Elasticsearch is throwing bootstrap error and it's unable to load system call filters when i'm trying to run on linux

HI Guyz,

I'm trying to start elasticsearch with system IP address on remote linux machine by uploading tar file and extract it there.
where i set

network.host: <my remote system IP address>
http.port: 9200

and running this command.
bin/elasticsearch

but it is showing like
1st error:

[2017-06-06T12:51:58,612][WARN ][o.e.b.JNANatives         ] unable to install syscall filter:
java.lang.UnsupportedOperationException: seccomp unavailable: requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in
        at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:350) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:638) ~[elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:215) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:99) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:111) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:204) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:360) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:123) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:114) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.cli.Command.main(Command.java:88) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.4.0.jar:5.4.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.4.0.jar:5.4.0]

and 2nd Error:

[2017-06-06T12:52:02,721][INFO ][o.e.b.BootstrapChecks    ] [ZFOUSwA] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
ERROR: bootstrap checks failed
max file descriptors [1024] for elasticsearch process is too low, increase to at least [65536]
max number of threads [1024] for user [avaya] is too low, increase to at least [2048]
system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2017-06-06T12:52:02,729][INFO ][o.e.n.Node               ] [ZFOUSwA] stopping ...
[2017-06-06T12:52:02,769][INFO ][o.e.n.Node               ] [ZFOUSwA] stopped
[2017-06-06T12:52:02,770][INFO ][o.e.n.Node               ] [ZFOUSwA] closing ...
[2017-06-06T12:52:02,783][INFO ][o.e.n.Node               ] [ZFOUSwA] closed

On windows it's running fine but in remote system it's showing errors
please suggest me what should i do to resolve this on linux machine ?

HI,
You can "fix" it by having a kernel installed that match requirements :

requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in

Second error is "easier" to fix, you need to set max file descriptors to 65,536 or higher as described in

https://www.elastic.co/guide/en/elasticsearch/reference/current/file-descriptors.html

ulimit -n 65536 as root

Hi @pts0

Thanks for reply..
but still i'm working on linux environment. and i have some questions

Is it good to do system level changes for kernels errors

because if there is possible error for system level changes then i was expecting there is any batch script elasticsearch will provide us to fix these kind of system level errors.
because we are using their tools and developing application on top of that

what if same error would occurs on production server ?

between can you provide how to fix or update ulimit on linux ?

I don't agree that elastic should take care of your settings in linux. Is your system, they clearly tell you what is needed, is up to you to provide the base system. If you like don't want to care about it, you may use cloud service, all is configured and managed by elastic.
Docker images are good alternative too

That why you should test on QA, then make changes on production server before deploying.

yes, i done it:

# ulimit -n 65536

or

# ulimit -n unlimited

as root

Thanks @pts0

its seems like we can't do anything in case of kernal 3.5+ requirement. that's the one of reason for bootstarp validation process in elasticsearch-5.4 version.

and between elasticsearch -2.4 to 5.4 they do major breaking changes
in elasticsearch 2.4 is not strictly dependent on system level setting but in 5.4 it's must which is not good thing.

so i will go with downgrade version instead of replacing whole system.
i hope it will work with latest logstash and kibana. as i defined my elk stack pipeline.

You are welcome,

just a notive about :

This is always a hot topic ... that was my reaction too at first when I struggle with boostrap validations. But when you get in trouble on Production because of wrong settings you will regret of missing fail fast.
Validation at boostrap are not just there to make you hard to install elasticseach. All this check are very important and help you to have a running and stable node. Downgrading to 2.4 just to skip this check is not a good idea, belive me.

pts0

In 2.4 there is still warning regarding bootstrap validation but not mandatory step to run elasticsearch.
i don't know on what scenario i have required bootstrap validation.

but in my current situation i just using elasticsearch as a database for insertion and deletion that's it rest network & preprocessing part is take care by logstash & filebeat.

Can You Suggest anything on this topic also

how to set ./pattern directory path in logstash after extracting tar file on linux ?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.