Comments (10)
@Analect Great to hear that the image is (mostly!) working out for you, here are a few suggestions that may help.
Volumes and permissions
The VOLUME
directive just makes the directory persistent across restarts (/var/lib/elasticsearch
is where Elasticsearch stores its data), and if you want to map it to a directory on your host, then the way you went about binding volumes is the right one.
The most likely reason it's failing is indeed because of permissions… and this is where it gets a tad ugly (see here for Docker permission-related nightmares).
The Elasticsearch process in the container runs as the elasticsearch
user (with UID 103, belonging to group elasticsearch
, GID 107), so that user or group must be allowed to write to /home/mccoole/Development/Tools/data/elastic/data
($HOST_DIR
hereafter for the sake of readability).
Here are three options that should work (in increasing order of cleanliness… and complexity):
- Do a
chmod a+w
on$HOST_DIR
. Quick, but dirty and insecure. - Do a
chgrp 107
(107 iselasticsearch
's GID in the image) and achmod g+w
on$HOST_DIR
. Slightly better, but hardly portable ifelasticsearch
's GID changes in a future version of the image, and still not secure if 107 corresponds to an "untrusted" GID on your host. - Do a
chmod g+w
on$HOST_DIR
, and rework the launch script (start.sh
) in the image to dynamically addelasticsearch
to$HOST_DIR
owner group when the container is started. See here for details on how to do that.
Logstash config file(s)
You want to put config files for Logstash in /etc/logstash/conf.d
(here's where the default ones get added to the image in the Dockerfile
). They'll be loaded in alphabetical order when Logstash is started, as per the options that are passed to logstash
.
tl;dr – logstash
's use of the -f
option in /etc/init.d/logstash
is how the config files' location is declared.
What you did for Kafka in your Dockerfile looks fine to me, not sure what issue you're having there.
Referencing another container in Docker Compose
I assume that you have entry like this in your docker-compose.yml
file:
zk:
- ...
You need to add a links
directive pointing to zk
to your elk
entry:
elk:
...
links:
- zk
In your configuration file, instead of the ZooKeeper container's IP address, you can now use the hostname zk
:
zk_connect => "zk:2181"
Bonus: Logstash web interface
Had added it to the image, but later realised – just as you did – that I shouldn't have so ended up removing it.
Let me know how it goes.
from elk-docker.
No news is good news? Closing, but feel free to reopen if needed.
from elk-docker.
@spujadas
Sorry for the delayed feedback.
I have to admit, the whole permissioning around attached volumes is something I haven't been able to properly resolve. Part of the reason I'm mounting back to the host is to be able to drop in new elasticsearch databases, but often elasticsearch isn't then able to open up these on a container restart. I worked through your suggestions above ...
... but the only 'fix' that has worked for me is to 'chown -R elasticsearch:elasticsearch' the /var/lib/elasticsearch folder in the container. This seems to somehow resolve problems with elasticsearch failing to start. I note from the dockerfile (linked below) in the docker-elasticsearch repo that this is what they seem to do.
https://github.com/airdock-io/docker-elasticsearch/blob/master/Dockerfile
As regards the zk container references within the logstash config file, I've been able to integrate that into the compose file, so thanks for your guidance on that.
Next big step will be getting everything working under ver 2.0 of ES!
from elk-docker.
Thanks for the feedback. I've had quite a few headaches of my own with both volume mounting and permissions, and have yet to find a way to make everything work consistently. 😕
Anyway, good to hear that you found a solution that works out for you.
/var/lib/elasticsearch
is actually chown
ed to elasticsearch:elasticsearch
in the image when Elasticsearch is installed, but this gets overridden when a volume is mounted, so what you're saying is if you re-chown
it after it's mounted then it works… which makes sense, even though having to do this by in the container each time is hardly user-friendly: I'll do a few tests to see if I can put a chown
in the start.sh
script to automate this in the container without breaking permissions on the host.
And yeah, I also definitely need to get cracking on ES 2 and Logstash 2 RCs and betas!
from elk-docker.
I'm finding when running docker on OSX that even chown'ing the directory isn't then allowing me to restart the service and have it run correctly. I am mounting a local dir into the contain in my docker compose file. It seems i can run the chown command over and over and keep getting:
changed ownership of '/var/lib/elasticsearch/elasticsearch/' from 1000:staff to elasticsearch:elasticsearch
from elk-docker.
@LoungeFlyZ Disclaimer: haven't got an OS X handy and not familiar with the intricacies of HFS+, so I'll do my best for this one.
First of all some questions for the purposes of situational awareness.
Have you tried the three options from my original comment (#7 (comment))?
What are the permissions on the directory you're mounting?
What user are your running docker under?
When chown
ing from inside the container and getting changed ownership…
, what permissions are showing up on /var/lib/elasticsearch
?
(By the way couldn't help but notice that you have two elasticsearch/
s in /var/lib/elasticsearch/elasticsearch/
in your message – would have expected only one.)
Also, could you post your docker-compose.yml
?
from elk-docker.
@spujadas, thanks for replying. I didn't try the first two as those would mean our team need to do setup steps on each machine when they want to spin up our project.
Permissions on the directory on the host: drwxr-xr-x 4 Chris staff
Docker is running on VirtualBox with boot2docker VM.
When chown'ing the permissions on the dir in the container dont change from 1000 staff no matter how many times i run it.
Sorry about the dir path typo. I can confirm this is the same for the /var/lib/elasticsearch.
Here is the docker compose config i was using at the time:
elk: image: sebp/elk ports: - "5601:5601" - "9200:9200" - "5044:5044" - "5000:5000" volumes: - ./tmp/elasticsearch:/var/lib/elasticsearch
I gave up and moved to mounting a volume from a data container using volumes_from and its working well. From what i read this isn't a problem with your image but an issue many are facing with docker volumes in general. I don't see how you could solve it other than moving to running the app as root or a user that is shared between container and host.
from elk-docker.
