Can not run Metabase as a service on Centos 7

gmil · November 18, 2021, 5:06pm

Hello everyone,

I am facing some difficulties to run Metabase as a service on Centos 7 with systemd.

When I run the following command in CLI, it works.

java -Xms2G -Xmx2G -DMB_JETTY_HOST=0.0.0.0 -DMB_JETTY_PORT=80 -DMB_EMOJI_IN_LOGS=false -DMB_PASSWORD_COMPLEXITY=strong -DMB_PASSWORD_LENGTH=10 -DMB_DB_TYPE=postgres -DMB_DB_DBNAME=metabase -DMB_DB_PORT=5432 -DMB_DB_USER=metabase -DMB_DB_PASS='aStrongPassword' -DMB_DB_HOST=dbserver.sub.example.com -jar metabase.jar

But if I put it in my metabase.service file, it will not start with the following error message :

Nov 18 17:57:47 metabase metabase: WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Nov 18 17:57:48 metabase metabase: 2021-11-18 17:57:48,625 INFO metabase.util :: Maximum memory available to JVM: 2.0 GB
Nov 18 17:58:00 metabase metabase: 2021-11-18 17:58:00,740 INFO util.encryption :: Saved credentials encryption is DISABLED for this Metabase instance.
Nov 18 17:58:00 metabase metabase: For more information, see https://metabase.com/docs/latest/operations-guide/encrypting-database-details-at-rest.html
Nov 18 17:58:04 metabase metabase: 2021-11-18 17:58:04,553 INFO driver.impl :: #033[34mRegistered abstract driver :sql#033[0m
Nov 18 17:58:04 metabase metabase: #033[32m ↙ Load driver :sql took 760.9 ms#033[0m
Nov 18 17:58:04 metabase metabase: 2021-11-18 17:58:04,571 INFO driver.impl :: #033[34mRegistered abstract driver :sql-jdbc#033[0m (parents: [:sql])
Nov 18 17:58:04 metabase metabase: #033[32mLoad driver :sql-jdbc took 783.5 ms#033[0m
Nov 18 17:58:04 metabase metabase: 2021-11-18 17:58:04,580 INFO driver.impl :: #033[34mRegistered driver :h2#033[0m (parents: [:sql-jdbc])
Nov 18 17:58:04 metabase metabase: 2021-11-18 17:58:04,605 INFO driver.impl :: #033[34mRegistered driver :mysql#033[0m (parents: [:sql-jdbc])
Nov 18 17:58:05 metabase metabase: 2021-11-18 17:58:05,318 INFO driver.impl :: #033[34mRegistered driver :postgres#033[0m (parents: [:sql-jdbc])
Nov 18 17:58:07 metabase metabase: 2021-11-18 17:58:07,712 INFO metabase.core ::
Nov 18 17:58:07 metabase metabase: Metabase v0.41.1 (76aa4a5 release-x.41.x)
Nov 18 17:58:07 metabase metabase: Copyright © 2021 Metabase, Inc.
Nov 18 17:58:07 metabase metabase: Metabase Enterprise Edition extensions are NOT PRESENT.
Nov 18 17:58:07 metabase metabase: 2021-11-18 17:58:07,724 WARN metabase.core :: WARNING: You have enabled namespace tracing, which could log sensitive information like db passwords.
Nov 18 17:58:07 metabase metabase: 2021-11-18 17:58:07,724 INFO metabase.core :: Starting Metabase in STANDALONE mode
Nov 18 17:58:07 metabase metabase: 2021-11-18 17:58:07,811 INFO metabase.server :: Launching Embedded Jetty Webserver with config:
Nov 18 17:58:07 metabase metabase: {:port 80, :host "0.0.0.0"}
Nov 18 17:58:07 metabase metabase: 2021-11-18 17:58:07,851 ERROR metabase.core :: Metabase Initialization FAILED
Nov 18 17:58:07 metabase metabase: java.io.IOException: Failed to bind to /0.0.0.0:80
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:349)
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:310)
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80)
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.server.Server.doStart(Server.java:401)
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Nov 18 17:58:07 metabase metabase: at metabase.server$start_web_server_BANG_.invokeStatic(server.clj:114)
Nov 18 17:58:07 metabase metabase: at metabase.server$start_web_server_BANG_.invoke(server.clj:100)
Nov 18 17:58:07 metabase metabase: at metabase.core$start_normally.invokeStatic(core.clj:133)
Nov 18 17:58:07 metabase metabase: at metabase.core$start_normally.invoke(core.clj:129)
Nov 18 17:58:07 metabase metabase: at metabase.core$_main.invokeStatic(core.clj:168)
Nov 18 17:58:07 metabase metabase: at metabase.core$_main.doInvoke(core.clj:162)
Nov 18 17:58:07 metabase metabase: at clojure.lang.RestFn.invoke(RestFn.java:397)
Nov 18 17:58:07 metabase metabase: at clojure.lang.AFn.applyToHelper(AFn.java:152)
Nov 18 17:58:07 metabase metabase: at clojure.lang.RestFn.applyTo(RestFn.java:132)
Nov 18 17:58:07 metabase metabase: at metabase.core.main(Unknown Source)
Nov 18 17:58:07 metabase metabase: Caused by: java.net.SocketException: Permission denied
Nov 18 17:58:07 metabase metabase: at java.base/sun.nio.ch.Net.bind0(Native Method)
Nov 18 17:58:07 metabase metabase: at java.base/sun.nio.ch.Net.bind(Net.java:455)
Nov 18 17:58:07 metabase metabase: at java.base/sun.nio.ch.Net.bind(Net.java:447)
Nov 18 17:58:07 metabase metabase: at java.base/sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:227)
Nov 18 17:58:07 metabase metabase: at java.base/sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:80)
Nov 18 17:58:07 metabase metabase: at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:344)
Nov 18 17:58:07 metabase metabase: ... 16 more

