Bug 634772 - =app-misc/elasticsearch-5.6.2 fails to start with systemd
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Tomáš Mózes
Reported: 2017-10-19 12:55 UTC by mattiaskarlsson4
Modified: 2017-11-05 15:59 UTC

Attachments
Patch to fix systemd issues (es-5.6.2.patch,1.90 KB, patch)
2017-10-19 12:55 UTC, mattiaskarlsson4
Description mattiaskarlsson4 2017-10-19 12:55:05 UTC
Created attachment 499278
Patch to fix systemd issues

elasticsearch.service does not set the correct ownership for directories needed at runtime. 

Provided patch fixes the issue
Comment 1 mattiaskarlsson4 2017-10-19 12:56:32 UTC
Portage 2.3.8 (python 3.4.5-final-0, default/linux/amd64/13.0/desktop/gnome/systemd, gcc-5.4.0, glibc-2.23-r4, 4.12.12-gentoo x86_64)
=================================================================
System uname: Linux-4.12.12-gentoo-x86_64-Intel-R-_Core-TM-_i5-4670K_CPU_@_3.40GHz-with-gentoo-2.4.1
KiB Mem:     8102060 total,    562252 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Wed, 18 Oct 2017 19:30:01 +0000
Head commit of repository gentoo: 7add6e3e67c9f6c84a80884bae529399c5274964
Head commit of repository science: f5fa3d050a6ae98a14266167c00241f7208c8452

sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28.1 p1.0) 2.28.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.3::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.8.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.4.1-r2::gentoo
sys-apps/openrc:          0.32.1::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.28.1::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r4::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

science
    location: /usr/local/overlay/science
    sync-type: git
    sync-uri: https://github.com/gentoo/sci
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -fomit-frame-pointer -ftree-vectorize"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/chromium/policies/managed/chrome-gnome-shell.json /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/opt/chrome/policies/managed/chrome-gnome-shell.json /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -fomit-frame-pointer -ftree-vectorize"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--load-average 3.5 --jobs 3"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="ftp://trumpetti.atm.tut.fi/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ rsync://trumpetti.atm.tut.fi/gentoo/ ftp://ftp.free.fr/mirrors/ftp.gentoo.org/ http://mirror.mdfnet.se/gentoo ftp://mirror.mdfnet.se/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 bash-completion berkdb branding bzip2 cairo cdda cli colord cracklib crypt cups cxx dbus dri dts eds emboss encode evo exif fam firefox flac fontconfig fortran gdbm gif glamor gnome gnome-keyring gnome-online-accounts gpm gstreamer gtk iconv infinality introspection ipv6 jpeg lcms ldap libnotify libsecret mad mng modules mp3 mp4 mpeg multilib nautilus ncurses nls nptl offensive ogg opengl openmp pam pango pcre pdf png policykit ppds pulseaudio readline sdl seccomp session spell ssl startup-notification svg systemd tcpd tiff tracker truetype udev udisks unicode upower usb vorbis wxwidgets x264 xattr xcb xml xv xvid zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses 
text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby22" USERLAND="GNU" VIDEO_CARDS="amdgpu radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 2 Richard Nespithal (rndevfx) 2017-10-21 06:04:36 UTC
And the other default settings (not only default.path.home) in elasticsearch.service will be removed, too: https://www.elastic.co/guide/en/elasticsearch/reference/5.4/breaking-changes-5.4.html
Comment 3 Tomáš Mózes 2017-10-25 14:48:17 UTC
Thanks, added fowners/fperms to https://github.com/gentoo/gentoo/pull/6048.

I suppose that the additions to elasticsearch-systemd-pre-exec are not needed then.

Why do you need PermissionsStartOnly=true?
"Takes a boolean argument. If true, the permission-related execution options, as configured with User= and similar options (see systemd.exec(5) for more information), are only applied to the process started with ExecStart=, and not to the various other ExecStartPre=, ExecStartPost=, ExecReload=, ExecStop=, and ExecStopPost= commands. If false, the setting is applied to all configured commands the same way. Defaults to false."

Why do you set ExecStartPre=-/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec?
"If the executable path is prefixed with "-", an exit code of the command normally considered a failure (i.e. non-zero exit status or abnormal exit due to signal) is ignored and considered success."

In the next release I'll swap -EDefault.path.x with -Epath.x. Thanks for noticing.
Comment 4 mattiaskarlsson4 2017-10-25 18:43:29 UTC
Adding /run/elastic in the ebuild gave me a QA warning about not creating runtime directories as part of the installation. Instead it's created in ExecPreStart.

PermissionsStartOnly=true is needed because elasticsearch:elasticsearch is not allowed to create /run/elasticsearch, and by setting it to true, privs are dropped to elasticsearch:elasticsearch after ExecPreStart.

It's not needed if you disregard the QA warning and create the needed runtime directories as part of the install.
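
The effect of the two settings asked about in comment 3 and explained in comment 4, as an added example that is not part of this bug thread or the attached patch: a small audit that reports which account each Exec* line runs as and whether its failure is ignored. The sample unit text and the ExecStart path are constructed for illustration, and "root" assumes a system unit started by the system service manager.

```python
# Added example: which account each Exec* line of a unit runs as.
# SAMPLE_UNIT is constructed from the settings discussed in this bug; it is
# not the unit file from the ebuild or from the attached patch.
SAMPLE_UNIT = """\
[Service]
User=elasticsearch
Group=elasticsearch
PermissionsStartOnly=true
ExecStartPre=-/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec
ExecStart=/usr/share/elasticsearch/bin/elasticsearch
"""

EXEC_KEYS = {"ExecStartPre", "ExecStart", "ExecStartPost",
             "ExecReload", "ExecStop", "ExecStopPost"}


def parse_service(text):
    """Collect plain settings and Exec* lines from the [Service] section."""
    settings, commands, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key not in EXEC_KEYS:
                settings[key] = value
            elif value:
                commands.append((key, value))
            else:  # an empty assignment resets the list for that key
                commands = [c for c in commands if c[0] != key]
    return settings, commands


def audit(text):
    """Return (directive, command, run_as, failure_ignored) per Exec* line."""
    settings, commands = parse_service(text)
    user = settings.get("User", "root")
    start_only = settings.get("PermissionsStartOnly", "no").lower() in (
        "1", "yes", "true", "on")
    rows = []
    for key, value in commands:
        flags = value[:len(value) - len(value.lstrip("-@+"))]
        # User= is skipped for "+" lines, and for every non-ExecStart
        # line when PermissionsStartOnly is true.
        privileged = "+" in flags or (start_only and key != "ExecStart")
        rows.append((key, value.lstrip("-@+"),
                     "root" if privileged else user, "-" in flags))
    return rows
```

On the sample, the pre-exec script is reported as running as root with its exit status ignored, while the main process runs as elasticsearch; removing PermissionsStartOnly=true makes both run as elasticsearch.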
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-10-25 19:09:58 UTC
(In reply to mattiaskarlsson4 from comment #4)
> Adding /run/elastic in the ebuild gave me a QA warning about not creating
> runtime 
> directories as part of the installation. Instead it's created in
> ExecPreStart.

That's wrong, see below.

> It's not needed if you disregard the qa warning and create the needed
> runtime directories in as part of the install.

...and it will get removed on next reboot.

You are supposed to install a tmpfiles.d file for it, and use tmpfiles.eclass to instantiate it in pkg_postinst.
Comment 6 Tomáš Mózes 2017-10-26 05:58:04 UTC
That is strange. I thought this takes care of /run/elasticsearch for systemd:
https://github.com/gentoo/gentoo/blob/master/app-misc/elasticsearch/files/elasticsearch.tmpfiles.d

I'm aware that /var/{lib,log}/elasticsearch was only writable when running with openrc since the ebuild does not set the correct permissions. That should be fixed by the PR.
Comment 7 Tomáš Mózes 2017-11-05 15:59:47 UTC
Should be fixed in 5.6.3-r1.