[Bro-Dev] broctl restart

Daniel Thayer dnthayer at illinois.edu
Wed Mar 20 09:46:02 PDT 2013


On 03/18/2013 10:37 AM, Robin Sommer wrote:
> Daniel,
>
> I've a question/task regarding broctl' "restart". Before merging #960,
> there was this code:
>
>       if clean:
>            # Can't delete the tmp here because log archival might still be
>            # going on there in the background.
>            util.output("cleaning up ...")
>            self.do_cleanup("--keep-tmp " + args)
>            self.postcmd(False, "--keep-tmp " + args)
>
> You removed the --keep-tmp option, which makes sense because it didn't
> do anything. However, I'm concerned that that might have been there
> for a reason, per the comment (which I've removed now too because
> without the --keep-tmp, it doesn't apply anymore).
>
> Is is possible that we still have a problem there that if somebody
> does "restart --clean", logs might get deleted before they're
> completely archived? I'm wondering if the --keep-tmp code might have
> just gotten lost at some point accidentally.

I'm guessing the do_cleanup() code previously deleted tmp
unless the "--keep-tmp" option was specified. Currently, that
code does not delete tmp unless the "--all" option is
given (which cannot happen when the user runs the "restart"
command, even if the user erroneously tries to use the "--all"
option with the "restart" command).  So, I don't see any problem
here.


> Also, maybe related or not, we got a report that "broctl restart"
> (without --clean) apparently *does* delete logs occasionally before
> they get archived. So independent of --keep-tmp, I'm wondering if we
> have some a similar problem elsewhere.

I've found a race condition that occurs when the "stop" command
is issued which can result in log files being deleted before
they're archived into the "logs/<date>" directory (since "restart"
first does a "stop", I don't see any problem with the "restart"
command itself).

In my testing, I've seen only the conn.log being deleted before it
is archived, because it takes longer to archive conn.log due to the
summarize-connections postprocessor that gets run by the archive-log
script (as a quick test, I tried skipping the connection summary
processing by setting tracesummary="" in broctl.cfg, and this
resulted in conn.log being reliably archived with each "broctl stop").

I will post more details to ticket #970 in the tracker.



More information about the bro-dev mailing list