search

pires / docker-elasticsearch

Dockerfile for a base Elasticsearch image to be extended by others (allow to install plug-ins, change configuration, etc.)
Apache License 2.0
161 stars 173 forks source link

The new `REPO_LOCATIONS` default is invalid: will dump backups to `/elasticsearch/[]` by default, and break when a non-privileged user is used #62

Closed Quentin-M closed 6 years ago

Quentin-M commented 6 years ago

When nothing is specified, and we try to run this Elastic Search image straight up, with an unprivileged user, it now fails (in both the Docker case, and the Kubernetes case).

$ mkdir data
$ sudo chown 1000 data
$ sudo chmod 777 data
$ docker run -it --rm -u 1000 quay.io/pires/docker-elasticsearch-kubernetes:6.2.3

[2018-04-16T22:35:12,953][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [2f0fa121-81e0-4056-8eb1-a0ffc52fbc48] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: Unable to access 'path.logs' (/data/log)
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-6.2.3.jar:6.2.3]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) ~[elasticsearch-6.2.3.jar:6.2.3]
Caused by: java.lang.IllegalStateException: Unable to access 'path.logs' (/data/log)
    at org.elasticsearch.bootstrap.FilePermissionUtils.addDirectoryPath(FilePermissionUtils.java:70) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Security.addFilePermissions(Security.java:300) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Security.createPermissions(Security.java:262) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Security.configure(Security.java:123) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:208) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.3.jar:6.2.3]
    ... 6 more
Caused by: java.nio.file.AccessDeniedException: /data/log
    at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84) ~[?:1.8.0_151]
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102) ~[?:1.8.0_151]
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107) ~[?:1.8.0_151]
    at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384) ~[?:1.8.0_151]
    at java.nio.file.Files.createDirectory(Files.java:674) ~[?:1.8.0_151]
    at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781) ~[?:1.8.0_151]
    at java.nio.file.Files.createDirectories(Files.java:767) ~[?:1.8.0_151]
    at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:421) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.FilePermissionUtils.addDirectoryPath(FilePermissionUtils.java:68) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Security.addFilePermissions(Security.java:300) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Security.createPermissions(Security.java:262) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Security.configure(Security.java:123) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:208) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.3.jar:6.2.3]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.3.jar:6.2.3]
    ... 6 more

From reading Elastic Search's code, I can see that for each of the defined repo.path, Elastic Search will verify that the directory exists, and then add their respective policies. The exception thrown reveals that Elastic Search may be parsing [] as a literal repo.path. Launching Elastic Search as root, indeed, reveals that Elastic Search creates /elasticsearch/[] and will therefore dump backups there unexpectedly. When Elastic Search is ran as its unprivileged user, the run.sh entrypoint does not chown /elasticsearch nor /data, as /data is expected to already be mounted properly, and as nothing should be written under /elasticsearch - therefore, Elastic Search fails to create silently and then throw because it could not find /elasticsearch/[].

When the REPO_LOCATIONS environment variable is replaced by an empty string, rather than its default [], Elastic Search is able to start properly in both privileged and unprivileged cases.

pires commented 6 years ago

Tagged `quay.io/pires/docker-elasticsearch:6.2.3_1"! Thanks a lot @quentin-m