suricata: Add a watcher to restart on unexpected termination
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 9 Sep 2024 18:09:22 +0000 (20:09 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 24 Sep 2024 08:42:32 +0000 (08:42 +0000)
This patch adds a watcher process that restarts suricata when it is
killed by SIGKILL (e.g. by the OOM killer) or terminates with a SEGV.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/common/suricata
config/suricata/suricata-watcher [new file with mode: 0644]
lfs/suricata
src/initscripts/system/suricata

index 53224d006e4b08a64dc652211d21160390dff5d0..8fe53f7e6689d76236b92d7c6f91e9e8940397b3 100644 (file)
@@ -1,6 +1,7 @@
 etc/suricata
 etc/suricata/suricata.yaml
 usr/bin/suricata
+usr/bin/suricata-watcher
 usr/sbin/convert-ids-backend-files
 #usr/share/doc/suricata
 #usr/share/doc/suricata/AUTHORS
diff --git a/config/suricata/suricata-watcher b/config/suricata/suricata-watcher
new file mode 100644 (file)
index 0000000..a1a13d4
--- /dev/null
@@ -0,0 +1,55 @@
+#!/bin/bash
+###############################################################################
+#                                                                             #
+# IPFire.org - A Linux-based Firewall                                         #
+# Copyright (C) 2024  IPFire Team  <info@ipfire.org>                          #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+PIDFILE="/var/run/suricata.pid"
+
+main() {
+       local ret
+
+       while :; do
+               # Launch suricata
+               /usr/bin/suricata "$@" &>/dev/null
+
+               # Wait until suricata is done
+               ret=$?
+
+               case "${ret}" in
+                       # If suricata has been killed by SIGKILL (e.g. by
+                       # the OOM killer, or if it ran into a SEGV, we will
+                       # restart the process.
+                       137|139)
+                               # Remove the PID file
+                               unlink "${PIDFILE}" 2>/dev/null
+
+                               sleep 1
+                               continue
+                               ;;
+
+                       *)
+                               break
+                               ;;
+               esac
+       done
+
+       return ${ret}
+}
+
+main "$@" || return $?
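Review bot: `return` on the last line is not valid outside a function in a script that is executed rather than sourced; bash reports `return: can only 'return' from a function or sourced script` and the script's exit status then no longer carries suricata's, so the line should be `main "$@"` followed by `exit $?`. The 137|139 branch also restarts without any limit or backoff beyond `sleep 1`, so a crash that reproduces at startup becomes a permanent one-second crash loop; counting consecutive fast restarts and giving up (or backing off) after a handful is worth adding. Because the `suricata` line sends everything to `/dev/null`, the only trace of why it died is the exit code, which a `logger -t suricata-watcher "suricata exited with ${ret}, restarting"` in that branch would at least preserve. The comment in that branch is also missing its closing parenthesis after `OOM killer`.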
index 88f3c4575908e581d86c1089270ac963d86cc574..dcee61ea1310ca7d1560b42b041e0ced90c153bb 100644 (file)
@@ -132,5 +132,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        # Install converter script needed for Core Update 167
        install -m 0755 $(DIR_SRC)/config/suricata/convert-ids-backend-files /usr/sbin/convert-ids-backend-files
 
+       # Install the watcher
+       install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher
+
        @rm -rf $(DIR_APP)
        @$(POSTBUILD)
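Review bot: The new `install` line uses `-v -m 755` while the converter script two lines above is installed with `-m 0755` and no `-v`; the two install commands in this recipe should use the same form, e.g. `install -m 0755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher`. Nothing functional depends on the choice, since `-v` only affects the build log.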
index 20afab1300a59ac7a73679d466617328ec205be6..40bd69c87b2da5a8d7bf7b03d6908e1338eeaeed 100644 (file)
@@ -123,12 +123,9 @@ case "$1" in
                if [ "$ENABLE_IDS" == "on" ]; then
                        # Start the IDS.
                        boot_mesg "Starting Intrusion Detection System..."
-                       /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES >/dev/null 2>/dev/null
+                       /usr/bin/suricata-watcher -c /etc/suricata/suricata.yaml $NFQUEUES
                        evaluate_retval
 
-                       # Allow reading the pidfile.
-                       chmod 644 $PID_FILE
-
                        # Flush the firewall chain
                        flush_fw_chain
 
@@ -139,20 +136,11 @@ case "$1" in
 
         stop)
                boot_mesg "Stopping Intrusion Detection System..."
-               killproc -p $PID_FILE /var/run
+               killproc /usr/bin/suricata
 
                # Flush firewall chain.
                flush_fw_chain
 
-               # Sometimes suricata not correct shutdown. So killall.
-               killall -KILL /usr/bin/suricata 2>/dev/null
-
-               # Remove suricata control socket.
-               rm /var/run/suricata/* >/dev/null 2>/dev/null
-
-               # Trash remain pid file if still exists.
-               rm -f $PID_FILE >/dev/null 2>/dev/null
-
                # Don't report returncode of rm if suricata was not started
                exit 0
         ;;
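Review bot: `killproc /usr/bin/suricata` signals only suricata, not the watcher that now supervises it, and the watcher restarts suricata one second after any exit with status 137 or 139; so if `killproc` escalates to SIGKILL after its timeout (the explicit `killall -KILL` the old code used for exactly that case is removed here), the stop action is silently undone by a restart. The stop path should terminate the watcher first (it could record its own PID, or trap SIGTERM, forward it to suricata and exit instead of looping) and only then stop suricata. The removed cleanup of `/var/run/suricata/*` and `$PID_FILE` also means a stale control socket and PID file survive a non-clean exit, since the watcher only unlinks the PID file in its restart branch and never on its final exit; consider keeping `rm -f $PID_FILE /var/run/suricata/* 2>/dev/null` before `exit 0`. The comment above `exit 0` still refers to the return code of `rm`, which is no longer called.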