Bug 163825
| Summary: | security/barnyard2 won't start after db crash | ||
|---|---|---|---|
| Product: | Ports & Packages | Reporter: | Michael Scheidell <scheidell> |
| Component: | Individual Port(s) | Assignee: | Michael Scheidell <scheidell> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
Responsible Changed From-To: freebsd-ports-bugs->scheidell Submitter has GNATS access (via the GNATS Auto Assign Tool) Maintainer of security/barnyard2,
Please note that PR ports/163825 has just been submitted.
If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.
The full text of the PR can be found at:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/163825
--
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
State Changed From-To: open->feedback Awaiting maintainers feedback (via the GNATS Auto Assign Tool) --On January 4, 2012 9:50:27 PM -0600 Edwin Groothuis <edwin@FreeBSD.org> wrote: > Maintainer of security/barnyard2, > > Please note that PR ports/163825 has just been submitted. > > If it contains a patch for an upgrade, an enhancement or a bug fix > you agree on, reply to this email stating that you approve the patch > and a committer will take care of it. > > The full text of the PR can be found at: > http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/163825 > > -- > Edwin Groothuis via the GNATS Auto Assign Tool > edwin@FreeBSD.org Since REQUIRE does not guarantee that the service will be running, I'm not sure this is the best way to solve this problem. It may be better to have a section in the script that checks for the existence of a running instance of the db in question. I'm going to need to think about this one some more before deciding if this is the right approach. Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ I thought about it for a while.
It was a matter of what is the easiest thing to do, with the most impact.
Real solution might be to make barnyard more resilience (but I am
waiting for barnyard2, version .. that new one with snortsam in it to
become stable)
So right now, this is a race condition, or chicken or eff thing.
With barnyard2 starting first, as it is now, and mysql-server starting
later in the rcorder chain, it waits for (x seconds) for an sql
connection, retrying for a certain amount of time. If mysql is fine,
the time it takes for mysql to start is small enough that barnyard
doesn't exit.
If mysql crashed, and needs to rebuilt itself from logs, it take longer.
This patch removes optionally the BEFORE: LOGIN, which is what prevented
the 'REQUIRES: *mysql' from moving this up in the start order, based on
option knob so that mysql-server starts first. if mysql starts first in
rcorder, AND IT FAILS, this changes nothing, barnyard2 still won't
start, but never would. However, if mysql-server starts first, before
barnyard2, then it will clean out its logs and transactions and be ready
for barnyard2.
Not a perfect solution, but,
1, it can't hurt (tm)
2. it was the 'cheapest' solution.
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
>*| *SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
Michael, the mysql script has # REQUIRE: LOGIN. I'm wondering if simply
removing the # BEFORE: LOGIN line from the barnyard2 script wouldn't solve
the problem. Optionally, we could also add # REQUIRE: DAEMON mysql
postgresql, because even if they're not installed the script will still
start the barnyard2 daemon (if I'm reading rcorder(8) correctly.)
"The ``REQUIRE'' keyword is misleading: It doesn't describe which daemons
have to be running before a script will be started. It describes
which
scripts must be placed before it in the dependency ordering. For
exam-
ple, if your script has a ``REQUIRE'' on ``named'', it means the
script
must be placed after the ``named'' script in the dependency ordering,
not
necessarily that it requires named(8) to be started or enabled."
It doesn't really say what happens if the script doesn't exist, so I'm not
sure adding the REQUIRE option would work in every case.
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
On 1/5/12 10:02 PM, Paul Schmehl wrote:
> Michael, the mysql script has # REQUIRE: LOGIN. I'm wondering if
> simply removing the # BEFORE: LOGIN line from the barnyard2 script
> wouldn't solve the problem. Optionally, we could also add # REQUIRE:
> DAEMON mysql postgresql, because even if they're not installed the
> script will still start the barnyard2 daemon (if I'm reading
> rcorder(8) correctly.)
removing # BEFORE: Login only allows barnyard to be considered in normal
alpha order in ../rc.d/*. so, it HELPS, but without the REQUIRE:
(mysql), it would still be before it,
one more thing, rc.shutdown does it in reverse order, so, either my
original patch, or as you suggested, just take our BEFORE: LOGIN, and
make the REQUIRE line include all the possible db's/
either should work (still need to take out BEFORE: LOGIN)
my patch would just keep it from complaining (warning).
your port, your choice.
my patch or just remove BEFORE: LOGIN and add mysql postgresql to rc file.
