app-misc/elasticsearch has long said the following when installed:

 * Please make sure you have proper permissions on /etc/elasticsearch
 * prior to keystore generation or you may experience startup fails.
 * chown root:elasticsearch /etc/elasticsearch && chmod 2750 /etc/elasticsearch
 * chown root:elasticsearch /etc/elasticsearch/elasticsearch.keystore && chmod 0660 /etc/elasticsearch/elasticsearch.keystore

However, with version 7.2.0, this no longer seems to be sufficient. Trying to start it after upgrading, I got this error:

Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: org.elasticsearch.cli.UserException: unable to create temporary keystore at [/etc/elasticsearch/elasticsearch.keystore.tmp], please check filesystem permissions
Likely root cause: java.nio.file.AccessDeniedException: /etc/elasticsearch/elasticsearch.keystore.tmp
    at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
    at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
    at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
    at java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:434)
    at java.nio.file.Files.newOutputStream(Files.java:216)
    at org.apache.lucene.store.FSDirectory$FSIndexOutput.<init>(FSDirectory.java:411)
    at org.apache.lucene.store.FSDirectory$FSIndexOutput.<init>(FSDirectory.java:407)
    at org.apache.lucene.store.FSDirectory.createOutput(FSDirectory.java:255)
    at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:462)
    at org.elasticsearch.common.settings.KeyStoreWrapper.upgrade(KeyStoreWrapper.java:274)
    at org.elasticsearch.bootstrap.Bootstrap.loadSecureSettings(Bootstrap.java:246)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:305)
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159)
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150)
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
    at org.elasticsearch.cli.Command.main(Command.java:90)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92)
Refer to the log for complete error details.

Which makes sense; with those permissions, it cannot create /etc/elasticsearch/elasticsearch.keystore.tmp. After opening up write permissions by doing

    chmod 2770 /etc/elasticsearch

instead, it now starts, but I haven't looked at the security implications of doing so.
Yes, the workaround is to set:

    chmod 2770 /etc/elasticsearch

And then revert back after the keystore is generated. I'll check what changed and update the info, thanks for the report.
Do you have x-pack installed?
Seems like in some cases it does a keystore upgrade, so I'll add that call (under root) to the init scripts and hopefully it will help. It's included in the rpm/deb version too. From which version were you upgrading to 7.2.0 by the way?
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e4a23a801b0236689bc4663b8d5712a29422791

commit 1e4a23a801b0236689bc4663b8d5712a29422791
Author:     Tomas Mozes <hydrapolic@gmail.com>
AuthorDate: 2019-07-30 22:13:50 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2019-07-31 00:49:21 +0000

    app-misc/elasticsearch: bump to 7.2.1

    Closes: https://bugs.gentoo.org/689394
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/12584
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-misc/elasticsearch/Manifest                   |  2 +
 app-misc/elasticsearch/elasticsearch-7.2.1.ebuild | 86 +++++++++++++++++++++++
 app-misc/elasticsearch/files/elasticsearch.init.7 | 71 +++++++++++++++++++
 3 files changed, 159 insertions(+)
I was upgrading from 7.0.0, and do not have x-pack installed.
Thanks for the info, it should be fixed in 7.2.1. If it happens again please re-open.
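Added example, not part of the bug thread or of the Gentoo ebuild: a small audit of the permission layout discussed above, which flags a config directory still left group-writable by the chmod 2770 workaround and any access granted to "other". The function names and return codes are assumptions of this example; the default path is the one from the ebuild message.

```shell
#!/bin/sh
# Added example: audit the /etc/elasticsearch permission layout from this thread.
# Function names and return codes are assumptions made for this example.

# Print the 10-character symbolic mode (e.g. drwxr-s---) of a path, portably.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return codes:
#   0  group cannot create files in the directory (the 2750 layout)
#   1  directory is group-writable (2770 workaround still in place)
#   2  directory or keystore grants some access to "other"
#   3  directory missing
audit_es_conf() {
    dir=${1:-/etc/elasticsearch}
    ks="$dir/elasticsearch.keystore"
    [ -d "$dir" ] || { echo "missing: $dir"; return 3; }

    dmode=$(mode_of "$dir")
    echo "dir      $dmode $dir"
    case $dmode in
        d??????--[-T]) ;;   # positions 8-10: no r/w/x for other
        *) echo "FAIL: other has access to $dir"; return 2 ;;
    esac

    if [ -e "$ks" ]; then
        kmode=$(mode_of "$ks")
        echo "keystore $kmode $ks"
        case $kmode in
            ???????---) ;;
            *) echo "FAIL: other has access to $ks"; return 2 ;;
        esac
    fi

    case $dmode in
        d????w*)            # position 6: group write bit on the directory
            echo "WARN: group can create files in $dir; revert to 2750 once the keystore is written"
            return 1 ;;
    esac
    echo "OK: group cannot create files in $dir (elasticsearch.keystore.tmp cannot be created by the group)"
    return 0
}
```

Run `audit_es_conf` with no argument to check /etc/elasticsearch, or pass another directory to check a copy of the layout.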