Bug 1807201 - Elasticsearch shows UnsupportedOperationException seccomp unavailable ppc64le architecture unsupported
Summary: Elasticsearch shows UnsupportedOperationException seccomp unavailable ppc64le...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Multi-Arch
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.11.z
Assignee: Yaakov Selkowitz
QA Contact: Barry Donahue
URL:
Whiteboard: Logging
: 1842412 (view as bug list)
Depends On: 1855072
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-25 19:38 UTC by Steven Walter
Modified: 2023-12-15 17:24 UTC (History)
26 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Elasticsearch checks at startup for system call support in a way that works on x86_64 but not other architectures. Consequence: With OCP 3.11 on IBM Power, Cluster Logging fails to deploy, with logging-elasticsearch5 giving the following error message: unable to install syscall filter: java.lang.UnsupportedOperationException: seccomp unavailable: 'ppc64le' architecture unsupported Fix: The openshift-ansible playbook which handles deployment of Elasticsearch now sets an option to override that startup test on applicable architectures. Result: Cluster Logging successfully deploy on IBM Power systems.
Clone Of:
: 1848696 (view as bug list)
Environment:
Last Closed: 2020-10-22 11:02:22 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
openshift-ansible 3.11 patch (1.15 KB, patch)
2020-07-15 17:45 UTC, Yaakov Selkowitz 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-ansible pull 12222 0 None closed Bug 1807201: logging_elasticsearch: disable system_call_filter check on non-amd64 architectures 2020-11-11 20:18:37 UTC
Red Hat Product Errata RHBA-2020:4170 0 None None None 2020-10-22 11:02:46 UTC

Internal Links: 1847365

Description Steven Walter 2020-02-25 19:38:55 UTC 
Description of problem:
EFK stack installed on IBM Power-based machines has logging-es fail with unsupported architecture

Version-Release number of selected component (if applicable):
3.11

How reproducible:
Unconfirmed

Actual results:

[2020-02-24T20:58:33,393][INFO ][i.f.e.p.OpenshiftRequestContextFactory] Using kibanaIndexMode: 'unique'
[2020-02-24T20:58:33,447][INFO ][c.f.s.SearchGuardPlugin  ] FLS/DLS valve not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.DlsFlsValveImpl
[2020-02-24T20:58:33,448][INFO ][c.f.s.SearchGuardPlugin  ] Auditlog not available due to java.lang.ClassNotFoundException: com.floragunn.searchguard.auditlog.impl.AuditLogImpl
[2020-02-24T20:58:33,449][INFO ][c.f.s.SearchGuardPlugin  ] Privileges interceptor not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.PrivilegesInterceptorImpl
[2020-02-24T20:58:33,518][INFO ][o.e.d.DiscoveryModule    ] [logging-es-data-master-m85sak2x] using discovery type [zen]
[2020-02-24T20:58:34,130][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] initialized
[2020-02-24T20:58:34,130][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] starting ...
[2020-02-24T20:58:34,346][INFO ][o.e.t.TransportService   ] [logging-es-data-master-m85sak2x] publish_address {10.2.4.116:9300}, bound_addresses {[::]:9300}
[2020-02-24T20:58:34,355][INFO ][o.e.b.BootstrapChecks    ] [logging-es-data-master-m85sak2x] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2020-02-24T20:58:34,357][ERROR][o.e.b.Bootstrap          ] [logging-es-data-master-m85sak2x] node validation exception
[1] bootstrap checks failed
[1]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
[2020-02-24T20:58:34,358][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] stopping ...
[2020-02-24T20:58:34,723][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] stopped
[2020-02-24T20:58:34,723][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] closing ...
[2020-02-24T20:58:34,735][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] closed
[2020-02-24T20:58:37,308][WARN ][o.e.b.JNANatives         ] unable to install syscall filter:
java.lang.UnsupportedOperationException: seccomp unavailable: 'ppc64le' architecture unsupported
        at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:266) ~[elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:617) ~[elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:258) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:113) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:111) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:195) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:342) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:132) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:123) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:70) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:134) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:91) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:84) [elasticsearch-5.6.16.redhat-2.jar:5.6.16.redhat-2]
[2020-02-24T20:58:37,482][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] initializing ...
[2020-02-24T20:58:37,561][INFO ][o.e.e.NodeEnvironment    ] [logging-es-data-master-m85sak2x] using [1] data paths, mounts [[/elasticsearch/persistent (/dev/mapper/mpathr)]], net usable_space [37.1gb], net total_space [39.2gb], spins? [possibly], types [ext4]
[2020-02-24T20:58:37,561][INFO ][o.e.e.NodeEnvironment    ] [logging-es-data-master-m85sak2x] heap size [3.9gb], compressed ordinary object pointers [true]
[2020-02-24T20:58:37,562][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] node name [logging-es-data-master-m85sak2x], node ID [eStC9bwpTjejfov_rIse3Q]
[2020-02-24T20:58:37,562][INFO ][o.e.n.Node               ] [logging-es-data-master-m85sak2x] version[5.6.16], pid[1], build[8dc130e/2019-09-10T20:07:09.564Z], OS[Linux/3.10.0-1062.12.1.el7.ppc64le/ppc64le], JVM[Oracle Corporation/OpenJDK 64-Bit Server VM/1.8.0_242/25.242-b08]

Expected results:


Additional info:
Comment 1 Yaakov Selkowitz 2020-02-25 21:27:53 UTC 
According to the following upstream discussion, this is simply a warning:

https://discuss.elastic.co/t/java-lang-unsupportedoperationexception-on-starting-elasticsearch/64548/2

