ERROR: don't run elasticsearch as root #87

Closed
animageofmine opened this issue Nov 16, 2016 · 8 comments

@animageofmine

I tried to run the container with additional elasticsearch parameters (tag = es240_l240_k460)

docker run --name elknode01 --net=es-network --restart always -p 9200:9200 -p 9300:9300 -p 5601:5601 myelkimage elasticsearch -Des.cluster.name=cluster-01 -Des.node.master=true -Des.node.name=node01

I get the following error:

Exception in thread "main" java.lang.RuntimeException: don't run elasticsearch as root.
    at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:94)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:160)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:286)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

I removed logstash from dockerfile since I don't need it and added the following to docker file:
ENV PATH /usr/share/elasticsearch/bin:$PATH

Replaced the following (+ means added, - means line removed):
Dockerfile:

+ COPY elasticsearch.yml ./config/elasticsearch.yml
- ADD ./elasticsearch.yml /etc/elasticsearch/elasticsearch.yml
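Review bot: the added COPY destination `./config/elasticsearch.yml` is relative, so where the file lands depends on a WORKDIR that is not visible here, whereas the removed ADD used the absolute `/etc/elasticsearch/elasticsearch.yml`. Suggest an absolute destination so the Dockerfile and start.sh name the same path explicitly, and confirm that whatever starts Elasticsearch actually reads its configuration from the new location.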

start.sh

+ CLUSTER_NAME=$(grep -Po '(?<=^cluster.name: ).*' /usr/share/elasticsearch/config/elasticsearch.yml | sed -e 's/^[ \t]*//;s/[ \t]*$//')
- CLUSTER_NAME=$(grep -Po '(?<=^cluster.name: ).*' /etc/elasticsearch/elasticsearch.yml | sed -e 's/^[ \t]*//;s/[ \t]*$//')
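Review bot: on the added CLUSTER_NAME line, the lookbehind `(?<=^cluster.name: )` matches only an uncommented key with a single space directly after the colon, its unescaped `.` matches any character, and when nothing matches CLUSTER_NAME is silently empty. Suggest escaping the dot, tolerating other whitespace after the colon (for example with `\K` in place of the lookbehind), and failing with a clear message when the extracted value is empty or the file at the new path does not exist.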

Somehow, docker is running elasticsearch as root when adding the parameters (-Des parameters mentioned above), while if I don't specify any additional parameters, it seems to work just fine. Tried googling quite a bit, but in vain.

I don't want to run as root, but I don't know how to run as another user. Are the scripts missing anything or am I missing something?

@spujadas
Owner

Elasticsearch is supposed to be started as a service, the corresponding init script starts it as the right user (namely elasticsearch). See http://elk-docker.readthedocs.io/#selective-services for guidance on how to start ES only.
To add extra ES parameters, overwrite the default /etc/default/elasticsearch.

@animageofmine
Author

animageofmine commented Nov 16, 2016

Thank you. I added "--user elasticsearch" parameter in docker run command and that worked. Example below:

docker run --name eknode01 --net=es-network --restart always --user elasticsearch -p 9200:9200 -p 9300:9300 -p 5601:5601 ek1 /usr/share/elasticsearch/bin/elasticsearch -Des.cluster.name=cluster-01 -Des.node.master=true -Des.node.name=node01

Is that a recommended way, or is updating elasticsearch a better option?

Also, the above command only starts elasticsearch. I understand that it should start both kibana and elasticsearch unless I specify a parameter with value other than 1 explicitly. What could I be missing?

Something that is not related to this thread, but would be very useful if you already know. If I want a cluster of nodes running on production environment, do I need kibana on all dockerized nodes (probably a stupid question, but still learning more about elasticsearch)?

@spujadas
Owner

spujadas commented Nov 16, 2016

The image is designed to start the services using the start.sh script. By passing a command line to docker run you're bypassing this script (and I won't be able to help you).
I would strongly recommend that you set your configuration parameters (cluster.name, node.master, etc.) in an updated elasticsearch.yml and use that file to run the container (see https://elk-docker.readthedocs.io/#tweaking-image for more on that).
And as mentioned, start the container without the /usr/share/elasticsearch/bin/elasticsearch ... command line.

> Something that is not related to this thread, but would be very useful if you already know. If I want a cluster of nodes running on production environment, do I need kibana on all dockerized nodes (probably a stupid question, but still learning more about elasticsearch)?

In a production cluster set-up it's best to keep Kibana separate from your ES master nodes, and depending on capacity requirements you may need several (e.g. load-balanced) Kibana nodes connected to your ES cluster.

@animageofmine
Author

Thank you. I added the configuration parameters in the yml. Both the services are up and running, though I am not able to access elasticsearch on my browser via port 9200.

localhost:5601 (kibana) works ok
localhost:9200 (elasticsearch) does not work, though the port is open

lsof -n -i:9200

COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
com.docke 48317 foo   20u  IPv4 0xa6d81fdd9b04aa12      0t0  TCP *:wap-wsp (LISTEN)
com.docke 48317 foo   21u  IPv6 0xa6d81fdd97cf008a      0t0  TCP [::1]:wap-wsp (LISTEN)

Ideas?

@spujadas
Owner

Could you confirm that you're observing this behaviour with the default image (i.e. not overridden with your config file)? I just want to rule out that this isn't a configuration error.

Assuming that the answer is yes, then if the container starts properly (nothing suspicious in the logs, and nothing indicated at https://elk-docker.readthedocs.io/#troubleshooting), then the most common reason for what you're observing is that ES dies due to a lack of memory (see #57 for more on this, try running the container with at least 4GB RAM).

(Oh by the way, the port being accessible from the host doesn't really mean anything, as it's Docker that's publishing it, even if there's nothing running at the other end.)
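
An added example (not part of the thread or of the project's code) of the point in the comment above: a TCP connect to a published port succeeds even when nothing answers behind it, so the check has to be an application-level request. The listener that accepts and immediately drops connections is a constructed stand-in for a published port with a dead backend; `probe` and the helper names are hypothetical.

```python
import http.client
import http.server
import socket
import threading

def probe(host, port, timeout=2.0):
    """Classify host:port as 'closed', 'listening-only' or 'http-ok'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.connect()  # TCP only: the same fact lsof shows on the host
    except OSError:
        return "closed"
    try:
        conn.request("GET", "/")
        conn.getresponse().read()  # any HTTP status proves a server answered
        return "http-ok"
    except (http.client.HTTPException, OSError):
        return "listening-only"  # accepted, then dropped or timed out
    finally:
        conn.close()

def start_drop_listener():
    # Constructed stand-in: accepts connections, then closes them unanswered.
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            client, _ = srv.accept()
            client.close()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

class _Ok(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = b'{"status": "constructed sample"}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args): pass  # keep the demo quiet

def start_http_server():
    # Constructed stand-in for a live Elasticsearch HTTP endpoint.
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Ok)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

if __name__ == "__main__":
    print(probe("127.0.0.1", start_drop_listener()))  # listening-only
    print(probe("127.0.0.1", start_http_server()))    # http-ok
```

Against the container in this thread the equivalent call would be `probe("localhost", 9200)`.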

@animageofmine
Author

animageofmine commented Nov 16, 2016

I updated elasticsearch.yml with some parameters that I passed earlier via terminal. I believe if ES dies, kibana starts complaining via logs and I didn't see anything in kibana logs.

I am checking logs to see if I can find something meaningful.

@animageofmine
Author

animageofmine commented Nov 16, 2016

I reverted back to default image and it seems to be working as expected. I am making incremental changes to see what exactly is the config error that is causing this problem since the logs are not indicating anything. Please let me know if you have any ideas in the meanwhile.

UPDATE: I confirm that making any changes to elasticsearch.yml causes the issue to repro. Default config file just works fine. Let me know if you have any insight into this.

UPDATE 2: I was able to figure out the issue. This happened because I changed the path of config files from /etc/elasticsearch to /etc/shared/elasticsearch. I wasn't aware of the default configs / paths that elasticsearch used, which I found out here.

@spujadas
Owner

OK thanks for the update, great to hear that you managed to figure it out!
(Closing the issue.)
