ILM & Reindexing Automation Runbooks

Using Python Elasticsearch Client to Apply ILM Policies

Declarative Index Lifecycle Management (ILM) in Elasticsearch is inherently stateful. While the cluster master node orchestrates phase transitions, production environments routinely encounter stuck steps, mapping conflicts during rollover, and shard allocation deadlocks. [Using Python Elasticsearch Client to Apply ILM Policies] requires deterministic state tracking, idempotent execution patterns, and explicit error-state recovery. This guide details production-grade automation for policy attachment, diagnostic triage, and safe rollback strategies tailored for search engineers, log analytics teams, and DevOps operators. Failure to enforce strict state validation results in unbounded storage growth, compliance violations, and irreversible data loss.

flowchart TD
  A["put_lifecycle (name, policy)"] --> B["put_settings: attach to indices"]
  B --> C["explain_lifecycle: verify managed"]
  C --> D{"step == ERROR?"}
  D -->|"yes"| E["retry(index) with backoff"]
  D -->|"no"| F["Managed and progressing"]
  E --> C

1. Client Hardening & State-Aware Initialization

The default elasticsearch Python client configuration is insufficient for ILM orchestration. ILM operations are asynchronous and frequently hit 409 Conflict or 429 Too Many Requests during cluster rebalancing. Initialize the client with explicit retry backoff, connection pooling, and strict timeout boundaries to prevent orphaned policy states.

from elasticsearch import Elasticsearch, ApiError
from elasticsearch.exceptions import ConflictError, NotFoundError
import logging

logging.basicConfig(
    level=logging.INFO, 
    format="%(asctime)s [%(levelname)s] %(message)s",
    handlers=[logging.FileHandler("ilm_automation_audit.log"), logging.StreamHandler()]
)

def get_ilm_client(hosts: list[str], api_key: str) -> Elasticsearch:
    """
    Initialize a hardened Elasticsearch v8+ client for ILM orchestration.
    Enforces strict timeouts, disables sniffing to prevent routing instability,
    and retries transient cluster pressure. The v8 client manages retries
    natively (elastic-transport), so `max_retries` is an int and retryable
    HTTP statuses are listed via `retry_on_status` — there is no urllib3 Retry.
    """
    return Elasticsearch(
        hosts=hosts,
        api_key=api_key,
        request_timeout=30,
        max_retries=5,
        retry_on_timeout=True,
        retry_on_status=(429, 502, 503, 504),
        verify_certs=True,
        sniff_on_start=False,
        http_compress=True
    )

Compliance Note: All ILM mutations must be logged to an immutable audit trail. The logging.FileHandler configuration above ensures deterministic execution records for regulatory review.

2. Idempotent Policy Attachment & Lifecycle Validation

ILM policy application must be idempotent. Re-running automation against already-attached indices or existing policies should resolve cleanly without raising exceptions. The attachment workflow requires explicit policy existence checks, versioned settings application, and immediate state verification to catch silent failures.

def apply_ilm_policy_idempotent(es: Elasticsearch, policy_name: str, policy_body: dict, index_pattern: str) -> bool:
    """
    Idempotent policy creation and index attachment with strict state verification.
    Returns True on successful application, False on recoverable conflict, raises on fatal errors.
    """
    # 1. Create or update policy (idempotent via PUT)
    try:
        es.ilm.put_lifecycle(name=policy_name, policy=policy_body)
        logging.info(f"Policy '{policy_name}' applied/updated successfully.")
    except ConflictError:
        logging.warning(f"Policy '{policy_name}' already exists. Skipping creation.")
    except ApiError as e:
        logging.error(f"Failed to apply policy: {e.info}")
        raise

    # 2. Attach policy to matching indices
    try:
        es.indices.put_settings(
            index=index_pattern,
            settings={"index.lifecycle.name": policy_name},
            expand_wildcards="all"
        )
        logging.info(f"Policy '{policy_name}' attached to pattern '{index_pattern}'.")
    except ApiError as e:
        logging.error(f"Failed to attach policy: {e.info}")
        raise

    # 3. Immediate state verification
    verify_ilm_state(es, index_pattern, policy_name)
    return True

def verify_ilm_state(es: Elasticsearch, index_pattern: str, expected_policy: str):
    """
    Validates that indices are actively managed by the expected ILM policy.
    """
    explain = es.ilm.explain_lifecycle(index=index_pattern, expand_wildcards="all")
    for idx_name, idx_data in explain.get("indices", {}).items():
        if not idx_data.get("managed"):
            logging.error(f"Index {idx_name} is NOT managed by ILM. Immediate intervention required.")
            raise RuntimeError(f"ILM attachment failed for {idx_name}")
        if idx_data.get("policy") != expected_policy:
            logging.warning(f"Index {idx_name} attached to unexpected policy: {idx_data.get('policy')}")

For comprehensive lifecycle synchronization strategies, refer to ILM Policy Design & Lifecycle Synchronization before deploying policy mutations in regulated environments.

3. Cluster State Diagnostics & Deadlock Resolution

When ILM stalls, immediate diagnostic triage is mandatory. Do not blindly restart nodes or force-delete indices. Execute exact diagnostic endpoints to isolate the failure vector.

