Rolling Restart

[mcost...@np6.com]

Hello,

I need confirmation concerning rolling restarts for SearchGuard with our particular deployment plan. We plan to:

1) Install and initialize search guard with `searchguard.disabled: true` set.
2) Unset that property, do as non-intrusive a restart as possible, and voila!

Questions:

1) Is it true that a full cluster restart (not a rolling restart) will be required for step 2?

2) Is any restarting needed for step 1, and if so, what kind?

The essence of this post is really "given our plan, what is the most non-intrusive restart we can perform?"

Please and thanks,

Marco.

[SG]

If your question is: Can i install SG into a already running cluster without full restart than the answer is: no
If you have a cluster with SG already running you can normally upgrade with a rolling restart.

> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/ba791ecd-ab99-457b-bdd6-8309a4898b00%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Jochen Kressin]

Correct me if I'm wrong, but I guess you are trying to ask if you can install Search Guard on a vanilla (non SG) cluster, and avoid a full cluster restart.

No, that is not possible: Your cluster initially does not have any TLS enabled. So if you do a rolling restart, and some nodes have TLS enabled (since you set SG enabled to true), and other nodes do not have TLS enabled yet (because SG enabled is still set to false), you end up with a split cluster. The TLS enabled nodes cannot talk to the non-TLS nodes and vice versa.

On Tuesday, October 17, 2017 at 8:23:19 PM UTC+2, Search Guard wrote:

If your question is: Can i install SG into a already running cluster without full restart than the answer is: no
If you have a cluster with SG already running you can normally upgrade with a rolling restart.

> Am 17.10.2017 um 16:54 schrieb mcost...@np6.com:
>
> Hello,
> I need confirmation concerning rolling restarts for SearchGuard with our particular deployment plan. We plan to:
>
> 1) Install and initialize search guard with `searchguard.disabled: true` set.
> 2) Unset that property, do as non-intrusive a restart as possible, and voila!
>
> Questions:
> 1) Is it true that a full cluster restart (not a rolling restart) will be required for step 2?
> 2) Is any restarting needed for step 1, and if so, what kind?
>
> The essence of this post is really "given our plan, what is the most non-intrusive restart we can perform?"
>
> Please and thanks,
> Marco.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

[mcost...@np6.com]

Thanks, everyone, for the confirmation.

On Tuesday, October 17, 2017 at 11:50:13 PM UTC+2, Jochen Kressin wrote:

Correct me if I'm wrong, but I guess you are trying to ask if you can install Search Guard on a vanilla (non SG) cluster, and avoid a full cluster restart.

No, that is not possible: Your cluster initially does not have any TLS enabled. So if you do a rolling restart, and some nodes have TLS enabled (since you set SG enabled to true), and other nodes do not have TLS enabled yet (because SG enabled is still set to false), you end up with a split cluster. The TLS enabled nodes cannot talk to the non-TLS nodes and vice versa.

On Tuesday, October 17, 2017 at 8:23:19 PM UTC+2, Search Guard wrote:

If your question is: Can i install SG into a already running cluster without full restart than the answer is: no
If you have a cluster with SG already running you can normally upgrade with a rolling restart.

> Am 17.10.2017 um 16:54 schrieb mcost...@np6.com:
>
> Hello,
> I need confirmation concerning rolling restarts for SearchGuard with our particular deployment plan. We plan to:
>
> 1) Install and initialize search guard with `searchguard.disabled: true` set.
> 2) Unset that property, do as non-intrusive a restart as possible, and voila!
>
> Questions:
> 1) Is it true that a full cluster restart (not a rolling restart) will be required for step 2?
> 2) Is any restarting needed for step 1, and if so, what kind?
>
> The essence of this post is really "given our plan, what is the most non-intrusive restart we can perform?"
>
> Please and thanks,
> Marco.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

[mcost...@np6.com]

Just a brainstorm here:

Would adding the ability to turn off TLS temporary kill two birds with one stone?
1) Provide a way for people to do quick proofs of concept with SearchGuard. This was discussed in a previous thread.
2) Provide the ability to do rolling-restart installations? 

I was thinking (way in over my head here) that the SG plugin could have two open sockets (TLS and non-TLS) during "install mode" only. Configs can be transferred via the non-secure socket, which would close once installation has finished. Because the implementation of both points above probably has a large overlap, I thought it could be a good opportunity to kill two birds with one stone.

Thanks,

Marco.

On Tuesday, October 17, 2017 at 11:50:13 PM UTC+2, Jochen Kressin wrote:

Correct me if I'm wrong, but I guess you are trying to ask if you can install Search Guard on a vanilla (non SG) cluster, and avoid a full cluster restart.

No, that is not possible: Your cluster initially does not have any TLS enabled. So if you do a rolling restart, and some nodes have TLS enabled (since you set SG enabled to true), and other nodes do not have TLS enabled yet (because SG enabled is still set to false), you end up with a split cluster. The TLS enabled nodes cannot talk to the non-TLS nodes and vice versa.

On Tuesday, October 17, 2017 at 8:23:19 PM UTC+2, Search Guard wrote:

If your question is: Can i install SG into a already running cluster without full restart than the answer is: no
If you have a cluster with SG already running you can normally upgrade with a rolling restart.

> Am 17.10.2017 um 16:54 schrieb mcost...@np6.com:
>
> Hello,
> I need confirmation concerning rolling restarts for SearchGuard with our particular deployment plan. We plan to:
>
> 1) Install and initialize search guard with `searchguard.disabled: true` set.
> 2) Unset that property, do as non-intrusive a restart as possible, and voila!
>
> Questions:
> 1) Is it true that a full cluster restart (not a rolling restart) will be required for step 2?
> 2) Is any restarting needed for step 1, and if so, what kind?
>
> The essence of this post is really "given our plan, what is the most non-intrusive restart we can perform?"
>
> Please and thanks,
> Marco.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.