The following blog post discusses how this could be fixed:

https://www.clarenceho.net/2016/06/adding-seccomp-support-to-elasticsearch.html

Although please note that the relevant code has since been moved multiple times:

https://github.com/elastic/elasticsearch/blob/5.6/core/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java#L239

https://github.com/elastic/elasticsearch/blob/master/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java#L238

I cannot say as to how far back upstream would take backports, or if we would carry a backport as a patch in our builds, but the first step would be to get upstream master fixed (and please consider fixing s390x too while you're at it).
Comment 4 Yaakov Selkowitz 2020-03-02 20:49:14 UTC 
Could someone please verify the following:

--- a/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java
+++ b/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java
@@ -241,6 +241,8 @@ final class SystemCallFilter {
         ARCHITECTURES = Map.of(
                 "amd64", new Arch(0xC000003E, 0x3FFFFFFF, 57, 58, 59, 322, 317),
                 "aarch64", new Arch(0xC00000B7, 0xFFFFFFFF, 1079, 1071, 221, 281, 277));
+                "ppc64le", new Arch(0xC00000A5, 0xFFFFFFFF, 2, 189, 11, 362, 358));
+                "s390x", new Arch(0x800000A6, 0x3FFFFFFF, 2, 190, 11, 354, 348));
     }
 
     /** invokes prctl() from linux libc library */
--
Comment 5 Rashmi 2020-03-04 09:20:43 UTC 
Hi Yaakov,

The above change mentioned by you is required to build elasticsearch on Power. 
Please find the below reference link to build elasticsearch on Power.(validated on Power PC)

https://github.com/ppc64le/build-scripts/blob/master/elasticsearch/elasticsearch_7.4_rhel_7.6.sh
Comment 6 Yaakov Selkowitz 2020-03-05 21:58:48 UTC 
Fixing typos:

--- a/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java
+++ b/server/src/main/java/org/elasticsearch/bootstrap/SystemCallFilter.java
@@ -241,6 +241,8 @@ final class SystemCallFilter {
         ARCHITECTURES = Map.of(
                 "amd64", new Arch(0xC000003E, 0x3FFFFFFF, 57, 58, 59, 322, 317),
                 "aarch64", new Arch(0xC00000B7, 0xFFFFFFFF, 1079, 1071, 221, 281, 277));
+                "ppc64le", new Arch(0xC0000015, 0xFFFFFFFF, 2, 189, 11, 362, 358));
+                "s390x", new Arch(0x80000016, 0x3FFFFFFF, 2, 190, 11, 354, 348));
     }
 
     /** invokes prctl() from linux libc library */
--
Comment 7 Yaakov Selkowitz 2020-03-06 18:19:08 UTC 
Submitted upstream PR: https://github.com/elastic/elasticsearch/pull/53239
Comment 8 Yaakov Selkowitz 2020-03-06 18:44:08 UTC 
Upstream has rejected this patch outright because they do not want to even appear to claim support for architectures other than x86_64.  Therefore, if we're going to fix this, it will have to be downstream only.

Jeff, if I provide the patches for review, would we be willing to take the patch and carry it in our future builds of the elasticsearch jar?
Comment 15 Jeff Cantrill 2020-06-02 21:13:05 UTC 
Moving to the multiarch team as I understand they are the ones responsible for testing and ensuring support.
Comment 19 Yaakov Selkowitz 2020-06-12 15:57:13 UTC 
*** Bug 1842412 has been marked as a duplicate of this bug. ***
Comment 26 Nicolas Nosenzo 2020-07-01 10:04:38 UTC 
I had a customer testing this in a cluster on Z (s390x) with OCP 4.4. 

$ oc patch elasticsearch.logging.openshift.io/elasticsearch --type merge --patch '{"spec":{"managementState": "Unmanaged"}}'
$ oc edit cm elasticsearch
-------------------------------------------------------
apiVersion: v1
data:
  elasticsearch.yml: |2-
    bootstrap.system_call_filter: false
    cluster:
      name: ${CLUSTER_NAME}
-------------------------------------------------------

After this change, ES fails to start with the following message

~~~
[2020-06-29T09:48:43,603][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [elasticsearch-cdm-1cb87h5k-1] SSL Problem Received close_notify during handshake
javax.net.ssl.SSLException: Received close_notify during handshake
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:214) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1667) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1635) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1777) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1090) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:913) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:783) ~[?:?]
~~~

Anyone knows if this is related to the bootstrap checks mentioned in comment #16?
Comment 27 Lukas Vlcek 2020-07-08 16:19:04 UTC 
Hi,

do you think we can get full ES node log?

Lukáš
Comment 29 Nicolas Nosenzo 2020-07-14 09:04:57 UTC 
@Lukas, Hi, will share the logs within bug 1854472
Comment 30 Yaakov Selkowitz 2020-07-15 17:45:16 UTC 
Created attachment 1701284 [details]
openshift-ansible 3.11 patch
Comment 31 Yaakov Selkowitz 2020-07-15 18:27:09 UTC 
Steven, if you could please take attachment 1701284 [details] back to the customer on 3.11 and see if redeploying with that applied on top of openshift-ansible solves their issue?
Comment 37 Steven Walter 2020-08-31 21:21:47 UTC 
Hi,
The patch seems to have worked allowing the playbook to finish! Thanks!
Comment 44 Jeremy Poulin 2020-09-14 15:22:25 UTC 
@Doug - let me know if there is anything I can do to help you with this one.
Comment 46 Douglas Slavens 2020-09-15 21:03:04 UTC 
The fix for this in openshift-ansible appears to have worked using version OCP 3.11.286. Here are the results - http://pastebin.test.redhat.com/902499
Comment 49 errata-xmlrpc 2020-10-22 11:02:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 3.11.306 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4170
Note You need to log in before you can comment on or make changes to this bug.