commit:     be92f97f24e7867078e10efa0ee191b770cbf143
Author:     Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 22 11:35:30 2016 +0000
Commit:     Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Thu Dec 22 11:35:30 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be92f97f

net-analyzer/suricata: Updated init script

Applied the patches submitted to bug 602590.
Now it's possible to run one or many instances of suricata.

Thanks to Vieri <rentorbuy <AT> yahoo.com> for help.

Package-Manager: Portage-2.3.3, Repoman-2.3.1

 net-analyzer/suricata/files/suricata-3.2-conf |  17 +++--
 net-analyzer/suricata/files/suricata-3.2-init | 105 +++++++++++++++++++-------
 net-analyzer/suricata/suricata-3.2.ebuild     |  21 ++++--
 3 files changed, 102 insertions(+), 41 deletions(-)

diff --git a/net-analyzer/suricata/files/suricata-3.2-conf 
b/net-analyzer/suricata/files/suricata-3.2-conf
index dfb1471..bc6e281 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -5,27 +5,28 @@
 # SURICATA_DIR="/etc/suricata"
 
 # Pass options to each suricata service.
+#
 # You can launch more than one service at the same time with different options.
 # This can be useful in a multi-queue gateway, for example.
 # You can expand on the Suricata inline example found at:
-# 
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
+# http://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html
 # Instead of configuring iptables to send traffic to just one queue, you can 
configure it to "load balance"
 # on several queues. You can then have a Suricata instance processing traffic 
for each queue.
 # This should help improve performance on the gateway/firewall.
-# Suppose you configured iptables to use queues 0 and 1. You can now do the 
following:
+#
+# Suppose you configured iptables to use queues 0 and 1 named q0 and q1. You 
can now do the following:
 # ln -s /etc/init.d/suricata /etc/init.d/suricata.q0
 # ln -s /etc/init.d/suricata /etc/init.d/suricata.q1
 # cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q0.yaml
 # cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q1.yaml
-# mkdir /var/log/suricata/q{0,1}
-# Edit both suricata-q{0,1}.yaml files and set values accordingly (eg. set the 
suricata.log file path to
-# a dedicated dir in the section "logging:outputs:-file").
+# Edit both suricata-q{0,1}.yaml files and set values accordingly.
+# 
 # You can then define the following options here:
 
-# SURICATA_OPTS[q0]="-q 0 -l /var/log/suricata/q0"
-# SURICATA_OPTS[q1]="-q 1 -l /var/log/suricata/q1"
+# SURICATA_OPTS_q0="-i eth0"
+# SURICATA_OPTS_q1="-i eth1"
 
 # If you want to use ${SURICATA_DIR}/suricata.yaml and start the service with 
/etc/init.d/suricata
 # then you can set:
 
-# SURICATA_OPTIONS="-i eth0"
+SURICATA_OPTS="-i eth0"
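Review bot: The per-instance examples `SURICATA_OPTS_q0="-i eth0"` and `SURICATA_OPTS_q1="-i eth1"` no longer fit the scenario the surrounding comment describes, which is iptables load-balancing across NFQUEUE queues 0 and 1; capturing on interfaces is a different deployment, so the examples should read `# SURICATA_OPTS_q0="-q 0"` and `# SURICATA_OPTS_q1="-q 1"`. The removed hint about a dedicated log directory per instance is worth keeping in some form, because two instances left on the same yaml defaults write the same suricata.log/eve.json and clobber each other's output; at minimum replace "set values accordingly" with "in particular give each instance its own `default-log-dir`". `SURICATA_OPTS="-i eth0"` is now active rather than commented out, so a fresh install starts capturing on eth0 by default, which on hosts without an `eth0` makes the service fail at start; if that default is intended, say so in the comment above it. Since the init script in this commit resolves the suffix through `shell_var`, a service named `suricata.q-0` reads its options from `SURICATA_OPTS_q_0`; a sentence here saying that only letters, digits and underscore map one-to-one would spare admins a confusing lookup failure.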

diff --git a/net-analyzer/suricata/files/suricata-3.2-init 
b/net-analyzer/suricata/files/suricata-3.2-init
index 2a9d46f..3a9c356 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -3,20 +3,22 @@
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
+SURICATA_BIN=/usr/bin/suricata
 SURICATA_DIR=${SURICATA_DIR:-/etc/suricata}
 SURICATA=${SVCNAME#*.}
+SURICATAID=$(shell_var "${SURICATA}")
 if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
     SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml"
     SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
-    SURICATAOPTS=${SURICATA_OPTS[${SURICATA}]}
+    eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
 else
     SURICATACONF="${SURICATA_DIR}/suricata.yaml"
     SURICATAPID="/var/run/suricata/suricata.pid"
-    SURICATAOPTS=${SURICATA_OPTIONS}
+    SURICATAOPTS=${SURICATA_OPTS}
 fi
 
 extra_commands="checkconfig"
-extra_started_commands="reload"
+extra_started_commands="reload relog"
 
 depend() {
        need net
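Review bot: The `eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}` line is only safe because the suffix was first reduced to identifier characters by `shell_var` two lines above, and that dependency is not obvious to the next reader; add above the eval `# shell_var() maps the service suffix (text after the first dot in SVCNAME) to a valid variable-name fragment, so this eval expands exactly one SURICATA_OPTS_<id> variable and nothing else`. While here, quote the test so an unusual SVCNAME cannot break the `[` expression: `if [ -n "${SURICATA}" ] && [ "${SVCNAME}" != "suricata" ]; then`. Note that SURICATAPID still uses the raw, unsanitized suffix, so `suricata.q-0` reads `SURICATA_OPTS_q_0` but writes `suricata.q-0.pid`; that is consistent per instance, but worth a one-line comment since the two names differ. depend() continues past the end of this hunk.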
@@ -34,49 +36,96 @@ checkconfig() {
        fi
 }
 
+initpidinfo() {
+       [ -f ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
+       if [ ${#SUR_PID} -gt 0 ]; then
+           SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+           SUR_USER="$(ps -p ${SUR_PID} --no-headers -o user)"
+       fi
+}
+
+checkpidinfo() {
+       initpidinfo
+        if [ ! -f ${SURICATAPID} ]; then
+               eerror "${SVCNAME} isn't running"
+                return 1
+       elif [ ${#SUR_PID} -eq 0 ] || [ $((SUR_PID_CHECK)) -ne 1 ]; then
+               eerror "Could not determine PID of ${SVCNAME}! Did the service 
crash?"
+               return 1
+       elif [ ${#SUR_USER} -eq 0 ]; then
+               eerror "Unable to determine user running ${SVCNAME}!"
+               return 1
+       elif [ "x${SUR_USER}" != "xroot" ]; then
+               eerror "${SVCNAME} must be running as root for reload or relog 
to work!"
+               return 1
+        fi
+}
+
 start() {
        checkconfig || return 1
        ebegin "Starting ${SVCNAME}"
-       start-stop-daemon --start --quiet --exec /usr/bin/suricata \
+       start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
                -- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} \
                 -c ${SURICATACONF} >/dev/null 2>&1
-       eend $?
+       local SUR_EXIT=$?
+       if [ $((SUR_EXIT)) -ne 0 ]; then
+           einfo "Could not start ${SURICATA_BIN} with:"
+           einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS} -c 
${SURICATACONF}"
+           einfo "Exit code ${SUR_EXIT}"
+       fi
+       eend ${SUR_EXIT}
 }
 
 stop() {
        ebegin "Stopping ${SVCNAME}"
+       initpidinfo
        start-stop-daemon --stop --quiet --pidfile ${SURICATAPID} >/dev/null 
2>&1
        einfon "Waiting for ${SVCNAME} to shut down. This can take a while..."
        echo
        # max wait: 5 minutes as it can take quite a while on some systems with 
heavy traffic
-       cnt=300
-       while [ -f ${SURICATAPID} ]; do
+       local cnt=300
+       while [ -f ${SURICATAPID} ] && [ $cnt -gt 0 ]; do
            cnt=$(expr $cnt - 1)
-           if [ $cnt -lt 1 ] ; then
-               echo
-               eend 1 "Failed."
-               break
-           fi
            sleep 1
-           echo -ne "$cnt seconds left before we give up\r"
+           echo -ne "$cnt seconds left before we give up checking the PID 
file...\r"
        done
-       eend $?
+       # under certain conditions suricata can be pretty slow and the PID can 
persist long after the pidfile has been removed
+       # max wait for process to terminate: 1 minute
+       if [ ${#SUR_PID} -gt 0 ]; then
+           cnt=60
+           SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+           if [ $((SUR_PID_CHECK)) -ne 0 ]; then
+               echo
+               einfo "The PID file ${SURICATAPID} is gone but the ${SVCNAME} 
PID ${SUR_PID} is still running."
+               einfo "Waiting for process to shut down on its own. This can 
take a while..."
+           fi
+           while [ $((SUR_PID_CHECK)) -ne 0 ]; do
+               cnt=$(expr $cnt - 1)
+               if [ $cnt -lt 1 ] ; then
+                   echo
+                   eend 1 "Failed. You might need to kill PID ${SUR_PID} or 
find out why it can't be stopped."
+                   break
+               fi
+               sleep 1
+               echo -ne "$cnt seconds left before we give up checking PID 
${SUR_PID}...\r"
+               SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+           done
+       fi
+       eend 0
 }
 
 reload() {
+       checkpidinfo || return 1
+       checkconfig || return 1
+       ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and 
config reload."
+       start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+       eend $?
+}
 
-       local SUR_PID="`cat ${SURICATAPID}`"
-       local SUR_USER="`ps -p ${SUR_PID} --no-headers -o user`"
-
-        if [ ! -f ${SURICATAPID} ]; then
-               eerror "${SVCNAME} isn't running"
-                return 1
-       elif [ ${SUR_USER} != root ]; then
-               eerror "${SVCNAME} must be running as root for reload to work!"
-               return 1
-       else
-               checkconfig || return 1
-               ebegin "Reloading ${SVCNAME}"
-               start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
-        fi
+relog() {
+       checkpidinfo || return 1
+       checkconfig || return 1
+       ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log 
files."
+       start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+       eend $?
 }
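Review bot: `ps -eo pid | grep -c ${SUR_PID}` in initpidinfo, and the same expression twice in stop(), is an unanchored regex substring match over every PID on the system, so a live PID 123 also matches 1234 or 5123; SUR_PID_CHECK then exceeds 1 and checkpidinfo's `-ne 1` test rejects a healthy daemon, while in stop() a stale PID file makes the script wait on an unrelated process. Use an exact lookup in all three places: `SUR_PID_CHECK="$(ps -p "${SUR_PID}" -o pid= | grep -c .)"`. Because the PID-file content is passed to ps and start-stop-daemon, initpidinfo should also reject anything non-numeric before use, e.g. `case "${SUR_PID}" in *[!0-9]*|"") SUR_PID="";; esac`. Separately, stop() now ends with an unconditional `eend 0`, so when the 60-second loop gives up after printing its own `eend 1`, the function still returns success and OpenRC marks the service stopped while the process is still alive; record the loop's failure in a local and pass that to the final `eend` instead.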

diff --git a/net-analyzer/suricata/suricata-3.2.ebuild 
b/net-analyzer/suricata/suricata-3.2.ebuild
index 2bd57bd..078186b 100644
--- a/net-analyzer/suricata/suricata-3.2.ebuild
+++ b/net-analyzer/suricata/suricata-3.2.ebuild
@@ -63,9 +63,6 @@ src_configure() {
        if use cuda ; then
                myeconfargs+=( $(use_enable cuda) )
        fi
-       if use debug ; then
-               myeconfargs+=( $(use_enable debug) )
-       fi
        if use geoip ; then
                myeconfargs+=( $(use_enable geoip) )
        fi
@@ -96,7 +93,16 @@ src_configure() {
 # this should be used when pf_ring use flag support will be added
 #      LIBS+="-lrt -lnuma"
 
-       econf LIBS="${LIBS}" ${myeconfargs[@]}
+       # avoid upstream configure script trying to add -march=native to CFLAGS
+       myeconfargs+=( --enable-gccmarch-native=no )
+
+       if use debug ; then
+               myeconfargs+=( $(use_enable debug) )
+               # so we can get a backtrace according to "reporting bugs" on 
upstream web site
+               CFLAGS="-ggdb -O0" econf LIBS="${LIBS}" ${myeconfargs[@]}
+       else
+               econf LIBS="${LIBS}" ${myeconfargs[@]}
+       fi
 }
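Review bot: In the debug branch `CFLAGS="-ggdb -O0"` replaces the user's CFLAGS wholesale, so any hardening flags set by the profile or make.conf (for example `-fstack-protector-strong`) are silently dropped, and `-O0` additionally disables `_FORTIFY_SOURCE` checks, which gcc applies only at -O1 and above. Appending keeps the user's flags while -O0 still wins as the last optimization flag: `CFLAGS="${CFLAGS} -ggdb -O0" econf LIBS="${LIBS}" "${myeconfargs[@]}"`, and the debug elog added later in this commit would be better as an `ewarn` saying the binary is unoptimized and unhardened and should not run on a production sensor. Also `${myeconfargs[@]}` is unquoted on both econf lines, so any element containing whitespace would be word-split; quote it as `"${myeconfargs[@]}"`.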
 
 src_install() {
@@ -124,7 +130,7 @@ src_install() {
 
 pkg_postinst() {
        elog "The ${PN} init script expects to find the path to the 
configuration"
-       elog "file as well as extra options in /etc/conf.d."
+       elog "file as well as extra options in /etc/conf.d"
        elog ""
        elog "To create more than one ${PN} service, simply create a new .yaml 
file for it"
        elog "then create a symlink to the init script from a link called"
@@ -136,4 +142,9 @@ pkg_postinst() {
        elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible 
options for foo."
        elog ""
        elog "You can create as many ${PN}.foo* services as you wish."
+
+       if use debug; then
+           elog "You enabled the debug USE flag. Please read this link to 
report bugs upstream:"
+           elog 
"https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs";
+       fi
 }
