{"id":5908,"date":"2022-06-10T06:57:31","date_gmt":"2022-06-09T21:57:31","guid":{"rendered":"https:\/\/mimumimu.net\/blog\/?p=5908"},"modified":"2022-06-10T06:57:32","modified_gmt":"2022-06-09T21:57:32","slug":"elasticsearch-oss-opensearch-%e3%81%ae-beats-%e3%81%8c-runtime-cgo-pthread_create-failed-operation-not-permitted-%e3%81%a7%e8%90%bd%e3%81%a1%e3%82%8b%e3%81%ae%e3%82%92%e7%9b%b4%e3%81%99","status":"publish","type":"post","link":"https:\/\/mimumimu.net\/blog\/2022\/06\/10\/elasticsearch-oss-opensearch-%e3%81%ae-beats-%e3%81%8c-runtime-cgo-pthread_create-failed-operation-not-permitted-%e3%81%a7%e8%90%bd%e3%81%a1%e3%82%8b%e3%81%ae%e3%82%92%e7%9b%b4%e3%81%99\/","title":{"rendered":"ElasticSearch OSS \/ OpenSearch \u306e Beats \u304c “runtime\/cgo: pthread_create failed: operation not permitted” \u3067\u843d\u3061\u308b\u306e\u3092\u76f4\u3059"},"content":{"rendered":"\n

\u3069\u3046\u3082\u3001\u307f\u3080\u3089\u3067\u3059\u3002<\/p>\n\n\n\n

\u67d0\u6240\u306e\u76e3\u8996\u306b Wazuh ( https:\/\/wazuh.com\/<\/a> )\u3092\u3088\u304f\u4f7f\u3063\u3066\u3044\u308b\u306e\u3067\u3059\u304c
\u5185\u90e8\u7684\u306b ElasticSearch OSS 7.10.2 \u3092\u4f7f\u3063\u3066\u3044\u308b\u305f\u3081\u3001\u65b0\u3057\u3059\u304e\u308b OS \u4e0a\u3067\u52d5\u304b\u305d\u3046\u3068\u3059\u308b\u3068 filebeat \u304c\u4e0b\u8a18\u306e\u3088\u3046\u306b\u843d\u3061\u3066\u3057\u307e\u3046\u3053\u3068\u304c\u3042\u308a\u307e\u3059<\/p>\n\n\n\n

\"\"
runtime\/cgo: pthread_create failed: Operation not permitted<\/figcaption><\/figure>\n\n\n\n

\u3082\u3061\u308d\u3093\u3001\u3053\u306e\u554f\u984c\u306f\u65b0\u3057\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u306e Beats \u3067\u306f\u89e3\u6c7a\u3055\u308c\u3066\u3044\u308b\u306e\u3067\u3059\u304c
\u4ed6\u65b9\u3067 7.13 \u4ee5\u964d\u306e Beats \u306f OpenSearch 1.x \u3084 Elasticsearch OSS \u306a\u3069\u3067\u4f7f\u3048\u306a\u3044\u3068\u3044\u3046\u554f\u984c\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n\n\n\n

\"\"
https:\/\/opensearch.org\/docs\/latest\/clients\/agents-and-ingestion-tools\/index\/<\/a><\/figcaption><\/figure>\n\n\n\n

\u3053\u306e\u554f\u984c\u306b\u3064\u3044\u3066\u306f\u3001\u4e0b\u8a18\u306e\u30b3\u30e1\u30f3\u30c8\u306b\u3042\u308b\u3088\u3046\u306b elasticsearch \u5074\u3082\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3059\u308b\u3053\u3068\u304c\u63a8\u5968\u3055\u308c\u3066\u3044\u307e\u3059\u306e\u3067\u3001\u516c\u5f0f\u306b\u89e3\u6c7a\u3055\u308c\u308b\u53ef\u80fd\u6027\u306f\u4f4e\u305d\u3046\u3067\u3059\u3002<\/p>\n\n\n\n

https:\/\/github.com\/elastic\/beats\/pull\/26305#issuecomment-863472649<\/a><\/p>\n\n\n\n

