| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257 | [[bootstrap-checks]]== Bootstrap ChecksCollectively, we have a lot of experience with users sufferingunexpected issues because they have not configured<<important-settings,important settings>>. In previous versions ofElasticsearch, misconfiguration of some of these settings were loggedas warnings. Understandably, users sometimes miss these log messages.To ensure that these settings receive the attention that they deserve,Elasticsearch has bootstrap checks upon startup.These bootstrap checks inspect a variety of Elasticsearch and systemsettings and compare them to values that are safe for the operation ofElasticsearch. If Elasticsearch is in development mode, any bootstrapchecks that fail appear as warnings in the Elasticsearch log. IfElasticsearch is in production mode, any bootstrap checks that fail willcause Elasticsearch to refuse to start.There are some bootstrap checks that are always enforced to preventElasticsearch from running with incompatible settings. These checks aredocumented individually.[discrete][[dev-vs-prod-mode]]=== Development vs. production modeBy default, Elasticsearch binds to loopback addresses for <<modules-http,HTTP>>and <<modules-transport,transport (internal)>> communication. This is fine fordownloading and playing with Elasticsearch as well as everyday development, butit's useless for production systems. To join a cluster, an Elasticsearch nodemust be reachable via transport communication. To join a cluster via anon-loopback address, a node must bind transport to a non-loopback address andnot be using <<single-node-discovery,single-node discovery>>. Thus, we consideran Elasticsearch node to be in development mode if it can not form a clusterwith another machine via a non-loopback address, and is otherwise in productionmode if it can join a cluster via non-loopback addresses.Note that HTTP and transport can be configured independently via<<modules-http,`http.host`>> and <<modules-transport,`transport.host`>>; thiscan be useful for configuring a single node to be reachable via HTTP for testingpurposes without triggering production mode.[[single-node-discovery]][discrete]=== Single-node discoveryWe recognize that some users need to bind transport to an external interface fortesting their usage of the transport client. For this situation, we provide thediscovery type `single-node` (configure it by setting `discovery.type` to`single-node`); in this situation, a node will elect itself master and will notjoin a cluster with any other node.[discrete]=== Forcing the bootstrap checksIf you are running a single node in production, it is possible to evade thebootstrap checks (either by not binding transport to an external interface, orby binding transport to an external interface and setting the discovery type to`single-node`). For this situation, you can force execution of the bootstrapchecks by setting the system property `es.enforce.bootstrap.checks` to `true`(set this in <<jvm-options>>, or by adding `-Des.enforce.bootstrap.checks=true`to the environment variable `ES_JAVA_OPTS`). We strongly encourage you to dothis if you are in this specific situation. This system property can be used toforce execution of the bootstrap checks independent of the node configuration.=== Heap size checkBy default, {es} automatically sizes JVM heap based on a node's<<node-roles,roles>> and total memory. If you manually override the defaultsizing and start the JVM with different initial and max heap sizes, the JVM maypause as it resizes the heap during system usage. If you enable<<bootstrap-memory_lock,`bootstrap.memory_lock`>>, the JVM locks the initial heapsize on startup. If the initial heap size is not equal to the maximum heap size,some JVM heap may not be locked after a resize. To avoid these issues, start theJVM with an initial heap size equal to the maximum heap size.=== File descriptor checkFile descriptors are a Unix construct for tracking open "files". In Unixthough, {wikipedia}/Everything_is_a_file[everything isa file]. For example, "files" could be a physical file, a virtual file(e.g., `/proc/loadavg`), or network sockets. Elasticsearch requireslots of file descriptors (e.g., every shard is composed of multiplesegments and other files, plus connections to other nodes, etc.). Thisbootstrap check is enforced on OS X and Linux. To pass the filedescriptor check, you might have to configure <<file-descriptors,filedescriptors>>.=== Memory lock checkWhen the JVM does a major garbage collection it touches every page ofthe heap. If any of those pages are swapped out to disk they will haveto be swapped back in to memory. That causes lots of disk thrashing thatElasticsearch would much rather use to service requests. There areseveral ways to configure a system to disallow swapping. One way is byrequesting the JVM to lock the heap in memory through `mlockall` (Unix)or virtual lock (Windows). This is done via the Elasticsearch setting<<bootstrap-memory_lock,`bootstrap.memory_lock`>>. However, there arecases where this setting can be passed to Elasticsearch butElasticsearch is not able to lock the heap (e.g., if the `elasticsearch`user does not have `memlock unlimited`). The memory lock check verifiesthat *if* the `bootstrap.memory_lock` setting is enabled, that the JVMwas successfully able to lock the heap. To pass the memory lock check,you might have to configure <<bootstrap-memory_lock,`bootstrap.memory_lock`>>.[[max-number-threads-check]]=== Maximum number of threads checkElasticsearch executes requests by breaking the request down into stagesand handing those stages off to different thread pool executors. Thereare different <<modules-threadpool,thread pool executors>> for a varietyof tasks within Elasticsearch. Thus, Elasticsearch needs the ability tocreate a lot of threads. The maximum number of threads check ensuresthat the Elasticsearch process has the rights to create enough threadsunder normal use. This check is enforced only on Linux. If you are onLinux, to pass the maximum number of threads check, you must configureyour system to allow the Elasticsearch process the ability to create atleast 4096 threads. This can be done via `/etc/security/limits.conf`using the `nproc` setting (note that you might have to increase thelimits for the `root` user too).