Self-hosted ES startup fails after upgrading 8.18.0 -> 8.18.2 due to changes in entitlements

On our self-hosted, hardened RHEL 8 host, Elasticsearch 8.18.2 installed via RPM failed to start (one node) due to the changes made here. What would be a sustainable way to fix this error? Just removing this addition from entitlement-policy.yaml, or is there some other solution?

To get Elasticsearch to start again, we removed the following from entitlement-policy.yaml; it is the addition that came in with the pull request:

org.elasticsearch.repository.url:
  - outbound_network
  - files:
      - relative_path: .
        relative_to: shared_repo
        mode: read

path.repo is set in elasticsearch.yml:

path.repo: ["/"]

Here is the failure with the addition that came in v8.18.2; the node fails with the following error:

[2025-06-24T08:11:53,072][INFO ][o.a.l.i.v.PanamaVectorizationProvider] [redacted] Java vector incubator API enabled; uses preferredBitSize=128; floating-point vectors only
[2025-06-24T08:11:53,127][INFO ][o.e.b.Elasticsearch      ] [redacted] Bootstrapping Entitlements
[2025-06-24T08:11:55,694][WARN ][stderr                   ] [redacted] java.lang.reflect.InvocationTargetException
[2025-06-24T08:11:55,695][WARN ][stderr                   ] [redacted]        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:119)
[2025-06-24T08:11:55,695][WARN ][stderr                   ] [redacted]        at java.base/java.lang.reflect.Method.invoke(Method.java:565)
[2025-06-24T08:11:55,695][WARN ][stderr                   ] [redacted]        at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:544)
[2025-06-24T08:11:55,698][WARN ][stderr                   ] [redacted]        at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallAgentmain(InstrumentationImpl.java:566)
[2025-06-24T08:11:55,699][WARN ][stderr                   ] [redacted] Caused by: java.lang.AssertionError: entitlement initialization failed
[2025-06-24T08:11:55,699][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement.agent.EntitlementAgent.agentmain(EntitlementAgent.java:52)
[2025-06-24T08:11:55,699][WARN ][stderr                   ] [redacted]        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
[2025-06-24T08:11:55,699][WARN ][stderr                   ] [redacted]        ... 3 more
[2025-06-24T08:11:55,700][WARN ][stderr                   ] [redacted] Caused by: java.lang.reflect.InvocationTargetException
[2025-06-24T08:11:55,700][WARN ][stderr                   ] [redacted]        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:119)
[2025-06-24T08:11:55,700][WARN ][stderr                   ] [redacted]        at java.base/java.lang.reflect.Method.invoke(Method.java:565)
[2025-06-24T08:11:55,700][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement.agent.EntitlementAgent.agentmain(EntitlementAgent.java:50)
[2025-06-24T08:11:55,700][WARN ][stderr                   ] [redacted]        ... 4 more
[2025-06-24T08:11:55,700][WARN ][stderr                   ] [redacted] Caused by: java.lang.IllegalArgumentException: policy for module [org.elasticsearch.repository.url] in [repository-url] has an invalid file entitlement. Any path under [/usr/share/elasticsearch/modules] is forbidden for mode [READ].
[2025-06-24T08:11:55,701][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement@8.18.2/org.elasticsearch.entitlement.initialization.FilesEntitlementsValidation.buildValidationException(FilesEntitlementsValidation.java:62)
[2025-06-24T08:11:55,701][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement@8.18.2/org.elasticsearch.entitlement.initialization.FilesEntitlementsValidation.validateReadFilesEntitlements(FilesEntitlementsValidation.java:81)
[2025-06-24T08:11:55,701][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement@8.18.2/org.elasticsearch.entitlement.initialization.FilesEntitlementsValidation.validate(FilesEntitlementsValidation.java:48)
[2025-06-24T08:11:55,702][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement@8.18.2/org.elasticsearch.entitlement.initialization.EntitlementInitialization.createPolicyManager(EntitlementInitialization.java:83)
[2025-06-24T08:11:55,702][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement@8.18.2/org.elasticsearch.entitlement.initialization.EntitlementInitialization.initChecker(EntitlementInitialization.java:151)
[2025-06-24T08:11:55,702][WARN ][stderr                   ] [redacted]        at org.elasticsearch.entitlement@8.18.2/org.elasticsearch.entitlement.initialization.EntitlementInitialization.initialize(EntitlementInitialization.java:64)
[2025-06-24T08:11:55,702][WARN ][stderr                   ] [redacted]        at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
[2025-06-24T08:11:55,702][WARN ][stderr                   ] [redacted]        ... 6 more
[2025-06-24T08:11:55,707][ERROR][o.e.b.Elasticsearch      ] [redacted] fatal exception while booting Elasticsearch
java.lang.IllegalStateException: Unable to attach entitlement agent
        at org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap.loadAgent(EntitlementBootstrap.java:146) ~[elasticsearch-entitlement-8.18.2.jar:?]
        at org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap.bootstrap(EntitlementBootstrap.java:125) ~[elasticsearch-entitlement-8.18.2.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.initPhase2(Elasticsearch.java:258) ~[elasticsearch-8.18.2.jar:?]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:96) ~[elasticsearch-8.18.2.jar:?]
Caused by: com.sun.tools.attach.AgentInitializationException: Agent JAR loaded but agent failed to initialize
        at sun.tools.attach.HotSpotVirtualMachine.loadAgent(HotSpotVirtualMachine.java:178) ~[jdk.attach:?]
        at org.elasticsearch.entitlement.bootstrap.EntitlementBootstrap.loadAgent(EntitlementBootstrap.java:141) ~[elasticsearch-entitlement-8.18.2.jar:?]
        ... 3 more

This is the problem: you're giving Elasticsearch permission to attempt to read any file on your filesystem! Tighten this up to just the paths that actually include snapshot data.
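
The validator in the stack trace rejects a READ file entitlement whose path covers a protected install directory, and `path.repo: ["/"]` covers everything. The script below is an added example for this thread, not Elasticsearch code and not anything the replies above posted: a pre-flight check you can run against elasticsearch.yml (for instance from the Ansible role that templates it) before restarting a node. Of the protected directories it checks, only `/usr/share/elasticsearch/modules` is confirmed by the error message on this page; the `plugins` entry, the function names and the minimal `path.repo` parser are assumptions made for the example.

```python
"""
Pre-flight check for path.repo before restarting an Elasticsearch 8.18.2+ node.

Added example, not Elasticsearch code. It imitates what the stack trace on this
page shows the entitlement validator doing: refusing a READ file entitlement
(repository-url reads relative to shared_repo, i.e. path.repo) whose path
covers, or sits inside, a protected install directory.
"""
import posixpath
import re

# /usr/share/elasticsearch/modules is the directory named in the stack trace.
# The plugins entry is an assumption for this example; adjust to your install.
FORBIDDEN_READ_DIRS = (
    "/usr/share/elasticsearch/modules",
    "/usr/share/elasticsearch/plugins",
)

_PATH_REPO_LINE = re.compile(r"^\s*path\.repo\s*:\s*(.+?)\s*$", re.MULTILINE)


def _normalize(path: str) -> str:
    """Canonicalize an absolute POSIX path so containment is a plain prefix test."""
    if not path.startswith("/"):
        raise ValueError(f"path.repo entries must be absolute, got {path!r}")
    # normpath collapses '.', '..' and duplicate/trailing slashes but keeps a
    # leading '//' (POSIX allows it to be special), so squash that explicitly.
    return "/" + posixpath.normpath(path).lstrip("/")


def _covers(parent: str, child: str) -> bool:
    """True if child equals parent or lies anywhere beneath it."""
    parent, child = _normalize(parent), _normalize(child)
    return parent == "/" or child == parent or child.startswith(parent + "/")


def parse_path_repo(yaml_text: str):
    """
    Extract path.repo from elasticsearch.yml text without a YAML library.
    Handles the two spellings ES accepts: a bare string and a flow-style list.
    Returns [] when the setting is absent. (Minimal parser, assumed for the example.)
    """
    match = _PATH_REPO_LINE.search(yaml_text)
    if not match:
        return []
    value = match.group(1)
    if value.startswith("["):
        value = value.strip("[]")
        return [item.strip().strip("\"'") for item in value.split(",") if item.strip()]
    return [value.strip("\"'")]


def validate_path_repo(path_repo, forbidden=FORBIDDEN_READ_DIRS):
    """
    Return one message per conflict between a path.repo entry and a protected
    directory; an empty list means this check passes. A repo path that contains
    a protected directory would grant READ on it, and a repo path that lies
    inside a protected directory is itself "a path under" it, so both are flagged.
    """
    if isinstance(path_repo, str):
        path_repo = [path_repo]
    problems = []
    for repo in path_repo:
        for banned in forbidden:
            if _covers(repo, banned) or _covers(banned, repo):
                problems.append(
                    f"path.repo entry [{repo}] would give repository-url READ on "
                    f"[{banned}], which entitlement validation forbids"
                )
    return problems


if __name__ == "__main__":
    # Constructed configs: the one from the question and a tightened replacement.
    bad_yaml = 'path.repo: ["/"]\n'
    good_yaml = 'path.repo: ["/mnt/snapshots"]\n'
    for text in (bad_yaml, good_yaml):
        problems = validate_path_repo(parse_path_repo(text))
        print(text.strip(), "->", problems or "OK")
```

The check is deliberately two-directional: a path.repo of `/usr/share/elasticsearch` is rejected because the grant would cover the modules directory, and `/usr/share/elasticsearch/modules/x` is rejected because it is a path under it, matching the wording of the error. It does not resolve symlinks, so run it on the same host with the real mount point if `/` is reached through a link.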

Yes, this fixed the issue. We had "/" as a default in our custom Ansible role; changing it to the actual path fixed it.

Great, thanks for closing the loop. I've mentioned it to the team in case there's a way we could handle this situation more gracefully in a future version.