cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

"Cuckoo is already running" if cuckoo crashed before #2530

Open reox opened 5 years ago

reox commented 5 years ago
My issue is:

It looks like cuckoo refuses to start if the old instance was killed but the new one gets the same PID, or the PID is now used by another process:

Oct 16 08:57:54 cuckooc3 systemd[1]: Started Cuckoo Sandbox Service.
Oct 16 08:58:47 cuckooc3 cuckoo[640]:
Oct 16 08:58:47 cuckooc3 cuckoo[640]:             _       _                   _             _              _            _
Oct 16 08:58:47 cuckooc3 cuckoo[640]:           /\ \     /\_\               /\ \           /\_\           /\ \         /\ \
Oct 16 08:58:47 cuckooc3 cuckoo[640]:          /  \ \   / / /         _    /  \ \         / / /  _       /  \ \       /  \ \
Oct 16 08:58:47 cuckooc3 cuckoo[640]:         / /\ \ \  \ \ \__      /\_\ / /\ \ \       / / /  /\_\    / /\ \ \     / /\ \ \
Oct 16 08:58:47 cuckooc3 cuckoo[640]:        / / /\ \ \  \ \___\    / / // / /\ \ \     / / /__/ / /   / / /\ \ \   / / /\ \ \
Oct 16 08:58:47 cuckooc3 cuckoo[640]:       / / /  \ \_\  \__  /   / / // / /  \ \_\   / /\_____/ /   / / /  \ \_\ / / /  \ \_\
Oct 16 08:58:47 cuckooc3 cuckoo[640]:      / / /    \/_/  / / /   / / // / /    \/_/  / /\_______/   / / /   / / // / /   / / /
Oct 16 08:58:47 cuckooc3 cuckoo[640]:     / / /          / / /   / / // / /          / / /\ \ \     / / /   / / // / /   / / /
Oct 16 08:58:47 cuckooc3 cuckoo[640]:    / / /________  / / /___/ / // / /________  / / /  \ \ \   / / /___/ / // / /___/ / /
Oct 16 08:58:47 cuckooc3 cuckoo[640]:   / / /_________\/ / /____\/ // / /_________\/ / /    \ \ \ / / /____\/ // / /____\/ /
Oct 16 08:58:47 cuckooc3 cuckoo[640]:   \/____________/\/_________/ \/____________/\/_/      \_\_\\/_________/ \/_________/
Oct 16 08:58:47 cuckooc3 cuckoo[640]:  Cuckoo Sandbox 2.0.6
Oct 16 08:58:47 cuckooc3 cuckoo[640]:  www.cuckoosandbox.org
Oct 16 08:58:47 cuckooc3 cuckoo[640]:  Copyright (c) 2010-2018
Oct 16 08:58:47 cuckooc3 cuckoo[640]: 2018-10-16 08:58:47,243 [cuckoo] ERROR: Cuckoo is already running. PID: 640

In this case, both processes had PID 640 but the PID file is much older:

$ stat cuckoo.pid
  File: cuckoo.pid
  Size: 3               Blocks: 8          IO Block: 4096   regular file
Device: 801h/2049d      Inode: 3151843     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/  cuckoo)   Gid: ( 1000/  cuckoo)
Access: 2018-10-16 08:58:47.238652686 +0200
Modify: 2018-09-25 14:50:22.417443043 +0200
Change: 2018-09-25 14:50:22.417443043 +0200
 Birth: -
My Cuckoo version and operating system are:

2.0.6

This can be reproduced by:

You can test this by writing some existing PID into the pid file:

# assume that pid 1796 is used by some process
$ echo -n 1796 > .cuckoo/pidfiles/cuckoo.pid

Testing the same PID is a little bit hard to do, as you would need to guess the PID of the cuckoo process beforehand.

doomedraven commented 5 years ago

And what if you just remove the .cuckoo/pidfiles/cuckoo.pid?

reox commented 5 years ago

Obviously it works then... As a workaround you can put the pid files on a filesystem which is cleaned after a reboot. This solves the issue of a hard-reset PC.

But if cuckoo crashes and the PID file is not removed AND (the same PID is either attached to the new cuckoo process OR the PID was used in the meantime for a new process), cuckoo will not start.

reox commented 5 years ago

Btw: cuckoo exits with an exit code of 0 in this case although the message indicates an error.

reox commented 5 years ago

Same problem for the processing units:

Oct 16 13:15:41 cuckooc3 cuckoo[2012]: 2018-10-16 13:15:41,984 [cuckoo] ERROR: Cuckoo process instance 'processor_3' already exists. PID: 592

but:

ps -p 592
  PID TTY          TIME CMD
  592 tty1     00:00:00 agetty

but the processing units exit with an exit code of 1 if they fail to start ;)

reox commented 5 years ago

So I looked a little bit in the code and saw that cuckoo uses some custom Pidfile class: https://github.com/cuckoosandbox/cuckoo/blob/master/cuckoo/misc.py#L220 It just writes the pid into that file and compares it later. Why not use a file lock approach? As long as the file is locked by a process, this process is the only one, as all other processes are not able to lock the file. If the file can be locked by another process, this means that the old process has terminated.
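The two approaches discussed in this thread side by side, as an added illustration that is not code from the Cuckoo project (Python 3 on Linux; `naive_is_running`, `InstanceLock` and `demo` are hypothetical names): the "is that PID alive?" check reports a false "already running" when a stale pidfile happens to contain the new instance's own PID, while an flock(2)-based guard is not fooled, because the kernel releases the lock the moment the holder exits or is killed.

```python
import fcntl
import os
import tempfile

def naive_is_running(pidfile):
    """Roughly the check the issue describes: read the recorded PID and ask the
    kernel whether *some* process has it. A recycled PID yields a false positive."""
    try:
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
    except (OSError, ValueError):
        return False  # no usable pidfile: nothing is running
    try:
        os.kill(pid, 0)  # signal 0 probes existence without sending anything
    except ProcessLookupError:
        return False  # PID is free: the old instance is gone
    except PermissionError:
        pass  # exists but owned by another user: still counts as 'running'
    return True

class InstanceLock:
    """flock(2)-based guard (hypothetical): the kernel drops the lock when the holder dies."""
    def __init__(self, path):
        self.path, self.fh = path, None
    def acquire(self):
        fh = open(self.path, "a+")
        try:
            fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:  # a live open file description already holds the lock
            fh.close()
            return False
        fh.seek(0); fh.truncate(); fh.write(str(os.getpid())); fh.flush()  # PID is informational only
        self.fh = fh
        return True
    def release(self):
        if self.fh:
            self.fh.close()  # closing the description releases the lock
            self.fh = None

def demo():
    """Stale pidfile that happens to hold our own PID: the issue's scenario."""
    path = os.path.join(tempfile.mkdtemp(), "cuckoo.pid")
    with open(path, "w") as fh:
        fh.write(str(os.getpid()))  # constructed leftover from a 'crashed' run
    first, second = InstanceLock(path), InstanceLock(path)
    result = {"naive": naive_is_running(path), "first": first.acquire(), "second": second.acquire()}
    first.release()  # simulates the holder exiting; a kill or crash has the same effect
    result["after_release"] = second.acquire()
    second.release()
    return result
```

Note that flock() treats each open() of the file as an independent lock holder, which is why the second `acquire()` inside one process is refused just as a second instance would be.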

RicoVZ commented 5 years ago

Hi @reox

Thanks for posting an issue. :slightly_smiling_face:

Why not use a file lock approach?

This does sound like a better approach. I will add it to the todo list, as the current approach can cause issues like in your case. I should probably have put a little more thought into it when adding this last year.