Elasticsearch Service Fails to Start

So this is the second RockNSM server I’ve built. The previous one was just a test, making sure that I understood how it worked and getting a baseline on my firewall, as far as where it was talking and such. Y’all helped me greatly there. Now I’m trying to get my home production Rock server built, and I’m having some major issues…
Everything runs great, until the Deploy phase of the process. Halfway through running the installer, it consistently fails to start the Elasticsearch service. It appears that the root cause might be a Java runtime issue, but I’m still quite new to this NSM. Please see the attached screenshots, and if you have an idea of what I am doing wrong, PLEASE let me know. I’m on my 8th attempt at rebuilding this server from scratch, and I’m not any closer to figuring out the issue. Thank you!

Looks like settings that are only compatible with JDK version 10 or later. Saw a pull request for this today.
if you look inside of


you should be able to comment out


So that kinda works… Lol. If I go in there and comment those items out, I can then start Elasticsearch, so thank you. However, I still have a problem. It errors out during the installation of components, and thus never installs the last five components. I run the rock setup command, select all services BUT Elasticsearch, and enable all components BUT Elasticsearch. I figured that, since it is obviously already installed, I should be able to do that. However, the installer overwrites the mentioned items in /etc/elasticsearch/jvm.options. Then it fails to start Elasticsearch and never installs the remaining five components.
This is my first foray into the world of Centos, as I usually use Ubuntu and Debian, and even then I’m not a rockstar in either of those flavors of Linux. Is there something that I can do to prevent that particular section of the jvm.options from being changed?

Thank you much for your help thus far. You’ve gotten me much farther than I was able to on my own.

I would go to /etc/rocknsm/config.yml

set elasticsearch to false, then run sudo rock deploy… I’ve had issues in the past with the rock setup.

When I do new deploys I actually just run the sudo rock genconfig command, then go to the above location and set the pieces that I want to true/false for installed or enabled (for instance, I install zeek and suricata but don’t enable them, as I’m specifically just using them to parse historic pcap files). Then run rock deploy.

@Thibs (or anyone else that wants to jump in here)

Still no dice… I’ve even gone so far as to create an entirely new VM:

  1. then sudo rock genconfig
  2. then sudo vi /etc/rocknsm/config.yml
  3. for Elasticsearch entry:
    a. Enable: false
    b. Install: false (I’ve also run these same steps with Install: true)
  4. sudo rock deploy (fails at Elasticsearch)
  5. sudo vi /etc/elasticsearch/jvm.options
    a. #-XX:+UseConcMarkSweepGC
    b. #-XX:CMSInitiatingOccupancyFraction=75
    c. #-XX:+UseCMSInitiatingOccupancyOnly
  6. Checked /etc/rocknsm/config.yml to ensure it was still showing false for Elasticsearch
  7. sudo rock deploy

It still failed. After each failure, I would go back into /etc/elasticsearch/jvm.options and see that the three lines had been un-commented again.

What I don’t understand is, what exactly changed in just a week and a half? I had no issues at all installing on my test box. This last try I actually rebuilt the VM exactly the same as my initial good box, and selected exactly the same settings in Anaconda as I did when I installed my first good box. I am running an Online install, so I’m guessing that something up the line in a repo is all messed up?

Either way, this is beginning to get a bit frustrating. However, if one of you Rock vets helps me to see a super simple solution, or a stupid mistake that I’ve made, I would be extremely grateful! I’m not above a bit of humility :stuck_out_tongue:

I get the same results @hellix22. I have been trying to install Rock for the last two days and the same thing you called out above happens. Even if you set elasticsearch to false, the jvm.options file gets overwritten and causes the same result. Install fails, of course. My next option is to try and install without elasticsearch completely.

Okay, figured it out. If you go to /usr/share/rock/roles/elasticsearch/templates/es-jvm.options.j2 and make the same changes as suggested by @Thibs, you can work around the problem. The template is what keeps overwriting the file. Once you make this change and run rock deploy you should be good.
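The workaround the last two posts arrive at (comment out the three CMS garbage-collector flags, and do it in the Ansible template as well so `rock deploy` stops re-rendering them into /etc/elasticsearch/jvm.options), written up as an added shell example. This is not RockNSM's own code: the two paths are the ones named in the thread, the function names are my own, and it assumes a `sed` that accepts `-E` (GNU sed on CentOS does). The sample jvm.options content in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example (not RockNSM's own code): comment out the three CMS garbage-collector
# flags that the thread identifies as the reason Elasticsearch fails to start.
# Because `rock deploy` re-renders /etc/elasticsearch/jvm.options from the Ansible
# template, both files are patched so the change survives another deploy.
# Function names are my own; the two paths are the ones named in the thread.

# Comment out any active CMS flag lines in FILE, in place, keeping a .bak copy.
# Already-commented lines start with '#' and are not matched, so running this
# twice does not double-comment anything.
comment_cms_flags() {
    file="$1"
    [ -f "$file" ] || { echo "comment_cms_flags: no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    out="$file.new.$$"
    # An optional JDK-range prefix (e.g. 8-13:) is kept and commented out with the flag.
    # The result is written back through the existing file so owner and mode are preserved
    # (jvm.options is normally readable by the elasticsearch group only).
    sed -E \
        's/^(([0-9]+(-[0-9]+)?:)?-XX:([+]UseConcMarkSweepGC|CMSInitiatingOccupancyFraction=[0-9]+|[+]UseCMSInitiatingOccupancyOnly))[[:space:]]*$/#\1/' \
        "$file" > "$out" && cat "$out" > "$file" && rm -f "$out"
}

# Print how many CMS flag lines in FILE are still active (not commented out).
# 0 is the state the thread's workaround needs before `rock deploy` is re-run.
count_active_cms_flags() {
    grep -cE '^([0-9]+(-[0-9]+)?:)?-XX:([+]UseConcMarkSweepGC|CMSInitiatingOccupancyFraction=[0-9]+|[+]UseCMSInitiatingOccupancyOnly)' "$1" || true
}

# Patch the rendered jvm.options and the RockNSM template that regenerates it.
# Files not present on this host are skipped; at least one must exist.
# Run as root (sudo); then `sudo rock deploy` and check `systemctl status elasticsearch`.
patch_rock_es_jvm_options() {
    patched=0
    for f in /etc/elasticsearch/jvm.options \
             /usr/share/rock/roles/elasticsearch/templates/es-jvm.options.j2; do
        [ -f "$f" ] || continue
        comment_cms_flags "$f" || return 1
        echo "$f: $(count_active_cms_flags "$f") active CMS flag(s) remaining"
        patched=1
    done
    [ "$patched" -eq 1 ]
}

# Constructed sample of the relevant jvm.options lines, for a dry run on a scratch file:
#   printf '%s\n' '-XX:+UseConcMarkSweepGC' '-XX:CMSInitiatingOccupancyFraction=75' \
#       '-XX:+UseCMSInitiatingOccupancyOnly' '-Xms1g' > /tmp/jvm.options.sample
#   comment_cms_flags /tmp/jvm.options.sample && count_active_cms_flags /tmp/jvm.options.sample
```

Two practitioner caveats: the template lives under /usr/share/rock, so an update of the rock package may put the original lines back and the script would need re-running; and `comment_cms_flags` leaves a `.bak` copy next to each file, which you may want to remove once Elasticsearch is confirmed running.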