SonarQube lts-community custom Docker on ECS/Fargate tries to run elasticsearch as root and fails

Any suggestions/alternatives on what else I can try?

Error Log sequence:

INFO app[][o.s.a.AppFileSystem] Cleaning or creating temp directory /opt/sonarqube/temp

INFO app[][o.s.a.es.EsSettings] Elasticsearch listening on [HTTP: 127.0.0.1:9001, TCP: 127.0.0.1:44711]

INFO app[][o.s.a.ProcessLauncherImpl] Launch process[ELASTICSEARCH] from [/opt/sonarqube/elasticsearch]: /opt/java/openjdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.script=./bin/elasticsearch -Dcli.libs=lib/tools/server-cli -Des.path.home=/opt/sonarqube/elasticsearch -Des.path.conf=/opt/sonarqube/temp/conf/es -Des.distribution.type=tar -cp /opt/sonarqube/elasticsearch/lib/*:/opt/sonarqube/elasticsearch/lib/cli-launcher/* org.elasticsearch.launcher.CliToolLauncher

INFO app[][o.s.a.SchedulerImpl] Waiting for Elasticsearch to be up and running

ERROR es[][o.e.b.Elasticsearch] fatal exception while booting Elasticsearch

java.lang.RuntimeException: can not run elasticsearch as root

at org.elasticsearch.bootstrap.Elasticsearch.initializeNatives(Elasticsearch.java:282) ~[elasticsearch-8.11.0.jar:?]

at org.elasticsearch.bootstrap.Elasticsearch.initPhase2(Elasticsearch.java:167) ~[elasticsearch-8.11.0.jar:?]

at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:72) ~[elasticsearch-8.11.0.jar:?]

ERROR: Elasticsearch did not exit normally - check the logs at /opt/sonarqube/logs/sonarqube.log

ERROR: Elasticsearch exited unexpectedly, with exit code 1

WARN app[][o.s.a.p.AbstractManagedProcess] Process exited with exit value [ElasticSearch]: 1

INFO app[][o.s.a.SchedulerImpl] Process[ElasticSearch] is stopped

INFO app[][o.s.a.SchedulerImpl] SonarQube is stopped

Hi,

Welcome to the community!

What happens if you use the official image and follow the docs?

 
Ann

Hello Ann,

Thanks for your reply. My initial attempts were with the official image, which led me to search for an alternative; hence I stumbled upon this old thread, "SonarQube 9.1 Developer Edition Docker on ECS/Fargate tries to run elasticsearch as root (& fails)". Official image usage leads to the same error, that I can not run elasticsearch as root.

Hi,

How are you starting your image? Is it, per the docs, with the SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true argument?

 
Ann

Hello,

I am deploying it to Fargate. More specifically, I tried using the Dsonar.es.bootstrap.checks.disable=true command within the container definition for Fargate, but again no luck; I keep getting the same exception for elasticsearch.

Here are the container definition settings:

"containerDefinitions": [
        {
            "name": "sonarqube",
            "image": "sonarqube:lts-community",

            "essential": true,
            "command": [
                "-Dsonar.es.bootstrap.checks.disable=true"
            ],
            "environment": [
                {
                    "name": "SONARQUBE_JDBC_PASSWORD",
                    "value": "..."
                },
                {
                    "name": "SONARQUBE_JDBC_URL",
                    "value": "..."
                },
                {
                    "name": "SONARQUBE_JDBC_USERNAME",
                    "value": "..."
                }
            ],
           ....
    ],

and here are the failing logs once again:

org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:173) ~[elasticsearch-7.17.15.jar:7.17.15]	sonarqube
org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:160) ~[elasticsearch-7.17.15.jar:7.17.15]	sonarqube
org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:77) ~[elasticsearch-7.17.15.jar:7.17.15]	sonarqube
 org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) ~[elasticsearch-cli-7.17.15.jar:7.17.15]	sonarqube
org.elasticsearch.cli.Command.main(Command.java:77) ~[elasticsearch-cli-7.17.15.jar:7.17.15]	a9735dabc41f4c7982f1779a170d51b1	sonarqube
org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:125) ~[elasticsearch-7.17.15.jar:7.17.15]	sonarqube
org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:80) ~[elasticsearch-7.17.15.jar:7.17.15]	sonarqube
	**Caused by: java.lang.RuntimeException: can not run elasticsearch as root**	sonarqube
INFO app[][o.s.a.SchedulerImpl] Waiting for Elasticsearch to be up and running	sonarqube
INFO app[][o.s.a.ProcessLauncherImpl] Launch process[ELASTICSEARCH] from [/opt/sonarqube/elasticsearch]: /opt/sonarqube/elasticsearch/bin/elasticsearch	sonarqube
INFO app[][o.s.a.es.EsSettings] Elasticsearch listening on [HTTP: 127.0.0.1:9001, TCP: 127.0.0.1:34347]	sonarqube
INFO app[][o.s.a.AppFileSystem] Cleaning or creating temp directory /opt/sonarqube/temp

Hi,

I’m not sure why you tried that as a command, rather than as an environment variable, but… okay.

Have you tried doing this as a non-root user? It does seem to be best practice.

 
Ann

Turns out that the default ECS Fargate configurations are using a “user”:0 which was probably the admin one even though the lts-community image sets a USER sonarqube. When I configured the “user”:“sonarqube” in ECS container definitions everything worked.

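As an added example (not part of the thread, and not SonarQube or AWS code), a pre-deployment check for the fix described in the last post: it reads the `user` field of each ECS container definition and flags containers that would start as root. The task definition and the container names in it are constructed for illustration.

```python
import json

# Constructed task-definition fragment modelled on the thread: one container
# with the failing "user": "0", one with the working "user": "sonarqube",
# and one with no user override at all.
TASK_DEF = json.loads("""
{
  "containerDefinitions": [
    {"name": "sonarqube-before", "image": "sonarqube:lts-community", "user": "0"},
    {"name": "sonarqube-after",  "image": "sonarqube:lts-community", "user": "sonarqube"},
    {"name": "sonarqube-unset",  "image": "sonarqube:lts-community"}
  ]
}
""")


def classify_user(value):
    """Return 'root', 'non-root' or 'unset' for a containerDefinition user value.

    ECS accepts user, user:group, uid, uid:gid, user:gid and uid:group;
    only the part before ':' decides which user owns the process.
    """
    if value is None or str(value).strip() == "":
        return "unset"  # no override in the task definition
    owner = str(value).strip().split(":", 1)[0]
    if owner == "root" or (owner.isdigit() and int(owner) == 0):
        return "root"
    return "non-root"


def audit(task_def):
    """Map container name -> classification for every container in the task."""
    return {c["name"]: classify_user(c.get("user"))
            for c in task_def.get("containerDefinitions", [])}


def root_containers(task_def):
    """Names of containers that Elasticsearch would refuse to start in."""
    return sorted(n for n, s in audit(task_def).items() if s == "root")


if __name__ == "__main__":
    for name, status in audit(TASK_DEF).items():
        print(f"{name}: {status}")
    # A CI gate can fail the deployment when this list is non-empty.
    print("running as root:", root_containers(TASK_DEF))
```
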