Exception in thread "main" java.lang.IllegalStateException: Unable to access 'path.scripts' (/usr/share/elasticsearch/config/scripts)

[cameronmaske]

Hi, there I'm running into this issue when adding the elasticsearch to a dokku instance.

Steps to recreate

export ELASTICSEARCH_IMAGE_VERSION="2.1.1"
dokku elasticsearch:create lolipop

From the output it stales for ever on...

-----> Starting container
       Waiting for container to be ready

Looking at the logs of the booted up container

...
Refer to the log for complete error details.
log4j:WARN No appenders could be found for logger (bootstrap).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Exception in thread "main" java.lang.IllegalStateException: Unable to access 'path.scripts' (/usr/share/elasticsearch/config/scripts)
Likely root cause: java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/scripts
    at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
    at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384)
    at java.nio.file.Files.createDirectory(Files.java:674)
    at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)
    at java.nio.file.Files.createDirectories(Files.java:767)
    at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:250)
    at org.elasticsearch.bootstrap.Security.addPath(Security.java:227)
    at org.elasticsearch.bootstrap.Security.addFilePermissions(Security.java:195)
    at org.elasticsearch.bootstrap.Security.createPermissions(Security.java:184)
    at org.elasticsearch.bootstrap.Security.configure(Security.java:105)
    at org.elasticsearch.bootstrap.Bootstrap.setupSecurity(Bootstrap.java:196)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:167)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:285)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
Refer to the log for complete error details.
log4j:WARN No appenders could be found for logger (bootstrap).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

[cameronmaske]

Here is my workaround for the moment.

Looking at the folders I could see that data is owned by colord

dokku@frames:/var/lib/dokku/services/elasticsearch/frames$ ls -al /var/lib/dokku/services/elasticsearch/frames/
total 24
drwxr-xr-x 4 dokku  dokku 4096 Jan 17 14:51 .
drwxr-xr-x 3 dokku  dokku 4096 Jan 17 14:51 ..
drwxr-xr-x 2 dokku  dokku 4096 Jan 17 14:51 config
drwxr-xr-x 3 colord ssh   4096 Jan 17 14:55 data
-rw-r--r-- 1 dokku  dokku    1 Jan 17 14:51 ENV
-rw-r--r-- 1 dokku  dokku   65 Jan 17 14:51 ID
-rw-r--r-- 1 dokku  dokku    0 Jan 17 14:51 LINKS

I was able to chown the config folder as colord

chown colord:ssh /var/lib/dokku/services/elasticsearch/frames/config

Then the service booted correctly.

I'm guessing this is related to https://github.com/docker-library/elasticsearch/issues/74 and the userid mismatch. Elasticsearch > 2 can't be run as root, hence they use user elasticsearch

It seems that user colord on the host matches the userid of the elasticsearch user in the container

dokku@frames:/var/lib/dokku/services/elasticsearch/frames$ id -u colord
105
dokku@frames:/var/lib/dokku/services/elasticsearch/frames$ docker exec b9433224b65e id -u elasticsearch
105

Which fits with what thoughtcroft mentions in the comment on the elasticsearch image

Lots of people have complained about the AccessDenied issue. This usually occurs when using docker machine (or boot2docker) on a Mac. I previously got around this by running elasticsearch as root but you can't do that on the 2.x release.

My solution to this is based on the mount of /Users from the Mac into the boot2docker vm /Users is owned by the docker user who has uid 1000. When you look at the mount of the folder from the vm into the container, you can see that the user is 1000 (no name since there is no user with uid of 1000 defined in the container).

The hack is to change the uid of the elasticsearch user to be 1000 and then he will have permission against any mounted volume from the Mac. Just use this is the command supplied to docker run

/bin/bash -c 'usermod -u 1000 elasticsearch; gosu elasticsearch elasticsearch'

[josegonzalez]

Is that directory mounted on the mac somehow for you?

[cameronmaske]

@josegonzalez Nope! This is running on a DO instances using their pre-built Dokku image (which in on Ubuntu 14.04 I believe).

I think the issue is that the mkdir in the command script setup the folders using the dokku user when run (which had userid 1000) but the elasticsearch image only chown the data dir not the config dir.

[kengoldfarb]

+1 Seeing the same thing

[lord2800]

Can confirm this as well.

[rodcrespo]

+1 Happening in a Ubuntu 14.04 DO clean droplet, manually installing the last version of Dokku.

[hereisandres]

I experienced the same issue on a clean DO droplet, as well. We managed to fix the issue by specifying the version of elastic search before creating a new service. The latest version 2.x.x was giving us issues.

export ELASTICSEARCH_IMAGE_VERSION="1.7.1"
dokku elasticsearch:create service_name

[josegonzalez]

Should I just revert to 1.7.1? Thats annoying.

[cu12]

I would +1 to revert to 1.7.1 until this is fixed.

[rafaferrari]

I had the same problem yet.

[josegonzalez]

I reverted to 1.7.1.

[dtest11]

when i`am log as root the exception is missed