(but then again, if you have BOTH mysql and postgress installed, and
enabled in rc.conf, barnard would need to wait for both of them, needlessly)
my real time/robotics background always says 'don't like warnings, and
don't like starting things we dont' need' :-)
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
>*| *SECNAP Network Security Corporation
* Best Mobile Solutions Product of 2011
* Best Intrusion Prevention Product
* Hot Company Finalist 2011
* Best Email Security Product
* Certified SNORT Integrator
Let's do this, then. Retain the code you provided, but remove BEFORE: LOGIN entirely. There's really no need for it. Then your changes would simply add REQUIRE: the appropriate db based on the OPTIONS KNOBS. Sound reasonable? -- Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/infosecurity/ State Changed From-To: feedback->closed Thanks Paul! scheidell 2012-01-06 21:53:32 UTC
FreeBSD ports repository
Modified files:
security/barnyard2 Makefile
security/barnyard2/files barnyard2.sh.in
Log:
- Selectivly adds mysql/and/or postgresql to rc script 'REQUIRES:'
PR: ports/163825
Submitted by: scheidell
Approved by: pauls@utdallas.edu (maintainer), gabor (mentor, implicit)
Revision Changes Path
1.12 +6 -0 ports/security/barnyard2/Makefile
1.5 +1 -3 ports/security/barnyard2/files/barnyard2.sh.in
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
|
if the machine fails, or the db crashes, mysql will be in recovery mode, and barnyard2 won't start: (it seems to be ok if mysql-server is started pretty quickly after rc, but if mysql in recovery mode, barnyard2 won't start. I want to put mysql-server FIRST, but if you check rcorder: rcorder /etc/rc.d/* /usr/local/etc/rc.d/* /usr/local/etc/rc.d/barnyard2 /usr/local/etc/rc.d/snort /etc/rc.d/LOGIN /usr/local/etc/rc.d/mysql-server EVEN IF YOU EDIT barnyard2 rc file and put in 'REQUIRE: DAEMON mysql' then won't help the order. because barnyard2 has BEFORE: LOGIN, and mysql-server has REQUIRE: LOGIN. (does barnyard2 REALLY need before login)? Fix: this patch will remove BEFORE: LOGIN if you have any db option, and add the correct REQUIRE: () lines. if you have NO db selected, it leaves BEFORE: LOGIN. ______________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com/ ______________________________________________________________________--0F9mJjGwLEs1RWjb58DmqoB4A18aKYjLAvyRJiT5mBm8u8As Content-Type: text/plain; name="file.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="file.diff" Index: Makefile =================================================================== RCS file: /home/pcvs/ports/security/barnyard2/Makefile,v retrieving revision 1.11 diff -u -r1.11 Makefile --- Makefile 23 Sep 2011 22:25:08 -0000 1.11 +++ Makefile 5 Jan 2012 03:37:42 -0000 @@ -37,11 +37,23 @@ CONFIGURE_ARGS+= --with-mysql \ --with-mysql-includes=${LOCALBASE}/include/mysql \ --with-mysql-libraries=${LOCALBASE}/lib/mysql +SUB_LIST+= MYSQL=" mysql" +.else +SUB_LIST+= MYSQL="" .endif .if defined(WITH_POSTGRESQL) USE_PGSQL= yes CONFIGURE_ARGS+= --with-postgresql +SUB_LIST+= PGSQL=" postgresql" +.else +SUB_LIST+= PGSQL="" +.endif + +.if defined(WITH_POSTGRESQL) || defined(WITH_MYSQL) +SUB_LIST+= LOGIN="\# KEYWORD: shutdown" KEYWORD="" +.else +SUB_LIST+= LOGIN="\# BEFORE: LOGIN" KEYWORD="\# KEYWORD: shutdown" .endif .if defined(WITH_SNORT) Index: files/barnyard2.sh.in =================================================================== RCS file: /home/pcvs/ports/security/barnyard2/files/barnyard2.sh.in,v retrieving revision 1.4 diff -u -r1.4 barnyard2.sh.in --- files/barnyard2.sh.in 12 Oct 2011 00:48:13 -0000 1.4 +++ files/barnyard2.sh.in 5 Jan 2012 03:37:42 -0000 @@ -2,9 +2,9 @@ # # PROVIDE: barnyard2 -# REQUIRE: DAEMON -# BEFORE: LOGIN -# KEYWORD: shutdown +# REQUIRE: DAEMON%%MYSQL%%%%PGSQL%% +%%LOGIN%% +%%KEYWORD%% # Add the following lines to /etc/rc.conf to enable barnyard2: # barnyard2_enable (bool): Set to YES to enable barnyard2 How-To-Repeat: crash mysql pretty badly.