/usr/share/broctl/scripts/post-terminate is in broctl 1.4-1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
#!/bin/bash
#
# Cleanup tasks after Bro termination: move the node's working directory
# to a tmp dir and create a new working directory, create a crash report if
# the node crashed, wait for this node's archive-log processes to finish,
# archive any remaining unrotated logs (if bro crashed or was killed), and
# finally (if the node didn't crash) remove the tmp dir if it doesn't contain
# any rotated log files.
#
# post-terminate <dir> [<crashflag>]
#
# <dir> is the node's working directory.
#
# If <crashflag> is not set, then BroControl has stopped Bro normally.
# If <crashflag> is "crash", then BroControl has determined that Bro crashed
# and this script will return information about the crash on stdout which is
# suitable for mailing to the user. If <crashflag> is "killed", then
# BroControl terminated Bro forcefully (but intentionally) by SIGKILL while
# trying to stop Bro.
# Validate the argument count: exactly one or two arguments are accepted.
case $# in
  1|2)
    ;;
  *)
    echo "post-terminate: wrong usage"
    exit 1
    ;;
esac

# First argument: the node's working directory, which must already exist.
dir=$1
if ! [ -d "$dir" ]; then
  echo "post-terminate: directory not found: $dir"
  exit 1
fi

# Optional second argument: "crash" or "killed" selects the matching mode.
# Any other value (or none) leaves both flags at 0.
crash=0
killed=0
case "$2" in
  crash)
    crash=1
    ;;
  killed)
    killed=1
    ;;
esac
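# Compute both timestamps here so we get consistent results.
timestamp=$(date +%Y-%m-%d-%H-%M-%S)
archivelogtime=$(date +%y-%m-%d_%H.%M.%S)

# Load the broctl settings this script reads (tmpdir, scriptsdir, bro,
# havenfs, tmpexecdir, os) from the file next to it. The path is quoted so an
# install location containing whitespace still resolves to a single file.
. "$(dirname "$0")/broctl-config.sh"

if [ -z "${tmpdir}" ]; then
  echo "post-terminate: broctl option tmpdir not set"
  exit 1
fi

if [ ! -d "${tmpdir}" ]; then
  # Another post-terminate instance may create tmpdir between the test above
  # and this mkdir, so a failed mkdir only counts as an error if the directory
  # is still missing afterwards.
  if ! mkdir "${tmpdir}" && [ ! -d "${tmpdir}" ]; then
    echo "post-terminate: cannot create tmpdir: ${tmpdir}"
    exit 1
  fi
fi

tmp=${tmpdir}/post-terminate-$timestamp-$$
if [ "$crash" -eq 1 ]; then
  tmp=$tmp-crash
fi

# The destination name is predictable (timestamp plus PID). If anything
# already exists at that path, mv would move the working directory *into* it
# (or through a symlink) instead of renaming it, and the rest of the script
# would then run in a directory it did not create. Refuse to continue.
# This narrows the window but cannot close it; tmpdir should be writable only
# by the account that runs broctl.
if [ -e "$tmp" ] || [ -L "$tmp" ]; then
  echo "post-terminate: refusing to reuse existing path: $tmp"
  exit 1
fi

if ! mv "$dir" "$tmp"; then
  exit 1
fi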
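# Re-create an empty working directory in place of the one just moved away.
mkdir "$dir"

# Everything below (including the background cleanup, which deletes PID files
# and may remove the tmp dir) uses paths relative to the current directory,
# so stop if the tmp dir cannot be entered.
if ! cd "$tmp"; then
  echo "post-terminate: cannot change to directory: $tmp"
  exit 1
fi

# Carry the .state directory over into the new working directory.
# NOTE(review): the current directory is now $tmp, so this assumes <dir> was
# given as an absolute path -- confirm against the caller.
if [ -d .state ]; then
  mv .state "$dir"
fi

if [ "$crash" -eq 1 ]; then
  # output the crash report
  "${scriptsdir}"/crash-diag "$tmp"

  # Copy the bro binary into the tmp dir next to the crash data. With
  # havenfs=1 the copy is taken from tmpexecdir instead of the configured path.
  mybro=${bro}
  if [ "${havenfs}" = "1" ]; then
    mybro=${tmpexecdir}/$(basename "${bro}")
  fi
  cp "$mybro" .
fi

# The background part reads the node's start time from .startup.
if [ ! -f .startup ]; then
  echo "post-terminate: file not found: .startup"
  exit 1
fi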
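# Execute the remaining part of this script in the background so that broctl
# doesn't need to wait for it to finish.
(
  # Wait for any archive-log processes to finish, so that we can either
  # launch new ones (below) or remove this directory. Each one is tracked by
  # a PID file named .archive-log.*.tmp in the current directory.
  #
  # The files are enumerated with a shell glob rather than by word-splitting
  # find output, so a name containing whitespace or glob characters is handled
  # as a single file.
  # NOTE(review): there is no timeout here; a stale PID file that names a
  # live, unrelated process keeps this loop waiting.
  while :; do
    pending=0
    for pfile in ./.archive-log.*.tmp; do
      # Only regular files count (mirrors "find -type f"); an unmatched glob
      # stays literal and is skipped by the same test.
      if [ ! -f "$pfile" ] || [ -L "$pfile" ]; then
        continue
      fi
      pending=1

      # If PID file is empty, then check it again later.
      if [ ! -s "$pfile" ]; then
        continue
      fi

      # Take the first whitespace-delimited word of the first line as the PID.
      pid=
      read -r pid _ < "$pfile"
      case "$pid" in
        '' | *[!0-9]*)
          # Not a decimal PID, so no process can match it: remove the PID
          # file without handing the value to ps.
          rm -f -- "$pfile"
          ;;
        *)
          # Check if a process with given PID exists
          if ! ps -p "$pid" > /dev/null 2>&1; then
            # No such process exists, so remove PID file
            rm -f -- "$pfile"
          fi
          ;;
      esac
    done

    if [ "$pending" -ne 1 ]; then
      break
    fi
    sleep 1
  done

  if [ "$crash" -eq 1 ] || [ "$killed" -eq 1 ]; then
    # If Bro crashed or was killed, then we run log postprocessors here
    # on all unrotated logs (including stdout.log/stderr.log, as they might
    # have useful info in this situation). We ignore rotated logs here
    # because presumably the archival of them was already attempted (and
    # failed), and the presence of rotated logs will prevent the tmp directory
    # from being removed (in order to give the user a chance to manually
    # archive them).

    flags=
    if [ "$crash" -eq 1 ]; then
      # If Bro crashed, then we tell archive-log to not delete the log file.
      flags=-c
    fi

    # The last line of .startup is used as the default start time.
    startuptime=$(tail -n 1 .startup)

    # Visit all unrotated log files (rotated logs always have more than one
    # period in the filename and are skipped).
    # Note: this assumes the user is using the default ".log" file extension.
    # A glob plus a pattern test replaces the OS-specific "find -regex" call,
    # so each file name reaches archive-log as exactly one argument.
    for i in ./*.log; do
      if [ ! -f "$i" ] || [ -L "$i" ]; then
        continue
      fi

      # Strip off the leading "./"
      logname=${i#./}

      # Skip rotated logs (more than one period in the name).
      case "$logname" in
        *.*.log) continue ;;
      esac

      # Strip off the file extension
      logbase=${logname%.*}
      if [ -z "$logbase" ]; then
        continue
      fi

      # Since we don't have the actual start and end times for these logs,
      # we try to construct reasonable values here.
      strt=$startuptime
      if [ -f ".rotated.$logbase" ]; then
        strt=$(cat ".rotated.$logbase")
      fi
      end=$archivelogtime

      # Note: here we assume the log is ascii
      # $flags is left unquoted on purpose: when empty it must expand to no
      # argument at all. Every other value is quoted, so an empty or
      # multi-word start time can no longer shift the argument positions.
      # NOTE(review): a log name beginning with "-" would still reach
      # archive-log looking like an option; that needs handling in archive-log.
      "${scriptsdir}"/archive-log $flags "$logname" "$logbase" "$strt" "$end" 1 ascii &
    done

    # If Bro crashed, then we don't need to do anything else, because we don't
    # want to remove the tmp directory.
    if [ "$crash" -eq 1 ]; then
      exit 0
    fi

    # Wait for all the archive-log processes started here to finish.
    wait
  fi

  # If no rotated log files remain, then remove the directory.
  # Note: this assumes the user is using the default ".log" file extension.
  if [ -z "$(find . -maxdepth 1 -type f -name '*.*.log')" ]; then
    rm -rf -- "$tmp"
  fi
) >/dev/null 2>&1 &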