\u67af\u308c\u305f\u3082\u306e\u3092\u4f7f\u3048\u3001\u516c\u5f0f\u3067\u30b5\u30dd\u30fc\u30c8\u3057\u3066\u3044\u306a\u3044\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u3092\u4f7f\u3046\u306a\u3001\u3068\u3044\u3046\u306e\u306f\u4e00\u7406\u3042\u308b\u306e\u3067\u3059\u304c\u3001\u305d\u306e\u65b9\u6cd5\u3067\u56de\u907f\u3059\u308b\u306e\u306f\u9762\u767d\u304f\u306a\u3044\u3067\u3059\u306e\u3067\u3001\u4fee\u6b63\u542b\u3081\u3066\u3084\u3063\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n\n\n\n

\uff08wazuh \u306e\u30b5\u30dd\u30fc\u30c8\u3067\u89e3\u6c7a\u3057\u3066\u3044\u308b\u4f8b\u304c\u898b\u5f53\u305f\u3089\u306a\u304b\u3063\u305f\u3053\u3068\u3082\u3042\u308a\u3001\u6700\u521d\u3060\u3051\u82f1\u8a9e\u3067\u4f75\u8a18\u3057\u307e\u3059\u3002\uff09<\/p>\n\n\n\n

\u6ce8\u610f\uff1a<\/h3>\n\n\n\n

\u4fee\u6b63\u306f\u81ea\u5df1\u8cac\u4efb\u3067\u304a\u9858\u3044\u3057\u307e\u3059\u3002\u672c\u756a\u7528\u74b0\u5883\u306b\u5bfe\u3057\u3066\u72ec\u81ea\u30d3\u30eb\u30c9\u3092\u884c\u3063\u305f\u3082\u306e\u3092\u9069\u7528\u3057\u305f\u3053\u3068\u306b\u3088\u308a\u554f\u984c\u304c\u767a\u751f\u3057\u3066\u3082\u5f53\u65b9\u3067\u306f\u8cac\u4efb\u3092\u8ca0\u3048\u307e\u305b\u3093\u3002<\/p>\n\n\n\n

\n\n\n\n

\u843d\u3061\u308b\u539f\u56e0 (Cause)\uff1a<\/h2>\n\n\n\n

“clone3” \u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u304c seccomp \u306e\u8a31\u53ef\u30ea\u30b9\u30c8\u306b\u767b\u9332\u3055\u308c\u3066\u3044\u306a\u3044\u305f\u3081\u3002<\/strong>
en : The systemcall “clone3” is not allowed by seccomp. <\/p>\n\n\n\n

glibc 2.34 \u4ee5\u964d\u306b\u304a\u3044\u3066\u3001 pthread_create() \u3092\u547c\u3073\u51fa\u3059\u969b\u306b clone3 \u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u304c\u7528\u3044\u3089\u308c\u308b\u3088\u3046\u306b\u306a\u3063\u305f\u3053\u3068\u304c\u539f\u56e0\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002
<\/p>\n\n\n\n

\u4fee\u6b63\u65b9\u6cd5 (Solution):<\/h2>\n\n\n\n

libbeat\/common\/seccomp \u4ee5\u4e0b\u306e “policy_linux_386.go” \u3068 “policy_linux_amd64.go” \u306b “clone3” \u3092\u8ffd\u8a18\u3059\u308b<\/strong>
en: Add “clone3” to policy_linux_386.go and policy_linux_amd64.go under libbeat\/common\/seccomp.<\/p>\n\n\n\n

\u5177\u4f53\u7684\u306a\u8ffd\u52a0\u5185\u5bb9\u306b\u3064\u3044\u3066\u306f\u3001\u307e\u3055\u3057\u304f\u5f53\u8a72\u3059\u308b patch \u304c\u3042\u308a\u307e\u3059\u306e\u3067\u3053\u308c\u306b\u5f93\u3044\u307e\u3059\u3002
https:\/\/github.com\/elastic\/beats\/commit\/82507fda20bee46cee4808d388a0c809dd01ff13<\/a><\/p>\n\n\n\n

