Shawn,

On 4/9/18 8:04 PM, Shawn Heisey wrote:
> On 4/9/2018 12:58 PM, Christopher Schultz wrote:
>> After playing around with a Solr 7.2.1 instance launched from the
>> extracted tarball, I decided to go ahead and create a "real service" on
>> my Debian-based server.
>>
>> I've run the 7.3.0 install script, configured Solr for TLS, and moved my
>> existing configuration into the data directory, here:
> 
> What was the *precise* command you used to install Solr?

$ sudo bin/install_solr_service.sh ../solr-7.3.0.tgz -i /usr/local/


> Looking for
> all the options you used, so I know where things are.  There shouldn't
> be anything sensitive in that command, so I don't think you need to
> redact it at all.  Also, what exactly did you add to
> /etc/default/solr.in.sh?  Redact any passwords you put there if you need to.


# Set by installer
SOLR_PID_DIR="/var/solr"
SOLR_HOME="/var/solr/data"
LOG4J_PROPS="/var/solr/log4j.properties"
SOLR_LOGS_DIR="/var/solr/logs"
SOLR_PORT="8983"

# Set by me
SOLR_JAVA_HOME=/usr/local/java-8
SOLR_SSL_KEY_STORE=/etc/solr/solr.p12
SOLR_SSL_KEY_STORE_PASSWORD=xxx
SOLR_SSL_KEY_STORE_TYPE=PKCS12
SOLR_SSL_TRUST_STORE=/etc/solr/solr-client.p12
SOLR_SSL_TRUST_STORE_PASSWORD=xxx
SOLR_SSL_TRUST_STORE_TYPE=PKCS12

>> When trying to create a new core, I get an NPE running:
>>
>> $ /usr/local/solr/bin/solr create -V -c new_core
>>
>> WARNING: Using _default configset with data driven schema functionality.
>> NOT RECOMMENDED for production use.
>>          To turn off: bin/solr config -c new_core -p 8983 -property
>> update.autoCreateFields -value false
>> Exception in thread "main" java.lang.NullPointerException
>>      at org.apache.solr.util.SolrCLI.getJson(SolrCLI.java:731)
>>      at org.apache.solr.util.SolrCLI.getJson(SolrCLI.java:642)
>>      at org.apache.solr.util.SolrCLI$CreateTool.runImpl(SolrCLI.java:1773)
>>      at org.apache.solr.util.SolrCLI$ToolBase.runTool(SolrCLI.java:176)
>>      at org.apache.solr.util.SolrCLI.main(SolrCLI.java:282)
> 
> Due to the way the code is written there in version 7.3, the exact
> nature of the problem is lost and it's not possible to see it without a
> change to the source code.  If you want to build a patched version of
> 7.3, you could re-run it to see exactly what happened.  Here's an issue
> for the NPE problem:
> 
> https://issues.apache.org/jira/browse/SOLR-12206

Thanks.

> Best guess about the error that it got:  When you ran the create
> command, I think that Java was not able to validate the SSL certificate
> from the Solr server.  This would be consistent with what I saw in the
> source code.

This particular scenario was that the solr client was trying to use HTTP
on port 8983 (because solr.in.sh could not be read with the TLS hints)
and getting a (broken) TLS handshake response. So it wasn't even an HTTP
response, which is probably why the client was (very) confused.

> For the problem you had later with "-force" ... this is *exactly* why
> you shouldn't run bin/solr as root.

Not running as root. I'm on the Tomcat security team. I'm obviously not
wanting to run the server as root.

$ ps aux | grep -e 'PID\|solr'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
solr     18309  0.0  3.3 2148524 257164 ?      Sl   Apr09   0:22 [cmd]

File permissions make sense, too:

$ sudo ls -ld /var/solr/data
drwxr-x--- 3 solr solr 4096 Apr  9 15:06 /var/solr/data

$ sudo ls -l /var/solr/data
total 12
drwxr-xr-x 4 solr solr 4096 Mar  5 15:12 test_core
-rw-r----- 1 solr solr 2117 Apr  9 09:49 solr.xml
-rw-r----- 1 solr solr  975 Apr  9 09:49 zoo.cfg

> What happened is that the new core directory was created as root,
> owned by root.

Was it? If my server is running as solr, how can it create directories
as root?

> But then when Solr tried to add the core, it needed to write a
> core.properties file to that directory, but was not able to do so,
> probably because it's running as "solr" and has no write permission
> in a directory owned by root.

That makes absolutely no sense whatsoever. The server is running under a
single egid, and it's 'solr', not 'root'. Also, there is no new
directory in /var/solr/data (owned by either solr OR root) and if Solr
was able to create that directory, it should be able to write to it.

The client may be running as root, but the server is running as 'solr'.
And the error occurs on the server, not the client. So, what's really
going on, here?

> The error in the message from the command with "-force" seems to have
> schizophrenia.

I absolutely edited the log and failed to do so completely.

-chris
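
The HTTP-versus-TLS mismatch described in the message above can be confirmed by looking at the first bytes the port sends back. The following is an added example, not part of the original message or of Solr: the function names and both sample byte strings are constructed for illustration.

```python
import socket
import struct

# TLS record content types and a few alert descriptions (RFC 5246 / RFC 8446).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_ALERTS = {10: "unexpected_message", 40: "handshake_failure",
              50: "decode_error", 70: "protocol_version"}

# Constructed samples: a fatal TLS alert record and a plain HTTP reply.
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020246")
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"


def classify_first_bytes(data: bytes) -> dict:
    """Classify the start of a server reply as HTTP, TLS, empty or unknown."""
    if not data:
        return {"kind": "empty", "hint": "peer closed without replying"}
    if data.startswith(b"HTTP/"):
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "status_line": line}
    if len(data) >= 5:
        # Record header: type(1) | version major(1) minor(1) | length(2)
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
            out = {"kind": "tls", "record": TLS_CONTENT_TYPES[ctype],
                   "hint": "port speaks TLS; the client must use https://"}
            body = data[5:5 + length]
            if ctype == 21 and len(body) >= 2:
                out["alert_level"] = {1: "warning", 2: "fatal"}.get(body[0], str(body[0]))
                out["alert"] = TLS_ALERTS.get(body[1], f"alert_{body[1]}")
            return out
    return {"kind": "unknown", "hint": "neither an HTTP status line nor a TLS record"}


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send a plaintext HTTP request to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        try:
            return classify_first_bytes(sock.recv(64))
        except (ConnectionResetError, socket.timeout):
            return classify_first_bytes(b"")


if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS_ALERT), ("http", SAMPLE_HTTP)):
        print(name, classify_first_bytes(sample))
```

Running `probe("localhost", 8983)` on the Solr host reports `kind: tls` when the listener is TLS-enabled but the client is still speaking plain HTTP.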
