Trying to start filebeat from container

zebulyon · February 24, 2020, 1:47pm

Hello I am currently unable of properly starting my filebeat process from its container.

My probelm is that when I try to run it filebeat will imidietly exit and give me this error response:
Exiting: error loading config file: config file ("filebeat.yml") must be owned by the user identifier (uid=0) or root

The problem seem to be that when using the volume command
- ./filebeat.yml:/usr/share/filebeat/filebeat.yml"
The file in question is assigned some weird permission and locks me out from accessing it even though I have set the user in the container to root.

When checking the permission through the command ls -l filebeat.yml on the host computer I get: -rwxrwxrwx 1 zebul zebul 464 Feb 24 13:29 filebeat.yml so everyone should be allowed access to it. Even when I go into the container it says that everyone should have access to it
-rwxrwxrwx 1 filebeat filebeat 464 Feb 24 13:17 filebeat.yml

And before it is suggested I have tried to use chmod, and chown commands to try and change the permission of the file within the filebeat.yml container but I am denied the ability to do it.

I have managed to found a work around to this problem by removing the command
- ./filebeat.yml:/usr/share/filebeat/filebeat.yml" from the docker-compose file then go into the docker container for filebeat, at this point I have full access to the base filebeat.yml, which when using the ls -l filebeat.yml command give me this response
-rw-r----- 1 root filebeat 315 Feb 5 23:09 filebeat.yml,
This filebeat.yml file comes with the container and be modified it but then I run into another problem, which is that when i try to execute filebeat I get the response
Exiting: data path already locked by another beat.

2020-24

To my knowledge I am only running a single instance of beat which is the filebeat instance, I can only assume that I get this because I use the docker-compose to create the container from the image, but because I can't give it the correct filebeat.yml file right away I have to then use the command docker exec -it filebeat bash to get access to bash within the filebeat container. My assumption is thus that when using the docker exec command I am creating another instance of the filebeat container.

This is the docker-compose file I am using for starting the ELK-stack.

    version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.6.0
    container_name: elasticsearch
    environment:
      #- cluster.name=elastic-cluster
      #- bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      #- "ES_JAVA_OPTS=-Xms512m -Xmx512m" # minimum and maximum Java heap size, recommend setting both to 50% of system RAM
       - "discovery.type=single-node"
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
      memlock:
        soft: -1
        hard: -1
    volumes:
      - elastic-data:/usr/share/elasticsearch/data
    ports:
      - 9200:9200
      - 9600:9600 # required for Performance Analyzer
    expose:
      - "9200"
    networks:
      - elastic-net
  kibana:
    depends_on:      
      - "elasticsearch"
    image: docker.elastic.co/kibana/kibana:7.6.0
    container_name: kibana
    ports:
      - 5601:5601
    expose:
      - "5601"
    environment:
      ELASTICSEARCH_URL: http://elasticsearch:9200
    networks:
      - elastic-net
  filebeat:
    depends_on:
      - "elasticsearch"
    image: docker.elastic.co/beats/filebeat:7.6.0
    container_name: filebeat
    user: root
    volumes:
      - "./filebeat.yml:/usr/share/filebeat/filebeat.yml"
      - "./test.json:/usr/share/filebeat/sample.json"
      - "/var/lib/docker/containers:/usr/share/filebeat/dockerlogs:ro"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - filebeat
    networks:
      - elastic-net

volumes:
  elastic-data:

networks:
  elastic-net:
    driver: bridge

For the entirety of the ELK-stack I am using the docker images version 7.6.0

ChrsMark · February 24, 2020, 3:37pm

Hi!

You are right that when you are starting the container the entrypoint command is running filebeat, so this why you cannot start a second instance.

So now regarding the permission issue. This is what I see using your docker-compose.yml:

[root@75a00dcfa617 filebeat]# ls -l filebeat.yml 
-rw-r--r-- 1 root root 8345 Feb 24 15:19 filebeat.yml

and on the host:

ls -l  
-rw-r--r--  1 chrismark  staff  1596 Feb 24 16:27 docker-compose.yml
-rw-r--r--  1 chrismark  staff  8345 Feb 24 17:19 filebeat.yml

In this, I'm able to start the whole stack normally.

In order to provide an idea on the workaround you have found maybe you can try mounting a second configuration file like:

- "./filebeat.yml:/usr/share/filebeat/filebeat2.yml"

and override the container's entry command like:

  filebeat:
    depends_on:
      - "elasticsearch"
    image: docker.elastic.co/beats/filebeat:7.6.0
    container_name: filebeat
    user: root
    command: ./filebeat -e -c filebeat2.yml
    volumes:
      - "./filebeat.yml:/usr/share/filebeat/filebeat2.yml"
      - "./test.json:/usr/share/filebeat/sample.json"
      - "/var/lib/docker/containers:/usr/share/filebeat/dockerlogs:ro"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - filebeat
    networks:
      - elastic-net

zebulyon · February 24, 2020, 6:12pm

Hello, thanks for the quick response, as well as confirming my suspicions regarding the creation of a second instance.

I am however very confused as to why you can start the whole stack normally. As I truly am unable to get it to work.

Selection_004

I have now tried your solution in regards to my work around but that also fails, and I seem to get the exact same error message as before. I have tried to add your suggestion regarding the work around both in the normal docker-compose file and in the docker-compose.override.yml file but I still get the same old result.

ChrsMark · February 25, 2020, 11:33am

Hmm,

I see that in my case it is like this in the container:

[root@75a00dcfa617 filebeat]# ls -l filebeat.yml 
-rw-r--r-- 1 root root 8345 Feb 24 15:19 filebeat.yml

I would say that it is different because we run docker-compose differently (users, permissions etc) so this is why in my case works.

So can you fix the ownerships the files accordingly? What the error message indicates is that the configuration file should be owned by root (I guess that uid=0 is would also be root).

zebulyon · February 25, 2020, 12:26pm

I think that might be the solution.
Because when I create the filebeat.yml file as root, thus setting root as the owner of the file on the host computer, then the previous error
,Exiting: error loading config file: config file ("filebeat.yml") must be owned by the user identifier (uid=0) or root ,
seem to disappear. And no new error seems to have appeared either.

Could you also tell me how check to see if everything is working as intended?

ChrsMark · February 25, 2020, 4:34pm

If Filebeat is able to start then you have solved the configuration's permission related issue.

system · March 24, 2020, 4:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.