Suricata-update fails to run

Suricata 6.0.6

When I run “suricata-update,” the following is logged:

Traceback (most recent call last):
  File "/usr/local/bin/suricata-update", line 32, in <module>
    from suricata.update import main
ModuleNotFoundError: No module named 'suricata.update'

$ ls -l /usr/local/bin/suricata*
-rwxr-xr-x 1 root root  46M Sep 20 10:40 /usr/local/bin/suricata*
-rwxr-xr-x 1 root root  180 Sep 20 10:40 /usr/local/bin/suricatactl*
-rwxr-xr-x 1 root root  178 Sep 20 10:40 /usr/local/bin/suricatasc*
-rwxr-xr-x 1 root root 1.2K Jul  9  2021 /usr/local/bin/suricata-update*

When suricata is updated, is there a separate step required for suricata-update as well?

Which OS/Distribution and version is this?

openSUSE Tumbleweed 20220915
linux 5.19.8-1-default x86_64

I’m not familiar with openSUSE, but I wonder if the same thing is happening as on Fedora 36.

Was a /usr/local/local created?

Can you run find /usr/local -name enablesource.py and show me where it went?

In short, distributions are making changes to the way Python installs stuff when using distutils that break things. Here is the issue specific to Fedora, but other distributions are doing the same: https://bugzilla.redhat.com/show_bug.cgi?id=2026979

To fix it, we have stopped using distutils to install our Python code; however, that is not in 6.0.6, but will be in the next point release.

The Fedora work-around is to:

export RPM_BUILD_ROOT=fake
make install

I wonder if that would help with openSUSE as well, given it uses RPM.

Was a /usr/local/local created?
No.

Can you run find /usr/local -name enablesource.py and show me where it went?

$ find /usr/local -name enablesource.py
/usr/local/lib/python2.7/site-packages/suricata/update/commands/enablesource.py
/usr/local/lib/python3.6/site-packages/suricata/update/commands/enablesource.py
/usr/local/lib/python3.8/site-packages/suricata/update/commands/enablesource.py
$ export RPM_BUILD_ROOT=fake
$ make install

Made no difference.

Ok, I just tried on the opensuse/tumbleweed:latest Docker image and it all worked fine, but of course that's a fresh install with one version of Python installed. You could…

head -n1 /usr/local/bin/suricata-update to see what version of Python that is using.

Run the Python path shown in the above and make sure it aligns with one of the versions you have in /usr/local/lib, to help find where the discrepancy is.

$ head -n1 /usr/local/bin/suricata-update
#!/usr/bin/python3
$ /usr/bin/python3 -V
Python 3.10.6

Ok. Not too sure how much I can help you out with Python on openSUSE… But your Python interpreter being picked up by Suricata is 3.10, but there is no suricata-update installed for that version of Python. Did you perhaps upgrade Python after installing Suricata? Are you using sudo to install but not for configure, perhaps resulting in different Python binaries being picked up?

One common issue is that you install Suricata with Python 3.9 and all works. Then your system updates the default Python to 3.10 and things break, requiring Suricata to be installed again, right from the ./configure. The changes in the next patch release should resolve that as well.

I tried building Suricata from ./configure as root for all of it. Suricata-update still fails.

Workaround:
I did modify suricata-update to use Python 3.8 (there is no 3.9).
#!/usr/bin/python3.8
That worked.

When is the next patch release?
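
The check worked through in this thread (which interpreter the suricata-update shebang runs, versus which pythonX.Y site-packages trees actually hold suricata.update), as an added example that is not part of the original thread or of Suricata's own code. The function names are hypothetical; the default paths are the ones shown in the posts above.

```python
import re
import subprocess
import sys
from pathlib import Path


def shebang_command(script):
    """Return the interpreter command from the script's first line as argv."""
    with open(script, errors="replace") as fh:
        first = fh.readline().strip()
    if not first.startswith("#!"):
        raise ValueError(f"{script} has no shebang line")
    return first[2:].split()  # also handles '#!/usr/bin/env python3'


def interpreter_version(cmd):
    """Ask the interpreter itself for its major.minor version, e.g. '3.10'."""
    probe = "import sys; print('%d.%d' % sys.version_info[:2])"
    out = subprocess.run(cmd + ["-c", probe], capture_output=True,
                         text=True, check=True)
    return out.stdout.strip()


def installed_versions(prefix, module="suricata/update"):
    """Python versions whose site-packages under <prefix>/lib* hold the module."""
    found = set()
    pattern = f"lib*/python*/site-packages/{module}"
    for path in Path(prefix).glob(pattern):
        m = re.fullmatch(r"python(\d+\.\d+)", path.relative_to(prefix).parts[1])
        if m and path.is_dir():
            found.add(m.group(1))
    return sorted(found, key=lambda v: tuple(map(int, v.split("."))))


def diagnose(script, prefix):
    """Compare the version the script runs under with the installed trees."""
    cmd = shebang_command(script)
    running = interpreter_version(cmd)
    installed = installed_versions(prefix)
    return {"interpreter": " ".join(cmd), "running": running,
            "installed": installed, "match": running in installed}


if __name__ == "__main__":
    # Defaults are the paths from the thread; override on the command line.
    script = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin/suricata-update"
    prefix = sys.argv[2] if len(sys.argv) > 2 else "/usr/local"
    result = diagnose(script, prefix)
    print(result)
    if not result["match"]:
        print("suricata.update is not installed for Python", result["running"])
```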