5

I was trying to set up an Elasticsearch cluster in AKS using the Helm chart, but due to the log4j vulnerability I wanted to set it up with the option -Dlog4j2.formatMsgNoLookups set to true. I am getting an unknown flag error when I pass the arguments in helm commands. Ref: https://artifacthub.io/packages/helm/elastic/elasticsearch/6.8.16

```
helm upgrade  elasticsearch elasticsearch --set imageTag=6.8.16 esJavaOpts "-Dlog4j2.formatMsgNoLookups=true"
Error: unknown shorthand flag: 'D' in -Dlog4j2.formatMsgNoLookups=true
```

I have also tried adding the below to the values.yaml file:

```
esConfig: {}
#  elasticsearch.yml: |
#    key:
#      nestedkey: value
log4j2.properties: |
  -Dlog4j2.formatMsgNoLookups = true
```

but the values are not added to /usr/share/elasticsearch/config/jvm.options, /usr/share/elasticsearch/config/log4j2.properties or the environment variables.

theG

5 Answers

6

First of all, here's a good source of knowledge about mitigating the Log4j2 security issue, if this is the reason you reached here.

Here's how you can write your values.yaml for the Elasticsearch chart:

```
esConfig:
  log4j2.properties: |
    logger.discovery.name = org.elasticsearch.discovery
    logger.discovery.level = debug
```

A ConfigMap will be generated by Helm:

```
apiVersion: v1
kind: ConfigMap
metadata:
  name: elasticsearch-master-config
  ...
data:
  log4j2.properties: |
    logger.discovery.name = org.elasticsearch.discovery
    logger.discovery.level = debug
```

And the Log4j configuration will be mounted into your Elasticsearch container as:

```
...
volumeMounts:
  ...
  - name: esconfig
    mountPath: /usr/share/elasticsearch/config/log4j2.properties
    subPath: log4j2.properties
```

Update: How to set and add multiple configuration files.

You can set up other ES configuration files in your values.yaml. All the files that you specify here will be part of the ConfigMap, and each of the files will be mounted at /usr/share/elasticsearch/config/ in the Elasticsearch container. Example:

```
esConfig:
  elasticsearch.yml: |
    node.master: true
    node.data: true

  log4j2.properties: |
    logger.discovery.name = org.elasticsearch.discovery
    logger.discovery.level = debug

  jvm.options: |
    # You can also place a comment here.
    -Xmx1g -Xms1g -Dlog4j2.formatMsgNoLookups=true

  roles.yml: |
    click_admins:
      run_as: [ 'clicks_watcher_1' ]
      cluster: [ 'monitor' ]
      indices:
      - names: [ 'events-*' ]
        privileges: [ 'read' ]
        field_security:
          grant: ['category', '@timestamp', 'message' ]
        query: '{"match": {"category": "click"}}'
```

ALL of the configurations above are for illustration only to demonstrate how to add multiple configuration files in the values.yaml. Please substitute these configurations with your own settings.

gohm'c
  • Thanks, may I ask one more? Currently the configuration files are: `[elasticsearch@elasticsearch-master-0 ~]$ ls /usr/share/elasticsearch/config/ elasticsearch.keystore elasticsearch.yml jvm.options log4j2.properties role_mapping.yml roles.yml users users_roles` Though I added the configuration parameter in the log4j2.properties file, I really wanted to add the configuration in jvm.options but could not find how to do this. Can you help me, as I am not sure about the precedence of the configurations? – theG Dec 13 '21 at 07:58
  • Sure, check out the updated answer about how to add other configurable files. – gohm'c Dec 13 '21 at 08:20
  • This answer is incorrect in 2 ways. The log4j2 flag should be set in jvm settings and it is not recommended to overwrite the jvm.options file like this. ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/advanced-configuration.html#set-jvm-options – József Kertész Dec 14 '21 at 10:06

0

If you update and put a value under esConfig, you will need to remove the curly brackets:

```
esConfig:
  log4j2.properties: |
    key = value
```

0

I would rather suggest changing the /config/jvm.options file and adding at the end:

```
-Dlog4j2.formatMsgNoLookups=true
```

  • It is not recommended to modify the jvm.options file like this. ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/advanced-configuration.html#set-jvm-options – József Kertész Dec 14 '21 at 10:30

0

The helm chart has an option to set java options.

```
esJavaOpts: "" # example: "-Xmx1g -Xms1g"
```

In your case, setting it like this should be the solution:

```
esJavaOpts: "-Dlog4j2.formatMsgNoLookups=true"
```

  • `The ES_JAVA_OPTS variable overrides all other JVM options. We do not recommend using ES_JAVA_OPTS in production.` - [Go to the last lines here](https://www.elastic.co/guide/en/elasticsearch/reference/current/advanced-configuration.html) – gohm'c Dec 14 '21 at 10:38
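
One way to confirm that the flag actually reaches the JVM after a `helm upgrade`, as an added example that is not part of any answer in this thread. `nolookups_state` and `check_pod` are hypothetical helper names; the pod name and config path are the ones quoted on this page, and feeding ES_JAVA_OPTS last assumes it overrides jvm.options, as the Elastic documentation quoted in the comment above says.

```shell
#!/bin/sh
# Added example: check whether -Dlog4j2.formatMsgNoLookups=true is in effect.
#
# Syntactically valid form of the command from the question (every override
# needs its own --set key=value; this replaces the whole esJavaOpts value):
#   helm upgrade elasticsearch elasticsearch --set imageTag=6.8.16 \
#     --set esJavaOpts="-Dlog4j2.formatMsgNoLookups=true"
FLAG='-Dlog4j2.formatMsgNoLookups'

# Reads JVM options on stdin (jvm.options content and/or an ES_JAVA_OPTS value)
# and prints one of: enabled | disabled | malformed | absent.
# The last occurrence wins, so feed jvm.options first and ES_JAVA_OPTS last.
# Version-prefixed jvm.options lines (e.g. "8:-XX:...") are not interpreted.
nolookups_state() {
    awk -v flag="$FLAG" '
        /^[[:space:]]*#/ { next }            # skip jvm.options comment lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i == flag) {
                    state = "malformed"      # "-Dflag = true" written with spaces
                } else if (index($i, flag "=") == 1) {
                    v = tolower(substr($i, length(flag) + 2))
                    state = (v == "true") ? "enabled" : "disabled"
                }
            }
        }
        END { print (state == "" ? "absent" : state) }'
}

# Live check (needs kubectl access); defaults to the pod name seen in the thread.
check_pod() {
    pod=${1:-elasticsearch-master-0}
    {
        kubectl exec "$pod" -- cat /usr/share/elasticsearch/config/jvm.options
        kubectl exec "$pod" -- printenv ES_JAVA_OPTS
    } | nolookups_state
}

# Constructed samples, using option strings that appear in the thread.
printf '%s\n' '-Xmx1g -Xms1g -Dlog4j2.formatMsgNoLookups=true' | nolookups_state
printf '%s\n' '-Dlog4j2.formatMsgNoLookups = true' | nolookups_state
```

The two sample lines print `enabled` and `malformed`: the form with spaces around `=`, as in the question's values.yaml, does not set the property to true even when it ends up among the JVM options.
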
-1

As I see in the updated values.yml in the elastic repository:

```
esConfig: {}
log4j2.properties: |
key = value
```

You probably need to uncomment the log4j2.properties part.

muzafarow