Zeekctl and systemd - looking for feedback

Hey there,

I’m a bit of a systemd fanboy and Zeekctl’s process management has been a pet-peeve of mine :slight_smile:

I’ve spent a bit of time to create a zeekctl plugin that hooks the install command and start commands to use systemd instead of letting zeekctl manage processes. The idea is that Zeekctl’s install command renders and links the right systemd unit files onto the system on which zeekctl is invoked. Afterwards, you use systemctl start zeek.target to start the Zeek cluster and journalctl to check on individual processes.

I’m looking for feedback from Zeek operators, users or distributors that run Zeek single node clusters on Linux. Is there any interest in leveraging and relying on systemd features more heavily these days? The plugin is intended as a POC and a starting point for establishing a reasonable Zeek systemd deployment.

```
# Install the plugin
$ zkg install https://github.com/awelzel/zeekctl-systemd

# Prep the Zeek installation
$ echo "systemd.enabled = 1" >> ./etc/zeekctl.cfg
$ ./bin/zeekctl install

$ systemctl start zeek.target
$ systemctl status
$ systemd-cgtop zeek.slice
```

The install command writes unit files into /usr/lib/systemd and /etc/systemd/system - if you’re paranoid, use a virtual machine or check out the instructions about running in a container in the repo.

Looking forward to hearing any thoughts :slight_smile:

Thanks, Arne
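
As an illustration of the layout described above (a zeek.slice that systemd-cgtop can watch, a zeek.target that systemctl starts, and a templated per-node service), here is an added, hand-written set of unit files; they are not the plugin's rendered files. The /usr/local/zeek prefix, the unprivileged zeek user, the per-node /etc/zeek/nodes/%i.env file and the script list on the ExecStart line are assumptions.

```ini
# --- /etc/systemd/system/zeek.slice (assumed layout, not the plugin's output) ---
# Every Zeek process lands in this cgroup, so `systemd-cgtop zeek.slice` shows the
# whole cluster and any resource limit set here applies to all nodes at once.
[Unit]
Description=Zeek cluster slice

[Slice]
CPUAccounting=yes
MemoryAccounting=yes

# --- /etc/systemd/system/zeek.target ---
# The handle that `systemctl start zeek.target` acts on; it pulls in one unit per
# node from Cluster::nodes (per-role units for manager/logger/proxy are omitted here).
[Unit]
Description=Zeek cluster
Wants=zeek-manager.service zeek-logger.service zeek-proxy.service zeek_worker@worker-1.service
After=network-online.target

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/zeek_worker@.service ---
# Template: the instance name (%i) is the node name from Cluster::nodes. Zeek reads
# Cluster::node from the CLUSTER_NODE environment variable, so no per-node script is needed.
[Unit]
Description=Zeek worker %i
PartOf=zeek.target
After=zeek-manager.service

[Service]
Slice=zeek.slice
Environment=CLUSTER_NODE=%i
# Assumed per-node file holding e.g. ZEEK_IFACE=eth0; systemd expands ${...} in ExecStart.
EnvironmentFile=/etc/zeek/nodes/%i.env
WorkingDirectory=/usr/local/zeek/spool/%i
# Script list is a placeholder; a real unit loads what `zeekctl install` rendered.
ExecStart=/usr/local/zeek/bin/zeek -i ${ZEEK_IFACE} local
Restart=on-failure
RestartSec=5
# Least privilege: a sensor only needs raw-socket capture, not root.
User=zeek
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=/usr/local/zeek/spool /usr/local/zeek/logs
PrivateTmp=yes
```

With this layout, `journalctl -u zeek_worker@worker-1` gives the per-process view the first post mentions, and `systemctl stop zeek.target` takes the whole slice down because each service is PartOf= the target.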

Hey Arne!

Before moving to the new mgmt framework we were using systemd exclusively in this fashion, without zeekctl at all. (Full credit to Vlad for the implementation.) We would install via Ansible which would build the things zeekctl does in the background like setting up the Cluster::nodes, etc. I still have the templates for zeek.target, zeek_worker@.service, etc if you want to see them.

It honestly worked great, though it could sometimes be a pain to debug. The biggest problem for us was needing to support multi-node clusters and rather than script around that problem we opted for the newer stuff.

-Dop

Hey @dopheide - thanks! You’re the only one I’m aware of that ran a systemd setup before. But two or three individuals at Zeek days brought up in the past why we’re not running with systemd and instead do manual process management.

The idea for now was to exclude the multi-node scenario, as zeekctl is doing a lot of things for which today other tools are likely better suited.

Is your prior deployment open-source?

Unfortunately it’s not open source, the code that generated the configs is intermingled with a lot of other stuff. Lemme see what I can dig up. I can at least provide the jinja templates, some debugging documentation, and hopefully an old copy of the generated files.

-Dop
