Closed
Description
CentoOS 6 does not (as far as I can research) support SecComp, but ES tries to use it anyway, and fails to start due to bootstrap.system_call_filter: true
.
The only workaround currently is to disable bootstrap.system_call_filter
ES 5.2.0
[2017-02-01T10:46:14,173][INFO ][o.e.b.BootstrapChecks ] [elasticclient] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-02-01T10:46:14,175][ERROR][o.e.b.Bootstrap ] [elasticclient] node validation exception
bootstrap checks failed
system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2017-02-01T10:46:10,639][WARN ][o.e.b.JNANatives ] unable to install syscall filter:
java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:363) ~[elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:638) ~[elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:215) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:99) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:110) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:203) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.cli.SettingCommand.execute(SettingCommand.java:54) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89) [elasticsearch-5.2.0.jar:5.2.0]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82) [elasticsearch-5.2.0.jar:5.2.0]
Activity
jasontedor commentedon Feb 1, 2017
This is operating as designed, and is documented. Your kernel does not support seccomp. Elasticsearch attempts to utilize seccomp by default (via the setting
bootstrap.system_call_filter
). Starting in 5.2.0, if you're in production mode,bootstrap.system_call_filter
is enabled, and initializing seccomp fails, then Elasticsearch will refuse to bootstrap. This to prevent scenarios when seccomp is silently not initialized yet configured to be so. You either have to migrate to a kernel that supports seccomp, or disablebootstrap.system_call_filter
.tomsommer commentedon Feb 1, 2017
Fair enough, https://www.elastic.co/support/matrix might need an update then.
jasontedor commentedon Feb 1, 2017
No, it doesn't. You can still run Elasticsearch on CentOS 6, and we still support it on CentOS 6.
nik9000 commentedon Feb 2, 2017
Maybe we should suppress the stack trace here, leaving the warning. Maybe even explaining that elasticsearch will still run just fine but doesn't have the extra fork protection.
jasontedor commentedon Feb 2, 2017
I don't think we should suppress the stack trace (there's a few different ways this can fail). We say this in the tail of the logs:
And the bootstrap check docs say this:
tomsommer commentedon Feb 2, 2017
Well, 'at your own risk' makes you go looking for a way to make system call filters work on CentOS 6, which it can't.
You will have all CentOS 6 users setting
bootstrap.system_call_filter
to false now, and forgetting to unset it when they upgrade to CentOS 7+.Just my two cents :)
jasontedor commentedon Feb 2, 2017
Okay, but at least they are aware of the problem whereas they weren't before since we silently failed.
dhirenshumsher commentedon Feb 13, 2017
Hi jasontedor, What is a safer way to disable bootstrap.system_call_filter?
datayjz commentedon Feb 13, 2017
in elasticsearch.yml memory after config
jasontedor commentedon Feb 13, 2017
Just configure it like you would any other configuration option (e.g., in the elasticsearch.yml).
12 remaining items