mount destination [/opt/zeek/share/zeek/site/intel] not absolute: unknown

[FrancYescO]

🐛 Summary

Start script fails

To reproduce

Just follow the standard first start from readme and cloning from github (all was okay with v5.0.0)
run start script, ubuntu 16.04 docker 20.10.7

$./scripts/start
Malcolm failed to start

malcolm_file-monitor_1 is up-to-date
malcolm_htadmin_1 is up-to-date
malcolm_pcap-capture_1 is up-to-date
malcolm_freq_1 is up-to-date
malcolm_api_1 is up-to-date
malcolm_opensearch_1 is up-to-date
malcolm_name-map-ui_1 is up-to-date
malcolm_logstash_1 is up-to-date
malcolm_dashboards-helper_1 is up-to-date
malcolm_arkime_1 is up-to-date
malcolm_pcap-monitor_1 is up-to-date
malcolm_filebeat_1 is up-to-date
Creating malcolm_zeek_1 ...
malcolm_dashboards_1 is up-to-date
malcolm_upload_1 is up-to-date
Creating malcolm_zeek_1 ... error

ERROR: for malcolm_zeek_1  Cannot start service zeek: OCI runtime create failed: invalid mount {Destination:[/opt/zeek/share/zeek/site/intel] Type:bind Source:/var/lib/docker/volumes/2a847d65bbc5c7706c73d2e95bf270b82d9314dba6647fe7b9848d3c5c0eaf8d/_data Options:[rbind]}: mount destination [/opt/zeek/share/zeek/site/intel] not absolute: unknown

ERROR: for zeek  Cannot start service zeek: OCI runtime create failed: invalid mount {Destination:[/opt/zeek/share/zeek/site/intel] Type:bind Source:/var/lib/docker/volumes/2a847d65bbc5c7706c73d2e95bf270b82d9314dba6647fe7b9848d3c5c0eaf8d/_data Options:[rbind]}: mount destination [/opt/zeek/share/zeek/site/intel] not absolute: unknown
Encountered errors while bringing up the project.

[mmguero]

thanks for the report. that directory was recently added and should have been created by the git clone (see https://github.com/cisagov/Malcolm/tree/main/zeek/intel) but apparently wasn't for some reason. i should add it in to the startup scripts to ensure it exists before startup, too.

as a workaround you should be able to create them yourself. it's possible that trying to start up they were already created by docker, so do something like sudo rm -rf ./zeek/intel then mkdir ./zeek/intel then try to restart. I'll go through a clean checkout and see where we are getting hung up. Thanks

[FrancYescO]

maybe is something related to this volume line (i've seen here you changed the path #186 ), i just rebuild commenting https://github.com/cisagov/Malcolm/blob/main/Dockerfiles/zeek.Dockerfile#L242 and the start was OK

PS. the ./zeek/intel folder was correctly creating during the clone

[mmguero]

That comment in the release notes referencing changing the path was just on the sensor appliance (not the docker image) so that shouldn't be an issue. I'm getting the environment set up now.

[mmguero]

Things work fine in Ubuntu LTS (20.04) with the latest Docker targeting that platform (20.10.12). I have not tested against 16.04 for a very long time. I will try to repro it in a 16.04 environment (which i will have to spend a minute getting set up), but if it's specific to that environment then I think the best we can do is your workaround of commenting out that volume line.

[mmguero]

I do have the same issue on a fresh installation of Ubuntu 16.04 with the docker version 20.10.7 as well.

I believe this issue was fixed in opencontainers/runc#3004 which means it's fixed in later versions of docker. there might be a workaround i can do in the dockerfile, checking that now.

[mmguero]

Putting the volume value in double quotes resolves the issue for older versions of docker:

VOLUME ["${ZEEK_DIR}/share/zeek/site/intel"]

I'll get that into the next release, thanks.