\u307e\u305f glibc 2.35 \u4ee5\u964d\u3067\u306f “rseq” \u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3082\u7528\u3044\u308b<\/strong>\u305d\u3046\u3067\u3059\u306e\u3067
\u3053\u3061\u3089\u3082\u4f75\u305b\u3066\u5bfe\u5fdc\u3057\u3066\u304a\u304f\u3068\u3088\u3044\u3068\u601d\u3044\u307e\u3059\u3002
en: It is a recommend to also add “rseq” to policy_linux_386.go and policy_linux_amd64.go under libbeat\/common\/seccomp, due to the syscall is used glibc >= 2.35.<\/p>\n\n\n\n

https:\/\/github.com\/elastic\/beats\/commit\/f02fa32e0a37d6529983e2181b80bf62e4a16b41<\/a><\/p>\n\n\n\n

\n\n\n\n

\u5b9f\u969b\u306b\u3084\u3063\u3066\u307f\u308b<\/h2>\n\n\n\n

\u5b9f\u969b\u306b\u4e0a\u8a18\u306e\u30d1\u30c3\u30c1\u3092\u5f53\u3066\u3066\u554f\u984c\u304c\u89e3\u6c7a\u3059\u308b\u304b\u78ba\u8a8d\u3057\u3066\u307f\u307e\u3057\u305f\u3002<\/p>\n\n\n\n

\u78ba\u8a8d\u74b0\u5883 : Fedora 36 x86_64<\/p>\n\n\n\n\n\n\n\n

1. beats \u306e\u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u3092\u53d6\u3063\u3066\u304f\u308b<\/h3>\n\n\n\n

\u4eca\u56de\u306e\u4f8b\u3067\u306f wazuh \u3067\u914d\u4fe1\u3055\u308c\u3066\u3044\u308b\u306e\u304c filebeat 7.10 \u3067\u3059\u306e\u3067\u3053\u3061\u3089\u306b\u5408\u308f\u305b\u307e\u3059\u3002
(Elasticsearch OSS \u306b\u5bfe\u5fdc\u3057\u3066\u3044\u308b\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u7528\u3044\u308b\u5834\u5408\u306f 7.12 \u3092\u4f7f\u3063\u3066\u304f\u3060\u3055\u3044)<\/p>\n\n\n\n

