1.6.1 or 1.7.0 fixes two security issues:
https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released
Stakeholders: Operations/Security
Outcome: Security in depth issues fixed. Security problem isn't glaring, just bad in depth.
Estimate: Two days total
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | • Deskana | T106090 [epic] Update Elasticsearch to 1.6.1 or 1.7.1 | |||
| Resolved | • Manybubbles | T106160 Validate Cirrus against Elasticsearch 1.7.0 | |||
| Resolved | • Manybubbles | T106161 Release wikimedia-extra plugin for Elasticsearch 1.7.0 | |||
| Resolved | • Manybubbles | T106162 Release experimental-highlighter for 1.7.0 | |||
| Resolved | • Manybubbles | T106163 Release swift-repository for 1.7.0 | |||
| Resolved | • chasemp | T106165 Upgrade production to elasticsearch 1.7.1 | |||
| Resolved | dcausse | T107411 Upgrade beta to elasticsearch 1.7.1 |
I was thinking we could time this with the rolling restart the shuts down dynamic scripting.
There's also a new round of security fixes for Java; the OpenJDK updates will probably be available beginning of next week, so can combine that,
Cool. You can upgrade java anytime you like so long as its still a 1.7. If
1.8 is in apt and not a mess we can validate cirrus against it too. That is
a simple task but we should do it before going to 1.8.
We don't have Java 1.8 in Debian jessie yet, so this will be the latest security bugfix release for 1.7 as packaged by OpenJDK 7
Cool. Then the jdk upgrade can hit the machines any time. We can do it when
we're logged in for the the rolling restart or you can. Or puppet can if we
use puppet for that sort of thing.
I'll update the Java packages once the updates are available and update this task once done.
I would like to help with this so I understand where things are at, even if it's just gettin the coffee :)
2 creams, 1 sugar?
We scheduled the upgrade on Thu, Jul 30, 5PM UTC.
Should be 7PM CET (for me)
and 10AM PST (for Erik)
@chasemp is this ok for you?
sounds good thanks guys. I'm planning to be around as an extra set of hands. Mostly for my own edification.
If Ubuntu has released their security updates by then (and I hope they will), I'll install the updates before you start, so that the cluster nodes pick up the fixed JDK.
Upgrade is delayed to next week because we'll switch directly to elasticsearch-1.7.1.
I propose Tue, Aug 4, same time (5PM UTC)
I will test that everything runs smoothly on beta in the meantime.
Thanks @Aklapper. As far as I know, this is resolved. @EBernhardson can correct me if I'm wrong.