These can be used to process the evidence or local node before and after a task runs. Examples are attaching a cloud disk, mounting a disk, un-encrypting a disk, etc.

Right now the user has to manually manage separate configs to talk to different Turbinia instances. It would be nice if there was a way to have multiple servers registered under one config, or possibly have a way for servers to register in a cloud project, and have the client be able to easily select from any server instance in a given cloud project.

We should autogenerate all of the commands and command args for turbiniactl based on the evidence object types and attributes so that all evidence types can be added through tubiniactl without needing to manually keep things in sync.

This will create a new Persistent disk with a filesystem that is slightly larger than the image file on GCS, and will copy the raw image from GCS directly as a file in the Persistent Disk FS. This will require a new Evidence type called something like PersistentDiskLocalImage.

... Also set a TTL to the task.

We need a way to get the status out of Turbinia remotely after things start. This may mean creating a new pubsub interface or other back-channel mechanism since right now the way to talk to Turbinia remotely is through pubsub (currently one-way).

... Including log lines, etc.

This will help a bit in debugging.

Right now PSQ starts a worker per core, but some of the underlying tools (i.e. plaso) do this as well, so it doesn't make sense to have that many worker tasks running. I'm not sure if a single worker per host is the right option either though.

ie. get .plaso files from GCS or wherever the new Evidence objects are written to.

Right now when we save data into Datastore we don't have any way to distinguish which Turbinia instance is saving the entities, which means that we can't have more than one Turbinia instance per cloud project without mixing the task status results together. We should add a new 'instance' (or something similar) as part of the entity key to help disambiguate. We could potentially use the config.PSQ_TOPIC variable here as this should already be unique.

Right now I have PR for some super basic/hacky start-up scripts, but we should update those into something more legit.

Right now we don't have a way to check how many workers are connected, and this can be non-trivial because workers can connect from anywhere. We should implement a 'turbiniactl workercheck' (or similar) command to run a quick check on all the workers. PSQ has a Broadcast worker mechanism that we can use for this.

Also consider YAPF presubmit hooks.

(There is another open ended issue to track adding multiple job types, but I'm going to start breaking them out into their own issues).

We can add different worker pools that are created to match individual job types (e.g. so Plaso can have worker nodes that have more cpu than workers for other job types). Right now it's one global worker pool.

Right now they are manually created, but the code should check for them and automatically create them if they do not exist.

It's out of date, and has packages listed from the previous iteration.

Currently Turbinia assumes that it runs as a user with sudo privileges. We should add methods to the TurbiniaTask object to handle executing privileged commands rather than hard-coding sudo into commands being run.

Timesketch has a fancy new python API. We should upload output to timesketch where relevant.

Output in CSV format. Also Create new evidence type for PlasoCSVFile.

This is so that multiple Turbinia Servers don't stomp on each other when using the same PubSub queue for scheduling tasks, etc.

Getting multiple log lines right now. Probably need to so something like this in logger.py:
https://stackoverflow.com/questions/6333916/python-logging-ensure-a-handler-is-added-only-once

Creating a persistent disk from a raw disk requires a few pre-processing steps (zero-pad to 1G, compress, upload to GCS, convert to image, create PD, etc), so it would be nice to automate this.

Once we have a generic task, we can use a recipe to specify the command and parameters.

... With links to completed processing results (both successful runs and failures).

... This potentially means implementing pre-processors as well.

Right now we will process the symlink as a file, but we should follow the symlink before adding the file to be processed.

[INFO] Took 0.27 sec
Traceback (most recent call last):
File "/home/turbinia/src/turbinia/turbiniactl", line 175, in
worker.listen()
File "/home/turbinia/turbinia-env/local/lib/python2.7/site-packages/psq/worker.py", line 60, in listen
self.run_task(task)
File "/home/turbinia/turbinia-env/local/lib/python2.7/site-packages/psq/worker.py", line 69, in run_task
task.execute(self.queue)
File "/home/turbinia/turbinia-env/local/lib/python2.7/site-packages/psq/task.py", line 96, in execute
queue.storage.put_task(self)
File "/home/turbinia/turbinia-env/local/lib/python2.7/site-packages/psq/datastore_storage.py", line 61, in put_task
entity['data'] = dumps(task)
File "/home/turbinia/turbinia-env/local/lib/python2.7/site-packages/google/cloud/client.py", line 134, in getstate
'Clients have non-trivial state that is local and unpickleable.',
pickle.PicklingError: Pickling client objects is explicitly not supported.
Clients have non-trivial state that is local and unpickleable.

This will probably use GCS FUSE:
https://cloud.google.com/storage/docs/gcs-fuse

Right now the output for jobs is put into a locally mounted filesystem, and we should allow for the option to put the output directly into cloud storage.

Hey @berggren (& other Googlers!),

I've heard this project referenced multiple times, and I'm super curious, but the README doesn't really give much of an idea what this project is for. Is it like a Salt/Puppet/Ansible thing? Is it an orchestration platform? I know I could read the code, but that's a big investment. A decent README that explains what this project is about would go a long way to helping folks evaluate if it's helpful.

Thanks!

Right now the workers assume that we can process anything so we should make sure to fail gracefully when we can't.

... And also a Task that takes a RawDisk and generates RawDiskPartitions.

• Strings
• fls
• keyword filters
• etc

We want a simple webui to start turbinia jobs.