.

./securityadmin.sh -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -key /etc/elasticsearch/kirk-key.pem -r -icl -nhnv
Open Distro Security Admin v6
Will connect to localhost:9300 ... done
Elasticsearch Version: 6.5.4
Open Distro Security Version: 0.7.0.0
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Contacting elasticsearch cluster 'elasticsearch' and wait for YELLOW clusterstate ...
ERR: Timed out while waiting for a green or yellow cluster state.
   * Try running securityadmin.sh with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
   * Make also sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
   * If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
   * Add --accept-red-cluster to allow securityadmin to operate on a red cluster.

I did read the search guard documentation about the tool and researched in their google forum but still no way to get past through this error.

So I tried to find another way to have backups, I made some modifications to the yml config files and restarted the elasticsearch and kibana services.
Nothing changed, no impact on the users, roles or mappings.
I did try the security admin tool to reload the configuration and it said every thing went okay but no effect.
What am I doing wrong?

Hope I made my explanations clear enough. Thank you for all the work, it’s really nice.

EDIT : My elastic was in a red state so the tool wasn’t working. Not enough disk space.

If your cluster state is red, you can still execute sgadmin, but you need to add the  `-arc/--accept-red-cluster`  switch

I will try to do my restore. Keep you updated

Thi

#2

Hello guys !
I did my restore and all is fine. Really time saving and I can use the yml config files now.

Thi

#3

Nice ! Just curious - why wouldn’t you pass in all the yml files through docker-compose directly, as opposed to running security_admin to fetch them(and copy them manually) ?

    volumes:
      - odfe-data1:/usr/share/elasticsearch/data
      - ./elasticsearch.yml:/user/share/elasticsearch/config/elasticsearch.yml
      - ./config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    networks:
      - odfe-net
  odfe-node2:
    image: amazon/opendistro-for-elasticsearch:0.7.0
    container_name: odfe-node2
    environment:
      - cluster.name=odfe-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - discovery.zen.ping.unicast.hosts=odfe-node1
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - odfe-data2:/usr/share/elasticsearch/data
      - ./elasticsearch.yml:/user/share/elasticsearch/config/elasticsearch.yml
      - ./config.yml:/usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml