Problem installing opensearch on debian in lxc unprivileged container

sena · May 12, 2025, 5:17pm

Hi.
I am installing opensearch in lxc unprivileged container or Debian. I try to follow the instructions here.

When I try to start the systemd unit I get an error:

May 12 17:14:38 titan-opensearch systemd[1]: Starting opensearch.service - OpenSearch...
May 12 17:14:38 titan-opensearch (mkdir)[6301]: opensearch.service: Failed to set up mount namespacing: /run/systemd/unit-root/sys/fs/cgroup/cpu: No such file or directory
May 12 17:14:38 titan-opensearch (mkdir)[6301]: opensearch.service: Failed at step NAMESPACE spawning /bin/mkdir: No such file or directory
May 12 17:14:38 titan-opensearch systemd[1]: opensearch.service: Control process exited, code=exited, status=226/NAMESPACE
May 12 17:14:38 titan-opensearch systemd[1]: opensearch.service: Failed with result 'exit-code'.
May 12 17:14:38 titan-opensearch systemd[1]: Failed to start opensearch.service - OpenSearch

I am completely new to opensearch, but it looks like it tries to start another lxc inside that one. I probably do not need that, as I already doing it inside the container. How to disable that and allow opensearch to run normally? Or may be something I could do better?

sena · May 13, 2025, 4:59pm

Found solution.

mkdir /var/lib/opensearch-shm

systemctl edit opensearch

and add the following overrides:

[Service]
Environment="ES_TMPDIR=/var/lib/opensearch-shm"
# Disable namespace isolation and related mount protections
RestrictNamespaces=false
PrivateTmp=false
ProtectSystem=false
ProtectHome=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectKernelTunables=false
ProtectProc=noaccess
ProtectClock=false
ProtectHostname=false
ProtectKernelLogs=false
SystemCallFilter=
CapabilityBoundingSet=

# Avoid requiring access to missing cgroup paths in LXC
ReadOnlyPaths=

ExecStartPre=
ExecStartPre=/bin/mkdir -p /var/lib/opensearch-shm/performanceanalyzer
ExecStartPre=/bin/chown opensearch:opensearch /var/lib/opensearch-shm/performanceanalyzer
ReadWritePaths=/var/lib/opensearch-shm

May be it is too much, that needs to be tested, but it works.

Gsmitt · May 14, 2025, 3:32am

@sena

Have you tried to just install OpenSearch and OpenSearch Dashboard with APT? Shown here

Topic		Replies	Views
Deb install systemd service fails to start - Could not initialize class com.sun.jna.Native OpenSearch troubleshoot , install	1	1193	April 4, 2024
Systemd Service File for Opensearch tar Installation OpenSearch	1	2046	August 1, 2022
Opensearch.service: Main process exited, code=exited, status=1/FAILURE \| opensearch.service: Failed with result 'exit-code'. \|Failed to start OpenSearch Community	0	1830	May 21, 2024
Opensearch failing to start OpenSearch troubleshoot , install	4	6662	February 15, 2023
Docker and file system volmes OpenSearch troubleshoot , install	1	57	February 7, 2025

Problem installing opensearch on debian in lxc unprivileged container

Related topics