[Bro] ganeti cluster with bro cluster

Randy Bush randy at psg.com
Sun Feb 12 23:04:40 PST 2017


[ ubuntu 16.04 on ganeti cluster ]

so i figured the config out

    [logger]
    type=logger
    host=bro0.sea.rg.net
    #
    [manager]
    type=manager
    host=bro0.sea.rg.net
    #
    [proxy-1]
    type=proxy
    host=bro0.sea.rg.net
    #
    [worker-0]
    type=worker
    host=bro0.sea.rg.net
    interface=eth0
    #
    [worker-1]
    type=worker
    host=bro1.sea.rg.net
    interface=eth0
    #
    [worker-2]
    type=worker
    host=bro2.sea.rg.net
    interface=eth0

and i got the worker-0 node to be able to pcap its eth0 by

    sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro

although i ran the same on worker-1 and worker-2, they fail with

    worker-2 terminated immediately after starting; check output with "diag"
    worker-1 terminated immediately after starting; check output with "diag"

and the logs say

    fatal error: problem with interface eth0 (pcap_error: socket: Operation not permitted (pcap_activate))

i suspected that when `broctl deploy` copies over
/usr/local/bro/bin/bro, the copies do not inherit the capabilities.  but
i did

    broctl deploy
    <it failed with the pcap_error>
    <did `sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro` on all workers>
    broctl start

and the same result, pcap_error on workers 1 and 2, not on 0.

---

i also get

    Error: error occurred while trying to send mail: send-mail: SENDMAIL-NOTFOUND not found

despite

    $ which sendmail
    /usr/sbin/sendmail

---

clue bat, please

randy
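
One way to check, per worker, whether the bro binary actually carries the file capabilities after `broctl deploy`, as an added example that is not part of the original message. It assumes `getcap /usr/local/bro/bin/bro` output has been collected from each host into "host output" lines; the function names and the sample getcap lines are constructed for illustration.

```shell
# Added example, not from the post; the sample data below is constructed.

# Print the unique hosts of all type=worker sections of a node.cfg on stdin.
worker_hosts() {
    awk -F= '
        /^[ \t]*\[/ { type = ""; host = "" }   # new section: reset state
        { gsub(/[ \t\r]/, "") }                # tolerate indentation, CRLF
        $1 == "type" { type = $2 }
        $1 == "host" { host = $2 }
        type == "worker" && host != "" && !seen[host]++ { print host }
    '
}

# Succeed if a getcap output line names both capabilities set in the post.
has_capture_caps() {
    case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
}

# $1: node.cfg  $2: "host getcap-output" lines (bare host = getcap was silent)
hosts_missing_caps() {
    for h in $(worker_hosts < "$1"); do
        line=$(awk -v h="$h" '$1 == h { print; exit }' "$2")
        has_capture_caps "$line" || echo "$h"
    done
}
sample_node_cfg() { cat <<'EOF'
[manager]
type=manager
host=bro0.sea.rg.net
[worker-0]
type=worker
host=bro0.sea.rg.net
[worker-1]
type=worker
host=bro1.sea.rg.net
[worker-2]
type=worker
host=bro2.sea.rg.net
EOF
}
sample_getcap() { cat <<'EOF'
bro0.sea.rg.net /usr/local/bro/bin/bro = cap_net_admin,cap_net_raw+eip
bro1.sea.rg.net /usr/local/bro/bin/bro = cap_net_raw+eip
bro2.sea.rg.net
EOF
}
tmp=$(mktemp -d); sample_node_cfg > "$tmp/node.cfg"; sample_getcap > "$tmp/caps"
hosts_missing_caps "$tmp/node.cfg" "$tmp/caps"; rm -rf "$tmp"
```

A host listed by `hosts_missing_caps` has a binary without one or both capabilities, which would mean the `setcap` did not take effect on, or did not survive on, the file that worker actually runs.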

