Docker: _start_new_thread(self._bootstrap, ()) RuntimeError: can't start new thread

Open marcobrotto opened this issue 3 years ago • 2 comments

Description of problem:

After installing the latest version of Plaso (20220724) via Docker, I failed to run log2timeline and I received this error:

Checking availability and versions of dependencies.
[OK]


Source path             : /data/samples/evtx/HuntingMetasploit.evtx
Source type             : single file
Processing time         : 00:00:00

Processing started.
Traceback (most recent call last):
  File "/usr/bin/log2timeline.py", line 99, in <module>
    if not Main():
  File "/usr/bin/log2timeline.py", line 73, in Main
    tool.ExtractEventsFromSources()
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 730, in ExtractEventsFromSources
    processing_status = self._ProcessSources(session, storage_writer)
  File "/usr/lib/python3/dist-packages/plaso/cli/extraction_tool.py", line 572, in _ProcessSources
    processing_status = extraction_engine.ProcessSources(
  File "/usr/lib/python3/dist-packages/plaso/single_process/extraction_engine.py", line 333, in ProcessSources
    self._StartStatusUpdateThread()
  File "/usr/lib/python3/dist-packages/plaso/single_process/extraction_engine.py", line 204, in _StartStatusUpdateThread
    self._status_update_thread.start()
  File "/usr/lib/python3.10/threading.py", line 928, in start
    _start_new_thread(self._bootstrap, ())
RuntimeError: can't start new thread

Command line and arguments:

  1. Pull the latest version of log2timeline/plaso from Docker Hub: docker pull log2timeline/plaso
  2. Verify the version is correct: docker run log2timeline/plaso log2timeline.py --version
  3. Copy the Plaso Docker image to a non-Internet-connected system: docker save log2timeline/plaso | gzip -c > saved_docker_image.tgz and then zcat saved_docker_image.tgz | docker load
  4. Run log2timeline: docker run -v `pwd`:/data log2timeline/plaso log2timeline --storage-file /data/samples/plaso/sample.plaso /data/samples/evtx/sysmon_13_1_persistence_via_winlogon_shell.evtx

The last command fails and generates the error described above.

Source data:

Evtx to test: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/raw/master/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx

Plaso version:

20220724

Docker version:

Docker version 20.10.2, build 2291f61

Operating system Plaso is running on:

Linux, Debian

Installation method:

See commands above (Command Line and Arguments)

marcobrotto, Aug 10 '22 10:08

The image was built with

docker --version
Docker version 20.10.17, build aa7e414

joachimmetz, Aug 10 '22 17:08

Per https://stackoverflow.com/questions/70087344/python-in-docker-runtimeerror-cant-start-new-thread

This is because the default seccomp profile of Docker 20.10.9 is not adjusted to support the clone() syscall wrapper of glibc 2.34 adopted in Ubuntu 21.10 and Fedora 35.

Which sounds like a plausible cause, so let's see if you can update Docker first

joachimmetz, Aug 10 '22 17:08
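The mechanism behind the Stack Overflow explanation quoted above, as an added example that is not part of this issue, of plaso, or of Docker: glibc 2.34 implements pthread_create() with the clone3 syscall and falls back to the older clone() only when the kernel answers ENOSYS. An old Docker default seccomp profile refuses any syscall missing from its allow list with EPERM, so clone3 fails, no fallback runs, and CPython reports "can't start new thread". The script below reproduces the thread check, classifies how a seccomp profile (in Docker/OCI JSON form) answers clone3, and writes a patched copy that answers clone3 with ENOSYS so the glibc fallback works. The profile shown is constructed and abbreviated (real profiles list hundreds of syscalls); the function names, the assumption that runc returns EPERM for SCMP_ACT_ERRNO when no errnoRet is given, and the ENOSYS-for-clone3 rule shape are my own choices, not copied from Docker's profile.

```python
"""Diagnose the clone3/seccomp cause of "RuntimeError: can't start new thread"
and produce a patched seccomp profile.  Added example, not plaso or Docker code."""
import copy
import errno
import json
import threading

# Assumption: runc/libseccomp return EPERM for SCMP_ACT_ERRNO when no errnoRet is set.
DEFAULT_ERRNO_RET = errno.EPERM


def thread_start_works() -> bool:
    """True if this process can spawn a thread; False is the symptom from the issue.
    Run it inside the container to confirm the failure is thread creation itself."""
    try:
        t = threading.Thread(target=lambda: None)
        t.start()
        t.join()
        return True
    except RuntimeError:
        return False


def clone3_disposition(profile: dict) -> str:
    """Classify how a Docker/OCI seccomp profile (dict form of the JSON) answers clone3.

    'allow'  : clone3 permitted, threads work
    'enosys' : refused with ENOSYS, glibc falls back to clone(), threads work
    'eperm'  : refused with any other action or errno, threads fail as in the issue
    """
    for rule in profile.get("syscalls", []):
        if "clone3" not in rule.get("names", []):
            continue
        if rule.get("action") == "SCMP_ACT_ALLOW":
            return "allow"
        if (rule.get("action") == "SCMP_ACT_ERRNO"
                and rule.get("errnoRet", DEFAULT_ERRNO_RET) == errno.ENOSYS):
            return "enosys"
        return "eperm"
    # clone3 not listed explicitly: the profile's default action decides.
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return "allow"
    if (profile.get("defaultAction") == "SCMP_ACT_ERRNO"
            and profile.get("defaultErrnoRet", DEFAULT_ERRNO_RET) == errno.ENOSYS):
        return "enosys"
    return "eperm"


def with_clone3_fallback(profile: dict) -> dict:
    """Copy of `profile` with an explicit clone3 -> ENOSYS rule.  This is a
    workaround for a host that cannot be upgraded; upgrading Docker is the fix."""
    patched = copy.deepcopy(profile)
    rules = []
    for rule in patched.get("syscalls", []):
        # Strip clone3 from existing rules: libseccomp rejects two plain rules
        # for the same syscall with different actions.
        names = [n for n in rule.get("names", []) if n != "clone3"]
        if names:
            rule["names"] = names
            rules.append(rule)
    rules.insert(0, {
        "names": ["clone3"],
        "action": "SCMP_ACT_ERRNO",
        "errnoRet": errno.ENOSYS,
        "comment": "added here: let glibc 2.34+ fall back to clone()",
    })
    patched["syscalls"] = rules
    return patched


# Constructed, abbreviated profile modelling an old Docker default: an allow
# list written before clone3 existed, everything else refused with EPERM.
OLD_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["clone", "futex", "mmap", "read", "write", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
    ],
}


def main() -> None:
    print("thread start in this process :", "ok" if thread_start_works() else "FAILS")
    print("clone3 under OLD_PROFILE     :", clone3_disposition(OLD_PROFILE))
    fixed = with_clone3_fallback(OLD_PROFILE)
    print("clone3 under patched profile :", clone3_disposition(fixed))
    # Use with: docker run --security-opt seccomp=patched-seccomp.json ...
    with open("patched-seccomp.json", "w") as fh:
        json.dump(fixed, fh, indent=2)


if __name__ == "__main__":
    main()
```

To confirm the diagnosis on a host like the reporter's, run the thread check inside the image (for example with python3 -c and the body of thread_start_works); if it fails under the default profile and succeeds with --security-opt seccomp=unconfined, the seccomp profile is the cause. Leave unconfined as a diagnostic only: it removes the whole syscall filter, whereas the patched profile changes one answer. Updating Docker, as done in this thread, is the proper fix; to my understanding the default profile was adjusted in 20.10.10, which is consistent with 20.10.2 failing and 20.10.17 working here.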

per separate conversation updated version of Docker did the trick

joachimmetz, Aug 31 '22 17:08