git clone https:\/\/github.com\/elastic\/beats -b v7.10<\/code><\/pre><\/div>\n\n\n\n
\n\n\n\n
2. \u30d1\u30c3\u30c1\u3092\u5f53\u3066\u308b<\/h3>\n\n\n\n
\u4e0b\u8a18\u306e\uff12\u3064\u306e\u30b3\u30df\u30c3\u30c8\u306b\u4f75\u305b\u3066\u30d5\u30a1\u30a4\u30eb\u3092\u4fee\u6b63\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
common\/seccomp: add rseq syscall (#30620<\/a>)
https:\/\/github.com\/elastic\/beats\/commit\/f02fa32e0a37d6529983e2181b80bf62e4a16b41<\/a><\/p>\n\n\n\n
seccomp: allow clone3 syscall for x86 (#28117<\/a>)
https:\/\/github.com\/elastic\/beats\/commit\/82507fda20bee46cee4808d388a0c809dd01ff13<\/a><\/p>\n\n\n\n
\u4fee\u6b63\u3057\u305f\u5dee\u5206\u3068\u3057\u3066\u306f\u4e0b\u8a18\u306e\u901a\u308a\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n\n\n\n
diff -r -u old\/libbeat\/common\/seccomp\/policy_linux_386.go new\/libbeat\/common\/seccomp\/policy_linux_386.go\n--- old\/libbeat\/common\/seccomp\/policy_linux_386.go      2022-06-10 06:19:17.664958700 +0900\n+++ new\/libbeat\/common\/seccomp\/policy_linux_386.go      2022-06-10 06:20:36.020958700 +0900\n@@ -35,6 +35,7 @@\n                                        "chown",\n                                        "clock_gettime",\n                                        "clone",\n+                                       "clone3",\n                                        "close",\n                                        "dup",\n                                        "dup2",\n@@ -99,6 +100,7 @@\n                                        "rename",\n                                        "renameat",\n                                        "restart_syscall",\n+                                       "rseq",\n                                        "rt_sigaction",\n                                        "rt_sigprocmask",\n                                        "rt_sigreturn",\ndiff -r -u old\/libbeat\/common\/seccomp\/policy_linux_amd64.go new\/libbeat\/common\/seccomp\/policy_linux_amd64.go\n--- old\/libbeat\/common\/seccomp\/policy_linux_amd64.go    2022-06-10 06:17:27.775958700 +0900\n+++ new\/libbeat\/common\/seccomp\/policy_linux_amd64.go    2022-06-10 06:20:47.961958700 +0900\n@@ -38,6 +38,7 @@\n                                        "chown",\n                                        "clock_gettime",\n                                        "clone",\n+                                       "clone3",\n                                        "close",\n                                        "connect",\n                                        "dup",\n@@ -111,6 +112,7 @@\n                                        "recvmsg",\n                                        "rename",\n                                        "renameat",\n+                                       "rseq",\n                                        "rt_sigaction",\n                                        "rt_sigprocmask",\n                                        "rt_sigreturn",\ndiff -r -u old\/libbeat\/common\/seccomp\/seccomp-profiler-allow.txt new\/libbeat\/common\/seccomp\/seccomp-profiler-allow.txt\n--- old\/libbeat\/common\/seccomp\/seccomp-profiler-allow.txt       2022-06-10 06:21:00.270958700 +0900\n+++ new\/libbeat\/common\/seccomp\/seccomp-profiler-allow.txt       2022-06-10 06:21:11.876958700 +0900\n@@ -3,6 +3,7 @@\n set_robust_list\n tgkill\n time\n+rseq\n\n # cgo os\/user\n access<\/code><\/pre><\/div>\n\n\n\n
\u306a\u304a\u4e0a\u8a18\u306e patch \u3092\u4f7f\u3046\u5834\u5408\u306f\u4e0b\u8a18\u306e\u3088\u3046\u306a\u30b3\u30de\u30f3\u30c9\u3067\u9069\u7528\u53ef\u80fd\u3067\u3059<\/p>\n\n\n\n
# beats = git clone \u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\n# patch.patch = \u4e0a\u8a18\u306e\u5185\u5bb9\u3092\u8a18\u9332\u3057\u305f\u30c6\u30ad\u30b9\u30c8\u30d5\u30a1\u30a4\u30eb\n\npatch -d beats -p1 < patch.patch<\/code><\/pre><\/div>\n\n\n\n
\n\n\n\n
3. \u4f9d\u5b58\u3059\u308b\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u4fee\u6b63\u3059\u308b<\/h3>\n\n\n\n
\u5f53\u65b9\u3067\u78ba\u8a8d\u3092\u9032\u3081\u305f\u969b\u3001 “service” \u304c blakerouse \u3055\u3093\u306e\u30ea\u30dd\u30b8\u30c8\u30ea\u304b\u3089\u4e0a\u624b\u304f\u53d6\u5f97\u51fa\u6765\u307e\u305b\u3093\u3067\u3057\u305f\u3002<\/p>\n\n\n\n
