Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to run wazuh index as rootless container #933

Open
narenarora opened this issue Aug 11, 2023 · 1 comment
Open

Unable to run wazuh index as rootless container #933

narenarora opened this issue Aug 11, 2023 · 1 comment

Comments

@narenarora
Copy link

I am trying to run the wazuh docker containers in a rootless docker setup.
The first hurdle I've run into is with the index container.

[2023-08-11T03:28:10,528][ERROR][o.o.b.OpenSearchUncaughtExceptionHandler] [wazuh.indexer] uncaught exception in thread [main]
org.opensearch.bootstrap.StartupException: OpenSearchException[failed to bind service]; nested: AccessDeniedException[/var/lib/wazuh-indexer/nodes];
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:184) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138) ~[opensearch-cli-2.6.0.jar:2.6.0]
        at org.opensearch.cli.Command.main(Command.java:101) ~[opensearch-cli-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103) ~[opensearch-2.6.0.jar:2.6.0]
Caused by: org.opensearch.OpenSearchException: failed to bind service
        at org.opensearch.node.Node.<init>(Node.java:1124) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.node.Node.<init>(Node.java:361) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-2.6.0.jar:2.6.0]
        ... 6 more
Caused by: java.nio.file.AccessDeniedException: /var/lib/wazuh-indexer/nodes
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
        at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:397) ~[?:?]
        at java.nio.file.Files.createDirectory(Files.java:700) ~[?:?]
        at java.nio.file.Files.createAndCheckIsDirectory(Files.java:807) ~[?:?]
        at java.nio.file.Files.createDirectories(Files.java:793) ~[?:?]
        at org.opensearch.env.NodeEnvironment.lambda$new$0(NodeEnvironment.java:313) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.env.NodeEnvironment$NodeLock.<init>(NodeEnvironment.java:251) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.env.NodeEnvironment.<init>(NodeEnvironment.java:311) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.node.Node.<init>(Node.java:464) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.node.Node.<init>(Node.java:361) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404) ~[opensearch-2.6.0.jar:2.6.0]
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180) ~[opensearch-2.6.0.jar:2.6.0]
        ... 6 more
uncaught exception in thread [main]
OpenSearchException[failed to bind service]; nested: AccessDeniedException[/var/lib/wazuh-indexer/nodes];
Likely root cause: java.nio.file.AccessDeniedException: /var/lib/wazuh-indexer/nodes
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
        at java.base/sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:397)
        at java.base/java.nio.file.Files.createDirectory(Files.java:700)
        at java.base/java.nio.file.Files.createAndCheckIsDirectory(Files.java:807)
        at java.base/java.nio.file.Files.createDirectories(Files.java:793)
        at org.opensearch.env.NodeEnvironment.lambda$new$0(NodeEnvironment.java:313)
        at org.opensearch.env.NodeEnvironment$NodeLock.<init>(NodeEnvironment.java:251)
        at org.opensearch.env.NodeEnvironment.<init>(NodeEnvironment.java:311)
        at org.opensearch.node.Node.<init>(Node.java:464)
        at org.opensearch.node.Node.<init>(Node.java:361)
        at org.opensearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:242)
        at org.opensearch.bootstrap.Bootstrap.setup(Bootstrap.java:242)
        at org.opensearch.bootstrap.Bootstrap.init(Bootstrap.java:404)
        at org.opensearch.bootstrap.OpenSearch.init(OpenSearch.java:180)
        at org.opensearch.bootstrap.OpenSearch.execute(OpenSearch.java:171)
        at org.opensearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:104)
        at org.opensearch.cli.Command.mainWithoutErrorHandling(Command.java:138)
        at org.opensearch.cli.Command.main(Command.java:101)
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:137)
        at org.opensearch.bootstrap.OpenSearch.main(OpenSearch.java:103)
For complete error details, refer to the log at /var/log/wazuh-indexer/opensearch.log

When I login to the container, I see the user is wazuh-indexer, but the dir /var/lib/wazuh-indexer/ is still owned by root, even though the mapped dir on the host is owned by uid 1000.

$ id
uid=1000(wazuh-indexer) gid=1000(wazuh-indexer) groups=1000(wazuh-indexer)
$ cd /var/lib/wazuh-indexer
$ ls -ltr
total 0
$ ls -ld .
drwxr-xr-x 2 root root 4096 Aug 11 02:32 .

Can someone help me fix this ?

My Setup :
Debian GNU/Linux 12 (bookworm)
Docker version 24.0.5
docker info -

Client: Docker Engine - Community
 Version:    24.0.5
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.20.2
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 10
  Running: 10
  Paused: 0
  Stopped: 0
 Images: 12
 Server Version: 24.0.5
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: false
  userxattr: true
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns
 Kernel Version: 6.1.0-10-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 4
 Total Memory: 15.5GiB
 Name: hpsrv1
 ID: ad9d8ed9-d150-48b4-81fe-6f8bffd494c0
 Docker Root Dir: /data/docker_r_overlay
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No cpuset support
WARNING: No io.weight support
WARNING: No io.weight (per device) support
WARNING: No io.max (rbps) support
WARNING: No io.max (wbps) support
WARNING: No io.max (riops) support
WARNING: No io.max (wiops) support

Do let me know if any more information is needed. Thank you!
@schneich
Copy link

I am facing the same issue. Was anybody able to solve this? How?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@schneich @narenarora