Bug #6373
open
main/startup: support sentinel file signal for initial rule processing completion
Added by Jeff Lucovsky about 1 year ago.
Updated about 1 year ago.
Description
Many deployments use different ways to observe "health".
When starting Suricata, it's helpful to know when its rule processing step is complete so observers can distinguish between
- Suricata's running and can't communicate because it hasn't opened the unix socket for suricatasc comms
- Suricata's running, processing rules, and is not responding.
A sentinel file that is set before Suricata launches (by the launcher) and is cleared when Suricata's initial rule processing completes can disambiguate the first case.
Would it make more sense to fix the socket so it could be used to monitor state sooner?
We already have one mechanism for notification once running with systems in OnNotifyRunning. Does this location fit the needs for the sentinel file? Then I wonder if it would make sense for a plugin to register a callback here. My worry is there is no one size fits all mechanism here as it's probably going to be highly dependent on your process orchestration. A systemd hook makes sense as it's ubiquitous.
That location would make sense.
A plugin registration mechanism for deployment-customization would be helpful for the non-systemd deployments.
Something like RegisterOnRunning with a callback to a void (*funcptr)(void) would work. Thoughts on that interface?
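
A sketch of the callback interface floated in the last comment, combined with the sentinel file from the description, as an added example that is not Suricata code and not part of the thread. `RegisterOnRunning` and the `void (*)(void)` callback type follow the comment; `RunOnRunningCallbacks`, `SentinelSet`, `SentinelClear`, `SentinelPending` and the file path are hypothetical names chosen for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

#define MAX_ON_RUNNING 8
typedef void (*OnRunningFn)(void);      /* signature suggested in the thread */
static OnRunningFn on_running[MAX_ON_RUNNING];
static int on_running_cnt;
static const char *sentinel_path;       /* set by SentinelSet() */

/* Proposed interface: remember a callback to fire once the engine is running. */
int RegisterOnRunning(OnRunningFn fn)
{
    if (fn == NULL || on_running_cnt >= MAX_ON_RUNNING) return -1;
    on_running[on_running_cnt++] = fn;
    return 0;
}

/* Hypothetical call site, reached once after initial rule processing. */
int RunOnRunningCallbacks(void)
{
    for (int i = 0; i < on_running_cnt; i++)
        on_running[i]();
    return on_running_cnt;
}

/* Launcher side: replace any stale sentinel; O_EXCL will not follow a symlink. */
int SentinelSet(const char *path)
{
    sentinel_path = path;
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    return fd < 0 ? -1 : close(fd);
}

/* Deployment-specific callback: clear the sentinel once rules are loaded. */
void SentinelClear(void) { if (sentinel_path) unlink(sentinel_path); }
/* Observer side: 1 while rules are still being processed, 0 once cleared. */
int SentinelPending(const char *path) { return access(path, F_OK) == 0; }

int main(void)
{
    const char *p = "suricata-loading.example";   /* constructed path */
    if (SentinelSet(p) != 0 || RegisterOnRunning(SentinelClear) != 0) return 1;
    int before = SentinelPending(p);
    RunOnRunningCallbacks();
    printf("pending before=%d after=%d\n", before, SentinelPending(p));
    return 0;
}
```

An observer that sees the sentinel present and no unix socket yet can report "still loading rules" instead of "not responding".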