Permission denied when starting Elasticsearch 7.17.0 installed via RPM

ed_vf · April 25, 2022, 6:12pm

We are trying to expand our cluster size from 3 nodes to 5 nodes. After installing Elasticsearch via RPM on the new nodes we receive the following 'Permission denied' error when starting the service.

[root@host user]# sudo -i service elasticsearch start
Starting elasticsearch: /usr/share/elasticsearch/bin/elasticsearch-env: line 87: /etc/sysconfig/elasticsearch: Permission denied
                                                           [FAILED]

Line 87 in /usr/share/elasticsearch/bin/elasticsearch-env refers to:

 87 source /etc/sysconfig/elasticsearch

The permissions on that file and directory look OK to my eyes:

[root@host user]# ls -la /etc/sysconfig
total 228
drwxr-xr-x.   8 root root           4096 Apr 25 14:03 .
[root@host user]# ls -la /etc/sysconfig/elasticsearch
-rw-rw---- 1 root elasticsearch 1676 Jan 28 03:39 /etc/sysconfig/elasticsearch

I have looked at the following threads and still do not understand what the issue is:

Our nodes are Chef-managed so they get provisioned with nearly the same configuration, so the discrepancy here is not clear to me.

Any assistance would be greatly appreciated.

elasticforme · April 25, 2022, 7:26pm

did you check permission on "/etc/Elasticsearch" ? may be message is misleading.

ed_vf · April 25, 2022, 7:43pm

[root@host ~]# ls -la /etc/elasticsearch/
total 196
drwxr-s---    4 root elasticsearch   4096 Apr 25 15:37 .

This matches the other 3 nodes where Elasticsearch is running without issue. Elasticsearch runs under the elasticsearch user on those nodes, same as the new node.

elasticforme · April 25, 2022, 9:11pm

anything more detail in any log?

what about journelctl -xe
does it even creates any log?

ed_vf · April 26, 2022, 1:20pm

No log is created by Elasticsearch.

journalctl is not available on my system (Oracle Enterprise Linux 6.10) and I don't see anything relevant in dmesg or in system logs.

elasticforme · April 26, 2022, 4:48pm

how about you execute this at prompt? does that works?

ed_vf · April 26, 2022, 5:23pm

[root@host ~]# sudo -u elasticsearch bash -c 'source /etc/sysconfig/elasticsearch'
bash: /etc/sysconfig/elasticsearch: Permission denied

It works if I source the file as root, but that doesn't help diagnose since root has full access to everything.

elasticforme · April 26, 2022, 6:20pm

ok. I see now what is happening.
sudo do no have access to see your /etc/sysconfig/Elasticsearch file.

check sudo -l (as user) and you should see what access you have. you need to give that use read access to that file.

ed_vf · April 26, 2022, 6:45pm

I'm only using sudo to invoke commands as another user. I'm not intending to elevate the privileges of the elasticsearch user itself.

[elasticsearch@host ~]$ whoami
elasticsearch
[elasticsearch@host ~]$ source /etc/sysconfig/elasticsearch
bash: /etc/sysconfig/elasticsearch: Permission denied

However I think you may have uncovered the issue. When I su to elasticsearch I get the following error:

[root@host ~]# su elasticsearch
/usr/bin/id: cannot find name for group ID 1408
[elasticsearch@host ~]$ whoami
elasticsearch
[elasticsearch@host ~]$ groups
groups: cannot find name for group ID 1408
1408

I'm not sure why the Elasticsearch user is assigned to a group id that doesn't exist, but this explains why the user does not have permission to /etc/sysconfig/elasticsearch.

elasticforme · April 26, 2022, 6:59pm

yes you have to give all require sudo access to user Elasticsearch.
or simply you can start your service as root user and have to not worry about sudo.

ed_vf · April 26, 2022, 7:28pm

I appreciate your help but there's nothing in the RPM instructions (Install Elasticsearch with RPM | Elasticsearch Guide [7.17] | Elastic) that requires sudoers changes for the elasticsearch user.

Furthermore, we do not grant any sudo access to the elasticsearch user on our other 3 nodes and it runs there successfully under elasticsearch, not root.

The issue here is entirely caused by the GID of the elasticsearch being incorrectly set. I will manually correct this, although I suspect that the RPM install process caused it.

Running Elasticsearch as root is not recommended as described here: elasticsearch/es-security-principles.asciidoc at 9958c3c2fc49a3e253b04e96cfec2e653c39d2e7 · elastic/elasticsearch · GitHub.

In fact, the code specifically checks for this and throws a RuntimeException if you try to do so: elasticsearch/Bootstrap.java at v7.17.0 · elastic/elasticsearch · GitHub

elasticforme · April 26, 2022, 8:10pm

This is what I do.
Set /etc/group, /etc/passwd, /etc/shadow first before installing rpm on new node
that way all GID/UID are same across all node

if you want to do that you first have to remove rpm -e and then set UID/GID and reinstall the package, configure Elasticsearch.yml and restart

system · May 24, 2022, 8:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.