Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
image: opensearchproject/opensearch:2.11.0
Describe the issue:
I am trying to create an opensearch serveur with docker-compose. It worked fine on Fedora35 but does not work well on Ubuntu 22.04. I get an error message that OpenSearch cannot create or access a directory in /usr/share/opensearch/data/nodes due to an AccessDeniedException.
I created /usr/share/opensearch/data/nodes by hand because it told me that I could not access it and indeed it was not there. I also did a chmod +x /usr/share/opensearch/data/nodes.
I also tried mkdir -p /usr/share/opensearch/data/nodes && chown -R 1000:1000 /usr/share/opensearch/data but it doesn’t change.
Configuration:
docker-compose.yaml
version: '3'
services:
# Serveur OpenSearch (fork Elasticsearch 7.10)
opensearch:
image: opensearchproject/opensearch:2.11.0
container_name: opensearch
environment:
- cluster.name=docker-cluster
- discovery.type=single-node
- bootstrap.memory_lock=true
- node.roles=ml, data, master, ingest
- plugins.ml_commons.native_memory_threshold=100
- plugins.security.disabled=true
- "OPENSEARCH_JAVA_OPTS=-Xms4096m -Xmx4096m"
volumes:
- ./docker/opensearch/data:/usr/share/opensearch/data
# command: bash -c "mkdir -p /usr/share/opensearch/data/nodes && chown -R 1000:1000 /usr/share/opensearch/data"
ulimits:
memlock:
soft: -1
hard: -1
ports:
- 9200:9200
- 9600:9600
networks:
- opensearch-net
# Opensearch dashboard pour la visualisation
opensearch-dashboards:
image: opensearchproject/opensearch-dashboards:2.11.0
container_name: opensearch-dashboards
ports:
- 5601:5601
networks:
- opensearch-net
environment:
- 'OPENSEARCH_HOSTS=["http://opensearch:9200"]'
- "DISABLE_SECURITY_DASHBOARDS_PLUGIN=true"
volumes:
- ./docker/opensearch-dashboards/config/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
depends_on:
- opensearch
networks:
opensearch-net:
driver: bridge
Relevant Logs or Screenshots:
.venv) reply@reply-GP66-Leopard-11UH:~/Documents/chatbot-rag/docker-opensearch$ sudo docker-compose up
[+] Running 2/0
✔ Container opensearch Running 0.0s
✔ Container opensearch-dashboards Running 0.0s
Attaching to opensearch, opensearch-dashboards
opensearch | Enabling execution of install_demo_configuration.sh for OpenSearch Security Plugin
opensearch | **************************************************************************
opensearch | ** This tool will be deprecated in the next major release of OpenSearch **
opensearch | ** https://github.com/opensearch-project/security/issues/1755 **
opensearch | **************************************************************************
opensearch | OpenSearch Security Demo Installer
opensearch | ** Warning: Do not use on production or public reachable systems **
opensearch | Basedir: /usr/share/opensearch
opensearch | OpenSearch install type: rpm/deb on Amazon Linux release 2023 (Amazon Linux)
opensearch | OpenSearch config dir: /usr/share/opensearch/config
opensearch | OpenSearch config file: /usr/share/opensearch/config/opensearch.yml
opensearch | OpenSearch bin dir: /usr/share/opensearch/bin
opensearch | OpenSearch plugins dir: /usr/share/opensearch/plugins
opensearch | OpenSearch lib dir: /usr/share/opensearch/lib
opensearch | Detected OpenSearch Version: x-content-2.11.0
opensearch | Detected OpenSearch Security Version: 2.11.0.0
opensearch |
opensearch | ### Success
opensearch | ### Execute this script now on all your nodes and then start all nodes
opensearch | ### OpenSearch Security will be automatically initialized.
opensearch | ### If you like to change the runtime configuration
opensearch | ### change the files in ../../../config/opensearch-security and execute:
opensearch | "/usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh" -cd "/usr/share/opensearch/config/opensearch-security" -icl -key "/usr/share/opensearch/config/kirk-key.pem" -cert "/usr/share/opensearch/config/kirk.pem" -cacert "/usr/share/opensearch/config/root-ca.pem" -nhnv
opensearch | ### or run ./securityadmin_demo.sh
opensearch | ### To use the Security Plugin ConfigurationGUI
opensearch | ### To access your secured cluster open https://<hostname>:<HTTP port> and log in with admin/admin.
