FreeBSD Bugzilla – Attachment 249341 Details for Bug 277832
security/crowdsec: restart crashing service, improve scripts
[patch]
patch for 1.6.0-3
0001-security-crowdsec-improve-rc-postinst-scripts.patch (text/plain), 9.82 KB, created by marco on 2024-03-20 15:23:08 UTC
patch
obsolete
>From 6d91ad72644c58076c541298956f8fd47c3a6a43 Mon Sep 17 00:00:00 2001 >From: marco <marco@crowdsec.net> >Date: Wed, 20 Mar 2024 10:29:45 +0100 >Subject: [PATCH] security/crowdsec: improve rc, postinst scripts > > - restart service correctly if it crashes > - update hub in postinst (if network available) instead of service start > - use "one{status,stop...}" for compatibility with pfsense > - patch behavior for data download and service reload after upgrade >--- > security/crowdsec/Makefile | 2 +- > security/crowdsec/files/crowdsec.in | 83 ++++++------------- > .../crowdsec/files/patch-pkg_cwhub_dataset.go | 55 ++++++++++++ > security/crowdsec/files/pkg-deinstall.in | 6 +- > security/crowdsec/files/pkg-install.in | 14 +++- > security/crowdsec/files/upgrade-hub.in | 11 +-- > 6 files changed, 101 insertions(+), 70 deletions(-) > create mode 100644 security/crowdsec/files/patch-pkg_cwhub_dataset.go > >diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile >index 1cc164e6bf25..53d3aa5d116b 100644 >--- a/security/crowdsec/Makefile >+++ b/security/crowdsec/Makefile >@@ -1,7 +1,7 @@ > PORTNAME= crowdsec > DISTVERSIONPREFIX= v > DISTVERSION= 1.6.0 >-PORTREVISION= 2 >+PORTREVISION= 3 > CATEGORIES= security > > MAINTAINER= marco@crowdsec.net >diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in >index eb72069392a8..c2529b4d3283 100644 >--- a/security/crowdsec/files/crowdsec.in >+++ b/security/crowdsec/files/crowdsec.in >@@ -20,7 +20,6 @@ > . /etc/rc.subr > > name=crowdsec >-desc="Crowdsec Agent" > rcvar=crowdsec_enable > > load_rc_config "$name" 
>@@ -30,96 +29,62 @@ load_rc_config "$name" > : "${crowdsec_machine_name:=localhost}" > : "${crowdsec_flags:=}" > >-pidfile=/var/run/${name}.pid >+pidfile=/var/run/${name}_daemon.pid >+pidfile_crowdsec=/var/run/${name}.pid > required_files="$crowdsec_config" >-command="%%PREFIX%%/bin/${name}" >-start_cmd="${name}_start" >-stop_cmd="${name}_stop" >+command="/usr/sbin/daemon" >+command_crowdsec="%%PREFIX%%/bin/crowdsec" >+command_cscli="%%PREFIX%%/bin/cscli" >+command_args="-P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}" >+reload_cmd="${name}_reload" > start_precmd="${name}_precmd" > configtest_cmd="${name}_configtest" > extra_commands="configtest reload" > > crowdsec_precmd() { > cs_cli() { >- "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@" >+ "$command_cscli" -c "$crowdsec_config" "$@" > } >+ > Config() { > cs_cli config show --key "Config.$1" > } > >- HUB_DIR=$(Config ConfigPaths.HubDir) >- if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then >- echo "Fetching hub inventory" >- cs_cli hub update || : >- fi >- >- CONFIG_DIR=$(Config ConfigPaths.ConfigDir) >- > # Is the LAPI enabled on this node? >- if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then >- >- # There are no machines, we create the main one >+ if [ "$(Config API.Server.Enable)" != "false" ]; then >+ # There are no machines, we create one for cscli & log processor > if [ "$(cs_cli machines list -o json)" = "[]" ]; then > echo "Registering LAPI" > cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || : > fi > >+ CONFIG_DIR=$(Config ConfigPaths.ConfigDir) >+ > # Register to the central server to receive the community blocklist and more > if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then > echo "Registering CAPI" > cs_cli capi register || : > fi >- > fi > >- # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet. 
>- # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \ >- # cs_cli collections install crowdsecurity/freebsd || : >- >- # So we just check for the file >- if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then >+ # install the collection for the first time, or if it has been removed >+ cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \ > cs_cli collections install crowdsecurity/freebsd || : >- fi >-} >- >-crowdsec_stop() >-{ >- if [ ! -f "$pidfile" ]; then >- echo "${name} is not running." >- return >- fi >- pid=$(cat "$pidfile") >- if kill -0 "$pid" >/dev/null 2>&1; then >- echo "Stopping ${name}." >- kill -s TERM "$pid" >/dev/null 2>&1 >- # shellcheck disable=SC2034 >- for i in $(seq 1 20); do >- sleep 1 >- if ! kill -0 "$pid" >/dev/null 2>&1; then >- rm -f "$pidfile" >- return >- fi >- done >- echo "Timeout, terminating ${name} with SIGKILL." >- kill -s KILL "$pid" >/dev/null 2>&1 >- rm -f "$pidfile" >- else >- echo "${name} is not running." >- fi >-} >- >-crowdsec_start() >-{ >- /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ >- "$command" -c "$crowdsec_config" ${crowdsec_flags} > } > > crowdsec_configtest() > { > echo "Performing sanity check on ${name} configuration." >- if "$command" -c "$crowdsec_config" -t -error; then >- echo "Configuration test OK" >+ if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then >+ exit 1 > fi >+ echo "Configuration test OK" >+} >+ >+crowdsec_reload() { >+ crowdsec_configtest >+ echo "Reloading configuration" >+ kill -HUP "$(cat "$pidfile_crowdsec")" > } > > run_rc_command "$1" >diff --git a/security/crowdsec/files/patch-pkg_cwhub_dataset.go b/security/crowdsec/files/patch-pkg_cwhub_dataset.go >new file mode 100644 >index 000000000000..1629d97a431d >--- /dev/null >+++ b/security/crowdsec/files/patch-pkg_cwhub_dataset.go 
>@@ -0,0 +1,55 @@ >+--- pkg/cwhub/dataset.go.orig 1979-11-30 00:00:00 UTC >++++ pkg/cwhub/dataset.go >+@@ -6,6 +6,7 @@ import ( >+ "io" >+ "net/http" >+ "os" >++ "path/filepath" >+ "time" >+ >+ "github.com/sirupsen/logrus" >+@@ -31,19 +32,40 @@ func downloadFile(url string, destPath string) error { >+ return fmt.Errorf("bad http code %d for %s", resp.StatusCode, url) >+ } >+ >+- file, err := os.Create(destPath) >++ // Download to a temporary location to avoid corrupting files >++ // that are currently in use or memory mapped. >++ >++ tmpFile, err := os.CreateTemp(filepath.Dir(destPath), filepath.Base(destPath)+".*.tmp") >+ if err != nil { >+ return err >+ } >+- defer file.Close() >+ >++ tmpFileName := tmpFile.Name() >++ defer func() { >++ tmpFile.Close() >++ os.Remove(tmpFileName) >++ }() >++ >+ // avoid reading the whole file in memory >+- _, err = io.Copy(file, resp.Body) >++ _, err = io.Copy(tmpFile, resp.Body) >+ if err != nil { >+ return err >+ } >+ >+- if err = file.Sync(); err != nil { >++ if err = tmpFile.Sync(); err != nil { >++ return err >++ } >++ >++ if err = tmpFile.Close(); err != nil { >++ return err >++ } >++ >++ // a check on stdout is used while scripting to know if the hub has been upgraded >++ // and a configuration reload is required >++ // TODO: use a better way to communicate this >++ fmt.Printf("updated %s\n", filepath.Base(destPath)) >++ >++ if err = os.Rename(tmpFileName, destPath); err != nil { >+ return err >+ } >+ >diff --git a/security/crowdsec/files/pkg-deinstall.in b/security/crowdsec/files/pkg-deinstall.in >index 4cee7a613b84..6d60f11d51e6 100644 >--- a/security/crowdsec/files/pkg-deinstall.in >+++ b/security/crowdsec/files/pkg-deinstall.in 
>@@ -1,9 +1,11 @@ > #!/bin/sh > >+#shellcheck disable=SC2249 > case $2 in > "DEINSTALL") >- service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running >- service crowdsec stop 2>/dev/null || : >+ # on pfsense, the service is not "enabled" so status and stop would fail >+ service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running >+ service crowdsec onestop 2>/dev/null || : > ;; > esac > >diff --git a/security/crowdsec/files/pkg-install.in b/security/crowdsec/files/pkg-install.in >index 74bccb12c1ab..d0a9fe85d3b4 100644 >--- a/security/crowdsec/files/pkg-install.in >+++ b/security/crowdsec/files/pkg-install.in >@@ -1,11 +1,19 @@ > #!/bin/sh > >+# shellcheck disable=SC2249 > case $2 in > "POST-INSTALL") >- cscli hub update -o human --error > /dev/null >+ echo "Updating crowdsec hub data" >+ if cscli hub update -o human --error; then >+ cscli hub upgrade -o human --error >+ else >+ echo "Failed to update crowdsec hub data." >+ echo "You can run 'cscli hub update; cscli hub upgrade'" >+ echo "to update manually, or let the cron job do it for you." >+ fi > if [ -e /var/run/crowdsec.running ]; then >- service crowdsec start >- rm -f /var/run/crowdsec.running >+ service crowdsec onestart >+ rm -f /var/run/crowdsec.running > fi > ;; > esac >diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in >index 2364169f4425..b5b6fd2565c5 100644 >--- a/security/crowdsec/files/upgrade-hub.in >+++ b/security/crowdsec/files/upgrade-hub.in 
>@@ -1,16 +1,17 @@ > #!/bin/sh > >-test -x /usr/local/bin/cscli || exit 0 >+test -x %%PREFIX%%/bin/cscli || exit 0 >+ >+# splay hub upgrade and crowdsec reload >+sleep "$(jot -r 1 1 300)" > > # favor the opnsense plugin's cron if it's there > test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0 > >-/usr/local/bin/cscli --error -o human hub update >+%%PREFIX%%/bin/cscli --error -o human hub update > >-upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade) >+upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade) > if [ -n "$upgraded" ]; then >- # splay initial metrics push >- sleep "$(jot -r 1 1 60)" > service crowdsec onestatus && service crowdsec onereload > fi > >-- >2.40.1 >
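Review bot: in the crowdsec.in hunk at `@@ -30,96 +29,62 @@`, `crowdsec_reload` runs `kill -HUP "$(cat "$pidfile_crowdsec")"` with no check that the child pidfile exists or that the pid in it is alive. With `daemon -r -R 10` the child pidfile can be missing or stale for up to 10 seconds after a crash, and `cat` on a missing file turns the line into `kill -HUP ""`, which prints a kill usage error instead of a clear status. Suggest guarding with rc.subr's own helper before the kill, e.g. `pid=$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec"); [ -n "$pid" ] || { echo "${name} is not running."; return 1; }`, and using `return 1` rather than `exit 1` in `crowdsec_configtest` so the failure status flows back through `run_rc_command` and the reload path the same way. Two related consequences of this hunk are worth a second look: removing `crowdsec_stop` also drops the 20-second SIGTERM-then-SIGKILL fallback (the rc.subr default stop waits in `wait_for_pids` with no timeout, so a wedged crowdsec makes `service crowdsec stop` hang), and `daemon -r` restarts the process on any non-zero exit, so a configuration error now produces a restart loop every 10 seconds instead of a failed `start`; calling `crowdsec_configtest` from `crowdsec_precmd` would make a broken config fail `start` clearly before the supervisor is launched.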
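Review bot: in the new patch-pkg_cwhub_dataset.go, the `fmt.Printf("updated %s\n", filepath.Base(destPath))` line runs before `os.Rename(tmpFileName, destPath)`, so when the rename fails the caller is told the file was updated while the old copy is still in place; upgrade-hub.in keys its `service crowdsec onereload` on exactly this stdout line, so the print should move after the rename succeeds. A second point: `os.CreateTemp` creates the temporary file with mode 0600, whereas the `os.Create` it replaces used 0666 before umask, so after the first upgrade hub data files become readable by root only. If anything other than root reads these files, apply the previous mode (`tmpFile.Chmod(0644)` or the mode of the existing `destPath`) before the rename, otherwise note the permission change in the commit message so it is deliberate rather than incidental. The double `tmpFile.Close()` (explicit plus deferred) is harmless, as is the deferred `os.Remove` running on a path that no longer exists after a successful rename.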
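Review bot: in the pkg-deinstall.in hunk, the marker `/var/run/crowdsec.running` is only ever removed by the POST-INSTALL step, so on a plain removal (not an upgrade) it stays behind until the next reboot, and a later fresh install in the same boot session will run `service crowdsec onestart` from POST-INSTALL even though nothing was running. This predates the patch, but since the hunk touches these lines it is a cheap fix: remove the marker on the `DEINSTALL` path of a non-upgrade, or have POST-INSTALL ignore a marker older than the package install. Style nit on the same hunk: the directive is written `#shellcheck disable=SC2249` here but `# shellcheck disable=SC2249` in pkg-install.in; both are accepted, but keep one form across the port's scripts.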
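Review bot: in the pkg-install.in hunk, `cscli` is invoked by bare name (`if cscli hub update -o human --error; then`) while this same patch switches upgrade-hub.in to `%%PREFIX%%/bin/cscli` and the rc script to `command_cscli="%%PREFIX%%/bin/cscli"`; a non-default PREFIX, or a minimal PATH in the environment pkg runs scripts under, would make the POST-INSTALL step fail for a reason unrelated to the hub. Suggest `%%PREFIX%%/bin/cscli` on both the `hub update` and `hub upgrade` lines for consistency with the rest of the port. Also, the commit message says the hub is updated "if network available", but nothing in the script detects connectivity; it simply lets `cscli hub update` fail and prints the fallback instructions, which means an install on an offline host blocks until cscli's own HTTP timeout expires. That behaviour is acceptable, but the message and the `echo` text should describe it as "falls back to the cron job if the update fails" rather than implying a network check.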
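Review bot: in the upgrade-hub.in hunk, the splay `sleep "$(jot -r 1 1 300)"` was moved above the `test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0` line, so on OPNsense the cron job now sleeps for up to five minutes only to exit without doing anything; move the sleep below that early-exit test (keeping it above `hub update`, which is where the splay matters). Two smaller points in the same hunk: the `hub update` line ignores its exit status, so on a failed inventory fetch the script proceeds to `hub upgrade` against stale data, and `%%PREFIX%%/bin/cscli --error -o human hub update || exit 1` would make the failure explicit; and since `upgraded=$(... hub upgrade)` keys the reload on the "updated ..." stdout line introduced by patch-pkg_cwhub_dataset.go, the reload fires whenever any file download is reported, so that print must only happen once the file has actually been swapped in.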