Elasticsearch: SecComp fails on CentOS 6

Created on 1 Feb 2017  路  16Comments  路  Source: elastic/elasticsearch

CentoOS 6 does not (as far as I can research) support SecComp, but ES tries to use it anyway, and fails to start due to bootstrap.system_call_filter: true.

The only workaround currently is to disable bootstrap.system_call_filter

ES 5.2.0

[2017-02-01T10:46:14,173][INFO ][o.e.b.BootstrapChecks    ] [elasticclient] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-02-01T10:46:14,175][ERROR][o.e.b.Bootstrap          ] [elasticclient] node validation exception
bootstrap checks failed
system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk

[2017-02-01T10:46:10,639][WARN ][o.e.b.JNANatives         ] unable to install syscall filter:
java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
        at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:363) ~[elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:638) ~[elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:215) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:99) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:110) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:203) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.cli.SettingCommand.execute(SettingCommand.java:54) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89) [elasticsearch-5.2.0.jar:5.2.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82) [elasticsearch-5.2.0.jar:5.2.0]
picture tomsommer

Most helpful comment

Well, 'at your own risk' makes you go looking for a way to make system call filters work on CentOS 6, which it can't.

You will have _all_ CentOS 6 users setting bootstrap.system_call_filter to false now, and forgetting to unset it when they upgrade to CentOS 7+.

Just my two cents :)

picture tomsommer on 2 Feb 2017
👍21

All 16 comments

This is operating as designed, and is documented. Your kernel does not support seccomp. Elasticsearch attempts to utilize seccomp by default (via the setting bootstrap.system_call_filter). Starting in 5.2.0, if you're in production mode, bootstrap.system_call_filter is enabled, and initializing seccomp fails, then Elasticsearch will refuse to bootstrap. This to prevent scenarios when seccomp is silently not initialized yet configured to be so. You either have to migrate to a kernel that supports seccomp, or disable bootstrap.system_call_filter.

jasontedor picture jasontedor on 1 Feb 2017

Fair enough, https://www.elastic.co/support/matrix might need an update then.

tomsommer picture tomsommer on 1 Feb 2017

No, it doesn't. You can still run Elasticsearch on CentOS 6, and we still support it on CentOS 6.

jasontedor picture jasontedor on 1 Feb 2017

Maybe we should suppress the stack trace here, leaving the warning. Maybe even explaining that elasticsearch will still run just fine but doesn't have the extra fork protection.

nik9000 picture nik9000 on 2 Feb 2017

I don't think we should suppress the stack trace (there's a few different ways this can fail). We say this in the tail of the logs:

[2017-02-02T03:22:24,059][INFO ][o.e.b.BootstrapChecks    ] [2oC8mTv] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
ERROR: bootstrap checks failed
system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2017-02-02T03:22:24,078][INFO ][o.e.n.Node               ] [2oC8mTv] stopping ...
[2017-02-02T03:22:24,109][INFO ][o.e.n.Node               ] [2oC8mTv] stopped
[2017-02-02T03:22:24,109][INFO ][o.e.n.Node               ] [2oC8mTv] closing ...
[2017-02-02T03:22:24,126][INFO ][o.e.n.Node               ] [2oC8mTv] closed

And the bootstrap check docs say this:

To pass the system call filter check you must either fix any configuration errors on your system that prevented system call filters from installing (check your logs), or at your own risk disable system call filters by setting bootstrap.system_call_filter to false.

jasontedor picture jasontedor on 2 Feb 2017

Well, 'at your own risk' makes you go looking for a way to make system call filters work on CentOS 6, which it can't.

You will have _all_ CentOS 6 users setting bootstrap.system_call_filter to false now, and forgetting to unset it when they upgrade to CentOS 7+.

Just my two cents :)

tomsommer picture tomsommer on 2 Feb 2017
👍21

Okay, but at least they are aware of the problem whereas they weren't before since we silently failed.

jasontedor picture jasontedor on 2 Feb 2017

Hi jasontedor, What is a safer way to disable bootstrap.system_call_filter?

dhirenshumsher picture dhirenshumsher on 13 Feb 2017

in elasticsearch.yml memory after config

datayjz picture datayjz on 13 Feb 2017

Hi jasontedor, What is a safer way to disable bootstrap.system_call_filter?

Just configure it like you would any other configuration option (e.g., in the elasticsearch.yml).

jasontedor picture jasontedor on 13 Feb 2017
👍2

same reason brings me here, now that it's a warn... I decide to ignore it lol

Exlsunshine picture Exlsunshine on 9 Sep 2017

For me it doesnt get the ES started :(

chitraj8 picture chitraj8 on 5 Feb 2018

when i started the sonarqube, i had the same problem. I tried to modify elasticsearch.yml(bootstrap.system_call_filter: false) but there is still the same problem. How can i fix it?

Cavielee picture Cavielee on 31 Jan 2019

@Cavielee please ask your question on our discussion forum. We cannot diagnose your issue here, but there are people who can help on the forums.

tvernum picture tvernum on 31 Jan 2019

@Cavielee please ask your question on our discussion forum. We cannot diagnose your issue here, but there are people who can help on the forums.

Thx, i find the way in the docs

Cavielee picture Cavielee on 31 Jan 2019

@Cavielee please ask your question on our discussion forum. We cannot diagnose your issue here, but there are people who can help on the forums.

Thx, i find the way in the docs

where is the docs锛宼hks I have the same problem

xj198806 picture xj198806 on 23 Jul 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

malpani picture malpani  路  3Comments
brwe picture brwe  路  3Comments
ppf2 picture ppf2  路  3Comments
clintongormley picture clintongormley  路  3Comments
ttaranov picture ttaranov  路  3Comments