activecm / rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
https://www.activecountermeasures.com/free-tools/rita/
GNU General Public License v3.0

macOS ARM Import Failure: Another instance of RITA is currently running #7

Closed. joswr1ght closed this 1 month ago

joswr1ght commented 1 month ago

When running RITA on a macOS ARM system, RITA fails to start an import with the error "Another instance of RITA is currently running".

MacBookPro M3, up-to-date macOS and Docker Desktop:

rita main ﹪sw_vers
ProductName:        macOS
ProductVersion:     14.5
BuildVersion:       23F79
rita main ﹪uname -a
Darwin Joshuas-MBP.localdomain 23.5.0 Darwin Kernel Version 23.5.0: Wed May  1 20:17:33 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6031 arm64
rita main ﹪docker -v
Docker version 27.1.1, build 6312585
rita main ﹪git log -1
commit 0ce0c799e51766e623574c3d7e8f35a008d30e80 (HEAD -> main, origin/main, origin/HEAD)
Author: Naomi Kramer <naomi@activecountermeasures.com>
Date:   Mon Jul 29 16:56:06 2024 -0400

    Update one line installer

RITA error:

rita main ﹪./rita.sh
[+] Running 3/3
 ✔ Container syslog-ng    Running                                          0.0s
 ✔ Container clickhouse   Running                                          0.0s
 ✔ Container rita-rita-1  Started                                          0.1s
[+] Creating 2/0
 ✔ Container syslog-ng   Running                                           0.0s
 ✔ Container clickhouse  Running                                           0.0s
NAME:
   RITA - Look for evil needles in big haystacks

USAGE:
   rita [-d] command [command options]

VERSION:
   0ce0c799e51766e623574c3d7e8f35a008d30e80

COMMANDS:
   import    import zeek logs into a target database
   view      view <dataset name>
   delete    delete a dataset
   list      list available datasets
   validate  validate a configuration file
   help, h   Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug, -d    Run in debug mode (default: false)
   --help, -h     show help
   --version, -v  print the version
[+] Stopping 1/0
 ✔ Container rita-rita-1  Stopped                                          0.0s
rita main ﹪./rita.sh import -l ~/wardrobe99logs -d wardrobe99
[+] Running 3/3
 ✔ Container syslog-ng    Running                                          0.0s
 ✔ Container clickhouse   Running                                          0.0s
 ✔ Container rita-rita-1  Started                                          0.1s
Another instance of RITA is currently running... Please exit it and try again.

I haven't looked into this in detail yet, but stopping the running containers and trying again does not fix it:

rita main ﹪docker ps -q
2e345537ba78
bece96b00275
rita main ﹪docker ps
CONTAINER ID   IMAGE                                  COMMAND            CREATED         STATUS                   PORTS                                                          NAMES
2e345537ba78   clickhouse/clickhouse-server:24.1.6    "/entrypoint.sh"   8 minutes ago   Up 7 minutes (healthy)   127.0.0.1:8123->8123/tcp, 127.0.0.1:9000->9000/tcp, 9009/tcp   clickhouse
bece96b00275   lscr.io/linuxserver/syslog-ng:latest   "/init"            8 minutes ago   Up 7 minutes             6514/tcp, 6601/tcp, 0.0.0.0:514->5514/udp                      syslog-ng
rita main ﹪docker kill $(docker ps -q)
2e345537ba78
bece96b00275
rita main ﹪docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
rita main ﹪./rita.sh import -l ~/wardrobe99logs -d wardrobe99
[+] Running 3/3
 ✔ Container clickhouse   Started                                          0.1s
 ✔ Container syslog-ng    Started                                          0.1s
 ✔ Container rita-rita-1  Started                                          0.2s
Another instance of RITA is currently running... Please exit it and try again.

This error does not happen on an Intel MBP:

rita (main) $ uname -a
Darwin Joshuas-MBP-2.localdomain 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct  9 21:27:27 PDT 2023; root:xnu-10002.41.9~6/RELEASE_X86_64 x86_64
rita (main) $ sw_vers
ProductName:        macOS
ProductVersion:     14.1.2
BuildVersion:       23B92
rita (main) $ docker -v
Docker version 26.1.1, build 4cf5afa
rita (main) $ ./rita.sh import -l ~/wardrobe99logs -d wardrobe99
[+] Running 3/3
 ✔ Container syslog-ng    Running                                          0.0s
 ✔ Container clickhouse   Running                                          0.0s
 ✔ Container rita-rita-1  Started                                          0.2s
[+] Creating 2/0
 ✔ Container syslog-ng   Running                                           0.0s
 ✔ Container clickhouse  Running                                           0.0s
2024-07-30T10:47:38Z INF Initiating new import... dataset=wardrobe99 directory=/tmp/zeek_logs rebuild=false rolling=false started_at="2024-07-30 10:47:38.771166037 +0000 UTC m=+0.006652446"
...
joswr1ght commented 1 month ago

I'm not convinced this is actually an ARM vs. amd64 issue, though I can't get RITA to run on my MBP M3 and it runs fine on my MBP x64 system. On the M3, I used export DOCKER_DEFAULT_PLATFORM=linux/amd64 to force the use of x64 images, but I still get the same RITA error on import. Steps:

  1. docker image prune -a && docker volume prune -a
  2. export DOCKER_DEFAULT_PLATFORM=linux/amd64
  3. ./rita.sh import -l DIR -d DATABASE

This produces the same "Another instance of RITA is currently running" error. Confirmed that the containers are linux/amd64 using docker inspect.

caffeinatedpixel commented 1 month ago

The ghcr.io/activecm/rita docker image is built for both amd64 and arm64. If you're running in development using Docker, then setting DOCKER_DEFAULT_PLATFORM will determine which platform to build for when running docker compose build. This issue should be resolved by https://github.com/activecm/rita/commit/10c186ec6ca7e24961d114d7ec53a34dd6a03faf, where the compose project was brought up before the check for an existing instance was made. I'm also running on an M3 and noticed that sometimes the initial rita container would be brought down fast enough to allow the rest of the script to continue. Not sure why it would behave differently than a x64 install of Docker... but nonetheless a simple fix.