Bug #1716

closed

live rule reloads not functioning on some servers

Added by Chris Beverly almost 9 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal

Description

We have ~85 servers that are all running the same build of suricata, distributed as a docker image. On all but 5 of these servers, live rule reloading (docker kill -s USR2 suricata) works just fine. But on the 5 servers that it does not work on, the USR2 signal gets to the point of printing the "<Notice> - rule reload starting", but does NOT print the "<Notice> - rule reload completed" message like all of the others. Any subsequent attempt to issue a USR2 signal to the suricata process results in absolutely no activity or log output.

The containers have been removed and recreated from image, and the servers have been completely reprovisioned (full OS reinstall, all servers configured the exact same using config management). Nothing appears to be clearing this issue. Attached is the gdb output. The sequence of the output is as follows:

01) gdb was attached right after a fresh container creation and after suricata had completed its full startup sequence
02) The rule reload was issued
03) 'thread apply all bt' was issued
04) 'cont' was issued
05) After the rule reload stuck at "<Notice> - rule reload starting", 'thread apply all bt' was issued once more

Please let me know if there is any other information that can be provided.


Files

suricata_gdb.txt (120 KB), Chris Beverly, 02/19/2016 06:11 PM
stats.tar.gz (1.55 MB), Chris Beverly, 02/21/2016 11:36 AM
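A check for the symptom in the report (a "rule reload starting" line with no matching "rule reload completed"), given here as an added example that is not part of the original report or of Suricata itself. The function name `find_stalled_reloads`, the 5-minute grace period, the timestamp prefix and the sample log lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Message text is quoted from the report; the timestamp prefix is an assumed
# log format and may need adjusting for a given logging configuration.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} -- \d{2}:\d{2}:\d{2}) - <Notice> - "
    r"rule reload (?P<event>starting|completed)"
)
TS_FORMAT = "%d/%m/%Y -- %H:%M:%S"


def find_stalled_reloads(lines, now, timeout=timedelta(minutes=5)):
    """Return start times of reloads with no completion line."""
    stalled = []
    pending = None  # start time of a reload still waiting for "completed"
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        if m.group("event") == "starting":
            if pending is not None:
                stalled.append(pending)  # new reload began before the old one finished
            pending = ts
        else:
            pending = None
    # A reload still pending after the grace period is treated as hung.
    if pending is not None and now - pending > timeout:
        stalled.append(pending)
    return stalled


# Constructed sample logs (not taken from the attached files).
HEALTHY_LOG = [
    "19/2/2016 -- 18:10:01 - <Notice> - rule reload starting",
    "19/2/2016 -- 18:10:09 - <Info> - constructed filler line",
    "19/2/2016 -- 18:10:14 - <Notice> - rule reload completed",
]
STUCK_LOG = [
    "19/2/2016 -- 18:10:01 - <Notice> - rule reload starting",
    "19/2/2016 -- 18:10:09 - <Info> - constructed filler line",
]

if __name__ == "__main__":
    now = datetime(2016, 2, 19, 18, 30, 0)
    for name, log in (("healthy", HEALTHY_LOG), ("stuck", STUCK_LOG)):
        print(name, find_stalled_reloads(log, now))
```

Run against each sensor's log after a scheduled reload, a non-empty result marks a host that is still inspecting traffic with the old ruleset.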