
OpenShift 4 - Fixing the Log4j Vulnerability in OpenShift's elasticsearch Environment

"OpenShift 4.x HOL Tutorial Collection"

The elasticsearch used by OpenShift is affected by the Log4j security vulnerability. The following methods can be used to block the vulnerability.

Contents
  • OpenShift 3
  • OpenShift 4

OpenShift 3
  1. Modify the Java options used by elasticsearch
$ oc project openshift-logging

$ oc get dc -l component=es
NAME                              REVISION   DESIRED   CURRENT   TRIGGERED BY
logging-es-data-master-9fgtlhi4   1          1         1

$ oc set env -c elasticsearch dc/logging-es-data-master-9fgtlhi4 ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
$ oc set env -c elasticsearch dc -l component=es --list | grep ES_JAVA_OPTS

$ oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=0
$ oc rollout latest dc/logging-es-data-master-9fgtlhi4
$ oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=1
  2. Verify
# Confirm the flag appears on the command line of the running JVM
for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}');
   do echo "Confirm changes on $es_pod" ;  sleep 1 ;
   oc rsh -Tc elasticsearch "$es_pod" ps auxwww | grep log4j2.formatMsgNoLookups ; sleep 3;
   done

# Confirm ES_JAVA_OPTS is set in the container environment
for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}');
   do echo "Confirm changes on $es_pod" ;  sleep 1 ;
   oc rsh -Tc elasticsearch "$es_pod" printenv | grep ES_JAVA_OPTS ; sleep 3;
   done
OpenShift 4
  1. Modify the Java options used by elasticsearch
$ oc project openshift-logging

$ oc get deployment -l component=elasticsearch
NAME                                      REVISION   DESIRED   CURRENT   TRIGGERED BY
elasticsearch-cdm-ba9c6evk-1-796f6cfdbc   1          1         1

$ oc patch deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --type=merge -p '{"spec":{"paused": false}}'
$ oc set env deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc -c elasticsearch ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
$ oc set env -c elasticsearch deployment -l component=elasticsearch --list | grep ES_JAVA_OPTS

$ oc scale deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --replicas=0
  2. Verify
$ oc get pods -l component=elasticsearch

$ oc set env -c elasticsearch pods -l component=elasticsearch --list | grep ES_JAVA_OPTS

$ oc exec -c elasticsearch elasticsearch-cdm-ba9c6evk-1-796f6cfdbc-4dqc6 -- grep -a log4j2.formatMsgNoLookups /proc/1/cmdline
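
The grep-based checks above match any occurrence of the property name, including `=false` or a value overridden by a later `-D`. The following is an added example, not from the original article: it parses the NUL-separated `/proc/1/cmdline` and passes only when the effective value is `true`. The function names and the `check_pods` wrapper are hypothetical, and it assumes the JVM keeps the last value when a `-D` property is repeated.

```shell
#!/bin/sh
# Added example: strict check of the log4j2.formatMsgNoLookups JVM flag.
# Function names are hypothetical, not part of oc or Elasticsearch.

FLAG='-Dlog4j2.formatMsgNoLookups='

# Read a NUL-separated JVM command line on stdin and print the effective
# value of the flag in lower case, or "absent" if it was never passed.
# Assumption: when a -D property is repeated, the JVM keeps the last value.
effective_nolookups() {
  tr '\0' '\n' | awk -v p="$FLAG" '
    index($0, p) == 1 { v = substr($0, length(p) + 1); seen = 1 }
    END { print (seen ? tolower(v) : "absent") }'
}

# Succeed only when the effective value is "true".
is_mitigated() {
  [ "$(effective_nolookups)" = "true" ]
}

# Check every running pod matching a label selector.
# Default is the OpenShift 4 label; pass component=es for OpenShift 3.
check_pods() {
  selector="${1:-component=elasticsearch}"
  rc=0
  for pod in $(oc get pods -l "$selector" \
      --field-selector=status.phase=Running -o name); do
    name="${pod##*/}"   # strip the "pod/" prefix printed by -o name
    if oc exec -c elasticsearch "$name" -- cat /proc/1/cmdline | is_mitigated
    then echo "OK    $name"
    else echo "FAIL  $name"; rc=1
    fi
  done
  return "$rc"
}

# Usage on a logged-in cluster:  check_pods component=elasticsearch
```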