
can't create new case in multi-user mode 4.22x // Unable to access ZooKeeper

Open chrismade opened this issue 5 months ago • 1 comments

**bug report**

situation

I run Autopsy in multi-user mode, and I set up a separate server to provide Postgres, ActiveMQ, Solr and ZooKeeper.

While creating new cases in 4.21.0 is still working as expected, it is throwing an error in 4.22.0 and 4.22.1:

org.sleuthkit.autopsy.coordinationservice.CoordinationService$CoordinationServiceException: Unable to access ZooKeeper

With this error, no new case was created.

Also, the "test" procedure in options > multi-user settings is showing red instead of green in approx. 9 out of 10 cases for ZooKeeper, while Postgres, ActiveMQ and Solr have no issues.

  • To me it seems that the code in Autopsy to check connections and handle external resources has not changed for years. Nevertheless, I reproduced the described issue a few dozen times before I opened this bug report, just to be sure.

  • The server providing Postgres, ActiveMQ, Solr and ZooKeeper is OK, which I can see from the fact that going back to 4.21.0 everything works as expected. I also changed the ZooKeeper port number from 2181 to 9983 and back; that is not the root cause.

  • I can check the ZooKeeper connection with netcat

echo ruok | nc 192.168.56.199 9983

and I get the expected response 'imok' from any other machine in my network, so I conclude there is no firewall or 'port number already in use' issue blocking the connection.

I also checked the ZooKeeper status in Solr at

http://192.168.56.199:8983/solr/#/~cloud?view=zkstatus

It is showing 'green', plus:

Status: green
ZK connection string: localhost:9983
Ensemble size: 1
Ensemble mode: standalone
Dynamic reconfig enabled: false
localhost:9983
ok	true
clientPort	9983
secureClientPort	-1
zk_server_state	standalone
zk_version	3.5.7
zk_approximate_data_size	620645
zk_znode_count	108
zk_num_alive_connections	2

I also looked into the source code at

/Core/src/org/sleuthkit/autopsy/coordinationservice/utils/CoordinationServiceUtils.java

to understand how the check is done in

public static boolean isZooKeeperAccessible(String hostName, String port) throws InterruptedException, IOException {

but instead of the expected 'ruok' / 'imok' check I found a different kind of check, which, I assume, is there for a good reason.

So I'd better stop here and ask the code owners if I missed something in the documentation which changed from 4.21.0 to 4.22.x, or if you can confirm the issue is reproducible on your end?

chrismade avatar May 04 '25 09:05 chrismade
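
The `ruok` check from the report, repeated and tallied so that an intermittent failure can be separated from a server that answers every time. This is an added example, not part of the original issue or of Autopsy's code: the function names `ruok` and `probe` are hypothetical, the host and port are the ones quoted in the report, and it exercises only the four-letter command, not the check Autopsy performs in `isZooKeeperAccessible`.

```python
import socket
import time

def ruok(host, port, timeout=3.0):
    """Send ZooKeeper's 'ruok' command; return (ok, detail, seconds)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"ruok")
            reply = b""
            while len(reply) < 64:        # server closes after replying
                chunk = sock.recv(64)
                if not chunk:
                    break
                reply += chunk
    except OSError as exc:                # refused, timed out, reset, DNS failure
        return False, type(exc).__name__, time.monotonic() - start
    text = reply.decode("ascii", "replace").strip()
    return text == "imok", text or "empty reply", time.monotonic() - start

def probe(host, port, attempts=20, delay=0.5, timeout=3.0):
    """Repeat the check and summarise how often it fails and why."""
    failures = {}
    slowest = 0.0
    for i in range(attempts):
        ok, detail, elapsed = ruok(host, port, timeout)
        slowest = max(slowest, elapsed)
        if not ok:
            failures[detail] = failures.get(detail, 0) + 1
        if i + 1 < attempts:
            time.sleep(delay)
    failed = sum(failures.values())
    return {"attempts": attempts, "ok": attempts - failed,
            "failures": failures, "slowest_s": round(slowest, 3)}

if __name__ == "__main__":
    # Host and port as quoted in the report above.
    print(probe("192.168.56.199", 9983))
```

Running it from the Autopsy workstation and from another machine shows whether the failure rate follows the client host or the server.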