OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

OpenCTI container error - platform fails to start #2230

Open timothyghall opened 2 years ago

timothyghall commented 2 years ago

Description

I can't keep the platform running. I get it up and it works for a day or so then the app starts being unresponsive. If I stop and restart the stack I get this error and the container keeps restarting then stopping:

{"category":"APP","error":{"context":{"category":"technical","error":{"_error":{},"_showLocations":false,"_showPath":false,"data":{"category":"technical","http_status":500,"reason":"[INIT] Fail initialize schema, index already exists, previous initialization fail because you kill the platform before the end of the initialization. Please remove your elastic/opensearch data and restart."},"internalData":{},"name":"ConfigurationError","time_thrown":"2022-07-17T15:08:25.760Z"},"http_status":500,"reason":"[OPENCTI] Platform initialization fail"},"message":"An unknown error has occurred","name":"UnknownError","stack":"UnknownError: An unknown error has occurred\n at error (/opt/opencti/build/src/config/errors.js:8:10)\n at UnknownError (/opt/opencti/build/src/config/errors.js:54:47)\n at platformInit (/opt/opencti/build/src/initialization.js:335:13)\n at processTicksAndRejections (node:internal/process/task_queues:96:5)\n at boot (/opt/opencti/build/src/boot.js:14:5)"},"level":"error","message":"[OPENCTI] Platform start fail","timestamp":"2022-07-17T15:08:25.766Z","version":"5.3.7"}

How can I correct this without deleting the elastic volume - and losing all my data? That seems to be the only way I get it working again and I have to start all over.

Environment

  1. OS (where OpenCTI server runs): Ubuntu 22.04 LTS
  2. OpenCTI version: 5.3.7
  3. OpenCTI client: Frontend
  4. Other environment details: Two docker swarm nodes. Managing with Portainer. 8 GB RAM and 4 processors each. Both virtual machines on a Windows host - VMware Workstation, no host errors or issues observed.

Reproducible Steps

I just start the stack and eventually start running into these problems about 24 hours later. If I restart the stack then I start getting this index already exists error.

ade-secrutiny commented 2 years ago

I don't know if this maps directly to your issue, but I was having exactly the same problem recently - very frustrating. Same error message and symptoms as you're seeing. In the process of tearing it all down to bare metal and starting again to try to isolate the issue, I noticed that running it outside of Swarm works fine. Only when I introduced Swarm and deployed as a stack did the problem appear. Running stand-alone and bringing everything up with docker-compose using the same docker-compose.yml file works. It's been running now for 24hrs with no problem and as I don't actually need to run it in Swarm mode, I'm letting sleeping dogs lie for now.. I'd love to find out what the root cause is, I always assume it's me..

timothyghall commented 2 years ago

Sounds like it's similar. So the disk I was running on was 2x128 GB SSD combined in a dynamic disk on the Windows host. And they failed a couple days ago. Maybe that had something to do with it. I deployed a new OpenCTI stack with the same config on a different disk. We shall see. I also noticed that my stack config file did not specifically have the elasticsearch ports listed in it so I added that. Don't know if it makes a difference. I don't understand how it would run without it if it's required to be there but it was not in install instructions and default docker compose file.

ade-secrutiny commented 2 years ago

It's been driving me gradually mad. I forgot to mention that it did fail with the same error once after I dropped Swarm mode and just for fun I not only removed the esdata volume, which you would think would eradicate all evidence of pre-existing data, but still threw the error on recreation - I actually renamed it in the docker-compose.yml to newesdata and brought it up - and hey presto! still working... When I removed the esdata volume initially I even ensured the corresponding /var/lib/docker/volumes/XXXXX directory was gone, just in case I was losing it..

robbiemueller commented 1 year ago

I'm getting this same error and have had no luck. I've tried so many things. Just tried renaming to newesdata like the poster above me did as well and still get the same issue.

christiantroldmand commented 1 year ago

Same issue here, anyone managed to solve it?

CreativeASAP commented 1 year ago

I have the same issue

"[INIT] Fail initialize schema, index already exists, previous initialization fail because you kill the platform before the end of the initialization. Please remove your elastic/opensearch data and restart."
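
Added example, not part of the thread and not OpenCTI's own code: the log line in the opening post reports "An unknown error has occurred" at the top level while the actual cause sits several levels down in the nested error object. The sketch below unwraps that nesting for each JSON line in a container log; `SAMPLE` is a shortened copy of the posted line, and the function names are illustrative.

```python
import json

# Shortened copy of the log line quoted in the issue: stack trace and empty
# fields dropped, reason text cut short, nesting of the error object kept.
SAMPLE = json.dumps({
    "category": "APP",
    "error": {
        "context": {
            "category": "technical",
            "error": {
                "data": {"category": "technical", "http_status": 500,
                         "reason": "[INIT] Fail initialize schema, index already exists"},
                "name": "ConfigurationError",
                "time_thrown": "2022-07-17T15:08:25.760Z",
            },
            "http_status": 500,
            "reason": "[OPENCTI] Platform initialization fail",
        },
        "message": "An unknown error has occurred",
        "name": "UnknownError",
    },
    "level": "error",
    "message": "[OPENCTI] Platform start fail",
    "timestamp": "2022-07-17T15:08:25.766Z",
    "version": "5.3.7",
})

def reasons(node, depth=0):
    """Yield (depth, reason) for every string 'reason' field under node."""
    if isinstance(node, dict):
        if isinstance(node.get("reason"), str):
            yield depth, node["reason"]
        for value in node.values():
            yield from reasons(value, depth + 1)
    elif isinstance(node, list):
        for value in node:
            yield from reasons(value, depth + 1)

def triage(line):
    """Return a summary for an error-level JSON log line, else None."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None  # plain-text lines mixed into the container log
    if not isinstance(record, dict) or record.get("level") != "error":
        return None
    chain = sorted(reasons(record.get("error", {})))  # outermost first
    return {
        "timestamp": record.get("timestamp"),
        "version": record.get("version"),
        "summary": record.get("message"),
        "chain": [text for _, text in chain],
        "root_cause": chain[-1][1] if chain else None,
    }
```
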