FreeBSD Bugzilla – Attachment 249323 Details for
Bug 277832
security/crowdsec: restart crashing service, improve scripts
[patch]
patch for 1.6.0-3
0001-security-crowdsec-improve-rc-postinst-scripts.patch (text/plain), 7.95 KB, created by
marco
on 2024-03-20 09:46:45 UTC
Description:
patch for 1.6.0-3
Filename:
MIME Type:
Creator:
marco
Created:
2024-03-20 09:46:45 UTC
Size:
7.95 KB
patch
obsolete
>From c70213a963743c0a708d77b605f045cfd05c29b5 Mon Sep 17 00:00:00 2001
>From: marco <marco@crowdsec.net>
>Date: Wed, 20 Mar 2024 10:29:45 +0100
>Subject: [PATCH] security/crowdsec: improve rc, postinst scripts
>
> - restart service correctly if it crashes
> - update hub in postinst (if network available) instead of service start
> - use "one{status,stop...}" for compatibility with pfsense
>---
> security/crowdsec/Makefile | 2 +-
> security/crowdsec/files/crowdsec.in | 83 +++++++-----------------
> security/crowdsec/files/pkg-deinstall.in | 6 +-
> security/crowdsec/files/pkg-install.in | 14 +++-
> security/crowdsec/files/upgrade-hub.in | 11 ++--
> 5 files changed, 46 insertions(+), 70 deletions(-)
>
>diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
>index 1cc164e6bf25..53d3aa5d116b 100644
>--- a/security/crowdsec/Makefile
>+++ b/security/crowdsec/Makefile
>@@ -1,7 +1,7 @@
> PORTNAME= crowdsec
> DISTVERSIONPREFIX= v
> DISTVERSION= 1.6.0
>-PORTREVISION= 2
>+PORTREVISION= 3
> CATEGORIES= security
>
> MAINTAINER= marco@crowdsec.net
>diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in
>index eb72069392a8..c2529b4d3283 100644
>--- a/security/crowdsec/files/crowdsec.in
>+++ b/security/crowdsec/files/crowdsec.in
>@@ -20,7 +20,6 @@
> . /etc/rc.subr
>
> name=crowdsec
>-desc="Crowdsec Agent"
> rcvar=crowdsec_enable
>
> load_rc_config "$name"
>@@ -30,96 +29,62 @@ load_rc_config "$name"
> : "${crowdsec_machine_name:=localhost}"
> : "${crowdsec_flags:=}"
>
>-pidfile=/var/run/${name}.pid
>+pidfile=/var/run/${name}_daemon.pid
>+pidfile_crowdsec=/var/run/${name}.pid
> required_files="$crowdsec_config"
>-command="%%PREFIX%%/bin/${name}"
>-start_cmd="${name}_start"
>-stop_cmd="${name}_stop"
>+command="/usr/sbin/daemon"
>+command_crowdsec="%%PREFIX%%/bin/crowdsec"
>+command_cscli="%%PREFIX%%/bin/cscli"
>+command_args="-P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
>+reload_cmd="${name}_reload"
> start_precmd="${name}_precmd"
> configtest_cmd="${name}_configtest"
> extra_commands="configtest reload"
>
> crowdsec_precmd() {
> cs_cli() {
>- "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"
>+ "$command_cscli" -c "$crowdsec_config" "$@"
> }
>+
> Config() {
> cs_cli config show --key "Config.$1"
> }
>
>- HUB_DIR=$(Config ConfigPaths.HubDir)
>- if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
>- echo "Fetching hub inventory"
>- cs_cli hub update || :
>- fi
>-
>- CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
>-
> # Is the LAPI enabled on this node?
>- if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
>-
>- # There are no machines, we create the main one
>+ if [ "$(Config API.Server.Enable)" != "false" ]; then
>+ # There are no machines, we create one for cscli & log processor
> if [ "$(cs_cli machines list -o json)" = "[]" ]; then
> echo "Registering LAPI"
> cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
> fi
>
>+ CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
>+
> # Register to the central server to receive the community blocklist and more
> if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
> echo "Registering CAPI"
> cs_cli capi register || :
> fi
>-
> fi
>
>- # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
>- # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
>- # cs_cli collections install crowdsecurity/freebsd || :
>-
>- # So we just check for the file
>- if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
>+ # install the collection for the first time, or if it has been removed
>+ cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
> cs_cli collections install crowdsecurity/freebsd || :
>- fi
>-}
>-
>-crowdsec_stop()
>-{
>- if [ ! -f "$pidfile" ]; then
>- echo "${name} is not running."
>- return
>- fi
>- pid=$(cat "$pidfile")
>- if kill -0 "$pid" >/dev/null 2>&1; then
>- echo "Stopping ${name}."
>- kill -s TERM "$pid" >/dev/null 2>&1
>- # shellcheck disable=SC2034
>- for i in $(seq 1 20); do
>- sleep 1
>- if ! kill -0 "$pid" >/dev/null 2>&1; then
>- rm -f "$pidfile"
>- return
>- fi
>- done
>- echo "Timeout, terminating ${name} with SIGKILL."
>- kill -s KILL "$pid" >/dev/null 2>&1
>- rm -f "$pidfile"
>- else
>- echo "${name} is not running."
>- fi
>-}
>-
>-crowdsec_start()
>-{
>- /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
>- "$command" -c "$crowdsec_config" ${crowdsec_flags}
> }
>
> crowdsec_configtest()
> {
> echo "Performing sanity check on ${name} configuration."
>- if "$command" -c "$crowdsec_config" -t -error; then
>- echo "Configuration test OK"
>+ if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
>+ exit 1
> fi
>+ echo "Configuration test OK"
>+}
>+
>+crowdsec_reload() {
>+ crowdsec_configtest
>+ echo "Reloading configuration"
>+ kill -HUP "$(cat "$pidfile_crowdsec")"
> }
>
> run_rc_command "$1"
>diff --git a/security/crowdsec/files/pkg-deinstall.in b/security/crowdsec/files/pkg-deinstall.in
>index 4cee7a613b84..6d60f11d51e6 100644
>--- a/security/crowdsec/files/pkg-deinstall.in
>+++ b/security/crowdsec/files/pkg-deinstall.in
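Review bot: `crowdsec_reload` sends SIGHUP to whatever `cat "$pidfile_crowdsec"` prints, without checking that the file exists or that the PID still belongs to crowdsec. The rc script presumably runs as root and daemon(8) now restarts the child, so a missing file leaves `kill` with an empty argument and a stale one could signal an unrelated process. rc.subr's `check_pidfile` covers both cases: `pid=$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")` followed by `[ -n "$pid" ] && kill -HUP "$pid"`. Separately, `crowdsec_precmd` still swallows every `cs_cli` failure with `|| :`; with the hub update moved out of service start, a host installed offline may start without the freebsd collection and say nothing, so a warning on that path would make the detection gap visible.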
>@@ -1,9 +1,11 @@
> #!/bin/sh
>
>+#shellcheck disable=SC2249
> case $2 in
> "DEINSTALL")
>- service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running
>- service crowdsec stop 2>/dev/null || :
>+ # on pfsense, the service is not "enabled" so status and stop would fail
>+ service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running
>+ service crowdsec onestop 2>/dev/null || :
> ;;
> esac
>
>diff --git a/security/crowdsec/files/pkg-install.in b/security/crowdsec/files/pkg-install.in
>index 74bccb12c1ab..d0a9fe85d3b4 100644
>--- a/security/crowdsec/files/pkg-install.in
>+++ b/security/crowdsec/files/pkg-install.in
>@@ -1,11 +1,19 @@
> #!/bin/sh
>
>+# shellcheck disable=SC2249
> case $2 in
> "POST-INSTALL")
>- cscli hub update -o human --error > /dev/null
>+ echo "Updating crowdsec hub data"
>+ if cscli hub update -o human --error; then
>+ cscli hub upgrade -o human --error
>+ else
>+ echo "Failed to update crowdsec hub data."
>+ echo "You can run 'cscli hub update; cscli hub upgrade'"
>+ echo "to update manually, or let the cron job do it for you."
>+ fi
> if [ -e /var/run/crowdsec.running ]; then
>- service crowdsec start
>- rm -f /var/run/crowdsec.running
>+ service crowdsec onestart
>+ rm -f /var/run/crowdsec.running
> fi
> ;;
> esac
>diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in
>index 2364169f4425..b5b6fd2565c5 100644
>--- a/security/crowdsec/files/upgrade-hub.in
>+++ b/security/crowdsec/files/upgrade-hub.in
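Review bot: The POST-INSTALL branch of pkg-install.in calls `cscli` by bare name, so this package script (presumably run as root) resolves the binary through whatever PATH pkg provides. upgrade-hub.in in this same patch switches to `%%PREFIX%%/bin/cscli`. Using the absolute path here too, `if %%PREFIX%%/bin/cscli hub update -o human --error; then`, would keep the two consistent, assuming pkg-install.in gets the same substitution. The exit status of `cscli hub upgrade` is also ignored, so a failed upgrade after a successful update is not reported by the script; appending `|| echo "Failed to upgrade crowdsec hub data."` to that line would surface it.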
>@@ -1,16 +1,17 @@
> #!/bin/sh
>
>-test -x /usr/local/bin/cscli || exit 0
>+test -x %%PREFIX%%/bin/cscli || exit 0
>+
>+# splay hub upgrade and crowdsec reload
>+sleep "$(jot -r 1 1 300)"
>
> # favor the opnsense plugin's cron if it's there
> test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
>
>-/usr/local/bin/cscli --error -o human hub update
>+%%PREFIX%%/bin/cscli --error -o human hub update
>
>-upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
>+upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
> if [ -n "$upgraded" ]; then
>- # splay initial metrics push
>- sleep "$(jot -r 1 1 60)"
> service crowdsec onestatus && service crowdsec onereload
> fi
>
>--
>2.40.1
>
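Review bot: The new `sleep "$(jot -r 1 1 300)"` runs before the `test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0` check, so on hosts where the opnsense cron takes over, this job still sleeps for up to five minutes before exiting. Moving the `test -e ... && exit 0` line above the sleep avoids that. That check also still hardcodes `/usr/local` while the cscli calls now use `%%PREFIX%%`; if that is intentional, a short comment would say so. The result of `hub update` is not checked before `hub upgrade` runs against a possibly stale index; `%%PREFIX%%/bin/cscli --error -o human hub update || exit 1` would stop there.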
Attachments on
bug 277832
:
249323
|
249341