Why is it ElasticSearch is not allowed to run as r

Posted 2019-08-19 16:31

Question:

I'm deploying ElasticSearch inside of a Docker container, which usually runs processes as a root user. I get

"org.elasticsearch.bootstrap.StartupError: java.lang.RuntimeException: cannot run elasticsearch as root"

error when trying to start ElasticSearch.

What's the reason ElasticSearch can't run as root?

Inside of the docker container, things are isolated and root processes are considered safe. I may be able to configure my image to run as non-root but it requires lots of heavy lifting and is an anti-pattern to our deployment model.

I have also tried without a docker container but got the following error.

./elasticsearch

Exception in thread "main" java.lang.RuntimeException: don't run elasticsearch as root.
    at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:93)
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:144)
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:270)
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)

Refer to the log for complete error details.

Answer 1:

This has been discussed a few times already. Quoting from the Elastic maintained Docker images:

Elasticsearch has checks that will not allow running it as root. This has been discussed in https://discuss.elastic.co/t/why-is-it-elasticsearch-is-not-allowed-to-run-as-root/60413/2 and running processes as root inside a docker container is not a best practice. You can see some reasons in the aforementioned discussion, in https://forums.docker.com/t/root-user-or-non-root-user-inside-container/966/10, http://blog.dscpl.com.au/2015/12/don-run-as-root-inside-of-docker.html and other places. The risks are especially profound for containers like Elasticsearch where users frequently bind mount host directories with write access.

PS: In case you don't want to build your own images, there are officially maintained ones: https://www.docker.elastic.co