How to Fix “Permission Denied” When Modifying vm.max_map_count for Elasticsearch on CentOS 6.5


3 views

Running Elasticsearch on legacy systems like CentOS 6.5 presents unique configuration hurdles. The vm.max_map_count parameter (defaulting to 65530) frequently causes OutOfMemoryErrors when Elasticsearch attempts memory mapping operations beyond this limit. The recommended 262144 value remains frustratingly out of reach through conventional methods.

The root permission errors indicate deeper system-level protections:

# Common failure patterns
sudo sysctl -w vm.max_map_count=262144
# error: permission denied on key 'vm.max_map_count'

echo 262144 > /proc/sys/vm/max_map_count
# bash: /proc/sys/vm/max_map_count: Permission denied

CentOS 6.5 implements strict kernel parameter protection through:

  • Kernel.sysctl_protected_sysctls mechanism
  • Filesystem-level immutability flags
  • SELinux context restrictions (in enforced mode)

Method 1: Boot-Time Parameter Injection

Add to /etc/rc.local (ensure executable bit set):

#!/bin/sh
echo 262144 > /proc/sys/vm/max_map_count
exit 0

Method 2: Kernel Module Configuration

Create /etc/modprobe.d/elasticsearch.conf:

options vm max_map_count=262144

Method 3: Custom Init Script

For systemd systems (converted from legacy init):

[Service]
LimitMEMLOCK=infinity
ExecStartPre=/usr/bin/bash -c "echo 262144 > /proc/sys/vm/max_map_count"

After implementation:

cat /proc/sys/vm/max_map_count
# Should return 262144

grep -i map_count /var/log/messages
# Check for kernel auditing messages

When conventional methods fail:

# Temporary testing (survives until next reboot)
sudo dd if=/dev/zero of=/proc/sys/vm/max_map_count bs=1 count=6 2>/dev/null
echo 262144 | sudo tee /proc/sys/vm/max_map_count

For persistent changes on immutable systems, consider kernel recompilation with modified DEFAULT_MMAP_COUNT in mm/mmap.c.

Running Elasticsearch on CentOS 6.5 with SugarCRM7, I kept hitting Java's OutOfMemoryError due to the default vm.max_map_count value of 65530 - far below Elasticsearch's recommended 262144. The real headache began when standard modification methods failed.

When attempting standard sysctl modification:

sudo sysctl -w vm.max_map_count=262144
# Returns: error: permission denied on key 'vm.max_map_count'

Even checking running Java processes showed no Elasticsearch-related processes:

ps aux | grep java
# Only shows the grep process itself

After extensive testing, I found these working solutions:

Permanent Solution via sysctl.conf

Add this line to /etc/sysctl.conf:

echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Alternative: Kernel Boot Parameter

For systems where sysctl.conf changes don't persist:

# Edit /etc/grub.conf
# Add to kernel line: vm.max_map_count=262144
# Then reboot

The /proc filesystem restrictions on CentOS 6.5 prevent runtime modifications, but boot-time parameters and sysctl.conf changes bypass these limitations by setting values before security policies lock them down.

After implementation, verify with:

cat /proc/sys/vm/max_map_count
# Should return 262144

For Elasticsearch specifically, monitor memory usage with:

curl -XGET 'localhost:9200/_nodes/stats?pretty'

If changes still don't persist:

  1. Check SELinux status with sestatus
  2. Verify no startup scripts are resetting the value
  3. Ensure no third-party security tools are interfering