You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@solr.apache.org by Ricardo Ruiz <ri...@gmail.com> on 2023/03/30 01:10:18 UTC
Can't start solr with 9.2.0
Hi!
I'm building and provisioning Solr images using
geerlingguy/ansible-role-solr
<https://github.com/geerlingguy/ansible-role-solr> for versions 9.1.1,
9.0.0, 8.11.2, and the newest version 9.2.0.
My configuration works for the other three versions, but when I try to
start the service for 9.2.0, the start process fails and keeps restarting
over and over.
From the logs, this is what I can see (please see the attached file).
I'm not sure what could have changed in this new version, or if this is a
problem with the Ansible role, but any insight would be appreciated.
Thanks,
Ricardo Ruiz
Re: Can't start solr with 9.2.0
Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/30/23 10:48, Ricardo Ruiz wrote:
> Unfortunately, I can't avoid symlinks for the Solr data directory. Is
> there anything else I can try?
Set Solr's data directories directly into the real path, don't use a
path with a symlink.
Since Solr 9.1, Solr uses a Java security manager that limits what
rights it has outside of its own directories.
We found problems with this for installs using the service installer,
because the install dir (usually /opt/solr) is a symlink to solr-X.Y.Z.
In 9.2.0, that problem is mostly fixed.
Unfortunately, there is still a problem with the security manager if
symlinks are involved for other directories, like data and logs. So for
right now you can't use symlinks for those directories with an
out-of-the-box setup.
Fixing the remaining problem is going to require some intricate surgery
on the bin/solr script. I've begun work on it, but it might take me a
little while.
Just saw that you edited the security policy directly, which is another
way to fix it.
Thanks,
Shawn
Re: Can't start solr with 9.2.0
Posted by Ricardo Ruiz <ri...@gmail.com>.
Thank you very much for your insights Kevin,
I opted for adding the permission to security policy with:
*permission java.io.FilePermission "/mnt/instance-data/solr/-",
"read,write";*
I tested it and It's working now, Thanks.
Ricardo Ruiz.
On Thu, Mar 30, 2023 at 11:13 AM Kevin Risden <kr...@apache.org> wrote:
> >
> > *- Avoiding **symlinks for Solr's data directories would be a good idea.*
> > Unfortunately, I can't avoid symlinks for the Solr data directory. Is
> there
> > anything else I can try?
> >
>
> There are configs in solr.in.sh to actually set the right paths instead of
> using symlinks - like setting SOLR_DATA_HOME but I gave other examples
> instead.
>
> Kevin Risden
>
>
> On Thu, Mar 30, 2023 at 1:11 PM Kevin Risden <kr...@apache.org> wrote:
>
> > add /mnt/instance-data/solr to etc/server/security.policy under the Solr
> > install directory. (
> > https://github.com/apache/solr/blob/main/solr/server/etc/security.policy
> )
> >
> > or disable the security manager
> > with setting SOLR_SECURITY_MANAGER_ENABLED=false in solr.in.sh
> >
> > Kevin Risden
> >
> >
> > On Thu, Mar 30, 2023 at 12:49 PM Ricardo Ruiz <ri...@gmail.com>
> > wrote:
> >
> >> Thanks, Shawn
> >>
> >> *- Is any part of /mnt/instance-data/solr/logs a symlink, *
> >> Yes, */var/solr -> * */mnt/instance-data/solr. *
> >>
> >> *- Does the user that is running Solr have read/write permission to
> that*
> >> *location?*
> >> The user that runs Solr is the *Solr *user and it does have read/write
> >> permissions.
> >>
> >> solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la /mnt/instance-data/
> >> total 4
> >> drwxr-xr-x 3 root root 18 Mar 29 21:30 .
> >> drwxr-xr-x 3 root root 4096 Mar 29 21:30 ..
> >> drwxr-xr-x 4 solr solr 219 Mar 30 00:45 solr
> >>
> >> solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la
> >> total 72
> >> drwxr-xr-x 4 solr solr 219 Mar 30 00:45 .
> >> drwxr-xr-x 3 root root 18 Mar 29 21:30 ..
> >> drwxr-x--- 2 solr solr 22 Mar 29 21:31 data
> >> -rw-r----- 1 solr solr 3853 Mar 29 18:37 log4j2.xml
> >> drwxr-x--- 2 solr solr 243 Mar 30 04:07 logs
> >> -rw-r--r-- 1 solr solr 7 Mar 30 04:07 solr-8983.pid
> >> -rw-r--r-- 1 solr solr 14778 Mar 30 00:23 solr.in.sh
> >>
> >> *- Avoiding **symlinks for Solr's data directories would be a good
> idea.*
> >> Unfortunately, I can't avoid symlinks for the Solr data directory. Is
> >> there
> >> anything else I can try?
