Error running Fess 12.4.3 with 3 elastic 6.5.3 nodes cluster: failed to create index

(from github.com/svalo)
Hello, I’m trying to setup Fess on linux installed with the .deb package but I’m encountering problems.

I’m using Elasticsearch 6.5.3 and Fess 12.4.3

I’d like to use a 3-nodes external Elasticsearch cluster and let Fess use that. Is the scenario where Elasticsearch is installed on 3 different servers and Fess is installed on a 4th server in the same network supported? Or does fess need a local Elasticsearch node?

As I coulnd’t make Fess start in the previous setup I tried using a different scenario using docker to experiment: 3 Elasticsearch nodes on 3 different containers and a 4th container running Fess and Elasticsearch all belonging to the same cluster.

I tried with docker after trying with actual servers but encountered the same problems.

Fess is configured to talk to the Elasticsearch running on the same container.

On all the Elasticsearch nodes the plugins are installed, same version on each, and the configsync plugin is configured pointing to the same path on each node.

As long as the 3 elastic nodes are not running fess starts correctly and talks with the Elasticsearch node running on the same container. Problems arise when the other 3 nodes are started: they correctly join the cluster and sync the files in the configsync path but on each of the new nodes I receive the following error:

[2019-01-17T14:20:29,326][WARN ][o.e.i.c.IndicesClusterStateService] [node1] [[fess.20190117][2]] marking and sending shard failed due to [failed to create index]
java.security.AccessControlException: access denied ("java.io.FilePermission" "/var/lib/elasticsearch/config/ja/mapping.txt" "read")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]
    at java.security.AccessController.checkPermission(AccessController.java:895) ~[?:?]
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:322) ~[?:?]
    at java.lang.SecurityManager.checkRead(SecurityManager.java:661) ~[?:?]
    at sun.nio.fs.UnixChannelFactory.open(UnixChannelFactory.java:255) ~[?:?]
    at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:143) ~[?:?]
    at sun.nio.fs.UnixChannelFactory.newFileChannel(UnixChannelFactory.java:156) ~[?:?]
    at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:213) ~[?:?]
    at java.nio.file.Files.newByteChannel(Files.java:370) ~[?:?]
    at java.nio.file.Files.newByteChannel(Files.java:421) ~[?:?]
    at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
    at java.nio.file.Files.newInputStream(Files.java:155) ~[?:?]
    at java.nio.file.Files.newBufferedReader(Files.java:2838) ~[?:?]
    at org.elasticsearch.index.analysis.Analysis.getWordList(Analysis.java:244) ~[elasticsearch-6.5.3.jar:6.5.3]

However the file is readable and writable by elastic as elastic itself created it in that very folder.

This situation result in the cluster being in a yellow state because of unallocated shards.

Here you can find the docker-compose.yml file used

elastic-img is build with this Dockerfile

fess-img is build from the fess-docker repository, I changed to elastic non-oss release, used the 6.5.3 version instead of 6.5.4 and fixed the cluster.name setting both in elasticsearch.yml and in a fess_config.properties file, the latter is then copied to /opt/fess inside the container.

What am I doing wrong? Why do I get the access denied error? Are there any constrains on the elasticsearch node role? i.e. may all the nodes be master, ingestors and data nodes?

(from github.com/marevol)
Our official docker-compose.yml is here.

(from github.com/marevol)
For the official elasticsearch image, I think it might not use /var/lib/elasticsearch/config/ as a config directory.

(from github.com/svalo)
Thanks for the answer.

I had to edit the docker-compose in order to simulate my production environment where elasticsearch is not the oss edition.

I managed to solve the issue anyway.

For me it wasn’t clear that the configsync path must be the exact same folder of elasticsearch config path and that they have to be exactly the same on each and every node of the ES cluster.

As soon as I configured the 3 nodes not running fess to be configured as the ES node running fess everything worked like a charm.

(from github.com/marevol)

the configsync path must be the exact same folder of elasticsearch config path

Elasticsearch controls a permission of read/write by Java.

(from github.com/svalo)
Maybe I misread the documentation but it may be useful to specify that the configsync path have to be the elasticseach config path.

Another thing I noticed is that the node local setting of the configsync path is not considered.

If I configure the es-fess node with configsync path set to /path/to/configsync/ and an elasticseach node with configsync path set to /a/different/path/to/configsync in the elasticsearch only node I will see in the logs that the files will be searched in /path/to/configsync/. Is this a known behaviour?

(from github.com/svalo)

the configsync path must be the exact same folder of elasticsearch config path

Elasticsearch controls a permission of read/write by Java.

Ok, thank you for the explanation, I didn’t know this and couldn’t understand why I was getting a permission denied error when the folder was actually accessible

(from github.com/jin716)

Maybe I misread the documentation but it may be useful to specify that the configsync path have to be the elasticseach config path.

Another thing I noticed is that the node local setting of the configsync path is not considered.

If I configure the es-fess node with configsync path set to /path/to/configsync/ and an elasticseach node with configsync path set to /a/different/path/to/configsync in the elasticsearch only node I will see in the logs that the files will be searched in /path/to/configsync/. Is this a known behaviour?

Same access denied problem i just encounted.
i set a path like this , is totally cant work.
-Dfess.dictionary.path=“D:/ProgramFile/synconfig/”

Maybe a better solustion is to throw a exception with message tip: elasticsearc/config folder only.
"java.lang.SecurityException: access denied " is totally misleading.