suricata-verify
suricata-verify copied to clipboard
OISF
test-dump-counters: Test dump-counters via unix-command socket
Replaces https://github.com/OISF/suricata-verify/pull/1683
Changes since v4:
- Switch to af-packet source because using pcap blocks Suricata termination on Debian 10 and Ubuntu 20.04.
Changes since v3:
- Don't use
ps, not available in CI everywhere. - Invoke suricatasc with python3.
Changes since v2:
- Rewrote as shell script invoking suricatasc instead of using the suricatasc Python module
- Set rule-files.0=/dev/null to prevent loading of rules
- Set a BPF filter to make capture on
lounlikely
Test for https://github.com/OISF/suricata/pull/10468
Ticket
Ticket: 6732
Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6732
@jasonish - how does this version look to you?
Yeah, not as pretty :) But more future proof with respect for some changes I hope to have in by 8.0. Thanks.
I ran this in my own private gitlab-ci env, where the tests run in docker containers. Got a bunch of failures with exit codes 127, 137(?), 124 and one test timeout. Haven't tried to debug it.
Would it need special capabilities?
Would it need special capabilities?
Suppose CAP_NET_RAW due to listeing on lo. I ran it within a plain docker run --rm -it here and that seemed to work.
https://github.com/OISF/suricata/pull/10583 got merged, so this should pass... let's check
OISF/suricata#10583 got merged, so this should pass... let's check
Thanks for re-triggering. Think for main-7.0.x still needs f17204191d3bb2201e6b6b1c4cf2e7a96148e8cd backported for it to pass there too :crossed_fingers:
FYI - I'll be unavailable for the next few weeks. If there's interest in having this test merged and there's more polishing needed, would be great if someone could shepherd it.
cc @jlucovsky / @jasonish
Do we know why this is failing on Suricata 7? Looks like its been backported.
Do we know why this is failing on Suricata 7? Looks like its been backported.
Where ?
git log main-7.0.x | grep f172041 yields no result for me
I concur with @catenacyber
The changes are in master:
$ git l | grep -e 'stats: Fix non-worker' -e 'schema: Add stats.capture'
f9cf87a003 schema: Add stats.capture and in_iface properties
f17204191d stats: Fix non-worker stats missing
These are not in main-7.0.x:
$ git l | grep -e 'stats: Fix non-worker' -e 'schema: Add stats.capture'
$
I didn't look past the backport ticket, which appears to be closed for 7.0.x.
I think it needs to be reconsidered completely, as I got massive failures in my CI setup, most likely for not working well with certain permissions missing from the CI runners.
I think it needs to be reconsidered completely, as I got massive failures in my CI setup, most likely for not working well with certain permissions missing from the CI runners.
Perhaps adding capabilities to the requires section of test.yaml? But that could get complex. On Linux, you might only want to run if certain caps are available, but run on FreeBSD as long as root. That does bring a level of expression not available in S-V.
Or put tests that require a level of privilege in a separate directory, privileged-tests and then its up to the CI environment to be configured to run them.
I think SV isn't the best place for this. I've added a bunch of "live" tests in https://github.com/OISF/suricata/pull/11006, and I think this work could be extended for the testing required here?
See in suricata :
.github/workflows/live/pcap.sh:JSON=$(python3 python/bin/suricatasc -c "dump-counters" /var/run/suricata/suricata-command.socket)
I'm going to close this PR. I don't have the cycles to see this through. I agree with @catenacyber 's last comment that the script looks like a good place to validate the dump-counters output more.