suricata: treat in-progress rule reload as success
so-suricata-reload-rules failed the surirulereload state when a rule
reload was already running: suricatasc returns
{"message":"Reload already in progress","return":"NOK"}, which never
matched the expected output, so retry looped all 60 attempts (~3 min)
and called fail.
Wrap the suricatasc calls so an in-progress reload is treated as
success (the in-flight reload picks up the new rules) while genuine
container-not-ready conditions still retry and ultimately fail.
@@ -7,5 +7,19 @@
|
||||
|
||||
. /usr/sbin/so-common
|
||||
|
||||
retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c reload-rules /var/run/suricata/suricata-command.socket' '{"message":"done","return":"OK"}' || fail "The Suricata container was not ready in time."
|
||||
retry 60 3 'docker exec so-suricata /opt/suricata/bin/suricatasc -c ruleset-reload-nonblocking /var/run/suricata/suricata-command.socket' '{"message":"done","return":"OK"}' || fail "The Suricata container was not ready in time."
|
||||
reload_suricata_rules() {
|
||||
# $1 = suricatasc command (reload-rules | ruleset-reload-nonblocking)
|
||||
local output
|
||||
output=$(docker exec so-suricata /opt/suricata/bin/suricatasc -c "$1" /var/run/suricata/suricata-command.socket)
|
||||
echo "$output"
|
||||
# A reload already running is fine — the new rules get picked up by it.
|
||||
if [[ "$output" =~ "Reload already in progress" ]]; then
|
||||
echo "A rule reload is already in progress; treating as success."
|
||||
return 0
|
||||
fi
|
||||
[[ "$output" =~ '{"message":"done","return":"OK"}' ]] && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
retry 60 3 'reload_suricata_rules reload-rules' || fail "The Suricata container was not ready in time."
|
||||
retry 60 3 'reload_suricata_rules ruleset-reload-nonblocking' || fail "The Suricata container was not ready in time."
|
||||
|
||||
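Review bot: Whether `reload_suricata_rules` is visible to `retry` depends on how `retry` (defined in /usr/sbin/so-common, outside this hunk) executes its command string — if it runs it through a child shell such as `bash -c` or `timeout`, the function is undefined there, every attempt fails, and the 60-retry timeout this commit fixes comes back; if `retry` uses `eval` in the current shell it is fine, but that should be confirmed, or the function made robust to either with `export -f reload_suricata_rules` after its definition. Separately, the exit status of `docker exec` on the `output=$(...)` line is discarded, so a not-yet-running container is only detected indirectly by the output failing to match; `output=$(docker exec so-suricata /opt/suricata/bin/suricatasc -c "$1" /var/run/suricata/suricata-command.socket) || return 1` makes that case explicit and keeps the retry/fail path the description promises. The `echo "$output"` lines would be safer as `printf '%s\n' "$output"` since the text comes from an external program. The header comment could also record the contract, e.g. `# Returns 0 when the reload completed or one is already running, 1 otherwise (retried by caller).`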