Bug 12785

Summary: Test Core 164 Suricata / Intrusion Prevention Page Locked
Product: IPFire Reporter: Charles Brown <cab_77573>
Component: ---Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED QA Contact:
Severity: - Unknown -    
Priority: - Unknown - CC: adolf.belka, fkienker, matthias.fischer, michael.tremer, peter.mueller
Version: 2Keywords: Blocker
Hardware: unspecified   
OS: Unspecified   
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=12788

Description Charles Brown 2022-03-02 11:07:34 UTC
From the community forum ...
https://community.ipfire.org/t/possible-problem-with-suricata-test-core-164/7345
Comment 1 Charles Brown 2022-03-02 13:03:16 UTC
Also, some additional comments concerning things not quite right with settings and/or file permissions;  and different behavior depending on 'update' vs fresh install of CU 164 -- in later comments in this forum post
https://community.ipfire.org/t/manual-update-missing-on-core-164-test/7329/7
Comment 2 Adolf Belka 2022-03-02 16:50:13 UTC
(In reply to Charles Brown from comment #1)
> Also, some additional comments concerning things not quite right with
> settings and/or file permissions;  and different behavior depending on
> 'update' vs fresh install of CU 164 -- in later comments in this forum post
> https://community.ipfire.org/t/manual-update-missing-on-core-164-test/7329/7

That has already been raised as its own bug #12788
Comment 3 Fred Kienker 2022-03-02 18:11:12 UTC
I can confirm this behavior on Core 164 on multiple systems. The only resolution is to reboot the firewall, but even this does not work consistently. Sometimes after waiting an hour or two, it will return to the normal IPS screen. If more information would be helpful, I will try to record the pattern under which this occurs.
Comment 4 Fred Kienker 2022-03-02 18:19:38 UTC
(In reply to Fred Kienker from comment #3)
> I can confirm this behavior on Core 164 on multiple systems. The only
> resolution is to reboot the firewall, but even this does not work
> consistently. Sometimes after waiting an hour or two, it will return to the
> normal IPS screen. If more information would be helpful, I will try to
> record the pattern under which this occurs.

Message displayed on the screen:  	

Ruleset update in progress. Please wait until all operations have completed successfully..
Comment 5 Fred Kienker 2022-03-02 21:21:19 UTC
This is from the httpd/error_log:

[Wed Mar 02 13:22:51.398738 2022] [core:error] [pid 2870:tid 136107555538496] (70007)The timeout specified has expired: [client 10.0.2.11:63504] AH00574: ap_content_length_filter: apr_bucket_read() failed, referer: https://fw-at4b.at4b.net:444/
Comment 6 Stefan Schantl 2022-03-03 04:46:27 UTC
Hello thanks for reporting this issue.

The error occurs because the IDS updater in the background had an error and
did not release it's page lock file correctly.

At the moment to get things work again properly you only can perform a reboot of the system to get rid of this lock or you manually have to remove the "/tmp/ids_page_locked" file by hand.

I'll sent a fix to prevent from having this issue.

-Stefan
Comment 7 Stefan Schantl 2022-03-03 04:51:15 UTC
Fix has arrived the mailing list:

https://patchwork.ipfire.org/project/ipfire/patch/20220303044943.3678-1-stefan.schantl@ipfire.org/
Comment 9 Charles Brown 2022-03-08 13:12:06 UTC
Per my testing with /master/2022-03-07 18:53:09 +0000-b69659af, this issue is fixed
Comment 11 Matthias Fischer 2022-03-14 17:25:38 UTC
I ran into the same issue.

As I see it the updater 'update-ids-ruleset' wasn't shipped with Core164:

https://git.ipfire.org/?p=ipfire-2.x.git;a=tree;f=config/rootfiles/core/164/filelists;h=c81a06294cd3527b9b68d1352d487bf1c8f95c9e;hb=refs/heads/core164
Comment 12 Peter Müller 2022-03-16 20:38:58 UTC
Ah, zut alors, I was too eager on this one then. :-/

Resetting it back to ON_QA, since https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=ebe404ef020fc5091f5b9cee6e2617fc2e45d279 fixes this problem in Core Update 165, and C165 is already available for testing.

https://blog.ipfire.org/post/ipfire-2-27-core-update-165-is-available-for-testing