I get this error when launching any Beat. I'm using Debian 12 and OSS Beats (Filebeat, Metricbeat, ...; version 7.12.1, but I have the same problem with 7.13.1). I previously configured pf_ring for Suricata; I really don't know if this problem with Beats is related to any system change of performance configuration. I tried several times, and a short while ago I managed to run Filebeat. It seems it fails most of the time, but not always...
2023-09-14T16:17:32.355-0500 INFO instance/beat.go:468 metricbeat start running.
2023-09-14T16:17:32.357-0500 INFO filesystem/filesystem.go:57 Ignoring filesystem types: sysfs, tmpfs, bdev, proc, cgroup, cgroup2, cpuset, devtmpfs, debugfs, tracefs, securityfs, sockfs, bpf, pipefs, ramfs, hugetlbfs, devpts, mqueue, pstore, autofs, efivarfs, configfs, fuse, fusectl, binfmt_misc
2023-09-14T16:17:32.357-0500 INFO [system.fsstat] fsstat/fsstat.go:57 Ignoring filesystem types: %ssysfs, tmpfs, bdev, proc, cgroup, cgroup2, cpuset, devtmpfs, debugfs, tracefs, securityfs, sockfs, bpf, pipefs, ramfs, hugetlbfs, devpts, mqueue, pstore, autofs, efivarfs, configfs, fuse, fusectl, binfmt_misc
2023-09-14T16:17:32.358-0500 INFO cfgfile/reload.go:164 Config reloader started
runtime/cgo: pthread_create failed: Operation not permitted
SIGABRT: abort
PC=0x7f839ff97d3c m=5 sigcode=18446744073709551610
goroutine 0 [idle]:
runtime: unknown pc 0x7f839ff97d3c
stack: frame={sp:0x7f836b7fd900, fp:0x0} stack=[0x7f836affe268,0x7f836b7fde68)
00007f836b7fd800: 0000000000000000 0000000000000000
00007f836b7fd810: 0000000000000000 00007f836b7fdae8
00007f836b7fd820: 00000000014fffb5 <runtime.gentraceback+4501> 00007f836b7fda90
00007f836b7fd830: 00007f836b7fdb80 0000000001512d01 <runtime.return0+1>
00007f836b7fd840: 00007f836b7fd908 0000000000000000
00007f836b7fd850: 0000000000000000 0000000000000000
results of ulimit -a:
ulimit -a
real-time non-blocking time (microseconds, -R) unlimited
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 95881
max locked memory (kbytes, -l) 3074064
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 95881
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
Thanks in advance, and let me know if more info or logs are needed to debug.
I tried rebooting, unloading the pf_ring module, and stopping the Suricata process... I expect normal behaviour from Beats.
SOLUTION:
glibc >= 2.35 added a new rseq syscall that is not in our default list of allowed syscalls. That is likely the problem you are running into.
seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
Upvotes: 2
Views: 1198
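An added example (not from the original post or from the Beats code base) that evaluates policies of the shape shown in the answer: it reports whether `rseq` is denied on a given glibc version and whether the policy still filters anything. `STRICT_POLICY` is a constructed, shortened allowlist, and the function names and the first-match evaluation rule are assumptions of this sketch.

```python
import os

# Policies mirror the YAML keys used on this page, written as dicts so the
# example needs no YAML library.
ANSWER_POLICY = {  # the policy from the answer above
    "default_action": "allow",
    "syscalls": [{"action": "allow", "names": ["rseq"]}],
}
STRICT_POLICY = {  # constructed, shortened allowlist; not Beats' real default list
    "default_action": "errno",
    "syscalls": [{"action": "allow", "names": ["read", "write", "futex", "clone"]}],
}


def action_for(policy, syscall):
    """Return the action a syscall gets: first matching group, else the default."""
    for group in policy.get("syscalls", []):
        if syscall in group.get("names", []):
            return group["action"]
    return policy["default_action"]


def filters_nothing(policy):
    """True when no syscall can ever receive an action other than 'allow'."""
    actions = {policy["default_action"]}
    actions.update(g["action"] for g in policy.get("syscalls", []))
    return actions == {"allow"}


def glibc_needs_rseq(version):
    """True for glibc >= 2.35, given a string such as 'glibc 2.36'."""
    major, minor = version.split()[-1].split(".")[:2]
    return (int(major), int(minor)) >= (2, 35)


def audit(policy, glibc_version):
    """Report whether rseq is denied on this glibc and whether the policy filters at all."""
    blocked = glibc_needs_rseq(glibc_version) and action_for(policy, "rseq") != "allow"
    return {"rseq_blocked": blocked, "filters_nothing": filters_nothing(policy)}


if __name__ == "__main__":
    try:  # this confstr name exists only on glibc systems
        local = os.confstr("CS_GNU_LIBC_VERSION") or "glibc 2.36"
    except (ValueError, OSError):
        local = "glibc 2.36"  # constructed sample value
    for name, pol in (("answer", ANSWER_POLICY), ("strict", STRICT_POLICY)):
        print(name, local, audit(pol, local))
```

Under the answer's policy every syscall resolves to `allow`, so the audit reports `filters_nothing` as true: the crash goes away, and so does the seccomp restriction on the Beat.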