OpenShift 4.x HOL Tutorial Collection
The Elasticsearch instance used by OpenShift is affected by the Log4j security vulnerability. The following steps can be used to mitigate it.
Contents
- OpenShift 3
- OpenShift 4

OpenShift 3
- Modify the Java options used by elasticsearch
$ oc project openshift-logging
$ oc get dc -l component=es
NAME                              REVISION   DESIRED   CURRENT   TRIGGERED BY
logging-es-data-master-9fgtlhi4   1          1         1
$ oc set env -c elasticsearch dc/logging-es-data-master-9fgtlhi4 ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
$ oc set env -c elasticsearch dc -l component=es --list | grep ES_JAVA_OPTS
$ oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=0
$ oc rollout latest dc/logging-es-data-master-9fgtlhi4
$ oc scale dc/logging-es-data-master-9fgtlhi4 --replicas=1
- Verify
for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}'); do
  echo "Confirm changes on $es_pod"; sleep 1
  oc rsh -Tc elasticsearch "$es_pod" ps auxwww | grep log4j2.formatMsgNoLookups
  sleep 3
done
for es_pod in $(oc get pods -l component=es --no-headers -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.metadata.name}{"\n"}{end}'); do
  echo "Confirm changes on $es_pod"; sleep 1
  oc rsh -Tc elasticsearch "$es_pod" printenv | grep ES_JAVA_OPTS
  sleep 3
done

OpenShift 4
- Modify the Java options used by elasticsearch
$ oc project openshift-logging
$ oc get deployment -l component=elasticsearch
NAME                                      REVISION   DESIRED   CURRENT   TRIGGERED BY
elasticsearch-cdm-ba9c6evk-1-796f6cfdbc   1          1         1
$ oc patch deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --type=merge -p '{"spec":{"paused": false}}'
$ oc set env deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc -c elasticsearch ES_JAVA_OPTS="-Dlog4j2.formatMsgNoLookups=true"
$ oc set env -c elasticsearch deployment -l component=elasticsearch --list | grep ES_JAVA_OPTS
$ oc scale deployment/elasticsearch-cdm-ba9c6evk-1-796f6cfdbc --replicas=0
- Verify
$ oc get pods -l component=elasticsearch
$ oc set env -c elasticsearch pods -l component=elasticsearch --list | grep ES_JAVA_OPTS
$ oc exec -c elasticsearch elasticsearch-cdm-ba9c6evk-1-796f6cfdbc-4dqc6 -- grep -a log4j2.formatMsgNoLookups /proc/1/cmdline
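
The grep checks above match the property name only, so they also succeed when the value is `false`. The following script is an added example, not part of the original article: it reports the effective value from a NUL-separated `/proc/1/cmdline` and builds an `ES_JAVA_OPTS` value that keeps options already set. The function names, the `--cluster` switch and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. FLAG is the option the article sets.
FLAG='-Dlog4j2.formatMsgNoLookups=true'

# Read a NUL-separated /proc/<pid>/cmdline on stdin and print the state of the
# property: enabled, missing, or overridden (the last -D for a property wins).
nolookups_state() {
    last=$(tr '\000' '\n' | grep -e '^-Dlog4j2\.formatMsgNoLookups=' | tail -n 1)
    case "$last" in
        "$FLAG") echo enabled ;;
        '')      echo missing ;;
        *)       echo overridden ;;
    esac
}

# Print an ES_JAVA_OPTS value that ends with FLAG and keeps whatever was already
# set, because `oc set env` replaces the whole value of the variable.
with_nolookups() {
    case "$1" in
        "$FLAG" | *" $FLAG") printf '%s\n' "$1" ;;
        *) printf '%s\n' "${1:+$1 }$FLAG" ;;
    esac
}

# Constructed sample of a JVM command line as it appears in /proc/1/cmdline.
sample_cmdline() {
    printf '%s\000' /usr/bin/java -Xms2g -Xmx2g "$FLAG" \
        org.elasticsearch.bootstrap.Elasticsearch
}

# Assumes a logged-in `oc` and the labels used in the OpenShift 4 section.
# A pod whose command line cannot be read is reported as "missing".
check_pods() {
    for pod in $(oc get pods -n openshift-logging -l component=elasticsearch -o name); do
        printf '%s: ' "$pod"
        oc exec -n openshift-logging -c elasticsearch "$pod" -- \
            cat /proc/1/cmdline | nolookups_state
    done
}

if [ "${1:-}" = "--cluster" ]; then
    check_pods
else
    printf 'sample JVM: %s\n' "$(sample_cmdline | nolookups_state)"
    printf 'merged ES_JAVA_OPTS: %s\n' "$(with_nolookups '-Xms2g -Xmx2g')"
fi
```

Run without arguments it only evaluates the constructed sample; with `--cluster` it queries the running Elasticsearch pods.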