[08/20] suricata: Add a watcher to restart on unexpected termination
Commit Message
This patch adds a watcher process that restarts suricata after it has
been killed by SIGKILL (e.g. by the OOM killer) or has crashed with a SEGV.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
config/rootfiles/common/suricata | 1 +
config/suricata/suricata-watcher | 55 ++++++++++++++++++++++++++++++++
lfs/suricata | 3 ++
src/initscripts/system/suricata | 16 ++--------
4 files changed, 61 insertions(+), 14 deletions(-)
create mode 100644 config/suricata/suricata-watcher
@@ -1,6 +1,7 @@
etc/suricata
etc/suricata/suricata.yaml
usr/bin/suricata
+usr/bin/suricata-watcher
usr/sbin/convert-ids-backend-files
#usr/share/doc/suricata
#usr/share/doc/suricata/AUTHORS
new file mode 100644
@@ -0,0 +1,55 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A Linux-based Firewall #
+# Copyright (C) 2024 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+PIDFILE="/var/run/suricata.pid"
+
+main() {
+ local ret
+
+ while :; do
+ # Launch suricata
+ /usr/bin/suricata "$@" &>/dev/null
+
+ # Wait until suricata is done
+ ret=$?
+
+ case "${ret}" in
+ # If suricata has been killed by SIGKILL (e.g. by
+ # the OOM killer, or if it ran into a SEGV, we will
+ # restart the process.
+ 137|139)
+ # Remove the PID file
+ unlink "${PIDFILE}" 2>/dev/null
+
+ sleep 1
+ continue
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ done
+
+ return ${ret}
+}
+
+main "$@" || return $?
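Review bot: The `return $?` on the last line runs outside any function in a script that is executed, not sourced, so bash prints "return: can only `return' from a function or sourced script" and sets the status to 1; the exit code the watcher just propagated from `main` (137, 139, or whatever suricata returned on a clean stop) is lost to the caller. `main "$@"` on its own already leaves the script exiting with main's status, or write `exit "$?"` if the intent should be explicit. Separately, the restart arm in `main` restarts silently and without bound: an OOM kill or SEGV that repeats on every start (a bad rule file, a persistent memory shortage) becomes a one-second restart loop with nothing in the logs, since suricata's own stderr is discarded on the launch line. A `logger -t suricata-watcher "suricata exited with status ${ret}, restarting"` before the `unlink`, and either a capped retry count or a growing `sleep`, would make the condition visible to the operator instead of hiding it.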
@@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
# Install converter script needed for Core Update 167
install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files
+ # Install the watcher
+ install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher
+
@rm -rf $(DIR_APP)
@$(POSTBUILD)
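Review bot: The new install line writes the mode as `-m 755` and adds `-v`, while the converter-script line immediately above uses `-m 0755` and no `-v`; the two are functionally the same but the mismatch reads as unintended. Matching the neighbour, `install -m 0755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher`, keeps the recipe uniform.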
@@ -123,12 +123,9 @@ case "$1" in
if [ "$ENABLE_IDS" == "on" ]; then
# Start the IDS.
boot_mesg "Starting Intrusion Detection System..."
- /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
+ /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
evaluate_retval
- # Allow reading the pidfile.
- chmod 644 $PID_FILE
-
# Flush the firewall chain
flush_fw_chain
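Review bot: The start action now calls `/usr/bin/suricata-watcher` synchronously and drops the `-D` flag, and the watcher itself runs suricata in the foreground and loops until it exits, so unless a later patch in this series backgrounds it the initscript will block here for as long as suricata runs and `evaluate_retval` on the next line only reports after suricata has stopped. Backgrounding the call, `/usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES &`, unblocks boot, but note that `evaluate_retval` then only reflects the fork, so a failed launch would need to be detected another way (e.g. waiting briefly for `$PID_FILE` to appear). The removed `chmod 644 $PID_FILE` also means the pidfile is no longer made world-readable; the deleted comment says this was deliberate, so if anything outside root still reads it, that consumer now breaks. The `case` this hunk belongs to starts and ends outside the hunk.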
@@ -139,20 +136,11 @@ case "$1" in
stop)
boot_mesg "Stopping Intrusion Detection System..."
- killproc -p $PID_FILE /var/run
+ killproc /usr/bin/suricata
# Flush firewall chain.
flush_fw_chain
- # Sometimes suricata not correct shutdown. So killall.
- killall -KILL /usr/bin/suricata 2>/dev/null
-
- # Remove suricata control socket.
- rm /var/run/suricata/* >/dev/null 2>/dev/null
-
- # Trash remain pid file if still exists.
- rm -f $PID_FILE >/dev/null 2>/dev/null
-
# Don't report returncode of rm if suricata was not started
exit 0
;;
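Review bot: `killproc /usr/bin/suricata` addresses suricata only; the watcher is a separate bash process that survives it, and the watcher restarts suricata on exit status 137. If `killproc` escalates to SIGKILL after its timeout (as the LFS-style helper does, to be confirmed for this tree), or an operator runs `kill -9` on a hung suricata as the removed `killall -KILL` fallback used to, suricata exits 137 and the watcher brings it straight back, so stop does not stop. Stop should terminate the watcher first, e.g. record the watcher's PID in its own file at start and `killproc -p` it here, or have the watcher trap TERM, forward it to suricata and exit without restarting. The kept comment "Don't report returncode of rm if suricata was not started" now refers to `rm` calls this hunk deletes, so it should be reworded or dropped.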