I see the :

java.io.IOException: Failed to bind to /0.0.0.0:80

But, I don't why it can't bind it. SELinux is in permissive during test and there is no other service that is using the port 80.
Also, if I remove the MB_JETTY_PORT=80 variable, it starts using the port 3000 but only on IPv6...

Here is my metabase.service file :

[Unit]
Description=Metabase server
After=syslog.target
After=network.target

[Service]
WorkingDirectory=/opt/metabase/
ExecStart=/usr/bin/java -Xms2G -Xmx2G -DMB_JETTY_HOST=0.0.0.0 -DMB_JETTY_PORT=80 -DMB_EMOJI_IN_LOGS=false -DMB_PASSWORD_COMPLEXITY=strong -DMB_PASSWORD_LENGTH=10 -DMB_DB_TYPE=postgres -DMB_DB_DBNAME=metabase -DMB_DB_PORT=5432 -DMB_DB_USER=metabase -DMB_DB_PASS='aStrongPassword' -DMB_DB_HOST=dbserver.sub.example.com -jar metabase.jar
User=metabase
Type=simple
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=metabase
SuccessExitStatus=143
TimeoutStopSec=120
Restart=always

[Install]
WantedBy=multi-user.target

Any idea ?

flamber · November 18, 2021, 5:14pm

Hi @gmil
It's not SELinux, but the kernel that doesn't allow that. I don't use Centos, but I guess it's similar.
https://unix.stackexchange.com/questions/10735/allowing-a-user-to-let-listen-to-a-port-below-1024
I would generally recommend setting up a reverse-proxy, so you can handle certificates and stuff like that there and just proxy to Metabase.

gmil · November 19, 2021, 5:05pm

Hello @flamber,

It is a good point. We usually use a shared WAF that filters and redirects traffic to our different web app.

My original problem was that I could not make Java listen on 0.0.0.0:3000, it was stuck on ::1:3000 until I put the argument -Djava.net.preferIPv4Stack=true in my java command… So it is fixed now and work perfectly

Thank you !