Bro Cluster Documentation Error

Good Afternoon,

I am trying to make documentation for installing a bro cluster configuration, and receive the attached error when trying to install via broctl. I can log into both of my worker nodes from the bro manager via ssh fine, and without a password…

Thank you,

Charles

I assume attachments don’t work… here is the test output:

root@ip-172-31-41-32:/home/ubuntu# export PATH=/usr/local/bro/bin:$PATH
root@ip-172-31-41-32:/home/ubuntu# broctl
Warning: broctl node config has changed (run the broctl "deploy" command)
Warning: Bro node "bro" possibly still running on host "localhost" (PID 16564)

Welcome to BroControl 1.4

Type "help" for help.

[BroControl] > install
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /usr/local/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
updating nodes ...
Host key verification failed.
Host key verification failed.
Error: cannot create (some of the) directories /usr/local/bro,/usr/local/bro/logs,/usr/local/bro/spool,/usr/local/bro/spool/tmp on node worker-1
[BroControl] > Host key verification failed.
Host key verification failed.
Host key verification failed.
Host key verification failed.

When you check if you can ssh to the other machines in your cluster,
you need to make sure you're running ssh as the same user that
you're running broctl.

Also, what did you specify for the "host=" entries in your node.cfg?

Please see the attached document on how I configured the host entries.

I can ssh into the computers as my ubuntu user fine, but I copied over my keys as follows:

scp -v ~/.ssh/id_rsa.pub root@172.31.41.31:/home/ubuntu/.ssh/authorized_keys2
scp -v ~/.ssh/id_rsa.pub root@172.31.41.33:/home/ubuntu/.ssh/authorized_keys2

Is this an issue? I tried using ubuntu as the user and it hangs:

ubuntu@ip-172-31-41-32:~$ scp -v ~/.ssh/id_rsa.pub ubuntu@172.31.41.33:/home/ubuntu/.ssh/authorized_keys2
Executing: program /usr/bin/ssh host 172.31.41.33, user ubuntu, command scp -v -t /home/ubuntu/.ssh/authorized_keys2
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 172.31.41.33 [172.31.41.33] port 22.
debug1: Connection established.
debug1: identity file /home/ubuntu/.ssh/id_rsa type 1
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1
debug1: identity file /home/ubuntu/.ssh/id_dsa type -1
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type -1
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type -1
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA d1:0a:e6:c3:bf:ee:23:5a:63:63:ce:c8:71:41:88:29
debug1: Host '172.31.41.33' is known and matches the ECDSA host key.
debug1: Found key in /home/ubuntu/.ssh/known_hosts:2
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ubuntu/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 172.31.41.33 ([172.31.41.33]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending command: scp -v -t /home/ubuntu/.ssh/authorized_keys2
Sending file modes: C0644 404 id_rsa.pub
scp: /home/ubuntu/.ssh/authorized_keys2: Permission denied
ubuntu@ip-172-31-41-32:~$ Sink: C0644 404 id_rsa.pub
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
Transferred: sent 3472, received 2636 bytes, in 0.2 seconds
Bytes per second: sent 18676.3, received 14179.4
debug1: Exit status 1

In the screenshot in the previous email, it appeared you were running broctl
as the "root" user. If that's the case, then you need to be able
to ssh to your worker machine as the "root" user. The home
directory of the "root" user is probably "/root".

I tried running bro from my ubuntu account and receive this:

Also for whatever reason I have to constantly export my paths to run broctl. Not a big issue but if you know a fix that would be great.

ubuntu@ip-172-31-41-32:~$ export PATH=/usr/local/bro/bin:$PATH
ubuntu@ip-172-31-41-32:~$ broctl
Warning: broctl node config has changed (run the broctl "deploy" command)
Warning: Bro node "bro" possibly still running on host "localhost" (PID 16564)

Welcome to BroControl 1.4

Type "help" for help.

[BroControl] > install
Error: cannot acquire lock: [Errno 13] Permission denied: '/usr/local/bro/spool/lock.27491'
Error: Unable to get lock
[BroControl] >

The error message for the lock issue is "Permission denied",
so you will need to check whether your "ubuntu" user
has permission to write to the /usr/local/bro/spool/ directory.
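The two checks suggested in the replies above (can the user who runs broctl reach every node.cfg host over ssh without being prompted, and can that user write to the spool and logs directories) can be scripted as a preflight run on the manager before `broctl install`. The script below is an added example, not part of the original thread and not BroControl's own code. It assumes the layout the thread uses (/usr/local/bro with spool/ and logs/ under it, node.cfg in /usr/local/bro/etc), and `ssh -o BatchMode=yes` is used so that an unknown host key or a missing authorized key fails immediately instead of prompting, which is the condition behind the "Host key verification failed" lines earlier in the thread.

```shell
#!/bin/sh
# Preflight for a broctl cluster install (added example, not from the thread).
# Run it on the manager as the SAME user that will run broctl, e.g.:
#   sh preflight.sh /usr/local/bro/etc/node.cfg
# Assumptions: node.cfg uses "host=..." lines, and BroControl writes to
# /usr/local/bro/spool and /usr/local/bro/logs (paths taken from the thread).

# Print the unique host= values from a node.cfg (argument: path).
# Accepts "host=1.2.3.4" and "host = 1.2.3.4" and ignores trailing comments.
bro_hosts() {
    sed -n 's/^[[:space:]]*host[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | sort -u
}

# Non-interactive ssh probe as the current user. BatchMode=yes makes ssh
# fail instead of prompting, so an unknown host key in this user's
# known_hosts or a key that is not in the remote authorized_keys shows up
# as a failure here rather than as a hang or error inside broctl.
ssh_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true >/dev/null 2>&1
}

# Return 0 only if every directory given exists and is writable by this user.
writable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] || return 1
    done
    return 0
}

# Run both checks; exit status is non-zero if anything failed.
preflight() {
    cfg=${1:-/usr/local/bro/etc/node.cfg}
    rc=0
    echo "running as: $(id -un)"
    for h in $(bro_hosts "$cfg"); do
        if ssh_ok "$h"; then
            echo "ok   ssh $h"
        else
            echo "FAIL ssh $h as $(id -un) (host key unknown, no key, or not reachable)"
            rc=1
        fi
    done
    if writable_dirs /usr/local/bro/spool /usr/local/bro/logs; then
        echo "ok   spool and logs writable by $(id -un)"
    else
        echo "FAIL spool or logs not writable by $(id -un)"
        rc=1
    fi
    return $rc
}

# Only run when a node.cfg path is given on the command line.
if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

Because the checks run as whoever invokes the script, running it with `sudo` tests root's known_hosts and keys, not the ubuntu user's, which is the mismatch the replies above describe.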

This fixed it after I applied it to the manager and all the nodes!

sudo chown -R ubuntu:ubuntu /usr/local/bro

Thanks for your help.