Seth, Vlad, and I were discussing future deployment models for broctld
this morning, and I thought I'd capture some thoughts here for further
discussion and feedback:
- we were thinking that eventually broctld should probably be
running on *every* host with Bro processes, including workers.
That way things get more consistent: each broctld will be in
charge of the Bro processes on "its" host. When an upstream
broctld wants to trigger some action somewhere else, rather than
logging in and executing commands directly, it would instead
talk to the corresponding broctld. That unifies communication
between systems (in particular in the deep cluster setting) and
will also make maintenance tasks, like monitoring and restarting
Bro processes, much simpler and more responsive.
- with that, we can then consider switching to a more standard
model for installing daemons on hosts: rather than having a
central node push everything out (including programs and
binaries), people would install broctld locally on each host via
the package system (or whatever), including init.d scripts etc.
- we could also consider moving away from SSH as the primary
communication mechanism if there are better alternatives.
All not really new, but I thought I'd write it down. Feedback welcome.
Robin