(-)b/security/crowdsec/Makefile (-1 / +1 lines)
Lines 1-7 Link Here
1
PORTNAME=	crowdsec
1
PORTNAME=	crowdsec
2
DISTVERSIONPREFIX=	v
2
DISTVERSIONPREFIX=	v
3
DISTVERSION=	1.6.0
3
DISTVERSION=	1.6.0
4
PORTREVISION=	2
4
PORTREVISION=	3
5
CATEGORIES=	security
5
CATEGORIES=	security
6
6
7
MAINTAINER=	marco@crowdsec.net
7
MAINTAINER=	marco@crowdsec.net
(-)b/security/crowdsec/files/crowdsec.in (-59 / +24 lines)
Lines 20-26 Link Here
20
. /etc/rc.subr
20
. /etc/rc.subr
21
21
22
name=crowdsec
22
name=crowdsec
23
desc="Crowdsec Agent"
24
rcvar=crowdsec_enable
23
rcvar=crowdsec_enable
25
24
26
load_rc_config "$name"
25
load_rc_config "$name"
Lines 30-125 load_rc_config "$name" Link Here
30
: "${crowdsec_machine_name:=localhost}"
29
: "${crowdsec_machine_name:=localhost}"
31
: "${crowdsec_flags:=}"
30
: "${crowdsec_flags:=}"
32
31
33
pidfile=/var/run/${name}.pid
32
pidfile=/var/run/${name}_daemon.pid
33
pidfile_crowdsec=/var/run/${name}.pid
34
required_files="$crowdsec_config"
34
required_files="$crowdsec_config"
35
command="%%PREFIX%%/bin/${name}"
35
command="/usr/sbin/daemon"
36
start_cmd="${name}_start"
36
command_crowdsec="%%PREFIX%%/bin/crowdsec"
37
stop_cmd="${name}_stop"
37
command_cscli="%%PREFIX%%/bin/cscli"
38
command_args="-P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
39
reload_cmd="${name}_reload"
38
start_precmd="${name}_precmd"
40
start_precmd="${name}_precmd"
39
configtest_cmd="${name}_configtest"
41
configtest_cmd="${name}_configtest"
40
extra_commands="configtest reload"
42
extra_commands="configtest reload"
41
43
42
crowdsec_precmd() {
44
crowdsec_precmd() {
43
    cs_cli() {
45
    cs_cli() {
44
        "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"
46
        "$command_cscli" -c "$crowdsec_config" "$@"
45
    }
47
    }
48
46
    Config() {
49
    Config() {
47
        cs_cli config show --key "Config.$1"
50
        cs_cli config show --key "Config.$1"
48
    }
51
    }
49
52
50
    HUB_DIR=$(Config ConfigPaths.HubDir)
51
    if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
52
        echo "Fetching hub inventory"
53
        cs_cli hub update || :
54
    fi
55
56
    CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
57
58
    # Is the LAPI enabled on this node?
53
    # Is the LAPI enabled on this node?
59
    if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
54
    if [ "$(Config API.Server.Enable)" != "false" ]; then
60
55
        # There are no machines, we create one for cscli & log processor
61
        # There are no machines, we create the main one
62
        if [ "$(cs_cli machines list -o json)" = "[]" ]; then
56
        if [ "$(cs_cli machines list -o json)" = "[]" ]; then
63
            echo "Registering LAPI"
57
            echo "Registering LAPI"
64
            cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
58
            cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
65
        fi
59
        fi
66
60
61
        CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
62
67
        # Register to the central server to receive the community blocklist and more
63
        # Register to the central server to receive the community blocklist and more
68
        if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
64
        if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
69
            echo "Registering CAPI"
65
            echo "Registering CAPI"
70
            cs_cli capi register || :
66
            cs_cli capi register || :
71
        fi
67
        fi
72
73
    fi
68
    fi
74
69
75
    # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
70
    # install the collection for the first time, or if it has been removed
76
    #    cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
71
    cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
77
    #        cs_cli collections install crowdsecurity/freebsd || :
78
79
    # So we just check for the file
80
    if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
81
        cs_cli collections install crowdsecurity/freebsd || :
72
        cs_cli collections install crowdsecurity/freebsd || :
82
    fi
83
}
84
85
crowdsec_stop()
86
{
87
    if [ ! -f "$pidfile" ]; then
88
        echo "${name} is not running."
89
        return
90
    fi
91
    pid=$(cat "$pidfile")
92
    if kill -0 "$pid" >/dev/null 2>&1; then
93
        echo "Stopping ${name}."
94
        kill -s TERM "$pid" >/dev/null 2>&1
95
        # shellcheck disable=SC2034
96
        for i in $(seq 1 20); do
97
            sleep 1
98
            if ! kill -0 "$pid" >/dev/null 2>&1; then
99
                rm -f "$pidfile"
100
                return
101
            fi
102
        done
103
        echo "Timeout, terminating ${name} with SIGKILL."
104
        kill -s KILL "$pid" >/dev/null 2>&1
105
        rm -f "$pidfile"
106
    else
107
        echo "${name} is not running."
108
    fi
109
}
110
111
crowdsec_start()
112
{
113
    /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
114
        "$command" -c "$crowdsec_config" ${crowdsec_flags}
115
}
73
}
116
74
117
crowdsec_configtest()
75
crowdsec_configtest()
118
{
76
{
119
    echo "Performing sanity check on ${name} configuration."
77
    echo "Performing sanity check on ${name} configuration."
120
    if "$command" -c "$crowdsec_config" -t -error; then
78
    if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
121
        echo "Configuration test OK"
79
        exit 1
122
    fi
80
    fi
81
    echo "Configuration test OK"
82
}
83
84
crowdsec_reload() {
85
    crowdsec_configtest
86
    echo "Reloading configuration"
87
    kill -HUP "$(cat "$pidfile_crowdsec")"
123
}
88
}
124
89
125
run_rc_command "$1"
90
run_rc_command "$1"
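Review bot: `crowdsec_reload` (new lines 84-88) signals whatever `cat "$pidfile_crowdsec"` prints without first checking that the file exists and is non-empty, so when crowdsec is not running the config test passes and `kill -HUP` then fails with a usage error on an empty argument instead of a clear message. Guard it before signalling: `[ -s "$pidfile_crowdsec" ] || { echo "${name} is not running."; return 1; }` ahead of the `kill -HUP` line. In the same hunk `command_args` escape-quotes `${name}` for `-t` but leaves `${crowdsec_config}` bare; rc.subr eval's the assembled command line, so a config path containing whitespace would be split — `\"${crowdsec_config}\"` keeps it consistent with the `-t` argument (`${crowdsec_flags}` presumably is meant to split into several options and can stay bare). Both `crowdsec_precmd` and `crowdsec_reload` are complete within the hunk.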
(-)b/security/crowdsec/files/patch-pkg_cwhub_dataset.go (+55 lines)
Added Link Here
1
--- pkg/cwhub/dataset.go.orig	1979-11-30 00:00:00 UTC
2
+++ pkg/cwhub/dataset.go
3
@@ -6,6 +6,7 @@ import (
4
 	"io"
5
 	"net/http"
6
 	"os"
7
+	"path/filepath"
8
 	"time"
9
 
10
 	"github.com/sirupsen/logrus"
11
@@ -31,19 +32,40 @@ func downloadFile(url string, destPath string) error {
12
 		return fmt.Errorf("bad http code %d for %s", resp.StatusCode, url)
13
 	}
14
 
15
-	file, err := os.Create(destPath)
16
+	// Download to a temporary location to avoid corrupting files
17
+	// that are currently in use or memory mapped.
18
+
19
+	tmpFile, err := os.CreateTemp(filepath.Dir(destPath), filepath.Base(destPath)+".*.tmp")
20
 	if err != nil {
21
 		return err
22
 	}
23
-	defer file.Close()
24
 
25
+	tmpFileName := tmpFile.Name()
26
+	defer func() {
27
+		tmpFile.Close()
28
+		os.Remove(tmpFileName)
29
+	}()
30
+
31
 	// avoid reading the whole file in memory
32
-	_, err = io.Copy(file, resp.Body)
33
+	_, err = io.Copy(tmpFile, resp.Body)
34
 	if err != nil {
35
 		return err
36
 	}
37
 
38
-	if err = file.Sync(); err != nil {
39
+	if err = tmpFile.Sync(); err != nil {
40
+		return err
41
+	}
42
+
43
+	if err = tmpFile.Close(); err != nil {
44
+		return err
45
+	}
46
+
47
+	// a check on stdout is used while scripting to know if the hub has been upgraded
48
+	// and a configuration reload is required
49
+	// TODO: use a better way to communicate this
50
+	fmt.Printf("updated %s\n", filepath.Base(destPath))
51
+
52
+	if err = os.Rename(tmpFileName, destPath); err != nil {
53
 		return err
54
 	}
55
 
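Review bot: In `downloadFile`, `fmt.Printf("updated %s\n", filepath.Base(destPath))` runs before `os.Rename(tmpFileName, destPath)`, so if the rename fails the calling script has already been told the file was updated while the deferred cleanup removes the temp file and nothing on disk changed; move the `fmt.Printf` below the `if err = os.Rename(...)` block so it only fires once the new file is in place. `os.CreateTemp` creates the file with mode 0600 whereas the replaced `os.Create` used 0666 less umask, so the renamed hub file ends up stricter than before — presumably fine when cscli runs as root, but worth a one-line comment if any other user is expected to read the hub directory. The deferred `tmpFile.Close()` and `os.Remove(tmpFileName)` both run again after the explicit close and successful rename; that is harmless, but a `// on success these fail and are ignored: cleanup only` comment on the defer would save the next reader a question. `downloadFile` starts before this hunk and continues after it.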
(-)b/security/crowdsec/files/pkg-deinstall.in (-2 / +4 lines)
Lines 1-9 Link Here
1
#!/bin/sh
1
#!/bin/sh
2
2
3
#shellcheck disable=SC2249
3
case $2 in
4
case $2 in
4
       "DEINSTALL")
5
       "DEINSTALL")
5
               service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running
6
               # on pfsense, the service is not "enabled" so status and stop would fail
6
               service crowdsec stop 2>/dev/null || :
7
               service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running
8
               service crowdsec onestop 2>/dev/null || :
7
               ;;
9
               ;;
8
esac
10
esac
9
11
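Review bot: The `touch /var/run/crowdsec.running` on new line 7 has no comment explaining that the marker is consumed by pkg-install.in's POST-INSTALL, which runs `service crowdsec onestart` and deletes it; read on its own, a status probe that writes a file is puzzling. Add `# remember that the service was running so pkg-install POST-INSTALL can restart it after the upgrade` above that line. Presumably a plain removal that is not followed by an install leaves the marker behind until /var/run is cleaned at boot, so a later install would start the service unasked; if that matters it is worth stating in the same comment so the limitation is known rather than discovered.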
(-)b/security/crowdsec/files/pkg-install.in (-3 / +11 lines)
Lines 1-11 Link Here
1
#!/bin/sh
1
#!/bin/sh
2
2
3
# shellcheck disable=SC2249
3
case $2 in
4
case $2 in
4
        "POST-INSTALL")
5
        "POST-INSTALL")
5
                cscli hub update -o human --error > /dev/null
6
                echo "Updating crowdsec hub data"
7
                if cscli hub update -o human --error; then
8
                    cscli hub upgrade -o human --error
9
                else
10
                    echo "Failed to update crowdsec hub data."
11
                    echo "You can run 'cscli hub update; cscli hub upgrade'"
12
                    echo "to update manually, or let the cron job do it for you."
13
                fi
6
                if [ -e /var/run/crowdsec.running ]; then
14
                if [ -e /var/run/crowdsec.running ]; then
7
                        service crowdsec start
15
                    service crowdsec onestart
8
                        rm -f /var/run/crowdsec.running
16
                    rm -f /var/run/crowdsec.running
9
                fi
17
                fi
10
                ;;
18
                ;;
11
esac
19
esac
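Review bot: The new hub update/upgrade lines (new 7-8) invoke `cscli` by bare name and so depend on PATH at package-install time, while upgrade-hub.in in this same patch was just moved to `%%PREFIX%%/bin/cscli`; a PATH lacking `%%PREFIX%%/bin`, or a different `cscli` earlier on it, sends this branch into the "Failed to update" message or runs the wrong binary. If this file is substituted like the others, use `if %%PREFIX%%/bin/cscli hub update -o human --error; then` and `%%PREFIX%%/bin/cscli hub upgrade -o human --error`. The exit status of `hub upgrade` is also not examined, so a failed upgrade after a successful update prints nothing — `|| echo "Failed to upgrade crowdsec hub data." >&2` on that line would surface it.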
(-)b/security/crowdsec/files/upgrade-hub.in (-6 / +6 lines)
Lines 1-16 Link Here
1
#!/bin/sh
1
#!/bin/sh
2
2
3
test -x /usr/local/bin/cscli || exit 0
3
test -x %%PREFIX%%/bin/cscli || exit 0
4
5
# splay hub upgrade and crowdsec reload
6
sleep "$(jot -r 1 1 300)"
4
7
5
# favor the opnsense plugin's cron if it's there
8
# favor the opnsense plugin's cron if it's there
6
test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
9
test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
7
10
8
/usr/local/bin/cscli --error -o human hub update
11
%%PREFIX%%/bin/cscli --error -o human hub update
9
12
10
upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
13
upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
11
if [ -n "$upgraded" ]; then
14
if [ -n "$upgraded" ]; then
12
    # splay initial metrics push
13
    sleep "$(jot -r 1 1 60)"
14
    service crowdsec onestatus && service crowdsec onereload
15
    service crowdsec onestatus && service crowdsec onereload
15
fi
16
fi
16
17
17
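Review bot: The opnsense-cron early exit (new line 9) now runs after the up-to-300s splay `sleep` on new line 6, so a host that defers to the plugin's cron still sleeps every run before finding out; move `test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0` above the sleep. The reload decision `if [ -n "$upgraded" ]` keys on any stdout from `hub upgrade`, which relies on the `updated %s` line added in patch-pkg_cwhub_dataset.go, so any other text cscli prints to stdout in `-o human` mode would also trigger a reload; document the coupling with `# hub upgrade prints "updated <file>" per changed file (see patch-pkg_cwhub_dataset.go); any output means a reload is needed`. `/usr/local/etc/cron.d/oscrowdsec.cron` stays hard-coded while the cscli paths moved to `%%PREFIX%%` — presumably deliberate because the file belongs to the opnsense plugin, but a short comment saying so would prevent a future "fix".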