Operation not permitted <= New Beat

kmacew · September 5, 2018, 6:33pm

Hi

I followed tutorial how to create new beat (https://www.elastic.co/guide/en/beats/devguide/current/new-beat.html). With tutorial I didn't have much problems. Since trying to add some logic to new beat I encountered something strange. I wanted to execute command within Run function inside beater/xxx.go. I added following to xxx.go:
import (
[...]
"os/exec"
[...]
)
Under the:
func (bt *xxx) Run(b *beat.Beat) error {
[...]
command := exec.Command("python", "path/py.py")
[...] }
I always receive error:
fork/exec /usr/bin/python: operation not permitted
I've got ubuntu 18.04, virtualenv 15.1.0 and go version: go 1.10.3 linux/amd64

Looking forward to hearing from you

Regards,
KM

andrewkroh · September 5, 2018, 7:10pm

The simplest solution IMO would be to disable the seccomp protections provided by libbeat that prohibit the beat from executing anything. You can add

seccomp.enabed: false

to your config file or add

-E seccomp.enabled=false

to your CLI args.

You can read more about the seccomp feature in any one of the Beat's documentation. https://www.elastic.co/guide/en/beats/metricbeat/6.4/linux-seccomp.html

And there is more developer level info in the readme at https://github.com/elastic/beats/tree/master/libbeat/common/seccomp.

kmacew · September 6, 2018, 5:38pm

Hi Andrew

Thanks for replying, I'll try it out in few days and let you know how it went.

Regards,
KM

kmacew · September 7, 2018, 5:11pm

Hi

Andrew i've tried both methods. One worked, another didn't. With flag -E seccomp.enabled=false It worked like a charm. With seccomp.enabled: false in configuration file It didn't. I suppose I made this overwrite in wrong configuration file. I added seccomp.enabled: false to _meta/beat.yml like:
################### xxx Configuration Example #########################

############################# xxx ######################################

xxx:
period: 1s
seccomp.enabled: false

Thanks you very much for helping me out.
Regards,
KM

andrewkroh · September 7, 2018, 5:48pm

You would want to add seccomp.enabled: false to the configuration file that you are loading into your Beat. That is the file specified with -c beatname.yml on the CLI.

kmacew · September 7, 2018, 6:46pm

You're right. It worked.

Thank you very much and wish you the best,
KM

system · October 5, 2018, 8:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Os/exec Operation Not Permitted when beats is imported Beats	3	541	February 9, 2019
Integrating filebeat Causes exec.Command to Fail Beats filebeat	1	76	July 5, 2024
Unable to run commands using exec.Command from Beat ( Linux ) Beats	4	673	March 7, 2019
Runtime/cgo: pthread_create failed: Operation not permitted SIGABRT: abort PC=0x7f46dd713a7c m=2 sigcode=18446744073709551610 Beats filebeat	1	1368	September 4, 2023
I am unable to Start Auditbeat service Beats auditbeat	20	759	January 6, 2021

Operation not permitted <= New Beat

Related Topics