=== Max file size checkThe segment files that are the components of individual shards and the transloggenerations that are components of the translog can get large (exceedingmultiple gigabytes). On systems where the max size of files that can be createdby the Elasticsearch process is limited, this can lead to failedwrites. Therefore, the safest option here is that the max file size is unlimitedand that is what the max file size bootstrap check enforces. To pass the maxfile check, you must configure your system to allow the Elasticsearch processthe ability to write files of unlimited size. This can be done via`/etc/security/limits.conf` using the `fsize` setting to `unlimited` (note thatyou might have to increase the limits for the `root` user too).[[max-size-virtual-memory-check]]=== Maximum size virtual memory checkElasticsearch and Lucene use `mmap` to great effect to map portions ofan index into the Elasticsearch address space. This keeps certain indexdata off the JVM heap but in memory for blazing fast access. For this tobe effective, the Elasticsearch should have unlimited address space. Themaximum size virtual memory check enforces that the Elasticsearchprocess has unlimited address space and is enforced only on Linux. Topass the maximum size virtual memory check, you must configure yoursystem to allow the Elasticsearch process the ability to have unlimitedaddress space. This can be done via adding `<user> - as unlimited`to `/etc/security/limits.conf`. This may require you to increase the limitsfor the `root` user too.=== Maximum map count checkContinuing from the previous <<max-size-virtual-memory-check,point>>, touse `mmap` effectively, Elasticsearch also requires the ability tocreate many memory-mapped areas. The maximum map count check checks thatthe kernel allows a process to have at least 262,144 memory-mapped areasand is enforced on Linux only. To pass the maximum map count check, youmust configure `vm.max_map_count` via `sysctl` to be at least `262144`.Alternatively, the maximum map count check is only needed if you are using`mmapfs` or `hybridfs` as the <<index-modules-store,store type>> for yourindices. If you <<allow-mmap,do not allow>> the use of `mmap` then thisbootstrap check will not be enforced.=== Client JVM checkThere are two different JVMs provided by OpenJDK-derived JVMs: theclient JVM and the server JVM. These JVMs use different compilers forproducing executable machine code from Java bytecode. The client JVM istuned for startup time and memory footprint while the server JVM istuned for maximizing performance. The difference in performance betweenthe two VMs can be substantial. The client JVM check ensures thatElasticsearch is not running inside the client JVM. To pass the clientJVM check, you must start Elasticsearch with the server VM. On modernsystems and operating systems, the server VM is thedefault.=== Use serial collector checkThere are various garbage collectors for the OpenJDK-derived JVMstargeting different workloads. The serial collector in particular isbest suited for single logical CPU machines or extremely small heaps,neither of which are suitable for running Elasticsearch. Using theserial collector with Elasticsearch can be devastating for performance.The serial collector check ensures that Elasticsearch is not configuredto run with the serial collector. To pass the serial collector check,you must not start Elasticsearch with the serial collector (whether it'sfrom the defaults for the JVM that you're using, or you've explicitlyspecified it with `-XX:+UseSerialGC`). Note that the default JVMconfiguration that ships with Elasticsearch configures Elasticsearch touse the G1GC garbage collector with JDK14 and later versions. For earlierJDK versions, the configuration defaults to the CMS collector.=== System call filter checkElasticsearch installs system call filters of various flavors dependingon the operating system (e.g., seccomp on Linux). These system callfilters are installed to prevent the ability to execute system callsrelated to forking as a defense mechanism against arbitrary codeexecution attacks on Elasticsearch. The system call filter check ensuresthat if system call filters are enabled, then they were successfullyinstalled. To pass the system call filter check you must either fix anyconfiguration errors on your system that prevented system call filtersfrom installing (check your logs), or *at your own risk* disable systemcall filters by setting `bootstrap.system_call_filter` to `false`.=== OnError and OnOutOfMemoryError checksThe JVM options `OnError` and `OnOutOfMemoryError` enable executingarbitrary commands if the JVM encounters a fatal error (`OnError`) or an`OutOfMemoryError` (`OnOutOfMemoryError`). However, by default,Elasticsearch system call filters (seccomp) are enabled and thesefilters prevent forking. Thus, using `OnError` or `OnOutOfMemoryError`and system call filters are incompatible. The `OnError` and`OnOutOfMemoryError` checks prevent Elasticsearch from starting ifeither of these JVM options are used and system call filters areenabled. This check is always enforced. To pass this check do not enable`OnError` nor `OnOutOfMemoryError`; instead, upgrade to Java 8u92 anduse the JVM flag `ExitOnOutOfMemoryError`. While this does not have thefull capabilities of `OnError` nor `OnOutOfMemoryError`, arbitraryforking will not be supported with seccomp enabled.=== Early-access checkThe OpenJDK project provides early-access snapshots of upcoming releases. Thesereleases are not suitable for production. The early-access check detects theseearly-access snapshots. To pass this check, you must start Elasticsearch on arelease build of the JVM.=== G1GC checkEarly versions of the HotSpot JVM that shipped with JDK 8 are known tohave issues that can lead to index corruption when the G1GC collector isenabled.  The versions impacted are those earlier than the version ofHotSpot that shipped with JDK 8u40. The G1GC check detects these earlyversions of the HotSpot JVM.=== All permission checkThe all permission check ensures that the security policy used during bootstrapdoes not grant the `java.security.AllPermission` to Elasticsearch. Running withthe all permission granted is equivalent to disabling the security manager.=== Discovery configuration checkBy default, when Elasticsearch first starts up it will try and discover othernodes running on the same host. If no elected master can be discovered within afew seconds then Elasticsearch will form a cluster that includes any othernodes that were discovered. It is useful to be able to form this clusterwithout any extra configuration in development mode, but this is unsuitable forproduction because it's possible to form multiple clusters and lose data as aresult.This bootstrap check ensures that discovery is not running with the defaultconfiguration. It can be satisfied by setting at least one of the followingproperties:- `discovery.seed_hosts`- `discovery.seed_providers`- `cluster.initial_master_nodes`
 |