From: "Slawek Lis" <slis@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/files/, net-analyzer/suricata/
Date: Thu, 22 Dec 2016 11:32:00 +0000 (UTC) [thread overview]
Message-ID: <1482406530.be92f97f24e7867078e10efa0ee191b770cbf143.slis@gentoo> (raw)
commit: be92f97f24e7867078e10efa0ee191b770cbf143
Author: Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 22 11:35:30 2016 +0000
Commit: Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Thu Dec 22 11:35:30 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be92f97f
net-analyzer/suricata: Updated init script
Applied the patches submitted for bug 602590.
Now it's possible to run one or many instances of suricata.
Thanks to Vieri <rentorbuy <AT> yahoo.com> for help.
Package-Manager: Portage-2.3.3, Repoman-2.3.1
net-analyzer/suricata/files/suricata-3.2-conf | 17 +++--
net-analyzer/suricata/files/suricata-3.2-init | 105 +++++++++++++++++++-------
net-analyzer/suricata/suricata-3.2.ebuild | 21 ++++--
3 files changed, 102 insertions(+), 41 deletions(-)
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index dfb1471..bc6e281 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -5,27 +5,28 @@
# SURICATA_DIR="/etc/suricata"
# Pass options to each suricata service.
+#
# You can launch more than one service at the same time with different options.
# This can be useful in a multi-queue gateway, for example.
# You can expand on the Suricata inline example found at:
-# https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
+# http://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html
# Instead of configuring iptables to send traffic to just one queue, you can configure it to "load balance"
# on several queues. You can then have a Suricata instance processing traffic for each queue.
# This should help improve performance on the gateway/firewall.
-# Suppose you configured iptables to use queues 0 and 1. You can now do the following:
+#
+# Suppose you configured iptables to use queues 0 and 1 named q0 and q1. You can now do the following:
# ln -s /etc/init.d/suricata /etc/init.d/suricata.q0
# ln -s /etc/init.d/suricata /etc/init.d/suricata.q1
# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q0.yaml
# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q1.yaml
-# mkdir /var/log/suricata/q{0,1}
-# Edit both suricata-q{0,1}.yaml files and set values accordingly (eg. set the suricata.log file path to
-# a dedicated dir in the section "logging:outputs:-file").
+# Edit both suricata-q{0,1}.yaml files and set values accordingly.
+#
# You can then define the following options here:
-# SURICATA_OPTS[q0]="-q 0 -l /var/log/suricata/q0"
-# SURICATA_OPTS[q1]="-q 1 -l /var/log/suricata/q1"
+# SURICATA_OPTS_q0="-i eth0"
+# SURICATA_OPTS_q1="-i eth1"
# If you want to use ${SURICATA_DIR}/suricata.yaml and start the service with /etc/init.d/suricata
# then you can set:
-# SURICATA_OPTIONS="-i eth0"
+SURICATA_OPTS="-i eth0"
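Review bot: The example options on the `SURICATA_OPTS_q0`/`SURICATA_OPTS_q1` lines no longer match the scenario the comment describes: the paragraph still says "Suppose you configured iptables to use queues 0 and 1", but the examples now pass `-i eth0`/`-i eth1` (interface capture) where the removed lines passed the `-q 0`/`-q 1` NFQUEUE options. Either restore queue options in the example, e.g. `# SURICATA_OPTS_q0="-q 0"` and `# SURICATA_OPTS_q1="-q 1"`, or reword the paragraph to describe per-interface instances. The last line also turns `SURICATA_OPTS="-i eth0"` from a commented example into an active default, so a plain `/etc/init.d/suricata start` on a fresh install captures on eth0 whether or not that interface exists; a comment such as `# Adjust the interface below; these options are passed to the plain "suricata" service.` would make that explicit. With the `mkdir /var/log/suricata/q{0,1}` and `-l` hints gone, two instances write to the same log directory unless each yaml is edited, which the shortened "set values accordingly" sentence no longer points out.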
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 2a9d46f..3a9c356 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -3,20 +3,22 @@
# Distributed under the terms of the GNU General Public License v2
# $Id$
+SURICATA_BIN=/usr/bin/suricata
SURICATA_DIR=${SURICATA_DIR:-/etc/suricata}
SURICATA=${SVCNAME#*.}
+SURICATAID=$(shell_var "${SURICATA}")
if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml"
SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
- SURICATAOPTS=${SURICATA_OPTS[${SURICATA}]}
+ eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
else
SURICATACONF="${SURICATA_DIR}/suricata.yaml"
SURICATAPID="/var/run/suricata/suricata.pid"
- SURICATAOPTS=${SURICATA_OPTIONS}
+ SURICATAOPTS=${SURICATA_OPTS}
fi
extra_commands="checkconfig"
-extra_started_commands="reload"
+extra_started_commands="reload relog"
depend() {
need net
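Review bot: The `eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}` line is only safe because `SURICATAID` was passed through `shell_var` two lines earlier, and nothing in the hunk says so; a comment such as `# shell_var() reduces the instance name to a valid variable name, so the eval below can only expand SURICATA_OPTS_<id>` would stop a later edit from substituting the raw `${SURICATA}` into the eval. Since shell_var rewrites characters that are not valid in a variable name (presumably to `_`, confirm against OpenRC), an instance named `suricata.q-0` reads `SURICATA_OPTS_q_0`, which the conf.d examples do not mention. The `[ ${SVCNAME} != "suricata" ]` test is unchanged context but remains unquoted.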
@@ -34,49 +36,96 @@ checkconfig() {
fi
}
+initpidinfo() {
+ [ -f ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
+ if [ ${#SUR_PID} -gt 0 ]; then
+ SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+ SUR_USER="$(ps -p ${SUR_PID} --no-headers -o user)"
+ fi
+}
+
+checkpidinfo() {
+ initpidinfo
+ if [ ! -f ${SURICATAPID} ]; then
+ eerror "${SVCNAME} isn't running"
+ return 1
+ elif [ ${#SUR_PID} -eq 0 ] || [ $((SUR_PID_CHECK)) -ne 1 ]; then
+ eerror "Could not determine PID of ${SVCNAME}! Did the service crash?"
+ return 1
+ elif [ ${#SUR_USER} -eq 0 ]; then
+ eerror "Unable to determine user running ${SVCNAME}!"
+ return 1
+ elif [ "x${SUR_USER}" != "xroot" ]; then
+ eerror "${SVCNAME} must be running as root for reload or relog to work!"
+ return 1
+ fi
+}
+
start() {
checkconfig || return 1
ebegin "Starting ${SVCNAME}"
- start-stop-daemon --start --quiet --exec /usr/bin/suricata \
+ start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
-- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} \
-c ${SURICATACONF} >/dev/null 2>&1
- eend $?
+ local SUR_EXIT=$?
+ if [ $((SUR_EXIT)) -ne 0 ]; then
+ einfo "Could not start ${SURICATA_BIN} with:"
+ einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS} -c ${SURICATACONF}"
+ einfo "Exit code ${SUR_EXIT}"
+ fi
+ eend ${SUR_EXIT}
}
stop() {
ebegin "Stopping ${SVCNAME}"
+ initpidinfo
start-stop-daemon --stop --quiet --pidfile ${SURICATAPID} >/dev/null 2>&1
einfon "Waiting for ${SVCNAME} to shut down. This can take a while..."
echo
# max wait: 5 minutes as it can take quite a while on some systems with heavy traffic
- cnt=300
- while [ -f ${SURICATAPID} ]; do
+ local cnt=300
+ while [ -f ${SURICATAPID} ] && [ $cnt -gt 0 ]; do
cnt=$(expr $cnt - 1)
- if [ $cnt -lt 1 ] ; then
- echo
- eend 1 "Failed."
- break
- fi
sleep 1
- echo -ne "$cnt seconds left before we give up\r"
+ echo -ne "$cnt seconds left before we give up checking the PID file...\r"
done
- eend $?
+ # under certain conditions suricata can be pretty slow and the PID can persist long after the pidfile has been removed
+ # max wait for process to terminate: 1 minute
+ if [ ${#SUR_PID} -gt 0 ]; then
+ cnt=60
+ SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+ if [ $((SUR_PID_CHECK)) -ne 0 ]; then
+ echo
+ einfo "The PID file ${SURICATAPID} is gone but the ${SVCNAME} PID ${SUR_PID} is still running."
+ einfo "Waiting for process to shut down on its own. This can take a while..."
+ fi
+ while [ $((SUR_PID_CHECK)) -ne 0 ]; do
+ cnt=$(expr $cnt - 1)
+ if [ $cnt -lt 1 ] ; then
+ echo
+ eend 1 "Failed. You might need to kill PID ${SUR_PID} or find out why it can't be stopped."
+ break
+ fi
+ sleep 1
+ echo -ne "$cnt seconds left before we give up checking PID ${SUR_PID}...\r"
+ SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+ done
+ fi
+ eend 0
}
reload() {
+ checkpidinfo || return 1
+ checkconfig || return 1
+ ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ eend $?
+}
- local SUR_PID="`cat ${SURICATAPID}`"
- local SUR_USER="`ps -p ${SUR_PID} --no-headers -o user`"
-
- if [ ! -f ${SURICATAPID} ]; then
- eerror "${SVCNAME} isn't running"
- return 1
- elif [ ${SUR_USER} != root ]; then
- eerror "${SVCNAME} must be running as root for reload to work!"
- return 1
- else
- checkconfig || return 1
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
- fi
+relog() {
+ checkpidinfo || return 1
+ checkconfig || return 1
+ ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ eend $?
}
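Review bot: `SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"` in initpidinfo is an unanchored substring match over every PID on the system, so a daemon with PID 12 also counts 120, 1234, 312 and so on; checkpidinfo then fails with "Could not determine PID" (the `-ne 1` test) while the service is running, and the same expression on the two lines in stop() keeps the 60-second loop spinning and reports "Failed" for a process that has already exited. Looking up the exact PID with `ps -p "${SUR_PID}" -o pid= | grep -c .` in all three places avoids this, and because the pidfile content is also handed to `ps -p` and used as a grep pattern, initpidinfo should discard anything that is not a plain number (rewrite below). Separately, stop() `break`s after `eend 1 "Failed. ..."` and then falls through to `eend 0`, so the service reports success both after the 60-second process timeout and when the 300-second wait ends with `${SURICATAPID}` still present; `return 1` in place of that `break`, plus an explicit failure after the pidfile loop when the file remains, would make `stop` report what actually happened. The `echo -ne` progress lines are not POSIX and print the flags literally if /bin/sh is not bash.
```shell
initpidinfo() {
	[ -f "${SURICATAPID}" ] && SUR_PID="$(cat "${SURICATAPID}")"
	# accept only a plain decimal PID; anything else is treated as "unknown"
	case "${SUR_PID}" in
		''|*[!0-9]*) SUR_PID= ;;
	esac
	if [ ${#SUR_PID} -gt 0 ]; then
		# exact-PID lookup instead of a substring grep over every PID
		SUR_PID_CHECK="$(ps -p "${SUR_PID}" -o pid= | grep -c .)"
		SUR_USER="$(ps -p "${SUR_PID}" --no-headers -o user)"
	fi
}
# … unchanged: checkpidinfo, start, reload, relog …
```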
diff --git a/net-analyzer/suricata/suricata-3.2.ebuild b/net-analyzer/suricata/suricata-3.2.ebuild
index 2bd57bd..078186b 100644
--- a/net-analyzer/suricata/suricata-3.2.ebuild
+++ b/net-analyzer/suricata/suricata-3.2.ebuild
@@ -63,9 +63,6 @@ src_configure() {
if use cuda ; then
myeconfargs+=( $(use_enable cuda) )
fi
- if use debug ; then
- myeconfargs+=( $(use_enable debug) )
- fi
if use geoip ; then
myeconfargs+=( $(use_enable geoip) )
fi
@@ -96,7 +93,16 @@ src_configure() {
# this should be used when pf_ring use flag support will be added
# LIBS+="-lrt -lnuma"
- econf LIBS="${LIBS}" ${myeconfargs[@]}
+ # avoid upstream configure script trying to add -march=native to CFLAGS
+ myeconfargs+=( --enable-gccmarch-native=no )
+
+ if use debug ; then
+ myeconfargs+=( $(use_enable debug) )
+ # so we can get a backtrace according to "reporting bugs" on upstream web site
+ CFLAGS="-ggdb -O0" econf LIBS="${LIBS}" ${myeconfargs[@]}
+ else
+ econf LIBS="${LIBS}" ${myeconfargs[@]}
+ fi
}
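Review bot: `CFLAGS="-ggdb -O0" econf ...` replaces the user's CFLAGS wholesale rather than extending them, so with USE=debug every flag set in make.conf is dropped for this package; the Gentoo idiom is `append-flags -ggdb -O0` inside the `if use debug` branch (flag-o-matic, whose `inherit` line is outside this hunk, so confirm it is present) followed by a single `econf LIBS="${LIBS}" "${myeconfargs[@]}"`, which also removes the duplicated econf call. Note that -O0 disables glibc's _FORTIFY_SOURCE checks, which require optimization, so a debug build of a daemon that parses untrusted traffic runs without fortified libc calls; a comment next to the flag, e.g. `# -O0 for usable backtraces; note this also disables _FORTIFY_SOURCE`, would record that trade-off. `${myeconfargs[@]}` is unquoted on both econf lines (pre-existing), which word-splits any argument containing whitespace.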
src_install() {
@@ -124,7 +130,7 @@ src_install() {
pkg_postinst() {
elog "The ${PN} init script expects to find the path to the configuration"
- elog "file as well as extra options in /etc/conf.d."
+ elog "file as well as extra options in /etc/conf.d"
elog ""
elog "To create more than one ${PN} service, simply create a new .yaml file for it"
elog "then create a symlink to the init script from a link called"
@@ -136,4 +142,9 @@ pkg_postinst() {
elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
elog ""
elog "You can create as many ${PN}.foo* services as you wish."
+
+ if use debug; then
+ elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+ elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+ fi
}
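Review bot: The elog added here points users at a redmine wiki URL, while the conf.d hunk in this same commit replaced the redmine wiki link with the readthedocs site on the grounds that the wiki moved; if the "Reporting_Bugs" page has moved as well, the message will send users to a dead link. Check the current location and, if needed, use the readthedocs URL so both files agree.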