Failing start elasticsearch 6.2.2 on ubuntu due to java.security permission denied

Dear sirs,
I'm struggling to start up Elasticsearch on Ubuntu.
My settings:
JAVA_HOME: /usr/lib/jvm/java-8-oracle
Java version: java version "1.8.0_161"
Java(TM) SE Runtime Environment (build 1.8.0_161-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)

I've installed it with dpkg:

dpkg -i elasticsearch-6.2.2.deb

I have added this java.policy inside /etc/elasticsearch:
// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
        permission java.lang.RuntimePermission "createClassLoader";

};

// default permissions granted to all domains

grant {
        permission java.security.AllPermission;
        permission java.lang.RuntimePermission "createClassLoader";
};

And I have modified jvm.options to load it:

...

# specify our java policy
-Djava.security.policy=/etc/elasticsearch/java.policy

....

Needless to say, the server fails to start:

[2018-03-14T12:04:38,873][INFO ][o.e.n.Node ] [matenode] initializing ...
[2018-03-14T12:04:39,037][INFO ][o.e.e.NodeEnvironment ] [matenode] using [1] data paths, mounts [[/ (/dev/root)]], net usable_space [41.5gb], net total_space [47gb], types [ext4]
[2018-03-14T12:04:39,038][INFO ][o.e.e.NodeEnvironment ] [matenode] heap size [1007.3mb], compressed ordinary object pointers [true]
[2018-03-14T12:04:39,039][INFO ][o.e.n.Node ] [matenode] node name [matenode], node ID [BoVpioMXS1SdzWD5sIaZBQ]
[2018-03-14T12:04:39,040][INFO ][o.e.n.Node ] [matenode] version[6.2.2], pid[28594], build[10b1edd/2018-02-16T19:01:30.685723Z], OS[Linux/4.14.17-x86_64-linode99/amd64], JVM[Oracle Corporation/Java HotSpot(TM) 64-Bit Server VM/1.8.0_161/25.161-b12]
[2018-03-14T12:04:39,040][INFO ][o.e.n.Node ] [matenode] JVM arguments [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch.LMRahUA3, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -Djava.security.policy=/etc/elasticsearch/java.policy, -XX:+PrintGCDetails, -XX:+PrintGCDateStamps, -XX:+PrintTenuringDistribution, -XX:+PrintGCApplicationStoppedTime, -Xloggc:/var/log/elasticsearch/gc.log, -XX:+UseGCLogFileRotation, -XX:NumberOfGCLogFiles=32, -XX:GCLogFileSize=64m, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch]
[2018-03-14T12:04:39,118][ERROR][o.e.b.Bootstrap ] Exception
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_161]
at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_161]
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_161]
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611) ~[?:1.8.0_161]
at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274) ~[?:1.8.0_161]
at java.lang.ClassLoader.<init>(ClassLoader.java:316) ~[?:1.8.0_161]
at org.elasticsearch.plugins.ExtendedPluginsClassLoader.<init>(ExtendedPluginsClassLoader.java:36) ~[plugin-classloader-6.2.2.jar:6.2.2]
at ...

Is there anyone who could give me a suggestion?
Many Thanks!

I reply to myself - maybe it could be useful for others. After turning on security debug ("-Djava.security.debug=all") I found out that the process failed to load "java.home/lib/security/java.security" with "Permission denied". Then I found out that in my installation all the files inside "java.home/lib/security/" were actually symlinked to /etc/java-8-oracle/security/, and that all the real files had only "-w------" permission. So the elasticsearch user could not read them. I added "r" permission to those files and - voilà - elasticsearch now starts up.
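
A check for the failure described in the reply above, as an added example that is not part of the original thread: it follows each entry of a JVM security directory through its symlink and reports targets whose mode bits deny read access to the service account. The function name, the directory argument and the account name are assumptions; GNU stat and readlink (as shipped on Ubuntu) are required.

```shell
#!/bin/sh
# Report files in a JVM security directory whose real (symlink-resolved)
# target is not readable by a service account, judged from owner/group/other
# mode bits. Added example; the function name is hypothetical.
# Usage: sh check.sh <java.home>/lib/security elasticsearch

unreadable_security_files() {
    dir=$1          # directory holding java.security, java.policy, ...
    user=$2         # account the JVM runs as, e.g. elasticsearch
    # Groups of the account, space-padded for whole-word matching.
    # Empty when the account does not exist on this host.
    user_groups=" $(id -Gn "$user" 2>/dev/null || true) "

    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue             # dangling link or empty glob
        target=$(readlink -f "$entry")          # resolve the symlink chain
        [ -f "$target" ] || continue
        set -- $(stat -c '%a %U %G' "$target")  # octal mode, owner, group
        mode=$1 owner=$2 group=$3
        m=$((0$mode))                           # parse the mode as octal

        # Pick the permission class that applies to the account.
        if [ "$owner" = "$user" ]; then
            bit=$((m & 0400))
        else
            case "$user_groups" in
                *" $group "*) bit=$((m & 0040)) ;;
                *)            bit=$((m & 0004)) ;;
            esac
        fi

        # Read bit missing: print link, real file, mode and ownership.
        [ "$bit" -ne 0 ] || printf '%s -> %s (mode %s, %s:%s)\n' \
            "$entry" "$target" "$mode" "$owner" "$group"
    done
}

# Run the check when the script is called with both arguments.
if [ "$#" -eq 2 ]; then
    unreadable_security_files "$1" "$2"
fi
```

The check reads mode bits only, so it does not account for ACLs or for missing search permission on parent directories.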
