Closed philrz closed 5 years ago
Hi @philrz !!!
Yeah, I think me trying to "bundle" elasticsearch with malice is causing a lot of headaches because a lot of people's issues with running malice are with elasticsearch.
So maybe I'll change the steps to get elasticsearch up and running first by yourself and THEN use malice 😁
I do ❤️ elasticsearch though.... 🤔
Thanks for the quick response. Yeah, I saw the list of known issues with ES, but since mine wasn't in there, figured I'd point it out for completeness.
I agree that including a brief ES cookbook and calling it a prerequisite might be easier than trying to bundle it. Thankfully with all the Elastic docs, containers, articles, etc. it'd probably not be hard to point to simple "hello world" level steps to get something basic running and not slow down beginners too much.
BTW, I tried to ping you on Keybase because I really like the look of malice but I have a couple general questions I was hoping to ask you about the project. I'm guessing it's all stuff you probably covered at your Blackhat 2018 presentation, but unfortunately I wasn't able to attend that. :-/ I'm local to the bay area and I sense you may be local as well, so if I can bribe you with free lunch, just name the place. :)
Do you mean your solution was different? It seems like `sudo sysctl -w vm.max_map_count=262144` would have fixed it? If not, then I apologize; I see SO many issues created by people with elasticsearch issues that I assumed it was the "main" issue that I linked to.
I'll hit you up on keybase soon!
Yeah, it's separate issues. You're right that the max_map_count setting is important, but I knew to up my sysctl there because I've been bitten by it in other ES contexts. The file descriptors limit is a separate roadblock that I hadn't run into before, so I did some searches to come up with my workaround.
I'm not sure why nobody else had reported it before me. Maybe most others are running on other platforms and this limit doesn't affect them? Just a guess. I've only tried on Ubuntu 18.04.1 thus far.
Describe the bug
When I tried to do my first run of malice using a command line from the examples/lookup doc, the Elasticsearch launched by Docker failed to start. The error message:

To Reproduce
`malice lookup 6fe80e56ad4de610304bab1675ce84d16ab6988e`

Environment (please complete the following information):
Ubuntu 18.04.1

Output of `docker version`:

Output of `docker info`:

Additional context
I've been able to work around this problem via two steps:

`/etc/security/limits.conf`:

I'm not sure if this is the best way to address the issue.
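The two host limits this thread runs into (vm.max_map_count, raised with the sysctl quoted above, and the open-file limit adjusted via /etc/security/limits.conf) are both things Elasticsearch refuses to start without, so a preflight check before launching the malice/ES containers avoids the failed first run. The script below is an added example written for this page; it is not part of the malice project or of the reporter's workaround. The 262144 threshold for vm.max_map_count is the value from the thread; the 65535 minimum for the nofile limit is taken from Elasticsearch's own bootstrap checks and is stated here as an assumption, as is the script name es-preflight.sh.

```shell
#!/usr/bin/env sh
# es-preflight.sh (hypothetical name): check the two host limits Elasticsearch
# enforces at startup and that this thread tripped over on Ubuntu 18.04.
# Added example, not code from the malice project or the issue reporter.

MIN_MAX_MAP_COUNT=262144   # value used in the sysctl quoted in the thread
MIN_NOFILE=65535           # Elasticsearch bootstrap-check minimum (assumption)

# check_limit NAME CURRENT MINIMUM
# Prints a one-line verdict; returns 0 when CURRENT satisfies MINIMUM, 1 otherwise.
# "unlimited" (as reported by ulimit -n) satisfies any minimum.
check_limit() {
  name=$1; current=$2; minimum=$3
  if [ "$current" = "unlimited" ] || [ "$current" -ge "$minimum" ] 2>/dev/null; then
    echo "ok   $name=$current (>= $minimum)"
    return 0
  fi
  echo "LOW  $name=$current (need >= $minimum)"
  return 1
}

# Live readings from the host. A missing /proc entry (non-Linux) is reported as 0
# so that it shows up as a failing check rather than a false pass.
current_max_map_count() {
  if [ -r /proc/sys/vm/max_map_count ]; then
    cat /proc/sys/vm/max_map_count
  else
    echo 0
  fi
}

current_nofile() {
  ulimit -n
}

# preflight [MAX_MAP_COUNT] [NOFILE]
# Runs both checks, using live host values unless explicit values are supplied
# (handy for testing). Returns the number of failing checks: 0 means ready for ES.
preflight() {
  mmc=${1:-$(current_max_map_count)}
  nof=${2:-$(current_nofile)}
  failures=0
  check_limit vm.max_map_count "$mmc" "$MIN_MAX_MAP_COUNT" || failures=$((failures + 1))
  check_limit nofile "$nof" "$MIN_NOFILE" || failures=$((failures + 1))
  if [ "$failures" -gt 0 ]; then
    echo "fix: sysctl -w vm.max_map_count=$MIN_MAX_MAP_COUNT and/or raise nofile in /etc/security/limits.conf"
  fi
  return "$failures"
}

# Only run against the live host when asked to, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Run it as `sh es-preflight.sh --run` before starting malice; a non-zero exit status is the number of limits that still need raising, and the ok/LOW lines say which.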