Bug #6373

open

main/startup: support sentinel file signal for initial rule processing completion

Added by Jeff Lucovsky 9 months ago. Updated 9 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Many deployments use different ways to observe "health".

When starting Suricata, it's helpful to know when its rule processing step is complete so observers can distinguish between:
- Suricata's running and can't communicate because it hasn't opened the unix socket for suricatasc comms
- Suricata's running, processing rules, and is not responding.

A sentinel file that is set before Suricata launches (by the launcher) and is cleared when Suricata's initial rule processing completes can disambiguate the first case.

Actions #1

Updated by Jason Ish 9 months ago

Would it make more sense to fix the socket so it could be used to monitor state sooner?

We already have one mechanism for notification once running with systemd in OnNotifyRunning. Does this location fit the needs for the sentinel file? Then I wonder if it would make sense for a plugin to register a callback here. My worry is there is no one-size-fits-all mechanism here as it's probably going to be highly dependent on your process orchestration. A systemd hook makes sense as it's ubiquitous.

Actions #2

Updated by Jeff Lucovsky 9 months ago

That location would make sense.

A plugin registration mechanism for deployment-customization would be helpful for the non-systemd deployments.

Something like RegisterOnRunning with a callback to a void (*funcptr)(void) would work. Thoughts on that interface?
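A sketch of how the two ideas in this thread could fit together, added here as an example and not taken from Suricata or from either commenter: a callback table behind the proposed RegisterOnRunning interface, with a callback that clears the launcher's sentinel file. Only the name RegisterOnRunning and the void (*)(void) callback type come from the thread; RunOnRunningCallbacks, the Sentinel* helpers, the EXAMPLE_SENTINEL_FILE variable and the default path are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define MAX_ON_RUNNING 8
typedef void (*OnRunningFunc)(void);
static OnRunningFunc on_running[MAX_ON_RUNNING];
static int on_running_cnt;

/* Name and callback type are from the thread; the body is an assumption.
 * Returns 0 on success, -1 for a NULL callback or a full table. */
int RegisterOnRunning(OnRunningFunc cb) {
    if (cb == NULL || on_running_cnt >= MAX_ON_RUNNING) return -1;
    on_running[on_running_cnt++] = cb;
    return 0;
}

/* Hypothetical dispatch point, called once after initial rule processing. */
int RunOnRunningCallbacks(void) {
    for (int i = 0; i < on_running_cnt; i++) on_running[i]();
    return on_running_cnt;
}

/* Sentinel location; the variable name and default path are constructed. */
static const char *SentinelPath(void) {
    const char *p = getenv("EXAMPLE_SENTINEL_FILE");
    return p ? p : "/tmp/example-ids.starting";
}

/* Launcher side: drop any stale sentinel, then create it exclusively so a
 * pre-planted symlink at that path is never followed. */
int SentinelCreate(void) {
    unlink(SentinelPath());
    int fd = open(SentinelPath(), O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

int SentinelPresent(void) { return access(SentinelPath(), F_OK) == 0; }
/* Engine side: the registered callback clears the sentinel. */
void SentinelClear(void) {
    if (unlink(SentinelPath()) != 0 && errno != ENOENT) perror("unlink sentinel");
}

int main(void) {
    if (SentinelCreate() != 0 || RegisterOnRunning(SentinelClear) != 0) return 1;
    RunOnRunningCallbacks();
    return SentinelPresent(); /* 0 when the sentinel was cleared */
}
```

An observer that finds the process alive and the sentinel still present can treat the engine as still loading rules instead of unresponsive.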
