services start, that should not #346

Closed
neu5ron opened this issue Feb 4, 2019 · 6 comments
Labels
awaiting merge Issue will be closed when PR referenced in issue is merged to master
@neu5ron
Contributor

neu5ron commented Feb 4, 2019

Services start that are configured to 'False' under the config section 'Specify if a service is enabled on startup'.

rock config.yml:

```yaml
# Specify if a service is enabled on startup
enable_stenographer: False
enable_docket: False
enable_bro: True
enable_suricata: False
enable_snort: False
enable_suricata_update: False
enable_logstash: True
enable_elasticsearch: True
enable_kibana: True
enable_zookeeper: True
enable_kafka: True
enable_lighttpd: True
enable_fsf: False
```

Then I rebooted.

You will then notice stenographer, suricata, and fsf are running:

```text
[root@simplerockbuild admin]# systemctl status stenographer suricata docket fsf
● stenographer.service - packet capture to disk
   Loaded: loaded (/etc/systemd/system/stenographer.service; enabled; vendor preset: disabled)
   Active: active (exited) since Mon 2019-02-04 17:56:29 UTC; 2min 18s ago
  Process: 3372 ExecStartPost=/bin/echo View instance logs with `journalctl -u stenographer@*` (code=exited, status=0/SUCCESS)
  Process: 3360 ExecStartPost=/bin/echo View instance status with `systemctl status stenographer*`. (code=exited, status=0/SUCCESS)
  Process: 3345 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
  Process: 3326 ExecStartPre=/bin/echo Starting template instances. (code=exited, status=0/SUCCESS)
 Main PID: 3345 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/stenographer.service

Feb 04 17:56:29 simplerockbuild.simplerock.lan systemd[1]: Starting packet capture to disk...
Feb 04 17:56:29 simplerockbuild.simplerock.lan echo[3326]: Starting template instances.
Feb 04 17:56:29 simplerockbuild.simplerock.lan echo[3360]: View instance status with `systemctl status stenographer*`.
Feb 04 17:56:29 simplerockbuild.simplerock.lan echo[3372]: View instance logs with `journalctl -u stenographer@*`
Feb 04 17:56:29 simplerockbuild.simplerock.lan systemd[1]: Started packet capture to disk.

● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/etc/systemd/system/suricata.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-02-04 17:56:29 UTC; 2min 18s ago
 Main PID: 3319 (Suricata-Main)
   CGroup: /system.slice/suricata.service
           └─3319 /sbin/suricata -c /etc/suricata/suricata.yaml --af-packet

Feb 04 17:56:29 simplerockbuild.simplerock.lan systemd[1]: Started Suricata Intrusion Detection Service.
Feb 04 17:56:29 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:56:29 - <Info> - Including configuration file rocknsm-overrides.yaml.
Feb 04 17:56:29 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:56:29 - <Info> - Configuration node 'default-rule-path' redefined.
Feb 04 17:56:29 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:56:29 - <Info> - Configuration node 'rule-files' redefined.
Feb 04 17:56:29 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:56:29 - <Info> - Configuration node 'af-packet' redefined.
Feb 04 17:56:29 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:56:29 - <Info> - Configuration node 'default-log-dir' redefined.
Feb 04 17:56:29 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:56:29 - <Info> - Configuration node 'outputs' redefined.
Feb 04 17:56:29 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:56:29 - <Notice> - This is Suricata version 4.0.6 RELEASE
Feb 04 17:57:05 simplerockbuild.simplerock.lan suricata[3319]: 4/2/2019 -- 17:57:05 - <Notice> - all 3 packet processing threads, 4 management threads initialized, engine started.

● docket.service - Docket uWSGI app
   Loaded: loaded (/usr/lib/systemd/system/docket.service; enabled; vendor preset: disabled)
   Active: inactive (dead)

● fsf.service - File Scanning Framework (FSF-Server) Service
   Loaded: loaded (/usr/lib/systemd/system/fsf.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-02-04 17:56:29 UTC; 2min 17s ago
  Process: 3385 ExecStart=/opt/fsf/fsf-server/main.py start (code=exited, status=0/SUCCESS)
  Process: 3344 ExecStartPre=/bin/chown -R fsf:fsf /run/fsf (code=exited, status=0/SUCCESS)
  Process: 3324 ExecStartPre=/bin/mkdir -p /run/fsf (code=exited, status=0/SUCCESS)
 Main PID: 3418 (python)
   CGroup: /system.slice/fsf.service
           └─3418 python /opt/fsf/fsf-server/main.py start
```
@bndabbs bndabbs added this to the 2.4 milestone Feb 4, 2019
@neu5ron
Contributor Author

neu5ron commented Feb 18, 2019

rock_start and rock_stop work correctly because they look at the config.yml:

```bash
if grep -qiE "^with_$1: (true|yes)" /etc/rocknsm/config.yml; then
```

However, the systemctl rockctl just blindly starts and stops everything. Also, would need to mention snort is not in the list either:

```bash
psprocs=( zookeeper kafka bro suricata filebeat elasticsearch logstash kibana stenographer )
```

@jeffgeiger
Contributor

Good point. So, for a fix, it needs the config.yml to be fully populated again. e.g. Just merge the "reference config" and config.yml into one thing again. @bndabbs, what say you?

@bndabbs
Contributor

bndabbs commented Feb 18, 2019

rock_start is deprecated, so we should just get rid of that. For the 2nd piece, I think the easiest path forward would be to convert rockctl to a template and populate the list of procs per-host based on the inventory.

Something like the following:

```bash
psprocs=( {{ group_names }} )
```

From the Ansible docs:

> group_names is a list (array) of all the groups the current host is in. This can be used in templates using Jinja2 syntax to make template source files that vary based on the group membership (or role) of the host

@jeffgeiger
Contributor

Oooh. I like that.

neu5ron added a commit to neu5ron/rock that referenced this issue Feb 19, 2019
jeffgeiger added a commit that referenced this issue Feb 19, 2019
@dcode dcode mentioned this issue Feb 22, 2019
dcode added a commit that referenced this issue Feb 22, 2019
* New: Add ability to do multi-host deployment of sensor + data tiers (#339, [bndabbs@gmail.com](mailto:bndabbs@gmail.com))
* New: Integrate Docket into Kibana by default ([derek@rocknsm.io](mailto:derek@rocknsm.io))
* New: Improvements and additional Kibana dashboards (spartan782)
* Fixes: issue with Bro failing when monitor interface is down (#343, [bndabbs@gmail.com](mailto:bndabbs@gmail.com))
* Fixes: issue with services starting that shouldn’t (#346, [therealneu5ron@gmail.com](mailto:therealneu5ron@gmail.com))
* Fixes: race condition on loading dashboards into Kibana (#356, [derek@rocknsm.io](mailto:derek@rocknsm.io))
* Fixes: configuration for Docket allowing serving from non-root URI (#361, [derek@rocknsm.io](mailto:derek@rocknsm.io))
* Change: bro log retention value to one week rather than forever (#345, [sean.cochran@gmail.com](mailto:sean.cochran@gmail.com))
* Change: Greatly improve documentation (#338, [sean.cochran@gmail.com](mailto:sean.cochran@gmail.com))
* Change: Reorganize README (#308, [bradford.dabbs@elastic.co](mailto:bradford.dabbs@elastic.co))
* Change: Move ECS to rock-dashboards repo (#305, [derek@rocknsm.io](mailto:derek@rocknsm.io))
* Change: Move RockNSM install paths to filesystem hierarchy standard locations (#344, [bndabbs@gmail.com](mailto:bndabbs@gmail.com))
@neu5ron
Contributor Author

neu5ron commented Mar 11, 2019

Since filebeat is in rockctl, and config.yml only has enable_filebeat and not with_filebeat, filebeat now gets disabled due to this script. Need to add with_filebeat to config.yml due to the usage in rockctl:

```bash
if grep -qiE "^with_$1: (true|yes)" /etc/rocknsm/config.yml; then
```

@bndabbs will probably need your help on this... due to limited knowledge of the meta universe of deployment
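The thread describes two related defects in the same gate: rockctl's `grep -qiE "^with_$1: (true|yes)"` check ignores the `enable_*` flags that config.yml actually carries, and its hard-coded `psprocs` array starts everything (and omits snort) regardless of what the config says. The script below is an added example written for this issue, not RockNSM's rockctl or any code from the project. It reads a constructed config.yml that mirrors the keys quoted above (plus an assumed `with_filebeat: true` line, since the comment says that key is missing), accepts either key spelling so a service with only `with_<name>` is not silently disabled, and audits a constructed "running" list against the config to flag exactly the mismatch reported in this issue (stenographer, suricata and fsf active while disabled). The running list is passed in as a string rather than read from `systemctl is-active` so the script runs offline; it uses plain POSIX sh constructs instead of the bash array rockctl uses.

```shell
#!/bin/sh
# Added example (not RockNSM's rockctl): gate service start/stop on the
# enable_*/with_* flags in config.yml instead of a hard-coded process list.

# Constructed sample config mirroring the keys quoted in this issue.
# The with_filebeat line is an assumption: the issue says it is missing.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# Specify if a service is enabled on startup
enable_stenographer: False
enable_docket: False
enable_bro: True
enable_suricata: False
enable_snort: False
enable_logstash: True
enable_elasticsearch: True
enable_kibana: True
enable_zookeeper: True
enable_kafka: True
enable_lighttpd: True
enable_fsf: False
with_filebeat: true
EOF

# service_enabled CONFIG NAME -> exit 0 if CONFIG enables NAME.
# Accepts enable_<name> or with_<name>, case-insensitive true/yes, anchored
# to the whole line so "enable_bro: True" cannot match "enable_bro_extra".
service_enabled() {
    cfg="$1"; name="$2"
    grep -qiE "^(enable|with)_${name}:[[:space:]]*(true|yes)[[:space:]]*$" "$cfg"
}

# Process list from rockctl, with snort and fsf added (the issue notes that
# snort is missing; fsf is one of the services seen running in the report).
PSPROCS="zookeeper kafka bro snort suricata filebeat elasticsearch logstash kibana stenographer fsf"

# enabled_services CONFIG -> prints the subset of PSPROCS the config enables.
# This is the list a rockctl-style "start" should iterate over.
enabled_services() {
    cfg="$1"
    for p in $PSPROCS; do
        if service_enabled "$cfg" "$p"; then printf '%s\n' "$p"; fi
    done
    return 0
}

# audit_running CONFIG "name name ..." -> prints services in the list that are
# running but disabled in CONFIG. The list is constructed here; on a real host
# it would come from `systemctl is-active` over PSPROCS.
audit_running() {
    cfg="$1"
    for p in $2; do
        if ! service_enabled "$cfg" "$p"; then printf '%s\n' "$p"; fi
    done
    return 0
}

main() {
    echo "Services a config-aware rockctl should start:"
    enabled_services "$SAMPLE_CONFIG"
    echo "Running but disabled in config (constructed list from the issue report):"
    audit_running "$SAMPLE_CONFIG" "stenographer suricata fsf bro"
    rm -f "$SAMPLE_CONFIG"
}
main
```

The audit function is the defender-side check for this class of drift: run it from a cron job or a post-deploy test and any service active while its config flag is `False` shows up immediately, instead of being discovered by hand with `systemctl status` as in the original report.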

@bndabbs
Contributor

bndabbs commented Mar 14, 2019

#381 should fix this @neu5ron.

dcode pushed a commit that referenced this issue Mar 14, 2019
This allows for more advanced tests, such as intersect.

Will require updates to rockctl.

Affects #346
@bndabbs bndabbs added the awaiting merge Issue will be closed when PR referenced in issue is merged to master label Mar 26, 2019
dcode pushed a commit that referenced this issue Mar 29, 2019
This allows for more advanced tests, such as intersect.

Will require updates to rockctl.

Affects #346
@bndabbs bndabbs closed this as completed Apr 9, 2019