Using Docker for Job execution
Overview
Turbinia supports the use of Docker by allowing a Task to execute its command through a Docker Container instead. For example, when a Task for a PlasoJob is passed to a Worker, the Task will execute the command log2timeline.py <ARGS>
through the Container and pass back the associated data to the Worker for further processing. The benefit being that it eliminates having to install the required dependencies and/or external programs for a Job on the Worker’s host machine. Please note that Turbinia does not provide the Docker Images necessary for each Job and they will need to either be created or pulled from a container registry.
Enabling Docker usage
In order to enable this feature, please take the following steps.
In the
turbinia.conf
configuration file, set theDOCKER_ENABLED
flag toTrue
to enable the usage of Docker.Review the
DEPENDENCIES
flag in theturbinia.conf
configuration file and identify which Job you would like to execute a Docker container for. Once identified, replace the value fordocker_image
with the name of the Docker image.Save the
turbinia.conf
configuration file then restart all Workers for the changes to take into effect.When the Workers start, they will perform dependency checks to ensure that the binaries required by the Job are installed in the Container, and if that check passes, it will execute those in the configured Docker Container.
If you no longer would like to use the Docker image, set the
docker_image
value back toNone
.
Example using Plaso
The following section provides an example of the steps mentioned above for the Plaso Job by using the Docker CLI to retrieve the required information.
Retrieve the latest Plaso Docker image either locally or through a preconfigured registry containing the image.
docker pull log2timeline/plaso
Identify the name for the retrieved image.
docker image ls
Then copy the value listed under the column
REPOSITORY
.REPOSITORY TAG IMAGE ID CREATED SIZE log2timeline/plaso latest 9c22665bff50 4 days ago 314MB
Open up the
turbinia.conf
configuration file then set the attributeDOCKER_ENABLED
toTrue
.Identify the
DEPENDENCIES
attribute and look for the JobPlasoJob
, then replace thedocker_image
value with the identifiedREPOSITORY
.{ 'job': 'PlasoJob' 'programs': ['log2timeline.py'], 'docker_image': 'log2timeline/plaso' }
Note: You can also provide the docker image name with a tag to pin the programs used in jobs to a certain version. In the example above
log2timeline/plaso
can also be specified aslog2timeline/plaso:latest
. This way the tools can be updated and after that the tag is changed in the configuration file which eliminates the need for redeploying or re-installing anything.
Save the configuration file, then restart the turbinia Worker.
sudo systemctl restart turbinia@psqworker.service
If the dependency check succeeds, once a Worker receives a Docker configured Task, the Task will execute its external command through the Docker Container instead and pass the associated data back to the Worker for further processing.