Seccomp is present, but bootstrap check fails (Centos 7 / ES 6.4.2)


(Jose) #1

CentOS Linux release 7.5.1804 (Core)

Configuring a production cluster, and ES refuses to start:

1:33:56,454][INFO ][o.e.t.TransportService   ] [node-68795-C] publish_address {192.168.200.162:9300}, bound_addresses {192.168.200.162:9300}
[2018-10-28T21:33:56,467][INFO ][o.e.b.BootstrapChecks    ] [node-68795-C] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2018-10-28T21:33:56,494][ERROR][o.e.b.Bootstrap          ] [node-68795-C] node validation exception
[1] bootstrap checks failed
[1]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk

OK, so I go to check the presence of seccomp:

[$]# cat /boot/config-`uname -r` | grep CONFIG_SECCOMP=
CONFIG_SECCOMP=y
[$]# CONFIG_SECCOMP=y

Hmm, still having problems, let's dig deeper:

[$]# grep SECCOMP /boot/config-$(uname -r)
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECCOMP=y

So, looks and smells like seccomp is present.

What next?


(Jose) #2

RESOLVED

The root cause: /tmp was mounted as noexec

It turns out that two or three bootstrap checks fail if /tmp is noexec.

Solve for /tmp, and all the other issues are resolved!
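
Added example, not part of the thread: a shell check for the condition the resolution describes, a directory that sits on a filesystem mounted noexec. The mount table below is a constructed sample and /var/lib/elasticsearch/tmp is a hypothetical alternative temp directory; on a real host, `is_noexec /tmp` with no second argument reads /proc/mounts.

```shell
# Added example: is DIR on a noexec filesystem, per a /proc/mounts-style table?

# Print the mount options of the filesystem that contains DIR.
# Usage: mount_opts_for DIR [MOUNTS_FILE]   (default: /proc/mounts)
mount_opts_for() {
    dir=$1
    mounts=${2:-/proc/mounts}
    best_len=0
    best_opts=
    # Fields: device mountpoint fstype options dump pass
    while read -r _dev mnt _type opts _rest; do
        case "$dir/" in
            "${mnt%/}/"*)
                # Longest mount point wins; on a tie the later line wins,
                # because a later mount hides an earlier one at the same path.
                if [ "${#mnt}" -ge "$best_len" ]; then
                    best_len=${#mnt}
                    best_opts=$opts
                fi ;;
        esac
    done < "$mounts"
    printf '%s\n' "$best_opts"
}

# Succeed (exit status 0) when DIR is on a noexec mount.
is_noexec() {
    case ",$(mount_opts_for "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample table, so the example runs without touching the host.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
rootfs / rootfs rw 0 0
/dev/mapper/centos-root / xfs rw,relatime,attr2,inode64,noquota 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/lib/elasticsearch xfs rw,relatime 0 0
EOF

# /var/lib/elasticsearch/tmp is a hypothetical alternative temp directory.
for d in /tmp /var/lib/elasticsearch/tmp; do
    if is_noexec "$d" "$sample"; then echo "$d: noexec"; else echo "$d: exec allowed"; fi
done
```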

