
(-)b/security/crowdsec/Makefile (-3 / +3 lines)
Lines 1-7 Link Here
1
PORTNAME=	crowdsec
1
PORTNAME=	crowdsec
2
DISTVERSIONPREFIX=	v
2
DISTVERSIONPREFIX=	v
3
DISTVERSION=	1.6.0
3
DISTVERSION=	1.6.1
4
PORTREVISION=	3
4
PORTREVISION=	1
5
CATEGORIES=	security
5
CATEGORIES=	security
6
6
7
MAINTAINER=	marco@crowdsec.net
7
MAINTAINER=	marco@crowdsec.net
Lines 15-21 LIB_DEPENDS= libabsl_base.so:devel/abseil \ Link Here
15
		libre2.so:devel/re2
15
		libre2.so:devel/re2
16
16
17
USES=		go:1.21,modules pkgconfig
17
USES=		go:1.21,modules pkgconfig
18
_COMMIT=	4b8e6cd7
18
_COMMIT=	0746e0c0
19
_BUILD_DATE=	$$(date -u "+%F_%T")
19
_BUILD_DATE=	$$(date -u "+%F_%T")
20
USE_RC_SUBR=	crowdsec
20
USE_RC_SUBR=	crowdsec
21
21
(-)b/security/crowdsec/distinfo (-5 / +5 lines)
Lines 1-5 Link Here
1
TIMESTAMP = 1706093904
1
TIMESTAMP = 1713296982
2
SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = bf62cad10105ba50e3e0778651341cb7eca13ff5785c79a206ca8a5d42b90fed
2
SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = b7957886889cef4dd7166ae8996a93d0f2f5071a8b2155c16c190388f71baeee
3
SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = 10099
3
SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = 10066
4
SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = c7cb4870cbcc848cf4c36161021930bc77f490f2701bcebdace6ad27a400a73f
4
SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = fbcee972b1c5b24b4b3a278381f2bd8837ca122e302defc747a76123a8c079c9
5
SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = 1440975
5
SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = 1483959
(-)b/security/crowdsec/files/crowdsec.in (-60 / +45 lines)
Lines 20-26 Link Here
20
. /etc/rc.subr
20
. /etc/rc.subr
21
21
22
name=crowdsec
22
name=crowdsec
23
desc="Crowdsec Agent"
24
rcvar=crowdsec_enable
23
rcvar=crowdsec_enable
25
24
26
load_rc_config "$name"
25
load_rc_config "$name"
Lines 30-124 load_rc_config "$name" Link Here
30
: "${crowdsec_machine_name:=localhost}"
29
: "${crowdsec_machine_name:=localhost}"
31
: "${crowdsec_flags:=}"
30
: "${crowdsec_flags:=}"
32
31
33
pidfile=/var/run/${name}.pid
32
pidfile=/var/run/${name}_daemon.pid
33
pidfile_crowdsec=/var/run/${name}.pid
34
required_files="$crowdsec_config"
34
required_files="$crowdsec_config"
35
command="%%PREFIX%%/bin/${name}"
35
command="/usr/sbin/daemon"
36
start_cmd="${name}_start"
36
command_crowdsec="%%PREFIX%%/bin/crowdsec"
37
stop_cmd="${name}_stop"
37
command_cscli="%%PREFIX%%/bin/cscli"
38
command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
39
reload_cmd="${name}_reload"
38
start_precmd="${name}_precmd"
40
start_precmd="${name}_precmd"
39
configtest_cmd="${name}_configtest"
41
configtest_cmd="${name}_configtest"
42
reload_precmd="${name}_configtest"
43
restart_precmd="${name}_configtest"
44
stop_precmd="${name}_stop_precmd"
45
stop_postcmd="${name}_stop_postcmd"
40
extra_commands="configtest reload"
46
extra_commands="configtest reload"
41
47
48
crowdsec_stop_precmd() {
49
    # take note of the pid, because sbin/daemon will remove the file
50
    # without waiting for crowdsec to exit
51
    if [ -r "$pidfile_crowdsec" ]; then
52
        _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")"
53
        export _CROWDSECPID
54
    fi
55
}
56
57
crowdsec_stop_postcmd() {
58
    # wait for process to exit before restarting, or it will find the http port in use
59
    if [ -n "$_CROWDSECPID" ]; then
60
        wait_for_pids "$_CROWDSECPID"
61
    fi
62
}
63
42
crowdsec_precmd() {
64
crowdsec_precmd() {
43
    cs_cli() {
65
    cs_cli() {
44
        "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"
66
        "$command_cscli" -c "$crowdsec_config" "$@"
45
    }
67
    }
68
46
    Config() {
69
    Config() {
47
        cs_cli config show --key "Config.$1"
70
        cs_cli config show --key "Config.$1"
48
    }
71
    }
49
72
50
    HUB_DIR=$(Config ConfigPaths.HubDir)
51
    if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
52
        echo "Fetching hub inventory"
53
        cs_cli hub update || :
54
    fi
55
56
    CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
57
58
    # Is the LAPI enabled on this node?
73
    # Is the LAPI enabled on this node?
59
    if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
74
    if [ "$(Config API.Server.Enable)" != "false" ]; then
60
75
        # There are no machines, we create one for cscli & log processor
61
        # There are no machines, we create the main one
76
        if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then
62
        if [ "$(cs_cli machines list -o json)" = "[]" ]; then
63
            echo "Registering LAPI"
77
            echo "Registering LAPI"
64
            cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
78
            cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
65
        fi
79
        fi
66
80
81
        CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
82
67
        # Register to the central server to receive the community blocklist and more
83
        # Register to the central server to receive the community blocklist and more
68
        if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
84
        if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
69
            echo "Registering CAPI"
85
            echo "Registering CAPI"
70
            cs_cli capi register || :
86
            cs_cli capi register || :
71
        fi
87
        fi
72
73
    fi
88
    fi
74
89
75
    # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
90
    # install the collection for the first time, or if it has been removed
76
    #    cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
91
    cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
77
    #        cs_cli collections install crowdsecurity/freebsd || :
78
79
    # So we just check for the file
80
    if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
81
        cs_cli collections install crowdsecurity/freebsd || :
92
        cs_cli collections install crowdsecurity/freebsd || :
82
    fi
83
}
93
}
84
94
85
crowdsec_stop()
95
crowdsec_configtest() {
86
{
96
    echo "Performing sanity check on ${name} configuration."
87
    if [ ! -f "$pidfile" ]; then
97
    if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
88
        echo "${name} is not running."
98
        exit 1
89
        return
90
    fi
91
    pid=$(cat "$pidfile")
92
    if kill -0 "$pid" >/dev/null 2>&1; then
93
        echo "Stopping ${name}."
94
        kill -s TERM "$pid" >/dev/null 2>&1
95
        # shellcheck disable=SC2034
96
        for i in $(seq 1 20); do
97
            sleep 1
98
            if ! kill -0 "$pid" >/dev/null 2>&1; then
99
                rm -f "$pidfile"
100
                return
101
            fi
102
        done
103
        echo "Timeout, terminating ${name} with SIGKILL."
104
        kill -s KILL "$pid" >/dev/null 2>&1
105
        rm -f "$pidfile"
106
    else
107
        echo "${name} is not running."
108
    fi
99
    fi
100
    echo "Configuration test OK"
109
}
101
}
110
102
111
crowdsec_start()
103
crowdsec_reload() {
112
{
104
    echo "Reloading configuration"
113
    /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
105
    if [ -r "$pidfile_crowdsec" ]; then
114
        "$command" -c "$crowdsec_config" ${crowdsec_flags}
106
        kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")"
115
}
116
117
crowdsec_configtest()
118
{
119
    echo "Performing sanity check on ${name} configuration."
120
    if "$command" -c "$crowdsec_config" -t -error; then
121
        echo "Configuration test OK"
122
    fi
107
    fi
123
}
108
}
124
109
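Review bot: In crowdsec_reload, the output of check_pidfile goes straight into kill, so a readable but stale pid file (where check_pidfile prints nothing) ends in `kill -HUP ""` and a kill error instead of a clear message. Capture and test the pid first: `pid="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")"`, then `[ -n "$pid" ] || { echo "${name} is not running."; return 1; }`, then `kill -HUP "$pid"`. When the pid file is missing altogether, the function prints "Reloading configuration" and returns success without signalling anything, which the same guard would also cover if the `-r` test is folded into it.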
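--- a/security/crowdsec/files/patch-pkg_csconfig_database.go
+++ b/security/crowdsec/files/patch-pkg_csconfig_database.go
@@ -0,0 +1,36 @@
+--- pkg/csconfig/database.go.orig	2024-04-24 21:31:39 UTC
++++ pkg/csconfig/database.go
+@@ -76,26 +76,24 @@ func (c *Config) LoadDBConfig(inCli bool) error {
+ 		if c.DbConfig.UseWal == nil {
+ 			dbDir := filepath.Dir(c.DbConfig.DbPath)
+ 			isNetwork, fsType, err := types.IsNetworkFS(dbDir)
+-			if err != nil {
++			switch {
++			case err != nil:
+ 				log.Warnf("unable to determine if database is on network filesystem: %s", err)
+ 				log.Warning("You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.")
+-				return nil
+-			}
+-			if isNetwork {
++			case isNetwork:
+ 				log.Debugf("database is on network filesystem (%s), setting useWal to false", fsType)
+ 				c.DbConfig.UseWal = ptr.Of(false)
+-			} else {
++			default:
+ 				log.Debugf("database is on local filesystem (%s), setting useWal to true", fsType)
+ 				c.DbConfig.UseWal = ptr.Of(true)
+ 			}
+ 		} else if *c.DbConfig.UseWal {
+ 			dbDir := filepath.Dir(c.DbConfig.DbPath)
+ 			isNetwork, fsType, err := types.IsNetworkFS(dbDir)
+-			if err != nil {
++			switch {
++			case err != nil:
+ 				log.Warnf("unable to determine if database is on network filesystem: %s", err)
+-				return nil
+-			}
+-			if isNetwork {
++			case isNetwork:
+ 				log.Warnf("database seems to be stored on a network share (%s), but useWal is set to true. Proceed at your own risk.", fsType)
+ 			}
+ 		}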
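Review bot: On the `case err != nil:` arm of the first switch, `c.DbConfig.UseWal` stays nil, and with the `return nil` gone execution now continues into the rest of LoadDBConfig, which lies outside this hunk. If anything further down dereferences UseWal, that path needs a nil check; if nothing does, the arm deserves a comment such as `// UseWal intentionally left nil: filesystem type could not be determined`. The patch file also carries no header saying why the early returns are dropped or whether the change was submitted upstream, which makes it hard to tell when it can be retired on a later version bump.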
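--- a/security/crowdsec/files/patch-pkg_types_getfstype.go
+++ b/security/crowdsec/files/patch-pkg_types_getfstype.go
@@ -0,0 +1,8 @@
+--- pkg/types/getfstype.go.orig	2024-04-24 21:23:59 UTC
++++ pkg/types/getfstype.go
+@@ -1,4 +1,4 @@
+-//go:build !windows
++//go:build !windows && !freebsd
+ 
+ package types
+ 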
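--- a/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
+++ b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
@@ -0,0 +1,28 @@
+--- pkg/types/getfstype_freebsd.go.orig	2024-04-24 21:25:32 UTC
++++ pkg/types/getfstype_freebsd.go
+@@ -0,0 +1,25 @@
++//go:build freebsd
++
++package types
++
++import (
++    "fmt"
++    "syscall"
++)
++
++func GetFSType(path string) (string, error) {
++	var fsStat syscall.Statfs_t
++
++	if err := syscall.Statfs(path, &fsStat); err != nil {
++		return "", fmt.Errorf("failed to get filesystem type: %w", err)
++	}
++
++	bs := fsStat.Fstypename
++
++	b := make([]byte, len(bs))
++	for i, v := range bs {
++		b[i] = byte(v)
++	}
++
++	return string(b), nil
++}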
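Review bot: GetFSType returns the whole of `Fstypename`, NUL padding included, because the loop copies every element of the fixed-size array before `string(b)`. A caller comparing the result with a plain name such as "nfs" would then never match; the caller, IsNetworkFS, is outside this page, so that effect is inferred. Since the database.go patch in this change uses that answer to decide whether WAL is enabled, a missed match would leave WAL on for a database on a network share. Cut the name at the first zero byte inside the loop: `if v == 0 { return string(b[:i]), nil }`. The import block is also indented with spaces where gofmt would use a tab.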
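--- a/security/crowdsec/files/pkg-deinstall.in
+++ b/security/crowdsec/files/pkg-deinstall.in
@@ -1,9 +1,11 @@
 #!/bin/sh
 
+#shellcheck disable=SC2249
 case $2 in
        "DEINSTALL")
-               service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running
-               service crowdsec stop 2>/dev/null || :
+               # on pfsense, the service is not "enabled" so status and stop would fail
+               service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running
+               service crowdsec onestop 2>/dev/null || :
                ;;
 esac
 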
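--- a/security/crowdsec/files/pkg-install.in
+++ b/security/crowdsec/files/pkg-install.in
@@ -1,11 +1,19 @@
 #!/bin/sh
 
+# shellcheck disable=SC2249
 case $2 in
         "POST-INSTALL")
-                cscli hub update -o human --error > /dev/null
+                echo "Updating crowdsec hub data"
+                if cscli hub update -o human --error; then
+                    cscli hub upgrade -o human --error
+                else
+                    echo "Failed to update crowdsec hub data."
+                    echo "You can run 'cscli hub update; cscli hub upgrade'"
+                    echo "to update manually, or let the cron job do it for you."
+                fi
                 if [ -e /var/run/crowdsec.running ]; then
-                        service crowdsec start
-                        rm -f /var/run/crowdsec.running
+                    service crowdsec onestart
+                    rm -f /var/run/crowdsec.running
                 fi
                 ;;
 esac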
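Review bot: Both `cscli` calls in the POST-INSTALL branch are resolved through PATH, although this script runs as root at package install time and upgrade-hub.in in the same change switches to `%%PREFIX%%/bin/cscli`. Calling the installed binary by full path removes the dependency on the installer's environment: `if %%PREFIX%%/bin/cscli hub update -o human --error; then` and `%%PREFIX%%/bin/cscli hub upgrade -o human --error`, assuming this .in file gets the same %%PREFIX%% substitution. A failure of `hub upgrade` in the success branch is not reported, unlike the update failure handled in the `else` arm.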
(-)b/security/crowdsec/files/pkg-message.in (-3 / +3 lines)
Lines 15-25 You need to check/edit the following files in %%ETCDIR%% as described in https:/ Link Here
15
 - acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services)
15
 - acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services)
16
 - profiles.yaml: remediation policies (ban, duration, etc)
16
 - profiles.yaml: remediation policies (ban, duration, etc)
17
17
18
Then you can enable the daemon via sysrc and run it.
18
Then you can enable the service and run it.
19
19
20
----------
20
----------
21
# sysrc crowdsec_enable="YES"
21
# service crowdsec enable
22
crowdsec_enable: NO -> YES
22
crowdsec enabled in /etc/rc.conf
23
# service crowdsec start
23
# service crowdsec start
24
----------
24
----------
25
25
(-)b/security/crowdsec/files/upgrade-hub.in (-6 / +6 lines)
Lines 1-16 Link Here
1
#!/bin/sh
1
#!/bin/sh
2
2
3
test -x /usr/local/bin/cscli || exit 0
3
test -x %%PREFIX%%/bin/cscli || exit 0
4
5
# splay hub upgrade and crowdsec reload
6
sleep "$(jot -r 1 1 300)"
4
7
5
# favor the opnsense plugin's cron if it's there
8
# favor the opnsense plugin's cron if it's there
6
test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
9
test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
7
10
8
/usr/local/bin/cscli --error -o human hub update
11
%%PREFIX%%/bin/cscli --error -o human hub update
9
12
10
upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
13
upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
11
if [ -n "$upgraded" ]; then
14
if [ -n "$upgraded" ]; then
12
    # splay initial metrics push
13
    sleep "$(jot -r 1 1 60)"
14
    service crowdsec onestatus && service crowdsec onereload
15
    service crowdsec onestatus && service crowdsec onereload
15
fi
16
fi
16
17
17
- 
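Review bot: The random `sleep "$(jot -r 1 1 300)"` runs before the `test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0` check, so on a host where the opnsense plugin's cron takes over, the job waits up to five minutes only to exit. Moving the sleep below that check avoids the idle wait. The check itself still hard-codes `/usr/local` while the cscli paths in this file now use `%%PREFIX%%`, so the two can disagree on a non-default prefix. The exit status of `hub update` is not tested before `hub upgrade` runs, so the upgrade may work from a stale index.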
