[Zeek] The deduplication during the script's loading
Michał Purzyński
michalpurzynski1 at gmail.com
Wed Mar 20 21:45:25 PDT 2019
Hey!
Credit for discovery of this issue goes to Justin Azoff.
During module loading, Zeek checks the inode number of each script file and
silently ignores a file with the same inode as one loaded previously.
For example, if
/usr/share/bro/base/frameworks/input/__load__.bro
/usr/share/bro/base/frameworks/dpd/__load__.bro
share the same inode (are hardlinked), only the first one will load and the
second one will not.
This breaks the workflow for me. The ClearLinux packaging mechanism, by
design, hardlinks identical files (if they have an identical checksum).
The net result is that a correctly packaged Zeek is left in a
non-functioning state after installation.
Justin suggested that I can break hardlinks with rsync, like this:
/usr/bin/rsync -aP /usr/share/bro/<whatever> /somewhere
/usr/bin/rsync -aP /somewhere /usr/share/bro/<whatever>
That works - and I have a working Zeek cluster, with af_packet plugin, just
by installing a single "network-monitoring-node" bundle.
Do we want to do something about it? Or is this expected? Can we, maybe,
make this configurable? Should I live with this workaround?
--
M.
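
A check for the condition described in this message, added here as an example (not part of the original post and not Zeek's own code): it lists script files under a tree that share an inode and gives each one its own inode, the effect the message attributes to the rsync round trip. The function names, the suffix list and the constructed demo tree are assumptions.

```python
import os
import shutil
import tempfile
from collections import defaultdict


def find_hardlink_groups(root, suffixes=(".bro", ".zeek")):
    """Return lists of script paths under root that share one (device, inode)."""
    by_inode = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # st_nlink > 1 only says another link exists somewhere; grouping
            # by (st_dev, st_ino) finds the duplicates inside this tree.
            if st.st_nlink > 1:
                by_inode[(st.st_dev, st.st_ino)].append(path)
    return sorted(sorted(g) for g in by_inode.values() if len(g) > 1)


def break_hardlinks(groups):
    """Give every path but the first in each group its own inode."""
    for group in groups:
        for path in group[1:]:
            fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
            os.close(fd)
            shutil.copy2(path, tmp)  # content, mode, times (not ownership)
            os.replace(tmp, path)    # atomic swap within one filesystem


def demo():
    """Build a constructed tree with one hardlinked pair, detect it, repair it."""
    with tempfile.TemporaryDirectory() as root:
        a = os.path.join(root, "input", "__load__.bro")
        b = os.path.join(root, "dpd", "__load__.bro")
        os.makedirs(os.path.dirname(a))
        os.makedirs(os.path.dirname(b))
        with open(a, "w") as fh:
            fh.write("@load ./main\n")
        os.link(a, b)  # what a deduplicating packager would produce
        before = find_hardlink_groups(root)
        break_hardlinks(before)
        after = find_hardlink_groups(root)
        return [[os.path.relpath(p, root) for p in g] for g in before], after
```

Running `find_hardlink_groups` against the installed script directory after a package update shows whether the packager has re-linked files that Zeek would then skip.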