> >>
> >> Thank you again for your help,
> >> Ricardo Ruiz
> >>
> >> On Wed, Mar 29, 2023 at 10:19 PM Shawn Heisey <ap...@elyograg.org>
> >> wrote:
> >>
> >> > On 3/29/2023 7:10 PM, Ricardo Ruiz wrote:
> >> > > My configuration works for the other three versions, but when I try
> to
> >> > > start the service for 9.2.0, the start process fails and keeps
> >> > > restarting over and over.
> >> > >
> >> > > From the logs, this is what I can see (please see the attached
> file).
> >> > >
> >> > > I'm not sure what could have changed in this new version, or if this
> >> is
> >> > > a problem with the Ansible role, but any insight would be
> appreciated.
> >> >
> >> > This is the relevant line from the log:
> >> >
> >> > Caused by: java.security.AccessControlException: access denied
> >> > ("java.io.FilePermission" "/mnt/instance-data/solr/logs" "read")
> >> >
> >> > Is any part of /mnt/instance-data/solr/logs a symlink, or is Solr
> >> > started with a directory setting that has a symlink to that location?
> >> > Does the user that is running Solr have read/write permission to that
> >> > location?
> >> >
> >> > The reason that I ask about symlinks is that Solr 9 starts with a
> >> > security manager that restricts what directories it can access. We've
> >> > already seen and fixed problems with symlinks for the install
> directory,
> >> > similar problems could exist for the data directories too. Avoiding
> >> > symlinks for Solr's data directories would be a good idea. We'd like
> to
> >> > know about any problems there so we can fix them in a future version.
> >> >
> >> > Thanks,
> >> > Shawn
> >> >
> >>
> >
>
Re: Can't start solr with 9.2.0
Posted by Kevin Risden <kr...@apache.org>.
>
> *- Avoiding **symlinks for Solr's data directories would be a good idea.*
> Unfortunately, I can't avoid symlinks for the Solr data directory. Is there
> anything else I can try?
>
There are configs in solr.in.sh to actually set the right paths instead of
using symlinks - like setting SOLR_DATA_HOME but I gave other examples
instead.
Kevin Risden
On Thu, Mar 30, 2023 at 1:11 PM Kevin Risden <kr...@apache.org> wrote:
> add /mnt/instance-data/solr to etc/server/security.policy under the Solr
> install directory. (
> https://github.com/apache/solr/blob/main/solr/server/etc/security.policy)
>
> or disable the security manager
> with setting SOLR_SECURITY_MANAGER_ENABLED=false in solr.in.sh
>
> Kevin Risden
>
>
> On Thu, Mar 30, 2023 at 12:49 PM Ricardo Ruiz <ri...@gmail.com>
> wrote:
>
>> Thanks, Shawn
>>
>> *- Is any part of /mnt/instance-data/solr/logs a symlink, *
>> Yes, */var/solr -> * */mnt/instance-data/solr. *
>>
>> *- Does the user that is running Solr have read/write permission to that*
>> *location?*
>> The user that runs Solr is the *Solr *user and it does have read/write
>> permissions.
>>
>> solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la /mnt/instance-data/
>> total 4
>> drwxr-xr-x 3 root root 18 Mar 29 21:30 .
>> drwxr-xr-x 3 root root 4096 Mar 29 21:30 ..
>> drwxr-xr-x 4 solr solr 219 Mar 30 00:45 solr
>>
>> solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la
>> total 72
>> drwxr-xr-x 4 solr solr 219 Mar 30 00:45 .
>> drwxr-xr-x 3 root root 18 Mar 29 21:30 ..
>> drwxr-x--- 2 solr solr 22 Mar 29 21:31 data
>> -rw-r----- 1 solr solr 3853 Mar 29 18:37 log4j2.xml
>> drwxr-x--- 2 solr solr 243 Mar 30 04:07 logs
>> -rw-r--r-- 1 solr solr 7 Mar 30 04:07 solr-8983.pid
>> -rw-r--r-- 1 solr solr 14778 Mar 30 00:23 solr.in.sh
>>
>> *- Avoiding **symlinks for Solr's data directories would be a good idea.*
>> Unfortunately, I can't avoid symlinks for the Solr data directory. Is
>> there
>> anything else I can try?
