-
Notifications
You must be signed in to change notification settings - Fork 240
Elasticsearch 6: Failed to create node environment #187
Comments
I presume that the uid of the user that you issuing the commands as is not |
I also meet the same problem when I mount logs dir from the container to local ,and it returns to me as follow: |
It appears that the entrypoint is not correctly setting the primary group of the user to
We can, however, explicitly set the GID of the process using the same technique:
I suggest we do this in the entrypoint. |
Alternatively, now that we prefer GID |
Hi @dliappis , My docker-compose looks like this:
And my local user id is 1000, so workaround with changing ownership to 1000:1000 for /usr/share/elasticsearch doesn't work. Is there any other solution? Thanks |
Have you tried changing the group of the files to |
You mean 1000:0 ? I just tried it, and it doesn't work. |
To be honest, I'm not sure I fully understand the behaviour you are seeing. This issue is about file permissions for the data directory, but it looks like you are using a named volume for the data dir. That should not have any problem. Can you expand a bit on what's not working for you? |
@jarpy sorry this took time to get back to. I vaguely remember that I was happy with the |
@jarpy I'm using named volume for data dir, but I can see exactly the same exception as in original post not being able to create node environment because of the AccessDeniedException on /usr/share/elasticsearch/data/nodes. I've manually created these directories and tried to change owner of elasticsearch directory and all children. It doesn't work for me since I'm user 1000. |
I don't think that your user account being UID 1000 is a problem. My UID is usually 1000, too. That's only in the host UID namespace, however. Unless you have explicitly arranged otherwise, the container is running in its own UID namespace. It doesn't know about "you", only the "elasticsearch" user, which is UID 1000 in that namespace. |
I'm not sure how it is possible that container is not aware of host user. These files are on the host machine, and when I change ownership to 1000, it is assigned to my username. For me, it doesn't make sense that docker container can override the ownership of the files that live on host machine and which is assigned by host OS, and take the ownership on the files. I'm not an expert for docker, so I can't claim this for sure. It's just my thought. |
It's all about Linux namespaces. These are really the essence of containers. The PID namepace is also really important, for example. That's how your process can think it's PID 1 inside the container, but can also be seen as some other number outside. UIDs within the container are completely separate from those on the host. That model does break down a little, however, if you share a filesystem between the host and the container. Then, you have to start worrying about matching up the UIDs. We recommend that people avoid sharing filesystems if possible and instead use storage that is dedicated to the container, like Docker named volumes (which you are doing). If there are any existing file in those volumes, then it's best to make them UID:GID 1000:0. The presence of a host user with UID 1000 has no effect. Better still, just recreate the volumes and let Elasticsearch create the files it needs. I assume there is no data in them, since the process won't start? What is the exact error that you are seeing? |
This issue hasn't had any feedback in 6 months. Additionally, maintenance of the docker files for elasticsearch has moved to the elasticsearch repo. Please open any new bug reports there. As we will be archiving this repository, I am going to close this issue. |
Bug Description
Suppose we have a data directory that is not owned by the elasticsearch user, so we set group permissions on it as per the documentation:
Then we run the elasticsearch container:
This results in the following error:
However, this used to work correctly on elasticsearch 5. For example, this command runs successfully:
It seems like the newer containers require something more that just group permissions on the data directory, so either the documentation is wrong or there is a bug somewhere.
Environment
The text was updated successfully, but these errors were encountered: