patch for 1.6.1-1
0001-security-crowdsec-v1.6.1-improve-rc-postinst-scripts.patch (text/plain), 14.36 KB, created by
marco
on 2024-05-03 08:09:08 UTC
Description:
patch for 1.6.1-1
Filename:
MIME Type:
Creator:
marco
Created:
2024-05-03 08:09:08 UTC
Size:
14.36 KB
patch
obsolete
>From 773f9d78dfbd8f6e75586efa5aa33c3f58e61962 Mon Sep 17 00:00:00 2001
>From: marco <marco@crowdsec.net>
>Date: Tue, 16 Apr 2024 23:25:31 +0200
>Subject: [PATCH] security/crowdsec: v1.6.1; improve rc, postinst scripts
>
>- update upstream to latest stable
>- restart service correctly if it crashes
>- update hub in postinst (if network available) instead of service start
>- use "one{status,stop...}" for compatibility with pfsense
>- patch: fix network fs detection
>---
> security/crowdsec/Makefile | 6 +-
> security/crowdsec/distinfo | 10 +-
> security/crowdsec/files/crowdsec.in | 105 ++++++++----------
> .../files/patch-pkg_csconfig_database.go | 36 ++++++
> .../files/patch-pkg_types_getfstype.go | 8 ++
> .../patch-pkg_types_getfstype__freebsd.go | 28 +++++
> security/crowdsec/files/pkg-deinstall.in | 6 +-
> security/crowdsec/files/pkg-install.in | 14 ++-
> security/crowdsec/files/pkg-message.in | 6 +-
> security/crowdsec/files/upgrade-hub.in | 11 +-
> 10 files changed, 149 insertions(+), 81 deletions(-)
> create mode 100644 security/crowdsec/files/patch-pkg_csconfig_database.go
> create mode 100644 security/crowdsec/files/patch-pkg_types_getfstype.go
> create mode 100644 security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
>
>diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
>index 53d3aa5d116b..8878c053dfff 100644
>--- a/security/crowdsec/Makefile
>+++ b/security/crowdsec/Makefile
>@@ -1,7 +1,7 @@
> PORTNAME= crowdsec
> DISTVERSIONPREFIX= v
>-DISTVERSION= 1.6.0
>-PORTREVISION= 3
>+DISTVERSION= 1.6.1
>+PORTREVISION= 1
> CATEGORIES= security
> 
> MAINTAINER= marco@crowdsec.net
>@@ -15,7 +15,7 @@ LIB_DEPENDS= libabsl_base.so:devel/abseil \
> libre2.so:devel/re2
> 
> USES= go:1.21,modules pkgconfig
>-_COMMIT= 4b8e6cd7
>+_COMMIT= 0746e0c0
> _BUILD_DATE= $$(date -u "+%F_%T")
> USE_RC_SUBR= crowdsec
> 
>diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo
>index 0a0ed29eef9c..9cb7e50d131c 100644
>--- a/security/crowdsec/distinfo
>+++ b/security/crowdsec/distinfo
>@@ -1,5 +1,5 @@
>-TIMESTAMP = 1706093904
>-SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = bf62cad10105ba50e3e0778651341cb7eca13ff5785c79a206ca8a5d42b90fed
>-SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = 10099
>-SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = c7cb4870cbcc848cf4c36161021930bc77f490f2701bcebdace6ad27a400a73f
>-SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = 1440975
>+TIMESTAMP = 1713296982
>+SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = b7957886889cef4dd7166ae8996a93d0f2f5071a8b2155c16c190388f71baeee
>+SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = 10066
>+SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = fbcee972b1c5b24b4b3a278381f2bd8837ca122e302defc747a76123a8c079c9
>+SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = 1483959
>diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in
>index eb72069392a8..703a3045657d 100644
>--- a/security/crowdsec/files/crowdsec.in
>+++ b/security/crowdsec/files/crowdsec.in
>@@ -20,7 +20,6 @@
> . /etc/rc.subr
> 
> name=crowdsec
>-desc="Crowdsec Agent"
> rcvar=crowdsec_enable
> 
> load_rc_config "$name"
>@@ -30,95 +29,81 @@ load_rc_config "$name"
> : "${crowdsec_machine_name:=localhost}"
> : "${crowdsec_flags:=}"
> 
>-pidfile=/var/run/${name}.pid
>+pidfile=/var/run/${name}_daemon.pid
>+pidfile_crowdsec=/var/run/${name}.pid
> required_files="$crowdsec_config"
>-command="%%PREFIX%%/bin/${name}"
>-start_cmd="${name}_start"
>-stop_cmd="${name}_stop"
>+command="/usr/sbin/daemon"
>+command_crowdsec="%%PREFIX%%/bin/crowdsec"
>+command_cscli="%%PREFIX%%/bin/cscli"
>+command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
>+reload_cmd="${name}_reload"
> start_precmd="${name}_precmd"
> configtest_cmd="${name}_configtest"
>+reload_precmd="${name}_configtest"
>+restart_precmd="${name}_configtest"
>+stop_precmd="${name}_stop_precmd"
>+stop_postcmd="${name}_stop_postcmd"
> extra_commands="configtest reload"
> 
>+crowdsec_stop_precmd() {
>+ # take note of the pid, because sbin/daemon will remove the file
>+ # without waiting for crowdsec to exit
>+ if [ -r "$pidfile_crowdsec" ]; then
>+ _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")"
>+ export _CROWDSECPID
>+ fi
>+}
>+
>+crowdsec_stop_postcmd() {
>+ # wait for process to exit before restarting, or it will find the http port in use
>+ if [ -n "$_CROWDSECPID" ]; then
>+ wait_for_pids "$_CROWDSECPID"
>+ fi
>+}
>+
> crowdsec_precmd() {
> cs_cli() {
>- "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"
>+ "$command_cscli" -c "$crowdsec_config" "$@"
> }
>+
> Config() {
> cs_cli config show --key "Config.$1"
> }
> 
>- HUB_DIR=$(Config ConfigPaths.HubDir)
>- if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
>- echo "Fetching hub inventory"
>- cs_cli hub update || :
>- fi
>-
>- CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
>-
> # Is the LAPI enabled on this node?
>- if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
>-
>- # There are no machines, we create the main one
>- if [ "$(cs_cli machines list -o json)" = "[]" ]; then
>+ if [ "$(Config API.Server.Enable)" != "false" ]; then
>+ # There are no machines, we create one for cscli & log processor
>+ if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then
> echo "Registering LAPI"
> cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
> fi
> 
>+ CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
>+
> # Register to the central server to receive the community blocklist and more
> if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
> echo "Registering CAPI"
> cs_cli capi register || :
> fi
>-
> fi
> 
>- # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
>- # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
>- # cs_cli collections install crowdsecurity/freebsd || :
>-
>- # So we just check for the file
>- if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
>+ # install the collection for the first time, or if it has been removed
>+ cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
> cs_cli collections install crowdsecurity/freebsd || :
>- fi
> }
> 
>-crowdsec_stop()
>-{
>- if [ ! -f "$pidfile" ]; then
>- echo "${name} is not running."
>- return
>- fi
>- pid=$(cat "$pidfile")
>- if kill -0 "$pid" >/dev/null 2>&1; then
>- echo "Stopping ${name}."
>- kill -s TERM "$pid" >/dev/null 2>&1
>- # shellcheck disable=SC2034
>- for i in $(seq 1 20); do
>- sleep 1
>- if ! kill -0 "$pid" >/dev/null 2>&1; then
>- rm -f "$pidfile"
>- return
>- fi
>- done
>- echo "Timeout, terminating ${name} with SIGKILL."
>- kill -s KILL "$pid" >/dev/null 2>&1
>- rm -f "$pidfile"
>- else
>- echo "${name} is not running."
>+crowdsec_configtest() {
>+ echo "Performing sanity check on ${name} configuration."
>+ if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
>+ exit 1
> fi
>+ echo "Configuration test OK"
> }
> 
>-crowdsec_start()
>-{
>- /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
>- "$command" -c "$crowdsec_config" ${crowdsec_flags}
>-}
>-
>-crowdsec_configtest()
>-{
>- echo "Performing sanity check on ${name} configuration."
>- if "$command" -c "$crowdsec_config" -t -error; then
>- echo "Configuration test OK"
>+crowdsec_reload() {
>+ echo "Reloading configuration"
>+ if [ -r "$pidfile_crowdsec" ]; then
>+ kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")"
> fi
> }
> 
>diff --git a/security/crowdsec/files/patch-pkg_csconfig_database.go b/security/crowdsec/files/patch-pkg_csconfig_database.go
>new file mode 100644
>index 000000000000..c34546376722
>--- /dev/null
>+++ b/security/crowdsec/files/patch-pkg_csconfig_database.go
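Review bot: crowdsec_reload hands the output of check_pidfile straight to kill, so when the pidfile is stale or its pid no longer belongs to ${command_crowdsec}, check_pidfile prints nothing and the script executes `kill -HUP ""`, which fails with a shell usage error instead of a meaningful message. Capture the pid first and bail out on empty: `_pid=$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")`, `[ -n "$_pid" ] || { echo "${name} is not running."; return 1; }`, `kill -HUP "$_pid"`. In command_args, `${crowdsec_config}` and `${command_crowdsec}` are interpolated unquoted into a string that rc.subr evaluates later, whereas the removed crowdsec_start quoted them, so a config path containing whitespace now splits into several arguments. Note too that crowdsec_precmd still calls `cs_cli collections install` on the start path whenever the collection is missing, so a first `service crowdsec start` can still reach the network even though the commit message moves hub fetches into postinst; a comment on that line would set expectations for operators running on a firewalled host.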
>@@ -0,0 +1,36 @@
>+--- pkg/csconfig/database.go.orig 2024-04-24 21:31:39 UTC
>++++ pkg/csconfig/database.go
>+@@ -76,26 +76,24 @@ func (c *Config) LoadDBConfig(inCli bool) error {
>+ if c.DbConfig.UseWal == nil {
>+ dbDir := filepath.Dir(c.DbConfig.DbPath)
>+ isNetwork, fsType, err := types.IsNetworkFS(dbDir)
>+- if err != nil {
>++ switch {
>++ case err != nil:
>+ log.Warnf("unable to determine if database is on network filesystem: %s", err)
>+ log.Warning("You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.")
>+- return nil
>+- }
>+- if isNetwork {
>++ case isNetwork:
>+ log.Debugf("database is on network filesystem (%s), setting useWal to false", fsType)
>+ c.DbConfig.UseWal = ptr.Of(false)
>+- } else {
>++ default:
>+ log.Debugf("database is on local filesystem (%s), setting useWal to true", fsType)
>+ c.DbConfig.UseWal = ptr.Of(true)
>+ }
>+ } else if *c.DbConfig.UseWal {
>+ dbDir := filepath.Dir(c.DbConfig.DbPath)
>+ isNetwork, fsType, err := types.IsNetworkFS(dbDir)
>+- if err != nil {
>++ switch {
>++ case err != nil:
>+ log.Warnf("unable to determine if database is on network filesystem: %s", err)
>+- return nil
>+- }
>+- if isNetwork {
>++ case isNetwork:
>+ log.Warnf("database seems to be stored on a network share (%s), but useWal is set to true. Proceed at your own risk.", fsType)
>+ }
>+ }
>diff --git a/security/crowdsec/files/patch-pkg_types_getfstype.go b/security/crowdsec/files/patch-pkg_types_getfstype.go
>new file mode 100644
>index 000000000000..9b9775265421
>--- /dev/null
>+++ b/security/crowdsec/files/patch-pkg_types_getfstype.go
>@@ -0,0 +1,8 @@
>+--- pkg/types/getfstype.go.orig 2024-04-24 21:23:59 UTC
>++++ pkg/types/getfstype.go
>+@@ -1,4 +1,4 @@
>+-//go:build !windows
>++//go:build !windows && !freebsd
>+ 
>+ package types
>+ 
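Review bot: In the `case err != nil:` arm of the first switch, c.DbConfig.UseWal stays nil and LoadDBConfig now keeps going instead of returning, which is the actual behavioral change of this patch, but nothing in the hunk says that is intended; the rest of LoadDBConfig is outside the hunk, so a reader cannot tell whether the code that follows tolerates a nil UseWal. Add a comment on that arm, e.g. `// detection failed: leave UseWal unset (no WAL, see the warning above) and keep loading the rest of the DB config`, so the next maintainer does not re-add the early return. Since this is a port-local patch against upstream Go source, the patch header should also name the upstream commit or PR it was taken from so it can be dropped on the next version bump.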
>diff --git a/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
>new file mode 100644
>index 000000000000..0fe3a5157120
>--- /dev/null
>+++ b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
>@@ -0,0 +1,28 @@
>+--- pkg/types/getfstype_freebsd.go.orig 2024-04-24 21:25:32 UTC
>++++ pkg/types/getfstype_freebsd.go
>+@@ -0,0 +1,25 @@
>++//go:build freebsd
>++
>++package types
>++
>++import (
>++ "fmt"
>++ "syscall"
>++)
>++
>++func GetFSType(path string) (string, error) {
>++ var fsStat syscall.Statfs_t
>++
>++ if err := syscall.Statfs(path, &fsStat); err != nil {
>++ return "", fmt.Errorf("failed to get filesystem type: %w", err)
>++ }
>++
>++ bs := fsStat.Fstypename
>++
>++ b := make([]byte, len(bs))
>++ for i, v := range bs {
>++ b[i] = byte(v)
>++ }
>++
>++ return string(b), nil
>++}
>diff --git a/security/crowdsec/files/pkg-deinstall.in b/security/crowdsec/files/pkg-deinstall.in
>index 4cee7a613b84..6d60f11d51e6 100644
>--- a/security/crowdsec/files/pkg-deinstall.in
>+++ b/security/crowdsec/files/pkg-deinstall.in
>@@ -1,9 +1,11 @@
> #!/bin/sh
> 
>+#shellcheck disable=SC2249
> case $2 in
> "DEINSTALL")
>- service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running
>- service crowdsec stop 2>/dev/null || :
>+ # on pfsense, the service is not "enabled" so status and stop would fail
>+ service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running
>+ service crowdsec onestop 2>/dev/null || :
> ;;
> esac
> 
>diff --git a/security/crowdsec/files/pkg-install.in b/security/crowdsec/files/pkg-install.in
>index 74bccb12c1ab..d0a9fe85d3b4 100644
>--- a/security/crowdsec/files/pkg-install.in
>+++ b/security/crowdsec/files/pkg-install.in
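Review bot: GetFSType copies every element of fsStat.Fstypename into the result, and Fstypename is a fixed-size char array that statfs(2) NUL-pads, so the returned string is the type name followed by trailing zero bytes rather than e.g. "nfs". Any exact comparison or map lookup in the caller (IsNetworkFS, outside this patch) would then never match, and the network-share detection this patch exists to fix would still classify an NFS-backed database directory as local unless that caller trims NULs itself. Stop at the first NUL before converting, which also keeps the allocation to the name's real length; the rewritten tail of the function is below.
```go
// … unchanged: Statfs call and error check …

	bs := fsStat.Fstypename

	// f_fstypename is a fixed-size, NUL-padded buffer: copy only up to the first NUL
	n := 0
	for n < len(bs) && bs[n] != 0 {
		n++
	}
	b := make([]byte, n)
	for i := 0; i < n; i++ {
		b[i] = byte(bs[i])
	}

	return string(b), nil
```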
>@@ -1,11 +1,19 @@
> #!/bin/sh
> 
>+# shellcheck disable=SC2249
> case $2 in
> "POST-INSTALL")
>- cscli hub update -o human --error > /dev/null
>+ echo "Updating crowdsec hub data"
>+ if cscli hub update -o human --error; then
>+ cscli hub upgrade -o human --error
>+ else
>+ echo "Failed to update crowdsec hub data."
>+ echo "You can run 'cscli hub update; cscli hub upgrade'"
>+ echo "to update manually, or let the cron job do it for you."
>+ fi
> if [ -e /var/run/crowdsec.running ]; then
>- service crowdsec start
>- rm -f /var/run/crowdsec.running
>+ service crowdsec onestart
>+ rm -f /var/run/crowdsec.running
> fi
> ;;
> esac
>diff --git a/security/crowdsec/files/pkg-message.in b/security/crowdsec/files/pkg-message.in
>index b9812a0ed154..8e03e0da776d 100644
>--- a/security/crowdsec/files/pkg-message.in
>+++ b/security/crowdsec/files/pkg-message.in
>@@ -15,11 +15,11 @@ You need to check/edit the following files in %%ETCDIR%% as described in https:/
> - acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services)
> - profiles.yaml: remediation policies (ban, duration, etc)
> 
>-Then you can enable the daemon via sysrc and run it.
>+Then you can enable the service and run it.
> 
> ----------
>-# sysrc crowdsec_enable="YES"
>-crowdsec_enable: NO -> YES
>+# service crowdsec enable
>+crowdsec enabled in /etc/rc.conf
> # service crowdsec start
> ----------
> 
>diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in
>index 2364169f4425..b5b6fd2565c5 100644
>--- a/security/crowdsec/files/upgrade-hub.in
>+++ b/security/crowdsec/files/upgrade-hub.in
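Review bot: The POST-INSTALL branch now runs `cscli hub update` followed by `cscli hub upgrade`, so every `pkg install`/`pkg upgrade` of this port fetches the hub index over the network as root and replaces whatever parsers and scenarios are installed with what the hub currently serves, with no way for an operator to opt out and, unless cscli enforces its own timeout, blocking the install on a host without outbound access until it gives up. Consider gating it behind an environment knob such as `[ -n "${CROWDSEC_SKIP_HUB_UPDATE}" ] || ...` and saying in pkg-message that hub content is auto-upgraded at package install time, since detection logic changing underneath an operator without a package version bump is something they should be able to refuse. Separately, `cscli` is resolved through PATH here while the same commit switches upgrade-hub.in to `%%PREFIX%%/bin/cscli`; use the absolute path in both so the post-install script does not depend on the installer's environment.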
>@@ -1,16 +1,17 @@
> #!/bin/sh
> 
>-test -x /usr/local/bin/cscli || exit 0
>+test -x %%PREFIX%%/bin/cscli || exit 0
>+
>+# splay hub upgrade and crowdsec reload
>+sleep "$(jot -r 1 1 300)"
> 
> # favor the opnsense plugin's cron if it's there
> test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
> 
>-/usr/local/bin/cscli --error -o human hub update
>+%%PREFIX%%/bin/cscli --error -o human hub update
> 
>-upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
>+upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
> if [ -n "$upgraded" ]; then
>- # splay initial metrics push
>- sleep "$(jot -r 1 1 60)"
> service crowdsec onestatus && service crowdsec onereload
> fi
> 
>-- 
>2.43.0
>
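Review bot: The new `sleep "$(jot -r 1 1 300)"` is placed before the OPNsense check that follows it, so on a host where the plugin's cron file exists the job now sleeps for up to five minutes on every run only to `exit 0`; move the sleep below `test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0`. The splay also covers `hub update` and `hub upgrade`, which this cron job applies as root unconditionally before reloading the service, so a header comment stating that hub content is auto-upgraded from the network on every run (and that the job can be disabled by operators who pin their parsers and scenarios) would make the trust assumption explicit.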