Elasticsearch in docker container running as root

Hi all,

I've been wrestling with this problem for a few days now and I'm scratching my head a bit, as I can't figure out what's wrong.

I ran a fresh docker pull and install with docker-compose and it ran fine.

Then I ran my version of the compose and it errors out like below.

NFO  Main.cc@112 Parent process died - ML controller exiting
{"@timestamp":"2022-10-12T13:52:24.496Z", "log.level":"ERROR", "message":"uncaught exception in thread [main]", "ecs.version": "1.2.0","service.name":"ES_ECS","event.dataset":"elasticsearch.server","process.thread.name":"main","log.logger":"org.elasticsearch.bootstrap.ElasticsearchUncaughtExceptionHandler","elasticsearch.node.name":"es01","elasticsearch.cluster.name":"elk-tls-cluster","error.type":"org.elasticsearch.bootstrap.StartupException","error.message":"java.lang.RuntimeException: can not run elasticsearch as root","error.stack_trace":"java.lang.RuntimeException: can not run elasticsearch as root\n\tat org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:103)\n\tat org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:183)\n\tat org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:358)\n\tat org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:169)\n\tat org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:160)\n\tat org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:81)\n\tat org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112)\n\tat org.elasticsearch.cli.Command.main(Command.java:77)\n\tat org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:125)\n\tat org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:80)\nFor complete error details, refer to the log at /usr/share/elasticsearch/logs/elk-tls-cluster.log\n"}
uncaught exception in thread [main]
java.lang.RuntimeException: can not run elasticsearch as root
	at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:103)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:183)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:358)
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:169)
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:160)
	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:81)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112)
	at org.elasticsearch.cli.Command.main(Command.java:77)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:125)
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:80)
For complete error details, refer to the log at /usr/share/elasticsearch/logs/elk-tls-cluster.log
2022-10-12 13:52:25,096374 UTC [456] INFO  Main.cc@112 Parent process died - ML controller exiting

I can't seem to get Elasticsearch to run as a non-root user.

My compose looks like this:

version: '3.9'
services:
  elasticsearch:
    container_name: elasticsearch
    hostname: es01
    domainname: 172-16-3
    mac_address: 8a:ca:58:b9:e9:51
    build:
      context: elasticsearch/
      dockerfile: Dockerfile
      args:
        ELK_VERSION: ${ELK_VERSION}
    restart: unless-stopped
    environment:
      CONFIG_DIR: ${ELASTIC_DIR}/config
      ELASTIC_USERNAME: ${ELASTIC_USERNAME}
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD}
      ES_JAVA_OPTS: -Xmx${ELASTICSEARCH_HEAP} -Xms${ELASTICSEARCH_HEAP}
      bootstrap.memory_lock: "true"
      discovery.type: single-node
    volumes:
      - /share/CACHEDEV2_DATA/containers/container-data/lib/docker/volumes/es_repo/_data:/home/admin/repo_data/:rw
      - esdata:${ELASTIC_DIR}
      - type: bind
        source: ./elasticsearch/config/elasticsearch.yml
        target: ${ELASTIC_DIR}/config/elasticsearch.yml
    secrets:
      - source: elasticsearch.keystore
        target: ${ELASTIC_DIR}/config/elasticsearch.keystore
      - source: ca.crt
        target: ${ELASTIC_DIR}/config/ca.crt
      - source: elasticsearch.cert
        target: ${ELASTIC_DIR}/config/elasticsearch.crt
      - source: elasticsearch.key
        target: ${ELASTIC_DIR}/config/elasticsearch.key
    networks:
      - elk
    ports:
      - "9200:9200"
      - "9300:9300"
    healthcheck:
      test: curl -s https://es01.172-16-3.local:9200 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 10s
      retries: 5
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 200000
        hard: 200000
volumes:
  esdata:
  es_repo:
  kibana:
    container_name: kibana
    hostname: kibana
    domainname: 172-16-3
    mac_address: 8a:ca:58:b9:e9:52
    build:
      context: kibana/
      args:
        ELK_VERSION: $ELK_VERSION
        COMPOSE_HTTP_TIMEOUT: 200
    restart: unless-stopped
    volumes:
      - kibdata:${KIBANA_DIR}:rw
      - ./kibana/config/kibana.yml:${KIBANA_DIR}/config/kibana.yml:rw
      #- type: volume
     #   source: ./kibana/config/kibana.yml:rw
      #  target: ${KIBANA_DIR}/config/kibana.yml:rw

    environment:
      CONFIG_DIR: ${KIBANA_DIR}/config
      ELASTIC_USERNAME: ${ELASTIC_USERNAME}
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD}
      ENCRYPTION_KEY: ${XPACK_ENCRYPTION_KEY}
      KIBANA_URL: ${KIBANA_URL}
    secrets:
      - source: ca.crt
        target: ${KIBANA_DIR}/config/ca.crt
      - source: kibana.cert
        target: ${KIBANA_DIR}/config/kibana.crt
      - source: kibana.key
        target: ${KIBANA_DIR}/config/kibana.key
    healthcheck:
      test: curl -s https://kibana.172-16-3.local:5601 >/dev/null; if [[ $$? == 52 ]]; then echo 0; else echo 1; fi
      interval: 30s
      timeout: 20s
      retries: 5
    networks:
      - elk
    ports:
      - "5601:5601"
    depends_on: 
      - elasticsearch
  logstash:
    container_name: logstash
    hostname: logstash
    domainname: 172-16-3
    mac_address: 8a:ca:58:b9:e9:53
    build:
      context: logstash/
      args:
        ELK_VERSION: $ELK_VERSION
    restart: unless-stopped
    volumes:
      - type: bind
        source: ./logstash/config/logstash.yml
        target: ${LOGSTASH_DIR}/config/logstash.yml
      - type: bind
        source: ./logstash/pipeline/
        target: ${LOGSTASH_DIR}/pipeline/
      - type: bind
        source: ./logstash/pipeline/geo
        target: ${LOGSTASH_DIR}/pipeline/geo

    environment:
      path.settings: null
      CONFIG_DIR: ${LOGSTASH_DIR}/config
      ELASTIC_USERNAME: ${ELASTIC_USERNAME}
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD}
      LS_JAVA_OPTS: "-Xmx${LOGSTASH_HEAP} -Xms${LOGSTASH_HEAP}"
    secrets:
      - source: ca.crt
        target: ${LOGSTASH_DIR}/config/ca.crt
      - source: logstash.cert
        target: ${LOGSTASH_DIR}/config/logstash.crt
      - source: logstash.pkcs8.key
        target: ${LOGSTASH_DIR}/config/logstash.pkcs8.key
      - source: logstash.key
        target: ${LOGSTASH_DIR}/config/logstash.key
      - source: logstash.p12
        target: ${LOGSTASH_DIR}/config/logstash.p12
    networks:
      - elk
    ports:
    - "12201:12201/udp"
    - "5044:5044"
    - "5045:5045/tcp"
    - "5046:5046"
    - "9600:9600"
    - "5000:5000/tcp"
    - "5000:5000/udp"
    depends_on: 
      - elasticsearch
      - kibana
  elastic-agent:
    container_name: elastic-agent
    hostname: elastic-agent
    domainname: 172-16-3
    mac_address: 8a:ca:58:b9:e9:54
    build:
      context: elastic-agent/
      args:
        ELK_VERSION: $ELK_VERSION
    restart: unless-stopped
    environment:
      FLEET_CA: '/ca.crt'
      ELK_VERSION: ${ELK_VERSION}
      KIBANA_HOST: "https://kibana.172-16-3.local:5601"
      ELASTICSEARCH_USERNAME: ${ELASTIC_USERNAME}
      ELASTICSEARCH_PASSWORD: ${ELASTIC_PASSWORD}
      ELASTICSEARCH_HOSTS: "https://es01.172-16-3.local:9200"
      #FLEET_ENROLL=1
      #FLEET_URL: https://elastic-agent
      #FLEET_ENROLLMENT_TOKEN: SUhwZzJvSUJqbFZaOFNIMEU1WE46anN2b0VxWHFUZUNwM0tzY1VZczVNdw==
      #PREFLIGHT_CHECK: 1
    secrets:
      - source: ca.crt
        target: ${LOGSTASH_DIR}/config/ca.crt
      - source: logstash.cert
        target: ${LOGSTASH_DIR}/config/logstash.crt
      - source: logstash.pkcs8.key
        target: ${LOGSTASH_DIR}/config/logstash.pkcs8.key
      - source: logstash.key
        target: ${LOGSTASH_DIR}/config/logstash.key
      - source: logstash.p12
        target: ${LOGSTASH_DIR}/config/logstash.p12

      #- source: ca.crt
      #  target: /ca.crt
    networks:
      - elk
    ports:
      - "22:22" 
    depends_on: 
      - logstash

networks:
  elk:
    external: true
    name: eth0-6d6da6
    driver: local
secrets:
  ca.crt:
    file: ./secrets/certificate_authority/ca/ca.crt
  elasticsearch.keystore:
    file: ./secrets/elasticsearch.keystore
  elastic-stack-ca.p12:
    file: ./secrets/certificate_authority/elastic-stack-ca.p12
  elasticsearch.key:
    file: ./secrets/certificates/elasticsearch/elasticsearch.key
  elasticsearch.cert:
    file: ./secrets/certificates/elasticsearch/elasticsearch.crt
  kibana.key:
    file: ./secrets/certificates/kibana/kibana.key
  kibana.cert:
    file: ./secrets/certificates/kibana/kibana.crt
  logstash.pkcs8.key:
    file: ./secrets/certificates/logstash/logstash.pkcs8.key
  logstash.key:
    file: ./secrets/certificates/logstash/logstash.key
  logstash.p12:
    file: ./secrets/keystores/logstash/logstash.p12
  logstash.cert:
    file: ./secrets/certificates/logstash/logstash.crt
  elastic-agent.pkcs8.key:
    file: ./secrets/certificates/elastic-agent/elastic-agent.pkcs8.key
  elastic-agent.key:
    file: ./secrets/certificates/elastic-agent/elastic-agent.key
  elastic-agent.p12:
    file: ./secrets/keystores/elastic-agent/elastic-agent.p12
  elastic-agent.cert:
    file: ./secrets/certificates/elastic-agent/elastic-agent.crt

And my .env looks like this:


ELK_VERSION=8.4.3
ELASTIC_USERNAME=elastic
ELASTIC_PASSWORD=Pa55word
KIBANA_URL=https://kibana.172-16-3.local:5601
# Configuration Variables
ELASTICSEARCH_HEAP=2g
LOGSTASH_HEAP=1g


# Self signed TLS certificates
CA_PASSWORD=Pa55word
CA_DAYS=3650
ELASTIC_DIR=/usr/share/elasticsearch
LOGSTASH_DIR=/usr/share/logstash
KIBANA_DIR=/usr/share/kibana
#PACKETBEAT_DIR=/usr/share/packetbeat
#FILEBEAT_DIR=/usr/share/filebeat
#METRICBEAT_DIR=/usr/share/metricbeat
STAGING=true
ELASTIC_MEMORY_SIZE=4G

And my Dockerfile is this:

ARG ELK_VERSION
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
#USER root
RUN sysctl -w vm.max_map_count=262144

Is there a way to force Elasticsearch to run as a user like 'elasticsearch' with enough permissions to run Elasticsearch, just like a bare-metal Ubuntu running Elasticsearch on its own?

Thanks for reading; any help or pointers would be helpful.

Cheers!!

answer is:

.env file

ARG ELK_VERSION
ARG USERNAME=elasticsearch
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
USER root
RUN sysctl -w vm.max_map_count=262144
RUN chown elasticsearch:elasticsearch -R /usr/share/elasticsearch
USER elasticsearch

chowning the elastic dir
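
A static check for what the Dockerfile in the answer changes, added here as an example and not part of the original thread: it reports the user that a Dockerfile's final stage leaves the container running as. The function names and the third, constructed input are assumptions of this example, and it looks only at the Dockerfile, not at the base image or at compose settings.

```shell
#!/bin/sh
# Added example, not from the thread. Static check: which user does the final
# stage of a Dockerfile leave the container running as?

# effective_user FILE: last active USER of the final stage, or "inherited"
# when that stage sets none (the base image's default user then applies).
effective_user() {
  awk '
    /^[ \t]*#/            { next }                 # skip comments such as "#USER root"
    toupper($1) == "FROM" { user = "inherited" }   # a new stage starts from its base
    toupper($1) == "USER" { user = $2 }            # the last USER in a stage wins
    END { print (user == "" ? "inherited" : user) }
  ' "$1"
}

# runs_as_root FILE: succeeds when the final user is root by name or by uid 0.
runs_as_root() {
  u=$(effective_user "$1")
  u=${u%%:*}                                       # drop an optional ":group"
  [ "$u" = "root" ] || [ "$u" = "0" ]
}

# Sample inputs: the two Dockerfiles posted above, copied verbatim.
tmp=$(mktemp -d)
cat > "$tmp/question.Dockerfile" <<'EOF'
ARG ELK_VERSION
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
#USER root
RUN sysctl -w vm.max_map_count=262144
EOF
cat > "$tmp/answer.Dockerfile" <<'EOF'
ARG ELK_VERSION
ARG USERNAME=elasticsearch
FROM docker.elastic.co/elasticsearch/elasticsearch:${ELK_VERSION}
USER root
RUN sysctl -w vm.max_map_count=262144
RUN chown elasticsearch:elasticsearch -R /usr/share/elasticsearch
USER elasticsearch
EOF
# Constructed variant: the answer with its final "USER elasticsearch" removed.
sed '$d' "$tmp/answer.Dockerfile" > "$tmp/no-drop.Dockerfile"

for f in question answer no-drop; do
  if runs_as_root "$tmp/$f.Dockerfile"; then verdict="FAIL: root"; else verdict="ok"; fi
  printf '%-9s user=%-13s %s\n' "$f" "$(effective_user "$tmp/$f.Dockerfile")" "$verdict"
done
```

The question's Dockerfile reports `inherited` because its only `USER` line is commented out, so the check cannot attribute the root error to that file.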
