LinuxCommandLibrary

elasticsearch-node

Start Elasticsearch node

TLDR

Display information about the current node

$ elasticsearch-node info
copy

Prepare the node for a full cluster restart (e.g., after upgrading)
$ elasticsearch-node unsafe-bootstrap
copy

Repurpose a node for a different role (e.g., from master to data node)
$ elasticsearch-node repurpose
copy

List the roles assigned to the node
$ elasticsearch-node roles
copy

Show the installed JVM version, Elasticsearch home path, and other diagnostic information
$ elasticsearch-node diagnostics
copy

Display help
$ elasticsearch-node [[-h|--help]]
copy

SYNOPSIS

elasticsearch-node generate-enrollment-token [--scope SCOPE] [--days DAYS] [--url URL]

elasticsearch-node unsafe-bootstrap-password [--no-auto-link-enrollment-token]

PARAMETERS

generate-enrollment-token
    Generates a token for enrolling nodes into a secure cluster.

--scope
    Token scope: cluster (default, joins cluster) or node (dedicated node enrollment).

--days
    Token validity in days (default: 30, range 1-1800).

--url
    Elasticsearch base URL (default: https://localhost:9200).

unsafe-bootstrap-password
    Generates/sets random bootstrap password for initial setup.

--no-auto-link-enrollment-token
    Skip auto-generating cluster enrollment token after password setup.

DESCRIPTION

The elasticsearch-node command is a key utility in Elasticsearch 8.0+ for simplifying secure cluster setup.

It offers two primary actions: generate-enrollment-token creates time-limited tokens allowing new nodes to join an existing secure cluster automatically, handling transport TLS certificates and configurations. This streamlines scaling without manual certutil usage.

The unsafe-bootstrap-password action generates a random password for initial single-node bootstrap in dev/test setups, optionally linking an enrollment token.

Designed for ease, it enforces HTTPS by default, promotes security best practices, and integrates with Elasticsearch's auto-configuration. Run as the elasticsearch user from /usr/share/elasticsearch/bin/. Ideal for quick starts while guiding toward production security.

CAVEATS

unsafe-bootstrap-password is for dev/test only; production requires manual certs and passwords. Tokens have limited lifetime; regenerate as needed. Requires Elasticsearch 8.0+.

USAGE NOTES

Run as elasticsearch user. Output token: echo 'token' | elasticsearch-node enroll... on new nodes.

EXAMPLES

Enrollment token: elasticsearch-node generate-enrollment-token
Dev bootstrap: elasticsearch-node unsafe-bootstrap-password

HISTORY

Introduced in Elasticsearch 8.0 (Feb 2022) to automate security bootstrapping, replacing manual elasticsearch-certutil workflows for faster, secure-by-default clusters.

SEE ALSO

elasticsearch(1), elasticsearch-certutil(1), elasticsearch-keystore(1)

Copied to clipboard