Hello Arturo, thank you for the quick response.

> UNIX socket
> ===========
>
> Regarding the UNIX socket path, I would like to note that the default
> in debian is (should be):
> * /var/run/suricata-command.socket
>
> Therefore, your issues with suricata looking for
> /var/run/suricata/suricata-command.socket are perhaps
> related to a previous version of suricata?
>

No - it is related to running suricata under the 'suri' user. I had to create
the /var/run/suricata directory to let the suricata user create the
suricata-command.socket socket. The regular user does not have write
permissions to the /var/run directory. The other possibility is to create the
<default> socket in ExecStartPre and change its permissions to grant the suri
user read-write access (not tested).

> oinkmaster
> ==========
>
> Yes, the updater script looks for the socket in the default path, which is:
> * /var/run/suricata-command.socket
>
> I've not tested to run suricata with a different user apart from the
> default, which is root.
>

And that's the point - maybe not described in enough detail by me.

> ExecReload suricatasc
> =====================
>
> Again, it seems it is the same issue with the socket path.
>

Yes it is.

> $PID instead of $MAINPID
> ========================
>
> I just tested this here and I see no issues. The systemd.service(5)
> manpage refers to $MAINPID
>
> Could you please give more info?
>
> Arturo Borrero González
>

These are my tries to reload:

~# /etc/init.d/suricata reload
Reloading suricata configuration (via systemctl): suricata.serviceJob for suricata.service failed. See 'systemctl status suricata.service' and 'journalctl -xn' for details.
 failed!
~# systemctl status suricata.service
● suricata.service - Suricata IDS/IDP daemon
   Loaded: loaded (/etc/systemd/system/suricata.service; disabled)
   Active: active (running) (Result: exit-code) since Thu 2016-09-29 16:01:01 CEST; 6 days ago
     Docs: man:suricata(8)
           man:suricatasc(8)
           https://redmine.openinfosecfoundation.org/projects/suricata/wiki
  Process: 19693 ExecReload=/usr/bin/suricatasc -c reload-rules (code=exited, status=1/FAILURE)
 Main PID: 2897 (Suricata-Main)
   CGroup: /system.slice/suricata.service
           └─2897 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid

Sep 29 16:01:01 ba-suricata-s.hq.eset.com suricata[2895]: 29/9/2016 -- 16:01:01 - <Notice> - This is Suricata version 3.1.2 RELEASE
Sep 29 16:01:01 ba-suricata-s.hq.eset.com suricata[2895]: 29/9/2016 -- 16:01:01 - <Info> - CPUs/cores online: 4
Sep 29 16:01:01 ba-suricata-s.hq.eset.com suricata[2895]: 29/9/2016 -- 16:01:01 - <Info> - HTTP memcap: 3221225472
Sep 29 16:01:01 ba-suricata-s.hq.eset.com suricata[2895]: 29/9/2016 -- 16:01:01 - <Info> - Found an MTU of 1500 for 'eth1'
Sep 29 16:01:01 ba-suricata-s.hq.eset.com suricata[2895]: 29/9/2016 -- 16:01:01 - <Info> - Found an MTU of 1500 for 'eth2'
Sep 29 16:01:01 ba-suricata-s.hq.eset.com suricata[2895]: 29/9/2016 -- 16:01:01 - <Info> - Found an MTU of 1500 for 'eth3'
Sep 29 16:01:01 ba-suricata-s.hq.eset.com systemd[1]: Started Suricata IDS/IDP daemon.
Oct 06 08:56:03 ba-suricata-s.hq.eset.com systemd[1]: Reloading Suricata IDS/IDP daemon.
Oct 06 08:56:03 ba-suricata-s.hq.eset.com suricatasc[19693]: Unable to connect to socket /var/run//suricata-command.socket: [Er...ctory
Oct 06 08:56:03 ba-suricata-s.hq.eset.com systemd[1]: suricata.service: control process exited, code=exited status=1
Oct 06 08:56:03 ba-suricata-s.hq.eset.com systemd[1]: Reload failed for Suricata IDS/IDP daemon.
Hint: Some lines were ellipsized, use -l to show in full.

And of course stop does not work either:

~# /etc/init.d/suricata stop
Stopping suricata (via systemctl): suricata.service.
~# systemctl status suricata.service
● suricata.service - Suricata IDS/IDP daemon
   Loaded: loaded (/etc/systemd/system/suricata.service; disabled)
   Active: failed (Result: signal) since Thu 2016-10-06 09:05:12 CEST; 10s ago
     Docs: man:suricata(8)
           man:suricatasc(8)
           https://redmine.openinfosecfoundation.org/projects/suricata/wiki
  Process: 21276 ExecStop=/usr/bin/suricatasc -c shutdown (code=exited, status=1/FAILURE)
  Process: 19693 ExecReload=/usr/bin/suricatasc -c reload-rules (code=exited, status=1/FAILURE)
 Main PID: 2897 (code=killed, signal=KILL)

Oct 06 08:56:03 ba-suricata-s.hq.eset.com suricatasc[19693]: Unable to connect to socket /var/run//suricata-command.socket: [Er...ctory
Oct 06 08:56:03 ba-suricata-s.hq.eset.com systemd[1]: suricata.service: control process exited, code=exited status=1
Oct 06 08:56:03 ba-suricata-s.hq.eset.com systemd[1]: Reload failed for Suricata IDS/IDP daemon.
Oct 06 09:03:42 ba-suricata-s.hq.eset.com systemd[1]: Stopping Suricata IDS/IDP daemon...
Oct 06 09:03:42 ba-suricata-s.hq.eset.com suricatasc[21276]: Unable to connect to socket /var/run//suricata-command.socket: [Er...ctory
Oct 06 09:03:42 ba-suricata-s.hq.eset.com systemd[1]: suricata.service: control process exited, code=exited status=1
Oct 06 09:05:12 ba-suricata-s.hq.eset.com systemd[1]: suricata.service stop-sigterm timed out. Killing.
Oct 06 09:05:12 ba-suricata-s.hq.eset.com systemd[1]: suricata.service: main process exited, code=killed, status=9/KILL
Oct 06 09:05:12 ba-suricata-s.hq.eset.com systemd[1]: Stopped Suricata IDS/IDP daemon.
Oct 06 09:05:12 ba-suricata-s.hq.eset.com systemd[1]: Unit suricata.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
With the following service file the suricata (under the suri user) service management is working:

~# cat /etc/systemd/system/suricata.service
[Unit]
Description=Suricata IDS/IDP daemon
After=network.target network-online.target
Requires=network-online.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki

[Service]
Type=forking
# LD_PRELOAD loads tcmalloc into the daemon; UNIXCMD_SOCKET must match the
# unix-command filename in suricata.yaml, since suricatasc gets it as argument
Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4 UNIXCMD_SOCKET="/var/run/suricata/suricata-command.socket"
PIDFile=/var/run/suricata/suricata.pid
# the socket directory must exist and be owned by the unprivileged user before start
ExecStartPre=-/bin/mkdir /var/run/suricata
ExecStartPre=/bin/chown -R suri:suri /var/run/suricata
ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata/suricata.pid
# systemd requires the ";" between two commands to be a separate word
ExecReload=/bin/dash -c "/usr/bin/suricatasc -c reload-rules ${UNIXCMD_SOCKET}" ; /bin/kill -HUP $MAINPID
ExecStop=/bin/dash -c "/usr/bin/suricatasc -c shutdown ${UNIXCMD_SOCKET}"
ExecStopPost=/bin/rm -rf /var/run/suricata
Restart=on-failure
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target

Just another minor remark - the sysvinit script does not report the reload action as available:

root@ba-suricata-s:~# /etc/init.d/suricata
OK
Usage: /etc/init.d/suricata {start|stop|restart|status}

--
Peter Viskup
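A small POSIX shell script, added here as an example and not taken from the thread or from the Suricata project, that does what the unit file's mkdir/chown ExecStartPre pair does but verifies the result and names the failure modes seen in the status output above (a missing /var/run/suricata, the doubled slash in /var/run//suricata-command.socket, a socket the calling user cannot write). The function names, the 0750 directory mode and the use of GNU coreutils tools (install, stat -c) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Suricata project): helpers for
# running an IDS daemon as an unprivileged user. Function names, the 0750
# mode and GNU coreutils (install, stat -c) are assumptions.
set -u

# prepare_runtime_dir DIR OWNER GROUP
# Create DIR (mode 0750) owned by OWNER:GROUP, idempotently, then verify the
# ownership actually took effect. This is the unit file's mkdir/chown
# ExecStartPre pair, but it fails loudly if the directory ends up wrong.
prepare_runtime_dir() {
    _dir=$1; _owner=$2; _group=$3
    install -d -m 0750 -o "$_owner" -g "$_group" "$_dir" || return 1
    _actual=$(stat -c '%U:%G' "$_dir") || return 1
    [ "$_actual" = "$_owner:$_group" ]
}

# normalise_path PATH
# Collapse repeated slashes. The thread's failure shows suricatasc looking for
# /var/run//suricata-command.socket: a directory and a filename joined with an
# extra "/", which hides a mismatch between suricata.yaml and the unit file.
normalise_path() {
    printf '%s\n' "$1" | sed 's#//*#/#g'
}

# check_socket SOCKET_PATH EXPECTED_OWNER
# Return 0 when the command socket exists and is writable by the caller
# (what suricatasc needs), otherwise print the most likely cause and return 1.
check_socket() {
    _sock=$(normalise_path "$1"); _owner=$2
    _parent=$(dirname "$_sock")
    if [ ! -d "$_parent" ]; then
        echo "directory $_parent missing: the daemon cannot create $_sock" >&2
        return 1
    fi
    if [ "$(stat -c '%U' "$_parent")" != "$_owner" ]; then
        echo "directory $_parent not owned by $_owner: the daemon cannot create the socket" >&2
        return 1
    fi
    if [ ! -S "$_sock" ]; then
        echo "no socket at $_sock: is the daemon running with unix-command enabled?" >&2
        return 1
    fi
    if [ ! -w "$_sock" ]; then
        echo "socket $_sock is not writable by $(id -un)" >&2
        return 1
    fi
    return 0
}

# Typical use from an ExecStartPre line (paths as in the thread's unit file):
#   prepare_runtime_dir /var/run/suricata suri suri
# and from a health check before calling suricatasc:
#   check_socket /var/run/suricata/suricata-command.socket suri
```

Where the installed systemd supports the RuntimeDirectory= directive, RuntimeDirectory=suricata together with User=suri and Group=suri makes systemd create /run/suricata owned by that user before ExecStart and remove it when the unit stops, which replaces the mkdir, chown and rm -rf lines of the unit file above without any shell helper.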