Bug #2136

closed

Suricata 4.0.0 beta1 restart problem

Added by Samiux A almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -

Description

Suricata 4.0.0 beta1 does not restart using the systemctl script, as /var/run/suricata.pid is not killed properly.

Actions #1

Updated by Peter Manev almost 7 years ago

Where/how did you install it (asking since it is not from our PPA)?
Any err message?

Actions #2

Updated by Samiux A almost 7 years ago

I compiled from source code and installed on Ubuntu Server 16.04. The --enable-rust is enabled with cargo installed.

The suricata.service systemd script is:

[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure

[Service]
Type=forking
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/kill $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target

I configured Suricata as follows:

./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit \
--enable-rust --enable-nfqueue --enable-pie --enable-gccprotect --enable-gccprofile \
--enable-hiredis --enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--with-libhiredis-libraries=/usr/lib/x86_64-linux-gnu --with-libhiredis-includes=/usr/include/hiredis \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libluajit-includes=/usr/local/include/luajit-2.1/ \
--with-libluajit-libraries=/usr/local/lib/ \
CFLAGS="-ggdb -O0 -ftrapv -fPIE -Wl,-z,relro,-z,now -g -D_FORTIFY_SOURCE=2 -O2 -fstack-protector-all --param=ssp-buffer-size=4 -Wformat -Werror=format-security" \
SECCFLAGS="-ftrapv -fPIE -Wl,-z,relro,-z,now -fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -Wformat -Wformat-security" \
--with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/

I need to stop Suricata, then delete /var/run/suricata.pid before restarting Suricata. Otherwise, Suricata cannot be started.

Actions #3

Updated by Victor Julien almost 7 years ago

  • Priority changed from Urgent to Normal

Strange, I didn't think the pid file handling changed.

Actions #4

Updated by Samiux A almost 7 years ago

I reran the restart script and got the following result.

sudo systemctl restart suricata
[sudo] password for samiux:
Job for suricata.service failed because the control process exited with error code. See "systemctl status suricata.service" and "journalctl -xe" for details.

● suricata.service - Suricata IDPS Daemon
Loaded: loaded (/lib/systemd/system/suricata.service; enabled; vendor preset: enabled)
Active: inactive (dead) (Result: exit-code) since Thu 2017-06-08 17:06:43 HKT; 15s ago
Process: 7010 ExecStopPost=/bin/kill $MAINPID (code=exited, status=1/FAILURE)
Process: 7031 ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D (code=exited, status=1/FAILURE)
Main PID: 17736 (code=dumped, signal=ABRT)

Jun 08 17:06:43 croissants systemd[1]: Failed to start Suricata IDPS Daemon.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Unit entered failed state.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Failed with result 'exit-code'.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Service hold-off time over, scheduling restart.
Jun 08 17:06:43 croissants systemd[1]: Stopped Suricata IDPS Daemon.
Jun 08 17:06:43 croissants systemd[1]: suricata.service: Start request repeated too quickly.
Jun 08 17:06:43 croissants systemd[1]: Failed to start Suricata IDPS Daemon.

ls -la /var/run/suricata.pid
-rw-r----- 1 root root 6 Jun 8 12:05 /var/run/suricata.pid

Actions #5

Updated by Samiux A almost 7 years ago

When I changed the "ExecStopPost" value, the Suricata restarted properly.

[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure

[Service]
Type=forking
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/kill $MAINPID && /bin/rm -f /var/run/suricata.pid
Restart=on-failure

[Install]
WantedBy=multi-user.target

Actions #6

Updated by Samiux A almost 7 years ago

The better version of suricata.service should be:

[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure

[Service]
Type=forking
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill $MAINPID && /bin/rm -f /var/run/suricata.pid
ExecStopPost=/bin/kill $MAINPID && /bin/rm -f /var/run/suricata.pid
Restart=on-failure

[Install]
WantedBy=multi-user.target

Actions #7

Updated by Samiux A almost 7 years ago

I think this thread can be closed, as "PIDFile" in the systemd script solved the problem.

[Unit]
Description=Suricata IDPS Daemon
Wants=network.target syslog.target
After=network.target syslog.target
Restart=on-failure

[Service]
Type=forking
PIDFile=/var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet -vv -D
ExecReload=/bin/kill -HUP $MAINPID
ExecStopPost=/bin/kill $MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target

Actions #8

Updated by Jason Ish almost 7 years ago

  • Status changed from New to Closed

Due to https://redmine.openinfosecfoundation.org/issues/1335, Suricata 4.0.0-beta1 now fails on the existence of the PID.

For my RPMs I'm using the following unit file:
https://github.com/jasonish/suricata-rpms/blob/master/beta/suricata.service

Closing as this is expected behaviour.
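
Added example, not part of the original thread or of Suricata: since 4.0.0-beta1 refuses to start while the PID file exists, a pre-start check can tell a stale file left by a dead process from one owned by a running instance, instead of deleting it unconditionally. The function names are hypothetical; the default path is the one from this report.

```shell
#!/bin/sh
# Added example: classify a daemon PID file before start-up and remove it
# only when it is stale. Function names are hypothetical.

# Default path taken from this report; override with PIDFILE=...
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"

# Prints one of: absent | invalid | stale | live
pidfile_state() {
    file="$1"
    [ -e "$file" ] || { echo absent; return 0; }

    # A PID file holds a single decimal number on its first line.
    # read returns non-zero on a missing trailing newline but still sets pid.
    pid=""
    IFS= read -r pid < "$file" || true
    case "$pid" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac

    # kill -0 delivers no signal; it only tests that the PID exists.
    # It also fails with EPERM for another user's process, so fall back
    # to /proc (Linux) before declaring the file stale.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo live
    else
        echo stale
    fi
}

# Remove the PID file only when no process owns it. Returns 1 when a live
# process still does, so the caller does not start a second instance.
# Caveat: after PID reuse an unrelated process can make a stale file look
# live; this errs on the side of not deleting.
clear_stale_pidfile() {
    file="$1"
    state=$(pidfile_state "$file")
    case "$state" in
        absent) return 0 ;;
        stale|invalid) rm -f -- "$file" ;;
        live)
            echo "refusing: $file belongs to a running process" >&2
            return 1 ;;
    esac
}
```

Calling `clear_stale_pidfile "$PIDFILE"` before starting the daemon clears only leftovers from a crash and leaves the file alone while an instance is still running.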

Actions #9

Updated by Victor Julien almost 7 years ago

Can we check in a service file template that gets filled in with the proper paths (e.g. suricata.service.in)? I don't think we should install it, but it might make it easier for users to start using it.

Actions #10

Updated by Jason Ish almost 7 years ago

Victor Julien wrote:

Can we check in a service file template that gets filled in with the proper paths (e.g. suricata.service.in)? I don't think we should install it, but it might make it easier for users to start using it.

Yes, that would be a good idea.

https://redmine.openinfosecfoundation.org/issues/2138

I can do this.