Unfortunately, you're right: a) there's indeed not much I can do about it, and b) it's a general issue with Docker volumes, which are (still…) a bit of a nightmare. 😕
So indeed if you can't change the permissions of the volumes on your host to match the ones in the container (which admittedly isn't practical), then your volumes_from
approach sounds like the best plan B!
from elk-docker.
I was facing a similar issue as @Analect's OP, where the elasticsearch service couldn't start because of volume permissions with /var/lib/elasticsearch
being unable to write to a mounted VirtualBox shared folder:
curl: (7) Failed to connect to localhost port 9200: Connection refused
elk_1 |
elk_1 | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:285)
elk_1 | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
elk_1 | Caused by: java.nio.file.AccessDeniedException: /var/lib/elasticsearch
elk_1 | at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
elk_1 | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
elk_1 | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
elk_1 | at sun.nio.fs.UnixFileSystemProvider.checkAccess(UnixFileSystemProvider.java:308)
elk_1 | at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:333)
elk_1 | at org.elasticsearch.bootstrap.Security.addPath(Security.java:314)
elk_1 | ... 7 more
elk_1 | [2016-02-16 20:36:01,782][ERROR][bootstrap ] Exception
elk_1 | java.lang.IllegalStateException: Unable to access 'path.data' (/var/lib/elasticsearch)
elk_1 | at org.elasticsearch.bootstrap.Security.addPath(Security.java:316)
elk_1 | at org.elasticsearch.bootstrap.Security.addFilePermissions(Security.java:256)
elk_1 | at org.elasticsearch.bootstrap.Security.createPermissions(Security.java:212)
elk_1 | at org.elasticsearch.bootstrap.Security.configure(Security.java:118)
elk_1 | at org.elasticsearch.bootstrap.Bootstrap.setupSecurity(Bootstrap.java:196)
elk_1 | at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:167)
elk_1 | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:285)
elk_1 | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:35)
elk_1 | Caused by: java.nio.file.AccessDeniedException: /var/lib/elasticsearch
elk_1 | at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
elk_1 | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
elk_1 | at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
elk_1 | at sun.nio.fs.UnixFileSystemProvider.checkAccess(UnixFileSystemProvider.java:308)
elk_1 | at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:333)
elk_1 | at org.elasticsearch.bootstrap.Security.addPath(Security.java:314)
My setup is a Windows 7 host running VirtualBox with an Ubuntu 14.04 guest with Docker running inside Ubuntu. My Ubuntu VM was running out of disk space when I allowed elasticsearch to store it's data there, which is why I was wanting to store it outside Ubuntu in a VirtualBox shared folder instead, where my Windows host has plenty of disk space.
Here's my docker-compose.yml
:
elk:
build: .
ports:
- "5601:5601"
- "9200:9200"
- "5000:5000"
- "5044:5044"
volumes:
# this is the mounted Vbox share folder
- /media/sf_Desktop/elastic_data:/var/lib/elasticsearch
The problem was that the ownership of the VirtualBox shared folder is root:vboxsf
. So on my Ubuntu VM, I ran vim /etc/group
to learn that the GID of the vboxsf
group was 999. Then I ran docker exec -it [elk_container_id] bash
and then vim /etc/group
to see if there was an existing group already using GID 999. It turned out that the logstash
and kibana
groups created by the Dockerfile were being assigned GIDs of 998 and 999, respectively. So I made the following changes to the Dockerfile to manually assign those groups different GIDs:
&& groupadd -r logstash -g 997 \
&& groupadd -r kibana -g 998 \
Then I created a "fake" vboxsf
group and assigned it the GID of 999, so it would match the real vboxsf
outside of the docker container in Ubuntu world. And then I added the elasticsearch
user to this newly created vboxsf
group.
RUN groupadd -r vboxsf -g 999 \
&& usermod -aG vboxsf elasticsearch
Now the elasticsearch
user can write to the mounted VirtualBox share folder /media/sf_Desktop/elastic_data
.
I realize this kind of group GID hardcoding is a hacky workaround and that the GID of the vboxsf
group in Ubuntu can possibly change, rendering a GID mismatch between the docker container's vboxsf
group and Ubuntu's vboxsf
group, but I'll cross that bridge when I come to it. :)
from elk-docker.
Thanks for sharing that, @wesleymusgrove
From what your experience and what I've read here and there, it would seem that "Docker volume permissions" and "hacky" often go hand in hand! 😄
from elk-docker.
Related Issues (20)
- Can't get Elk started HOT 7
- cannot add login page to kibana HOT 1
- How to use environment variable in 30-output.conf file HOT 2
- ELK fails to start on MAC M1 HOT 8
- Setting up APM question HOT 4
- Question: user authentication for https HOT 1
- Error in Security section HOT 1
- Issues installing on TrueNAS Scale HOT 1
- Update ELK to latest version (currently 8.3.3) HOT 4
- Issues running on AWS Fargate HOT 2
- Add sample docker-compose.yml with persistance + traefik configuration HOT 1
- example using image never starts as elasticsearch doesn't start HOT 1
- Kibana refuses connection, nothing in logs HOT 2
- filebeat x509 certificate signed by unknown authority when calling api endpoint HOT 1
- Kibana enrollement token
- Update ELK to 8.9.0 HOT 1
- Kibana 8.11.1 Security Update (ESA-2023-25) HOT 1
- want to move data from this running stack to another machine (arm64-amd64) how to
- how to disable the features that require a licence.
- Please update to 8.13.2 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from elk-docker.