Bug #2090

Rule-reload in multi-tenancy is buggy

Added by Antti Tönkyrä over 7 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal

Description

Observed version 3.2.1-1 (Debian Stretch)

I have observed several failure cases when performing rule reloads in a multi-tenancy setup, which may or may not be the result of the same underlying bug:

Case 1: Suricata needs rule-reload before tenants can be reloaded safely

# systemctl start suricata
# gdb attach --pid=suripid
( in another window ) # /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
Thread 15 "US" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f5a20ff9700 (LWP 12865)]
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x000055fa66f56ef9 in ThreadCtxDoInit (de_ctx=de_ctx@entry=0x55fa6955ec30, det_ctx=det_ctx@entry=0x7f5a04002320) at detect-engine.c:1228
#2  0x000055fa66f57dc6 in DetectEngineThreadCtxInitForReload (tv=tv@entry=0x55fa69571f80, new_de_ctx=new_de_ctx@entry=0x55fa6955ec30, mt=mt@entry=1) at detect-engine.c:1398
#3  0x000055fa66f5b296 in DetectEngineReloadThreads (new_de_ctx=0x55fa6955ec30) at detect-engine.c:460
#4  0x000055fa66f5e6e8 in DetectEngineMTApply () at detect-engine.c:2454
#5  0x000055fa67016c7e in UnixSocketReloadTenant (cmd=<optimized out>, answer=0x7f5a04000f10, data=<optimized out>) at runmode-unix-socket.c:691
#6  0x000055fa6704d576 in UnixCommandExecute ...

However, if a reload happens beforehand, everything is fine and the tenant can be reloaded many times:

systemctl start suricata
# /usr/bin/suricatasc -c reload-rules
{"message": "done", "return": "OK"}
# /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reloading tenant succeeded", "return": "OK"}
# /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reloading tenant succeeded", "return": "OK"}
# /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reloading tenant succeeded", "return": "OK"}
# /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reloading tenant succeeded", "return": "OK"}

However, in rapid succession of rule-reload and tenant reload, the tenant breaks:

# systemctl restart suricata
# /usr/bin/suricatasc -c reload-rules
{"message": "done", "return": "OK"}
#  /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reloading tenant succeeded", "return": "OK"}
#  /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reloading tenant succeeded", "return": "OK"}
# /usr/bin/suricatasc -c reload-rules; /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "done", "return": "OK"}
{"message": "reload tenant failed", "return": "NOK"}
# /usr/bin/suricatasc -c reload-rules; /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "done", "return": "OK"}
{"message": "reload tenant failed", "return": "NOK"}
#  /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reload tenant failed", "return": "NOK"}
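
An added example, not part of the original report or of Suricata's code: a small audit over a constructed command/reply transcript that flags the three patterns described above (a tenant reload issued before any successful reload-rules since the service was started, a tenant reload that got no reply, and a NOK reply). The transcript format, the finding names, and treating a missing reply as a sign of a crashed process are assumptions made for this illustration.

```python
import json

# Constructed session in the same shape as the transcripts in the report:
# "# command" prompt lines followed by suricatasc JSON replies.
SESSION = """\
# systemctl restart suricata
# /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
# systemctl restart suricata
# /usr/bin/suricatasc -c reload-rules
{"message": "done", "return": "OK"}
# /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "reloading tenant succeeded", "return": "OK"}
# /usr/bin/suricatasc -c reload-rules; /usr/bin/suricatasc -c 'reload-tenant 1001 /etc/suricata/tenants/tenant-test.yaml'
{"message": "done", "return": "OK"}
{"message": "reload tenant failed", "return": "NOK"}
"""

def audit(session):
    """Return (line_number, finding) pairs for risky or failed tenant reloads."""
    findings, pending = [], []   # pending: (line_number, kind) awaiting a reply
    rules_ok = False             # reload-rules returned OK since last (re)start?

    def settle(lineno, kind, reply):
        nonlocal rules_ok
        ok = reply is not None and reply.get("return") == "OK"
        if kind == "reload-rules":
            rules_ok = rules_ok or ok
        elif kind == "reload-tenant":
            if not rules_ok:     # the ordering from Case 1 (assumed risky)
                findings.append((lineno, "tenant-reload-before-rule-reload"))
            if reply is None:    # assumption: no reply means the daemon died
                findings.append((lineno, "no-reply"))
            elif not ok:
                findings.append((lineno, "tenant-reload-nok"))

    for lineno, line in enumerate(session.splitlines() + ["#"], start=1):
        line = line.strip()
        if line.startswith("#"):
            while pending:       # commands that never received a reply
                settle(*pending.pop(0), None)
            for cmd in line.lstrip("# ").split(";"):
                if "systemctl" in cmd:
                    rules_ok = False   # fresh process, Case 1 applies again
                for kind in ("reload-tenant", "reload-rules"):
                    if "suricatasc" in cmd and kind in cmd:
                        pending.append((lineno, kind))
        elif line.startswith("{") and pending:
            settle(*pending.pop(0), json.loads(line))
    return findings
```
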


Related issues 1 (0 open, 1 closed)

Related to Suricata - Bug #2518: Tenant rules reload completely broken in 4.x.x | Closed | Victor Julien