Actions
Bug #2505
closedgetrandom prevents any suricata start commands on more later OS's
Affected Versions:
Effort:
Difficulty:
Label:
Description
As part of QA runs stumbled upon this case
Using currently available latest git -
root@5897b8c12953:/# suricata --build-info
This is Suricata version 4.1.0-dev (rev 2d1c4420)
Features: DEBUG UNITTESTS PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 7.3.0, C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.26, linked against LibHTP v0.5.26
Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support:
PF_RING support: no
NFQueue support: no
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: no
hiredis support: yes
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: no
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: no
Rust support (experimental): yes
Rust strict mode: no
Rust debug mode: no
Suricatasc install: yes
Profiling enabled: no
Profiling locks enabled: no
Development settings:
Coccinelle / spatch: yes
Unit tests enabled: yes
Debug output enabled: yes
Debug validation enabled: no
Generic build parameters:
Installation prefix: /usr/local
Configuration directory: /usr/local/etc/suricata/
Log directory: /usr/local/var/log/suricata/
--prefix /usr/local
--sysconfdir /usr/local/etc
--localstatedir /usr/local/var
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS -ggdb3 -O0 -march=native -I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS -I/usr/include
SECCFLAGS
root@5897b8c12953:/#
When building and running docker tests (using GtiLab and/or manual run with a SQARDs combo - https://github.com/pevma/sqard) "older" OS dockers - for example Xenial/Stretch compile and run suricata tetss normally and as expected.
"Newer" OSs - like Debian Testing/Fedora latest get stuck on any suricata command (example "suricata -T" would get stuck on getrandom() and never complete) see below -
strace suricata -T
....
....
...
write(1, "[\33[33m14314\33[0m] \33[32m22/5/2018 "..., 190[14314] 22/5/2018 -- 09:02:44 - (suricata.c:1076) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 2d1c4420)
) = 190
gettid() = 14314
fstat(3, {st_mode=S_IFREG|0644, st_size=125, ...}) = 0
write(3, "[14314] 22/5/2018 -- 09:02:44 - "..., 125) = 125
openat(AT_FDCWD, "/sys/devices/system/cpu", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
fstat(4, {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0
getdents(4, /* 16 entries */, 32768) = 464
getdents(4, /* 0 entries */, 32768) = 0
close(4) = 0
openat(AT_FDCWD, "/sys/devices/system/cpu/online", O_RDONLY|O_CLOEXEC) = 4
read(4, "0-3\n", 8192) = 4
close(4) = 0
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5be38d000
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5be30c000
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5be28b000
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5b9dbc000
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5b9d3b000
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5b9cba000
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5b9c39000
mmap(NULL, 528384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x72b5b9bb8000
brk(0xbbe5f989000) = 0xbbe5f989000
getrandom(0x76911f876770, 8, 0) = -1 ENOSYS (Function not implemented)
getrandom(0x76911f876770, 8, 0) = -1 ENOSYS (Function not implemented)
getrandom(0x76911f876770, 8, 0) = -1 ENOSYS (Function not implemented)
getrandom(0x76911f876770, 8, 0) = -1 ENOSYS (Function not implemented)
getrandom(0x76911f876770, 8, 0) = -1 ENOSYS (Function not implemented)
getrandom(0x76911f876770, 8, 0) = -1 ENOSYS (Function not implemented)
getrandom(0x76911f876770, 8, 0) = -1 ENOSYS (Function not implemented)
....
....
....
forever......
A quick way to test it and reproduce -
docker pull pevma/sqard:debian-testing && docker run --security-opt="apparmor=unconfined" --cap-add=SYS_PTRACE --name sqard-debian-testing-01 -d -ti pevma/sqard:debian-testing /bin/bash && docker attach $(docker ps -a |grep sqard-debian-testing-01 | awk '{print $1}')
Once inside -
git clone https://github.com/OISF/suricata.git && cd suricata && git clone https://github.com/OISF/libhtp.git -b 0.5.x && ./autogen.sh && ./configure --enable-hiredis --enable-rust --enable-unittests --enable-debug CFLAGS="-ggdb3 -O0" && make clean && make -j4 && make install-full && ldconfig
Actions