11

I've tried to start Elasticsearch and failed. I've checked the logs and got the following error:

[...][WARN ][o.e.b.JNANatives         ] unable to install syscall filter:
java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:342) ~[elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:617) ~[elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:258) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:113) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:111) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:195) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:342) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:132) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:123) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:70) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.6.9.jar:5.6.9]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.6.9.jar:5.6.9]

Why is this happening?

What can I do to handle it?

raven99

1 Answer

18

The reason this error occurs is that you did not set the following parameter in elasticsearch.yml:

bootstrap.system_call_filter: false

It means that you know that the seccomp security feature is offline.

This is leading to another question...

If the SecComp feature is offline, can I use the Elasticsearch security features? or not?

I've searched for an answer until I got one from Elasticsearch itself:

Disabling the bootstrap.system_call_filter does not have an effect in the rest of the stack. This check was meant to prevent scenarios when SecComp is silently not initialized yet configured to be initialized, i.e., to prevent that we start Elasticsearch under conditions not wanted by the OS admins.

Which means that all you need to do is set the configuration in elasticsearch.yml:

bootstrap.system_call_filter: false

And let your DevOps know that Elasticsearch works with a disabled SecComp.

danronmoon
raven99
  • 1
    Doesn't sound like this is an encouraged or recommended approach: They are *...installed to prevent the ability to execute system calls related to forking as a defense mechanism against arbitrary code execution attacks on Elasticsearch.* https://www.elastic.co/guide/en/elasticsearch/reference/master/_system_call_filter_check.html – user9074332 Jan 22 '19 at 03:48
  • 2
    That eliminates the symptom. It doesn't solve the problem of getting seccomp to work properly. – Ken Ingram May 24 '19 at 01:22
  • 1
    This is now deprecated, at least in es7.16 – radtek Mar 24 '22 at 23:37
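The answer above sets bootstrap.system_call_filter: false, and the comments point out that this removes the fork-related syscall protection rather than restoring it. Before taking that step it is worth confirming that the kernel really cannot provide seccomp, because the check only makes sense to disable when the warning is telling the truth. The script below is an added example, not code from the question, the answer or Elasticsearch itself. It reads a kernel build config (for example /boot/config-$(uname -r) or /proc/config.gz; these paths are assumptions about where the config lives) and the Seccomp: field of a /proc/<pid>/status file, and turns the two signals into a recommendation. All sample inputs used in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Before setting bootstrap.system_call_filter: false, confirm whether the
# kernel can support seccomp at all. Two signals are used:
#   1. the kernel build config (CONFIG_SECCOMP, CONFIG_SECCOMP_FILTER), e.g.
#      /boot/config-$(uname -r) or /proc/config.gz (assumed locations)
#   2. the "Seccomp:" field of a /proc/<pid>/status file
#      (0 = disabled, 1 = strict, 2 = filter)

# Print "yes" if both CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y appear in
# the kernel config file, otherwise "no". Gzipped configs are supported.
kernel_config_has_seccomp() {
    cfg="$1"
    case "$cfg" in
        *.gz) reader=zcat ;;
        *)    reader=cat ;;
    esac
    if "$reader" "$cfg" 2>/dev/null | grep -q '^CONFIG_SECCOMP=y$' &&
       "$reader" "$cfg" 2>/dev/null | grep -q '^CONFIG_SECCOMP_FILTER=y$'; then
        echo yes
    else
        echo no
    fi
}

# Print the numeric Seccomp mode from a /proc/<pid>/status file, or "unknown"
# when the field is absent (kernel built without seccomp, or too old).
proc_seccomp_mode() {
    awk -F'[: \t]+' '$1 == "Seccomp" { print $2; found = 1 }
                     END { if (!found) print "unknown" }' "$1"
}

# Combine both signals into a recommendation for elasticsearch.yml:
#   keep-filter        kernel supports seccomp; leave the default in place
#   investigate        config lacks seccomp but a process reports a seccomp
#                      mode, so the config file is probably not for the
#                      running kernel; do not disable the check yet
#   disable-with-risk  kernel really lacks seccomp; setting
#                      bootstrap.system_call_filter: false is the only way to
#                      start, and the fork-related syscall protection is lost
recommend_setting() {
    cfg="$1"; status="$2"
    if [ "$(kernel_config_has_seccomp "$cfg")" = yes ]; then
        echo keep-filter
        return
    fi
    case "$(proc_seccomp_mode "$status")" in
        1|2) echo investigate ;;
        *)   echo disable-with-risk ;;
    esac
}

# Run against the live system when two paths are given, e.g.
#   sh seccomp_check.sh /boot/config-"$(uname -r)" /proc/self/status
if [ $# -eq 2 ]; then
    recommend_setting "$1" "$2"
fi
```

Run it with the config of the running kernel and /proc/self/status; "keep-filter" means the warning in the question should not appear on this kernel and something else (such as a config file that belongs to a different kernel than the one booted) needs attention, while "disable-with-risk" is the case the answer covers, where the flag is the only way to start and the operators should know which protection they are giving up.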