SecurityOnion 2.3.80 install error

[osotob]

Hi
I tried to install 2.3.80 from network (bash so-setup-network). It fails both evaluation and standalone. Log from /root/sosetup.log:

[ERROR ] Container 'so-elasticsearch' is already configured as specified. Failed to start container 'so-elasticsearch': 'Error 400: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:495: container init caused: rootfs_linux.go:60: mounting "/opt/so/conf/elasticsearch/users" to rootfs at "/var/lib/docker/overlay2/85e753944619de8050760c85ae6719c2b657ff69520189f4953e9dcffc03cb0f/merged/usr/share/elasticsearch/config/users" caused: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type'.

[INFO ] {'pid': 184927, 'retcode': 0, 'stdout': "Waiting for ElasticSearch....................................................................................................................................................................................................................................................\nConnection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'\n\nLoading templates...\nso-beats\n\nso-common\n\nso-firewall\n\nso-flow\n\nso-ids\n\nso-import\n\nso-osquery\n\nso-ossec\n\nso-strelka\n\nso-syslog\n\nso-zeek", 'stderr': ''}

When trying to restart elastic:

[ERROR ] Source file salt://elasticsearch/files/users not found in saltenv 'base'
[ERROR ] Source file salt://elasticsearch/files/users_roles not found in saltenv 'base'
[ERROR ] {'container_id': {'added': '6c3278404eecc40f127bb76539cb3c505f9a66e7e5448ed7f42c319113a9ee99'}}

Any help please?
Thanks

[jertel]

It looks like the so-user sync process failed to generate the Elasticsearch users and users_roles file. If that's the case there would be other logging related to that command earlier in the installation process. Also check /opt/so/log/soc/sync.log.

[osotob]

Hi jertel
The sync.log is full of this lines:

Another process is using so-user; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually.
Another process is using so-user; if the system was not shutdown gracefully you may need to remove /var/tmp/so-user.lock manually.

I've tested the upgrade from 53 to 80 in a VM and it also fails to install. Same error. Something is not working right with the network upgrade.

Thanks

[dougburks]

Per the message, have you tried removing /var/tmp/so-user.lock?

Have you tried wiping the machine and performing a fresh OS installation?

[osotob]

Hi
Yes. At the end I did a fresh OS install. Now it works ok but the problem is that I wanted to upgrade the old version so I didn't lose the data.
Anyway thanks for help