opensearch | ### (Ignore the SSL certificate warning because we installed self-signed demo certificates)
opensearch | Enabling OpenSearch Security Plugin
opensearch | Enabling execution of OPENSEARCH_HOME/bin/opensearch-performance-analyzer/performance-analyzer-agent-cli for OpenSearch Performance Analyzer Plugin
opensearch | WARNING: A terminally deprecated method in java.lang.System has been called
opensearch | WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.OpenSearch (file:/usr/share/opensearch/lib/opensearch-2.11.0.jar)
opensearch | WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.OpenSearch
opensearch | WARNING: System::setSecurityManager will be removed in a future release
opensearch | WARNING: A terminally deprecated method in java.lang.System has been called
opensearch | WARNING: System::setSecurityManager has been called by org.opensearch.bootstrap.Security (file:/usr/share/opensearch/lib/opensearch-2.11.0.jar)
opensearch | WARNING: Please consider reporting this to the maintainers of org.opensearch.bootstrap.Security
opensearch | WARNING: System::setSecurityManager will be removed in a future release
opensearch | [2023-11-02T17:35:35,817][INFO ][o.o.n.Node ] [05a295b38cbe] version[2.11.0], pid[105], build[tar/4dcad6dd1fd45b6bd91f041a041829c8687278fa/2023-10-13T02:55:55.511945994Z], OS[Linux/6.2.0-36-generic/amd64], JVM[Eclipse Adoptium/OpenJDK 64-Bit Server VM/17.0.8/17.0.8+7]
opensearch | [2023-11-02T17:35:35,819][INFO ][o.o.n.Node ] [05a295b38cbe] JVM home [/usr/share/opensearch/jdk], using bundled JDK/JRE [true]
opensearch | [2023-11-02T17:35:35,819][INFO ][o.o.n.Node ] [05a295b38cbe] JVM arguments [-Xshare:auto, -Dopensearch.networkaddress.cache.ttl=60, -Dopensearch.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -XX:+ShowCodeDetailsInExceptionMessages, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, -Xms1g, -Xmx1g, -XX:+UseG1GC, -XX:G1ReservePercent=25, -XX:InitiatingHeapOccupancyPercent=30, -Djava.io.tmpdir=/tmp/opensearch-1034605652609818352, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=data, -XX:ErrorFile=logs/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.util.concurrent.ForkJoinPool.common.threadFactory=org.opensearch.secure_sm.SecuredForkJoinWorkerThreadFactory, -Dclk.tck=100, -Djdk.attach.allowAttachSelf=true, -Djava.security.policy=/usr/share/opensearch/config/opensearch-performance-analyzer/opensearch_security.policy, --add-opens=jdk.attach/sun.tools.attach=ALL-UNNAMED, -Dopensearch.cgroups.hierarchy.override=/, -Xms4096m, -Xmx4096m, -XX:MaxDirectMemorySize=2147483648, -Dopensearch.path.home=/usr/share/opensearch, -Dopensearch.path.conf=/usr/share/opensearch/config, -Dopensearch.distribution.type=tar, -Dopensearch.bundled_jdk=true]
opensearch | [2023-11-02T17:35:36,377][INFO ][o.o.s.s.t.SSLConfig ] [05a295b38cbe] SSL dual mode is disabled
opensearch | [2023-11-02T17:35:36,378][WARN ][o.o.s.OpenSearchSecurityPlugin] [05a295b38cbe] OpenSearch Security plugin installed but disabled. This can expose your configuration (including passwords) to the public.
opensearch | [2023-11-02T17:35:36,688][INFO ][o.o.p.c.c.PluginSettings ] [05a295b38cbe] Config: metricsLocation: /dev/shm/performanceanalyzer/, metricsDeletionInterval: 1, httpsEnabled: false, cleanup-metrics-db-files: true, batch-metrics-retention-period-minutes: 7, rpc-port: 9650, webservice-port 9600
opensearch | [2023-11-02T17:35:36,691][ERROR][o.o.p.c.PerformanceAnalyzerController] [05a295b38cbe] java.nio.file.AccessDeniedException: /usr/share/opensearch/data/performance_analyzer_enabled.conf
opensearch | java.nio.file.AccessDeniedException: /usr/share/opensearch/data/performance_analyzer_enabled.conf
opensearch | at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
opensearch | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
opensearch | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
opensearch | at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218) ~[?:?]
