Hey!
Credit for discovery of this issue goes to Justin Azoff.
During module loading, Zeek checks the inode number of each script file and silently ignores a file with the same inode as loaded previously.
For example, if
/usr/share/bro/base/frameworks/input/load.bro
/usr/share/bro/base/frameworks/dpd/load.bro
share the same inode (are hardlinked), only the first one will load and the second one will not.
This breaks the workflow for me. The ClearLinux packaging mechanism, by design, hardlinks identical files (if they have identical checksum).
The net result is that a correctly packaged Zeek is left in a non-functioning state after installation.
Justin suggested that I can break hardlinks with rsync, like this:
/usr/bin/rsync -aP /usr/share/bro/ /somewhere
/usr/bin/rsync -aP /somewhere /usr/share/bro/
That works - and I have a working Zeek cluster, with af_packet plugin, just by installing a single “network-monitoring-node” bundle.
Do we want to do something about it? Or is this expected? Can we, maybe, make this configurable? Should I live with this workaround?
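An added example, not part of the original post: a small POSIX shell script that lists the regular files under a script tree sharing an inode with another file and replaces each with an independent copy, which is what the rsync round-trip above achieves. The two load.bro paths from the post are rebuilt under a temporary directory as constructed sample data so the script runs offline; the file contents and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Zeek project. Finds
# hardlinked files under a directory and replaces each with its own copy so
# that no two script files share an inode.
set -eu

# List regular files under $1 whose link count is greater than 1.
list_hardlinked() {
    find "$1" -type f -links +1
}

# Number of hardlinked regular files under $1, without padding.
count_hardlinked() {
    list_hardlinked "$1" | wc -l | tr -d ' '
}

# Replace every hardlinked regular file under $1 with an independent copy.
# cp -p creates a new inode with the same mode and timestamps; mv then swaps
# the new entry in, dropping the old link. Once the first file of a pair has
# been replaced, the other file's link count falls to 1 and find skips it.
# Filenames containing newlines are not handled by the read loop.
break_hardlinks() {
    find "$1" -type f -links +1 | while IFS= read -r f; do
        tmp="$f.tmp.$$"
        cp -p "$f" "$tmp"
        mv -f "$tmp" "$f"
    done
}

# Number of distinct inodes among regular files under $1.
count_inodes() {
    find "$1" -type f -exec ls -i {} + | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Build a tree with the two load.bro paths from the post hardlinked together
# (constructed sample data; the contents are an assumption) and print its root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/base/frameworks/input" "$root/base/frameworks/dpd"
    printf '@load ./main\n' > "$root/base/frameworks/input/load.bro"
    ln "$root/base/frameworks/input/load.bro" "$root/base/frameworks/dpd/load.bro"
    printf '%s\n' "$root"
}

# Show the tree before and after breaking the links, then clean up.
demo() {
    root=$(make_sample_tree)
    echo "before: $(count_hardlinked "$root") hardlinked file(s), $(count_inodes "$root") inode(s)"
    break_hardlinks "$root"
    echo "after:  $(count_hardlinked "$root") hardlinked file(s), $(count_inodes "$root") inode(s)"
    rm -rf "$root"
}

demo
```

Running break_hardlinks on the installed tree (for example /usr/share/bro) does the same job as the rsync round-trip; since the packaging re-creates the hardlinks, it would have to be run again after every package update.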