>>
>> Thank you again for your help,
>> Ricardo Ruiz
>>
>> On Wed, Mar 29, 2023 at 10:19 PM Shawn Heisey <ap...@elyograg.org>
>> wrote:
>>
>> > On 3/29/2023 7:10 PM, Ricardo Ruiz wrote:
>> > > My configuration works for the other three versions, but when I try to
>> > > start the service for 9.2.0, the start process fails and keeps
>> > > restarting over and over.
>> > >
>> > > From the logs, this is what I can see (please see the attached file).
>> > >
>> > > I'm not sure what could have changed in this new version, or if this
>> is
>> > > a problem with the Ansible role, but any insight would be appreciated.
>> >
>> > This is the relevant line from the log:
>> >
>> > Caused by: java.security.AccessControlException: access denied
>> > ("java.io.FilePermission" "/mnt/instance-data/solr/logs" "read")
>> >
>> > Is any part of /mnt/instance-data/solr/logs a symlink, or is Solr
>> > started with a directory setting that has a symlink to that location?
>> > Does the user that is running Solr have read/write permission to that
>> > location?
>> >
>> > The reason that I ask about symlinks is that Solr 9 starts with a
>> > security manager that restricts what directories it can access. We've
>> > already seen and fixed problems with symlinks for the install directory,
>> > similar problems could exist for the data directories too. Avoiding
>> > symlinks for Solr's data directories would be a good idea. We'd like to
>> > know about any problems there so we can fix them in a future version.
>> >
>> > Thanks,
>> > Shawn
>> >
>>
>
Re: Can't start solr with 9.2.0
Posted by Kevin Risden <kr...@apache.org>.
add /mnt/instance-data/solr to etc/server/security.policy under the Solr
install directory. (
https://github.com/apache/solr/blob/main/solr/server/etc/security.policy)
or disable the security manager
with setting SOLR_SECURITY_MANAGER_ENABLED=false in solr.in.sh
Kevin Risden
On Thu, Mar 30, 2023 at 12:49 PM Ricardo Ruiz <ri...@gmail.com> wrote:
> Thanks, Shawn
>
> *- Is any part of /mnt/instance-data/solr/logs a symlink, *
> Yes, */var/solr -> * */mnt/instance-data/solr. *
>
> *- Does the user that is running Solr have read/write permission to that*
> *location?*
> The user that runs Solr is the *Solr *user and it does have read/write
> permissions.
>
> solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la /mnt/instance-data/
> total 4
> drwxr-xr-x 3 root root 18 Mar 29 21:30 .
> drwxr-xr-x 3 root root 4096 Mar 29 21:30 ..
> drwxr-xr-x 4 solr solr 219 Mar 30 00:45 solr
>
> solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la
> total 72
> drwxr-xr-x 4 solr solr 219 Mar 30 00:45 .
> drwxr-xr-x 3 root root 18 Mar 29 21:30 ..
> drwxr-x--- 2 solr solr 22 Mar 29 21:31 data
> -rw-r----- 1 solr solr 3853 Mar 29 18:37 log4j2.xml
> drwxr-x--- 2 solr solr 243 Mar 30 04:07 logs
> -rw-r--r-- 1 solr solr 7 Mar 30 04:07 solr-8983.pid
> -rw-r--r-- 1 solr solr 14778 Mar 30 00:23 solr.in.sh
>
> *- Avoiding **symlinks for Solr's data directories would be a good idea.*
> Unfortunately, I can't avoid symlinks for the Solr data directory. Is there
> anything else I can try?
>
> Thank you again for your help,
> Ricardo Ruiz
>
> On Wed, Mar 29, 2023 at 10:19 PM Shawn Heisey <ap...@elyograg.org> wrote:
>
> > On 3/29/2023 7:10 PM, Ricardo Ruiz wrote:
> > > My configuration works for the other three versions, but when I try to
> > > start the service for 9.2.0, the start process fails and keeps
> > > restarting over and over.
> > >
> > > From the logs, this is what I can see (please see the attached file).
> > >
> > > I'm not sure what could have changed in this new version, or if this is
> > > a problem with the Ansible role, but any insight would be appreciated.
> >
> > This is the relevant line from the log:
> >
> > Caused by: java.security.AccessControlException: access denied
> > ("java.io.FilePermission" "/mnt/instance-data/solr/logs" "read")
> >
> > Is any part of /mnt/instance-data/solr/logs a symlink, or is Solr
> > started with a directory setting that has a symlink to that location?