\u305d\u306e\u305f\u3081\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306b “go.mod” \u5185\u306e replace \u53e5\u5185\u306b\u3042\u308b\u884c\u3092\uff11\u884c\u524a\u9664\u3057\u307e\u3059\u3002<\/p>\n\n\n\n
--- old_go.mod  2022-06-10 06:40:17.691958700 +0900\n+++ go.mod      2022-06-10 06:40:27.436958700 +0900\n@@ -199,7 +199,6 @@\n        github.com\/fsnotify\/fsnotify => github.com\/adriansr\/fsnotify v0.0.0-20180417234312-c9bbe1f46f1d\n        github.com\/google\/gopacket => github.com\/adriansr\/gopacket v1.1.18-0.20200327165309-dd62abfa8a41\n        github.com\/insomniacslk\/dhcp => github.com\/elastic\/dhcp v0.0.0-20200227161230-57ec251c7eb3 \/\/ indirect\n-       github.com\/kardianos\/service => github.com\/blakerouse\/service v1.1.1-0.20200924160513-057808572ffa\n        github.com\/tonistiigi\/fifo => github.com\/containerd\/fifo v0.0.0-20190816180239-bda0ff6ed73c\n        golang.org\/x\/tools => golang.org\/x\/tools v0.0.0-20200602230032-c00d67ef29d0 \/\/ release 1.14\n )<\/code><\/pre><\/div>\n\n\n\n
\n\n\n\n
4. \u30d3\u30eb\u30c9\u3059\u308b<\/h3>\n\n\n\n
\u5168\u90e8\u3092\u30d3\u30eb\u30c9\u3057\u3066\u3082\u3088\u3044\u3067\u3059\u304c\u3001
\u4eca\u56de\u306f wazuh \u7528\u306b filebeat \u306e\u307f\u30d3\u30eb\u30c9\u3057\u3066\u307f\u307e\u3059\u3002<\/p>\n\n\n\n
cd filebeat\ngo get\nmake<\/code><\/pre><\/div>\n\n\n\n
\u5b8c\u4e86\u3059\u308b\u3068\u3001\u540c\u3058\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b “filebeat” \u3068\u3044\u3046\u540d\u524d\u306e\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u304c\u751f\u6210\u3055\u308c\u307e\u3059\u3002<\/p>\n\n\n\n
\n\n\n\n
5. \u5dee\u66ff\u3048\u308b<\/h3>\n\n\n\n
\u304a\u884c\u5100\u306f\u4f59\u308a\u826f\u304f\u306a\u3044\u3067\u3059\u304c\u3001
\u4eca\u56de\u751f\u6210\u3057\u305f filebeat \u3092 systemd \u304b\u3089\u547c\u3073\u51fa\u3055\u308c\u308b filebeat \u306e\u30d5\u30a1\u30a4\u30eb\u3068\u5dee\u66ff\u3048\u307e\u3059\u3002<\/p>\n\n\n\n
cp .\/filebeat \/usr\/share\/filebeat\/bin\/filebeat\ncp .\/filebeat \/usr\/bin\/filebeat<\/code><\/pre><\/div>\n\n\n\n
\u5dee\u66ff\u3048\u305f\u5f8c\u3001 systemctl \u7b49\u3067\u8d77\u52d5\u3059\u308c\u3070\u843d\u3061\u306a\u3044 filebeat \u306e\u3067\u304d\u3042\u304c\u308a\u3067\u3059\u3002<\/p>\n\n\n\n
\n\n\n\n
\u307e\u3068\u3081<\/h2>\n\n\n\n
glibc 2.34 \u4ee5\u964d\u306e\u74b0\u5883\u3067 wazuh \u7b49\u306e Elasticsearch-oss \u3068\u5408\u308f\u305b\u305f beats \u3092\u4f7f\u3046\u5834\u5408\u306b\u3001seccomp \u306e\u4fee\u6b63\u304c\u5fc5\u8981\u3068\u3044\u3046\u5185\u5bb9\u3067\u3059\u3002<\/p>\n\n\n\n
\u5192\u982d\u306b\u3082\u66f8\u304d\u307e\u3057\u305f\u304c\u3001\u3053\u308c\u3092\u884c\u3046\u3053\u3068\u306b\u3064\u3044\u3066\u306f\u81ea\u5df1\u8cac\u4efb\u3068\u306a\u308a\u307e\u3059\u304c
\u3082\u3057\u56f0\u3063\u3066\u3044\u308b\u65b9\u306e\u52a9\u3051\u3068\u306a\u308a\u307e\u3057\u305f\u3089\u5e78\u3044\u3067\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u3069\u3046\u3082\u3001\u307f\u3080\u3089\u3067\u3059\u3002 \u67d0\u6240\u306e\u76e3\u8996\u306b Wazuh ( https:\/\/wazuh.com\/ )\u3092\u3088\u304f\u4f7f\u3063\u3066\u3044\u308b\u306e\u3067\u3059\u304c\u5185\u90e8\u7684\u306b ElasticSearch OSS 7.10.2 \u3092\u4f7f\u3063\u3066\u3044\u308b\u305f\u3081\u3001\u65b0\u3057\u3059\u304e\u308b OS \u4e0a\u3067\u52d5\u304b […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[602,599,600,604,603,601],"class_list":["post-5908","post","type-post","status-publish","format-standard","hentry","category-unix-linux","tag-beats","tag-elasticsearch","tag-opensearch","tag-pthread_create","tag-runtime-cgo","tag-wazuh"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts\/5908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/comments?post=5908"}],"version-history":[{"count":0,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/posts\/5908\/revisions"}],"wp:attachment":[{"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/media?parent=5908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/categories?post=5908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mimumimu.net\/blog\/wp-json\/wp\/v2\/tags?post=5908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}