Cortex
Cortex does not start correctly and brings strange warning messages about Docker even though it is not installed
Request Type
Bug
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | RHEL 7 |
| OS version (client) | 10 |
| Cortex version / git hash | 3.0.1 |
| Package Type | Binary |
Problem Description
Cortex fails to start Analyzers (e.g. MISP) with strange error messages. In this setup there is no Docker installed and everything comes from local files (classic mode).
There are some strange warnings about missing cortexutils for python/python3, but it is installed for both python versions.
Is it required to install docker to use Cortex with Cortex 3?
Complementary information
If I directly start Cortex as the cortex user (for testing purposes only) with `/opt/cortex/bin/cortex -Dconfig.file=/etc/cortex/application.conf -Dlogger.file=/etc/cortex/logback.xml`, I can see the following strange errors:
```
[info] o.r.Reflections - Reflections took 124 ms to scan 2 urls, producing 99 keys and 979 values
[info] module - Loading model class org.thp.cortex.models.OrganizationModel
[info] module - Loading model class org.thp.cortex.models.ArtifactModel
[info] module - Loading model class org.thp.cortex.models.WorkerConfigModel
[info] module - Loading model class org.elastic4play.services.DBListModel
[info] module - Loading model class org.thp.cortex.models.ReportModel
[info] module - Loading model class org.elastic4play.services.AttachmentModel
[info] module - Loading model class org.thp.cortex.models.WorkerModel
[info] module - Loading model class org.thp.cortex.models.JobModel
[info] module - Loading model class org.thp.cortex.models.UserModel
[info] module - Loading model class org.thp.cortex.models.AuditModel
[info] module - Loading authentication module class org.thp.cortex.services.LocalAuthSrv
[info] module - Loading authentication module class org.elastic4play.services.auth.LdapAuthSrv
[info] module - Loading authentication module class org.elastic4play.services.auth.ADAuthSrv
[info] module - Loading authentication module class org.thp.cortex.services.KeyAuthSrv
[info] module - Loading authentication module class org.thp.cortex.services.OAuth2Srv
[info] a.e.s.Slf4jLogger - Slf4jLogger started
[info] c.s.e.h.ElasticClient$ - Creating HTTP client on http://127.0.0.1:9200
[warn] application - /etc/cortex/application.conf: 144: analyzer.path is deprecated, use analyzer.urls instead
[info] o.a.h.i.e.RetryExec - I/O exception (java.io.IOException) caught when processing request to {}->unix://localhost:80: No such file or directory
[info] o.a.h.i.e.RetryExec - Retrying request to {}->unix://localhost:80
[info] o.a.h.i.e.RetryExec - I/O exception (java.io.IOException) caught when processing request to {}->unix://localhost:80: No such file or directory
[info] o.a.h.i.e.RetryExec - Retrying request to {}->unix://localhost:80
[info] o.a.h.i.e.RetryExec - I/O exception (java.io.IOException) caught when processing request to {}->unix://localhost:80: No such file or directory
[info] o.a.h.i.e.RetryExec - Retrying request to {}->unix://localhost:80
[info] o.t.c.s.DockerJobRunnerSrv - Docker is not available
com.spotify.docker.client.exceptions.DockerException: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: java.io.IOException: No such file or directory
at com.spotify.docker.client.DefaultDockerClient.propagate(DefaultDockerClient.java:2828)
at com.spotify.docker.client.DefaultDockerClient.request(DefaultDockerClient.java:2692)
at com.spotify.docker.client.DefaultDockerClient.info(DefaultDockerClient.java:595)
at org.thp.cortex.services.DockerJobRunnerSrv.$anonfun$isAvailable$2(DockerJobRunnerSrv.scala:47)
at play.api.LoggerLike.info(Logger.scala:160)
at play.api.LoggerLike.info$(Logger.scala:157)
at play.api.Logger.info(Logger.scala:251)
at org.thp.cortex.services.DockerJobRunnerSrv.$anonfun$isAvailable$1(DockerJobRunnerSrv.scala:47)
at scala.runtime.java8.JFunction0$mcZ$sp.apply(JFunction0$mcZ$sp.java:23)
at scala.util.Try$.apply(Try.scala:213)
Caused by: java.util.concurrent.ExecutionException: javax.ws.rs.ProcessingException: java.io.IOException: No such file or directory
at jersey.repackaged.com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:299)
at jersey.repackaged.com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:286)
at jersey.repackaged.com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116)
at com.spotify.docker.client.DefaultDockerClient.request(DefaultDockerClient.java:2690)
at com.spotify.docker.client.DefaultDockerClient.info(DefaultDockerClient.java:595)
at org.thp.cortex.services.DockerJobRunnerSrv.$anonfun$isAvailable$2(DockerJobRunnerSrv.scala:47)
at play.api.LoggerLike.info(Logger.scala:160)
at play.api.LoggerLike.info$(Logger.scala:157)
at play.api.Logger.info(Logger.scala:251)
at org.thp.cortex.services.DockerJobRunnerSrv.$anonfun$isAvailable$1(DockerJobRunnerSrv.scala:47)
Caused by: javax.ws.rs.ProcessingException: java.io.IOException: No such file or directory
at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:481)
at org.glassfish.jersey.apache.connector.ApacheConnector$1.run(ApacheConnector.java:491)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at jersey.repackaged.com.google.common.util.concurrent.MoreExecutors$DirectExecutorService.execute(MoreExecutors.java:299)
at java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:112)
at jersey.repackaged.com.google.common.util.concurrent.AbstractListeningExecutorService.submit(AbstractListeningExecutorService.java:50)
at jersey.repackaged.com.google.common.util.concurrent.AbstractListeningExecutorService.submit(AbstractListeningExecutorService.java:37)
at org.glassfish.jersey.apache.connector.ApacheConnector.apply(ApacheConnector.java:487)
at org.glassfish.jersey.client.ClientRuntime$2.run(ClientRuntime.java:178)
Caused by: java.io.IOException: No such file or directory
at jnr.unixsocket.UnixSocketChannel.doConnect(UnixSocketChannel.java:127)
at jnr.unixsocket.UnixSocketChannel.connect(UnixSocketChannel.java:136)
at jnr.unixsocket.UnixSocketChannel.connect(UnixSocketChannel.java:223)
at com.spotify.docker.client.UnixConnectionSocketFactory.connectSocket(UnixConnectionSocketFactory.java:85)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
Traceback (most recent call last):
File "/usr/local/bin/pip", line 7, in <module>
from pip._internal.cli.main import main
ModuleNotFoundError: No module named 'pip._internal'
Traceback (most recent call last):
File "/usr/local/bin/pip", line 7, in <module>
from pip._internal.cli.main import main
ModuleNotFoundError: No module named 'pip._internal'
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python hasn't been found
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python hasn't been found
Traceback (most recent call last):
File "/bin/pip2", line 7, in <module>
from pip._internal.cli.main import main
ImportError: No module named pip._internal.cli.main
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python2 hasn't been found
Traceback (most recent call last):
File "/bin/pip2", line 7, in <module>
from pip._internal.cli.main import main
ImportError: No module named pip._internal.cli.main
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python2 hasn't been found
Traceback (most recent call last):
File "/usr/local/bin/pip3", line 7, in <module>
from pip._internal.cli.main import main
ModuleNotFoundError: No module named 'pip._internal'
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python3 hasn't been found
Traceback (most recent call last):
File "/usr/local/bin/pip3", line 7, in <module>
from pip._internal.cli.main import main
ModuleNotFoundError: No module named 'pip._internal'
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python3 hasn't been found
[info] o.t.c.s.WorkerSrv - New worker list:
IPVoid 1.0
HIBP_Query 2.0
DNSSinkhole 1.0
Cyberprotect_ThreatScore 1.0
Autofocus_SearchJSON 1.0
DomainTools_Reputation 2.0
[...]
Mnemonic_pDNS_Closed 3.0
UnshortenLink 1.2
[info] play.api.Play - Application started (Prod)
[info] p.c.s.AkkaHttpServer - Enabling HTTP/2 on Akka HTTP server...
[info] p.c.s.AkkaHttpServer - Listening for HTTP on /0.0.0.0:9001
^[[5~ ^C[info] p.c.s.AkkaHttpServer - Stopping server...
```
Cortex is started and working correctly; nevertheless, systemd also seems to have a strange status:
```
systemctl status cortex
* cortex.service - cortex
   Loaded: loaded (/etc/systemd/system/cortex.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Mon 2020-05-04 08:28:17 CDT; 17min ago
     Docs: https://thehive-project.org
  Process: 89796 ExecStart=/opt/cortex/bin/cortex -Dconfig.file=/etc/cortex/application.conf -Dlogger.file=/etc/cortex/logback.xml -Dpidfile.path=/dev/null (code=exited, status=255)
 Main PID: 89796 (code=exited, status=255)

May 04 08:28:09 hostname systemd[1]: Started cortex.
May 04 08:28:17 hostname systemd[1]: cortex.service: main process exited, code=exited, status=255/n/a
May 04 08:28:17 hostname systemd[1]: Unit cortex.service entered failed state.
May 04 08:28:17 hostname systemd[1]: cortex.service failed.
```
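In the startup log above, every "cortexutils ... hasn't been found" warning directly follows a traceback from a pip launcher that cannot import `pip._internal`, so the warning may reflect a failed check rather than a missing package. The following is an added example (not part of the issue and not Cortex code) that separates the conditions such a log reports; the sample log is constructed from the lines above, with the python3 warning deliberately left without a traceback to show the other branch, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample, abridged from the kinds of lines in the startup log above.
SAMPLE_LOG = """\
[warn] application - /etc/cortex/application.conf: 144: analyzer.path is deprecated, use analyzer.urls instead
[info] o.t.c.s.DockerJobRunnerSrv - Docker is not available
Traceback (most recent call last):
  File "/usr/local/bin/pip", line 7, in <module>
    from pip._internal.cli.main import main
ModuleNotFoundError: No module named 'pip._internal'
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python hasn't been found
Traceback (most recent call last):
  File "/bin/pip2", line 7, in <module>
    from pip._internal.cli.main import main
ImportError: No module named pip._internal.cli.main
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python2 hasn't been found
[warn] o.t.c.s.JobRunnerSrv - The package cortexutils for python3 hasn't been found
[info] play.api.Play - Application started (Prod)
"""

PIP_FILE = re.compile(r'File "([^"]*pip[0-9.]*)", line \d+')
PIP_ERR = re.compile(r"^(?:ModuleNotFoundError|ImportError): No module named '?pip\._internal")
MISSING = re.compile(r"JobRunnerSrv - The package cortexutils for (\S+) hasn't been found")
DEPRECATED = re.compile(r"(\S+) is deprecated, use (\S+) instead")

def triage(log_text):
    """Summarise a startup log. For each cortexutils warning, record whether a
    pip launcher crashed just before it (the check itself failed) or not."""
    result = {"docker_unavailable": False, "deprecated_keys": [],
              "cortexutils": {}, "started": False}
    launcher, crashed = None, None
    for line in log_text.splitlines():
        if m := PIP_FILE.search(line):
            launcher = m.group(1)                      # which pip script is failing
        elif PIP_ERR.match(line):
            crashed, launcher = launcher or "(unknown)", None
        elif m := MISSING.search(line):
            # setdefault keeps the first verdict when the warning is repeated
            verdict = f"pip launcher {crashed} crashed" if crashed else "no pip crash logged before warning"
            result["cortexutils"].setdefault(m.group(1), verdict)
            crashed = None
        elif "DockerJobRunnerSrv - Docker is not available" in line:
            result["docker_unavailable"] = True
        elif m := DEPRECATED.search(line):
            result["deprecated_keys"].append((m.group(1), m.group(2)))
        elif "Application started" in line:
            result["started"] = True
    return result
```

A "pip launcher ... crashed" verdict points at repairing that pip script first; importing `cortexutils` directly with the matching interpreter confirms whether the package itself is present.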
True, it's really annoying. I even created a Dockerfile using the Cortex binary and I see this issue. It sounds like they require the Docker dependency, although it's not required. I am also awaiting a response from the Cortex founders. Unfortunately, there has been no response on their end to any questions.
Hello @crackytsi can you share the config file?
Config looks like this:
```
play.http.secret.key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
MISP {
  url=["https://XXXXX"]
  key=["YYYYYYYYYYYYYYYYYYYYYYYYYYY"]
  certpath=["/opt/Cortex-Analyzers/analyzers/MISP/misp.pem"]
  name=["MISP"]
}
search {
  index = cortex
  uri = "http://127.0.0.1:9200"
}
auth {
  provider = [local]
  ad {
  }
  ldap {
  }
}
analyzer {
  path = ["/opt/Cortex-Analyzers/analyzers"]
  fork-join-executor {
    parallelism-min = 2
    parallelism-factor = 2.0
    parallelism-max = 4
  }
}
responder {
  path = ["/opt/Cortex-Analyzers/responders"]
  fork-join-executor {
    parallelism-min = 2
    parallelism-factor = 2.0
    parallelism-max = 4
  }
}
```
Any news on this? Can it be safely ignored?
Do you start it as a Docker container? If yes, what does your docker-compose file, or your docker commands, look like?
No, I do not use Docker
Any updates on this topic?
Just hit the same issue with Cortex running in a Docker container and making the worker use the Docker Engine installed on the host (via bind mounting /var/run/docker.sock).
Why is Cortex trying to connect to unix://localhost:80 socket instead of /var/run/docker.sock?
Hi! Since I'm not running analyzers/responders as Docker containers, I've tried setting the start_docker environment variable to 0, but they continue to appear. Any news about this? Has anyone managed to solve those errors? Thanks!
Hi! For me, these docker-compose settings work:
```yaml
version: "2"
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.9
    environment:
      - http.host=0.0.0.0
      - discovery.type=single-node
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - "0.0.0.0:9300:9300"
  cortex:
    image: thehiveproject/cortex:latest
    ports:
      - "0.0.0.0:9001:9001"
  thehive:
    image: thehiveproject/thehive:latest
    depends_on:
      - elasticsearch
      - cortex
    ports:
      - "0.0.0.0:9000:9000"
```
Using Ubuntu 22.04.