opensearch | at java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:484) ~[?:?]
opensearch | at java.nio.file.Files.newOutputStream(Files.java:228) ~[?:?]
opensearch | at java.nio.file.Files.write(Files.java:3512) ~[?:?]
opensearch | at org.opensearch.performanceanalyzer.config.PerformanceAnalyzerController.lambda$saveStateToConf$5(PerformanceAnalyzerController.java:335) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at org.opensearch.performanceanalyzer.PerformanceAnalyzerPlugin.lambda$invokePrivileged$1(PerformanceAnalyzerPlugin.java:130) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at java.security.AccessController.doPrivileged(AccessController.java:318) [?:?]
opensearch | at org.opensearch.performanceanalyzer.PerformanceAnalyzerPlugin.invokePrivileged(PerformanceAnalyzerPlugin.java:126) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at org.opensearch.performanceanalyzer.config.PerformanceAnalyzerController.saveStateToConf(PerformanceAnalyzerController.java:327) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at org.opensearch.performanceanalyzer.config.PerformanceAnalyzerController.lambda$initPerformanceAnalyzerStateFromConf$0(PerformanceAnalyzerController.java:207) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at org.opensearch.performanceanalyzer.PerformanceAnalyzerPlugin.lambda$invokePrivileged$1(PerformanceAnalyzerPlugin.java:130) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at java.security.AccessController.doPrivileged(AccessController.java:318) [?:?]
opensearch | at org.opensearch.performanceanalyzer.PerformanceAnalyzerPlugin.invokePrivileged(PerformanceAnalyzerPlugin.java:126) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at org.opensearch.performanceanalyzer.config.PerformanceAnalyzerController.initPerformanceAnalyzerStateFromConf(PerformanceAnalyzerController.java:199) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at org.opensearch.performanceanalyzer.config.PerformanceAnalyzerController.<init>(PerformanceAnalyzerController.java:55) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at org.opensearch.performanceanalyzer.PerformanceAnalyzerPlugin.<init>(PerformanceAnalyzerPlugin.java:161) [opensearch-performance-analyzer-2.11.0.0.jar:2.11.0.0]
opensearch | at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
opensearch | at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:77) ~[?:?]
opensearch | at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
opensearch | at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499) ~[?:?]
opensearch | at java.lang.reflect.Constructor.newInstance(Constructor.java:480) ~[?:?]
opensearch | at org.opensearch.plugins.PluginsService.loadPlugin(PluginsService.java:782) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.plugins.PluginsService.loadBundle(PluginsService.java:731) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.plugins.PluginsService.loadBundles(PluginsService.java:533) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.plugins.PluginsService.<init>(PluginsService.java:195) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.node.Node.<init>(Node.java:480) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.node.Node.<init>(Node.java:407) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) [opensearch-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) [opensearch-cli-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.cli.Command.main(Command.java:101) [opensearch-cli-2.11.0.jar:2.11.0]
opensearch | at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) [opensearch-2.11.0.jar:2.11.0]
opensearch-dashboards | Disabling OpenSearch Security Dashboards Plugin
opensearch-dashboards | Removing securityDashboards...