Exact _cluster/health Output Analysis 

GET /_cluster/health?wait_for_status=yellow&timeout=10s
{
  "cluster_name": "prod-es-cluster",
  "status": "yellow",
  "timed_out": false,
  "number_of_nodes": 3,
  "active_primary_shards": 45,
  "active_shards": 89,
  "unassigned_shards": 2,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "active_shards_percent_as_number": 97.8
}

Interpretation: unassigned_shards > 0 with yellow status indicates allocation failure. Correlate with _cluster/allocation/explain to identify disk watermark breaches or node attribute mismatches.

Exact _ilm/explain Output for Stuck Indices 

GET /logs-app-2024.01.01/_ilm/explain
{
  "indices": {
    "logs-app-2024.01.01": {
      "index": "logs-app-2024.01.01",
      "managed": true,
      "policy": "logs-policy",
      "phase": "hot",
      "action": "rollover",
      "step": "check-rollover-ready",
      "step_info": {
        "message": "Waiting for index to meet rollover conditions [max_age=7d, max_primary_shard_size=50gb]"
      }
    }
  }
}

Interpretation: This is the normal waiting state, not a failure — check-rollover-ready simply means the index has not yet met any rollover condition. A genuine failure instead reports "step": "ERROR" with a step_info.type (the exception class, e.g. illegal_argument_exception) and a step_info.reason; that usually indicates a missing write alias or insufficient disk space.

Safe Manual Reroute Protocol

If shard allocation deadlocks occur due to node evacuation or disk watermark triggers, execute a controlled reroute. Never use allocate_empty_primary on production data without verified snapshot backups.

# Force allocation of unassigned replica shards to available nodes
POST /_cluster/reroute
{
  "commands": [
    {
      "allocate_replica": {
        "index": "logs-app-2024.01.01",
        "shard": 0,
        "node": "data-node-02"
      }
    }
  ]
}

For automated phase transition logic and alias management during rollover, consult Automating Phase Transitions with Python.

4. Automated Python Recovery Patterns

Production environments require deterministic recovery loops. The following v8+ Python pattern parses _ilm/explain output, identifies failed steps, and safely retries or advances indices without manual intervention.

def resolve_stuck_ilm_indices(es: Elasticsearch, index_pattern: str, max_retries: int = 3):
    """
    Automated recovery for ILM-stuck indices.
    Handles failed steps, forces safe step advancement, and logs compliance audit trails.
    """
    explain = es.ilm.explain_lifecycle(index=index_pattern, expand_wildcards="all")
    recovered = []
    
    for idx_name, idx_data in explain.get("indices", {}).items():
        if not idx_data.get("managed"):
            continue
            
        phase = idx_data.get("phase")
        step = idx_data.get("step")
        step_info = idx_data.get("step_info", {})
        
        # Detect explicit failure states. An index in the ERROR step exposes the
        # failing exception class in step_info.type and a human reason in step_info.reason.
        if step == "ERROR" or step_info.get("type"):
            reason = step_info.get("reason", step_info.get("type", "unknown"))
            logging.warning(f"Index {idx_name} stuck at {phase}/{step}: {reason}. Attempting recovery.")
            
            for attempt in range(max_retries):
                try:
                    # Retry the current ILM step
                    es.ilm.retry(index=idx_name)
                    logging.info(f"Retry {attempt+1} triggered for {idx_name}")
                    
                    # Verify resolution
                    updated = es.ilm.explain_lifecycle(index=idx_name)
                    current_step = updated["indices"][idx_name].get("step")
                    
                    if current_step != step:
                        logging.info(f"Index {idx_name} successfully advanced past {step}")
                        recovered.append(idx_name)
                        break
                except ApiError as e:
                    logging.error(f"Recovery attempt {attempt+1} failed for {idx_name}: {e.info}")
                    if attempt == max_retries - 1:
                        logging.critical(f"Manual intervention required for {idx_name}")
                        
    return recovered

Execution Guardrails:

  • Always run recovery scripts against a staging cluster first.
  • Implement circuit breakers: halt execution if active_shards_percent_as_number < 85%.
  • Use es.ilm.move_to_step only when explicitly authorized by data governance teams.

5. Escalation Paths & Compliance Enforcement

When automated recovery fails, strict escalation protocols must be enforced to maintain data integrity and regulatory compliance.

SeverityTrigger ConditionRequired ActionCompliance Impact
L1step_info.type == "retryable"Execute resolve_stuck_ilm_indices() with exponential backoffNone. Automated recovery logged.
L2unassigned_shards > 5 for >15mManual _cluster/reroute, verify disk watermarks, force snapshotMinor. Requires change ticket approval.
L3step_info.type == "fatal" or mapping conflictReindex to new index, attach ILM, decommission stale indexHigh. Requires DPO sign-off and audit trail submission.

Compliance Enforcement Directives:

  1. Enable xpack.security.audit.enabled: true in elasticsearch.yml to capture all ILM mutations.
  2. Maintain immutable policy versioning. Never overwrite active policies without a documented change request.
  3. Validate snapshot integrity before executing allocate_empty_primary or move commands. Reference the official Elasticsearch ILM API Reference for parameter constraints.
  4. Implement Python-side circuit breakers using the v8 client’s native retry controls (max_retries, retry_on_status, retry_on_timeout) rather than a urllib3 Retry object, which the elastic-transport layer does not accept.

Failure to adhere to these protocols constitutes a breach of operational compliance. All recovery actions must be timestamped, attributed to an operator ID, and archived for a minimum of 90 days.