> > Does the user that is running Solr have read/write permission to that
> > location?
> >
> > The reason that I ask about symlinks is that Solr 9 starts with a
> > security manager that restricts what directories it can access. We've
> > already seen and fixed problems with symlinks for the install directory,
> > similar problems could exist for the data directories too. Avoiding
> > symlinks for Solr's data directories would be a good idea. We'd like to
> > know about any problems there so we can fix them in a future version.
> >
> > Thanks,
> > Shawn
> >
>
Re: Can't start solr with 9.2.0
Posted by Ricardo Ruiz <ri...@gmail.com>.
Thanks, Shawn
*- Is any part of /mnt/instance-data/solr/logs a symlink, *
Yes, */var/solr -> * */mnt/instance-data/solr. *
*- Does the user that is running Solr have read/write permission to that*
*location?*
The user that runs Solr is the *Solr *user and it does have read/write
permissions.
solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la /mnt/instance-data/
total 4
drwxr-xr-x 3 root root 18 Mar 29 21:30 .
drwxr-xr-x 3 root root 4096 Mar 29 21:30 ..
drwxr-xr-x 4 solr solr 219 Mar 30 00:45 solr
solr@solr-sa-9-2-0:/mnt/instance-data/solr$ ls -la
total 72
drwxr-xr-x 4 solr solr 219 Mar 30 00:45 .
drwxr-xr-x 3 root root 18 Mar 29 21:30 ..
drwxr-x--- 2 solr solr 22 Mar 29 21:31 data
-rw-r----- 1 solr solr 3853 Mar 29 18:37 log4j2.xml
drwxr-x--- 2 solr solr 243 Mar 30 04:07 logs
-rw-r--r-- 1 solr solr 7 Mar 30 04:07 solr-8983.pid
-rw-r--r-- 1 solr solr 14778 Mar 30 00:23 solr.in.sh
*- Avoiding **symlinks for Solr's data directories would be a good idea.*
Unfortunately, I can't avoid symlinks for the Solr data directory. Is there
anything else I can try?
Thank you again for your help,
Ricardo Ruiz
On Wed, Mar 29, 2023 at 10:19 PM Shawn Heisey <ap...@elyograg.org> wrote:
> On 3/29/2023 7:10 PM, Ricardo Ruiz wrote:
> > My configuration works for the other three versions, but when I try to
> > start the service for 9.2.0, the start process fails and keeps
> > restarting over and over.
> >
> > From the logs, this is what I can see (please see the attached file).
> >
> > I'm not sure what could have changed in this new version, or if this is
> > a problem with the Ansible role, but any insight would be appreciated.
>
> This is the relevant line from the log:
>
> Caused by: java.security.AccessControlException: access denied
> ("java.io.FilePermission" "/mnt/instance-data/solr/logs" "read")
>
> Is any part of /mnt/instance-data/solr/logs a symlink, or is Solr
> started with a directory setting that has a symlink to that location?
> Does the user that is running Solr have read/write permission to that
> location?
>
> The reason that I ask about symlinks is that Solr 9 starts with a
> security manager that restricts what directories it can access. We've
> already seen and fixed problems with symlinks for the install directory,
> similar problems could exist for the data directories too. Avoiding
> symlinks for Solr's data directories would be a good idea. We'd like to
> know about any problems there so we can fix them in a future version.
>
> Thanks,
> Shawn
>
Re: Can't start solr with 9.2.0
Posted by Shawn Heisey <ap...@elyograg.org>.
On 3/29/2023 7:10 PM, Ricardo Ruiz wrote:
> My configuration works for the other three versions, but when I try to
> start the service for 9.2.0, the start process fails and keeps
> restarting over and over.
>
> From the logs, this is what I can see (please see the attached file).
>
> I'm not sure what could have changed in this new version, or if this is
> a problem with the Ansible role, but any insight would be appreciated.
This is the relevant line from the log:
Caused by: java.security.AccessControlException: access denied
("java.io.FilePermission" "/mnt/instance-data/solr/logs" "read")
Is any part of /mnt/instance-data/solr/logs a symlink, or is Solr
started with a directory setting that has a symlink to that location?
Does the user that is running Solr have read/write permission to that
location?
The reason that I ask about symlinks is that Solr 9 starts with a
security manager that restricts what directories it can access. We've
already seen and fixed problems with symlinks for the install directory,
similar problems could exist for the data directories too. Avoiding
symlinks for Solr's data directories would be a good idea. We'd like to
know about any problems there so we can fix them in a future version.
Thanks,
Shawn