opensearch-dashboards | Plugin removal complete
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-02T17:35:36Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"dataSourceManagement\" has been disabled since the following direct or transitive dependencies are missing or disabled: [dataSource]"}
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-02T17:35:36Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"dataSource\" is disabled."}
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-02T17:35:36Z","tags":["info","plugins-service"],"pid":1,"message":"Plugin \"visTypeXy\" is disabled."}
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-02T17:35:36Z","tags":["warning","config","deprecation"],"pid":1,"message":"\"cpu.cgroup.path.override\" is deprecated and has been replaced by \"ops.cGroupOverrides.cpuPath\""}
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-02T17:35:36Z","tags":["warning","config","deprecation"],"pid":1,"message":"\"cpuacct.cgroup.path.override\" is deprecated and has been replaced by \"ops.cGroupOverrides.cpuAcctPath\""}
opensearch | at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) [opensearch-2.11.0.jar:2.11.0]
opensearch | [2023-11-02T17:35:36,695][ERROR][o.o.p.c.PerformanceAnalyzerController] [05a295b38cbe] java.nio.file.AccessDeniedException: /usr/share/opensearch/data/performance_analyzer_enabled.conf
opensearch | java.nio.file.AccessDeniedException: /usr/share/opensearch/data/performance_analyzer_enabled.conf
opensearch | at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-02T17:35:36Z","tags":["warning","config","deprecation"],"pid":1,"message":"\"opensearch.requestHeadersWhitelist\" is deprecated and has been replaced by \"opensearch.requestHeadersAllowlist\""}
opensearch-dashboards | [agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-02T17:35:36Z","tags":["info","plugins-system"],"pid":1,"message":"Setting up [50] plugins: [usageCollection,opensearchDashboardsUsageCollection,opensearchDashboardsLegacy,mapsLegacy,share,opensearchUiShared,legacyExport,embeddable,expressions,data,securityAnalyticsDashboards,home,apmOss,savedObjects,searchRelevanceDashboards,reportsDashboards,dashboard,mlCommonsDashboards,visualizations,visTypeVega,visTypeTimeline,visTypeTable,visTypeMarkdown,visBuilder,visAugmenter,anomalyDetectionDashboards,alertingDashboards,tileMap,regionMap,customImportMapDashboards,inputControlVis,ganttChartDashboards,visualize,queryWorkbenchDashboards,indexManagementDashboards,notificationsDashboards,management,indexPatternManagement,advancedSettings,console,dataExplorer,charts,visTypeVislib,visTypeTimeseries,visTypeTagcloud,visTypeMetric,observabilityDashboards,discover,savedObjectsManagement,bfetch]"}
opensearch | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
opensearch-dashboards | [agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
opensearch | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
opensearch-dashboards | [agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
opensearch | at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218) ~[?:?]
opensearch-dashboards | [agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
opensearch-dashboards | [agentkeepalive:deprecated] options.freeSocketKeepAliveTimeout is deprecated, please use options.freeSocketTimeout instead
...
opensearch | OpenSearchException[failed to bind service]; nested: AccessDeniedException[/usr/share/opensearch/data/nodes];
opensearch | Likely root cause: java.nio.file.AccessDeniedException: /usr/share/opensearch/data/nodes
opensearch | at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
opensearch | at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
opensearch | at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
opensearch | at java.base/sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:397)
opensearch | at java.base/java.nio.file.Files.createDirectory(Files.java:700)
opensearch | at java.base/java.nio.file.Files.createAndCheckIsDirectory(Files.java:807)
opensearch | at java.base/java.nio.file.Files.createDirectories(Files.java:793)
opensearch | at org.opensearch.env.NodeEnvironment.lambda$new$0(NodeEnvironment.java:325)
opensearch | at org.opensearch.env.NodeEnvironment$NodeLock.<init>(NodeEnvironment.java:262)
opensearch | at org.opensearch.env.NodeEnvironment.<init>(NodeEnvironment.java:323)
opensearch | at org.opensearch.node.Node.<init>(Node.java:525)
opensearch | at org.opensearch.node.Node.<init>(Node.java:407)
opensearch | at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
opensearch | at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
opensearch | at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
opensearch | at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
opensearch | at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
opensearch | at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
opensearch | at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
opensearch | at org.opensearch.cli.Command.main(Command.java:101)
opensearch | at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
opensearch | at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
opensearch | For complete error details, refer to the log at /usr/share/opensearch/logs/docker-cluster.log
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-03T10:10:44Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: connect ECONNREFUSED 172.19.0.2:9200"}
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-03T10:10:47Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: connect ECONNREFUSED 172.19.0.2:9200"}
opensearch-dashboards | {"type":"log","@timestamp":"2023-11-03T10:10:49Z","tags":["error","opensearch","data"],"pid":1,"message":"[ConnectionError]: connect ECONNREFUSED 172.19.0.2:9200"}