Where may I find a list of program return codes?

  • Suricata version 7.0.5
  • linux v6.8.9
  • installed Suricata from source

I am experimenting with starting Suricata using systemd. It starts correctly when I issue a command line directly; it does not start correctly using that same command as the value for ExecStart.

2024-05-19T15:03:02-07:00 sma-station14l systemd[1]: Starting Suricata Intrusion Detection Service...
2024-05-19T15:03:02-07:00 sma-station14l systemd[1]: Started Suricata Intrusion Detection Service.
2024-05-19T15:03:02-07:00 sma-station14l systemd[1]: suricata.service: Main process exited, code=exited, status=203/EXEC
2024-05-19T15:03:02-07:00 sma-station14l systemd[1]: suricata.service: Failed with result 'exit-code'.

I have searched Suricata docs and cannot find any mention of the program’s return codes. The man page is silent as well.

The startup failure may be either (1) a misconfigured suricata.yaml or (2) a misconfigured suricata.service.

The 203 exit code is not Suricata-specific but is what systemd is returning. You can find out more about the exit code values and meanings here:
https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Process%20Exit%20Codes

The 203 exit code:
"The actual process execution failed (specifically, the execve(2) system call). Most likely this is caused by a missing or non-accessible executable file."

This is the command line:

/usr/local/bin/suricata -v --pidfile /data01/var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml -q 0

It works when executed from a command prompt or a shell script. Not when executed by systemd.

Neither of the explanations for code 203 seems to fit the problem.

suricata.service file:

[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
EnvironmentFile=-/etc/sysconfig/suricata
ExecStartPre=/bin/rm -f /usr/local/var/run/suricata.pid
ExecStart=$JMM_SURICMD

[Install]
WantedBy=multi-user.target

And the environment file:

JMM_SURICMD=/usr/local/bin/suricata -v --pidfile /data01/var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml -q 0

The use of a variable like that is not supported in systemd. The EnvironmentFile is usually used to provide runtime variables; for instance, your value of --pidfile could be specified as:
PIDFILE=/data01/var/run/suricata.pid

and the ExecStart would look something like

ExecStart=/usr/local/bin/suricata -v --pidfile ${PIDFILE} -c /usr/local/etc/suricata/suricata.yaml -q 0

JT

I replaced the variable with the actual command line. Same result: code 203.

and

NOT match.

I think this is the problem.

By the way, the pid file will be auto-generated and auto-deleted by Suricata when starting up and closing down with the suricata.yaml settings.


This, as it happens, is true.
I modified ExecStart to /usr/local/bin/suricata $JMM_SURIOPT, which is the path to Suricata + options. And it started properly. Yay!

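A checker for the unit-file problem discussed in this thread, as an added example that is not code from any poster or from the Suricata project: it flags Exec* lines whose program name is a variable (or whose key is mis-cased, since systemd key names are case-sensitive) and models how $VAR and ${VAR} arguments are expanded. The sample unit, the JMM_SURIOPT value and the simplified whitespace splitting (no quote handling) are assumptions.

```python
import re

# Exec* directives from systemd.service(5); key names are case-sensitive.
EXEC_KEYS = ("ExecStart", "ExecStartPre", "ExecStartPost", "ExecCondition",
             "ExecReload", "ExecStop", "ExecStopPost")
CANONICAL = {k.lower(): k for k in EXEC_KEYS}

def expand(cmdline, env):
    """Simplified model of systemd substitution: a bare $VAR word is split on
    whitespace into several arguments; ${VAR} is replaced inside its word."""
    argv = []
    for word in cmdline.split():
        bare = re.fullmatch(r"\$(\w+)", word)
        if bare:
            argv.extend(env.get(bare.group(1), "").split())
        else:
            argv.append(re.sub(r"\$\{(\w+)\}",
                               lambda m: env.get(m.group(1), ""), word))
    return argv

def lint_unit(unit_text):
    """Return findings for Exec* lines that systemd will not run as intended."""
    findings = []
    for line in unit_text.splitlines():
        key, sep, value = (p.strip() for p in line.partition("="))
        canonical = CANONICAL.get(key.lower())
        if not sep or canonical is None:
            continue  # section header, comment, or a non-Exec directive
        if key != canonical:
            findings.append(f"{key}: unknown key, did you mean {canonical}?")
            continue
        # Strip the special executable prefixes before looking at the program.
        program = value.split()[0].lstrip("@-:+!") if value else ""
        if program.startswith("$"):
            findings.append(f"{key}: program name {program} is a variable; "
                            "only arguments are substituted")
    return findings

# Constructed sample modelled on the thread's unit file, plus a mis-cased key.
SAMPLE_UNIT = """[Service]
ExecStartPre=/bin/rm -f /usr/local/var/run/suricata.pid
ExecStart=$JMM_SURICMD
Execstart=/usr/local/bin/suricata -v --pidfile ${PIDFILE} -q 0
"""
# Constructed values; JMM_SURIOPT's real content is not shown in the thread.
SAMPLE_ENV = {"PIDFILE": "/data01/var/run/suricata.pid",
              "JMM_SURIOPT": "-v -q 0"}

if __name__ == "__main__":
    print(lint_unit(SAMPLE_UNIT))
    print(expand("/usr/local/bin/suricata $JMM_SURIOPT", SAMPLE_ENV))
```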