Bug 236017

Summary: security/py-fail2ban: 'fail2ban_pidfile' knob be ignored @ rc.conf.
Product: Ports & Packages
Reporter: epopen
Component: Individual Port(s)
Assignee: Kubilay Kocak <koobs>
Status: Closed FIXED
Severity: Affects Many People
CC: dmitry.wagin, python, swills, theis
Priority: ---
Keywords: easy
Version: Latest
Flags: theis: maintainer-feedback+
       koobs: merge-quarterly+
Hardware: Any
OS: Any
Attachments:
  patch (Flags: theis: maintainer-approval+)

Description epopen 2019-02-25 08:12:23 UTC
Hi

Because the '/var' directory is mounted as tmpfs, the fail2ban default pid/sock file directory '/var/run/fail2ban' can't be created.
So I plan to change these to '/var/run'.

File '/usr/local/etc/rc.conf.d/fail2ban' added, with only one line, as below:
'fail2ban_pidfile="/var/run/fail2ban.pid"'
(Without 'fail2ban_enable="YES"', because fail2ban starts very slowly at boot time, so I start it after boot has completed.)

But it has no effect, still '/var/run/fail2ban/fail2ban.pid'.
(Even with 'fail2ban_enable="YES"' added, the same.)

Tried to trace with 'sh -x /usr/local/etc/rc.d/fail2ban' and got the result below.
   + fail2ban_pidfile=/var/run/fail2ban.pid
Looks like '/usr/local/etc/rc.conf.d/fail2ban' does take effect.

How-To-Repeat:
run rc script '/usr/local/etc/rc.d/fail2ban'
Comment 1 theis 2019-02-25 11:38:40 UTC
You can configure the location and name of the various files (pid, sock, database, ...) in fail2ban.conf. Don't forget to change the name in rc.conf so you get the correct status.

Haven't tried it yet, though.

Some actions, e.g. bsd-ipfw, seem to write to /var/run/fail2ban, too, but this can be configured in the jail itself.
Comment 2 epopen 2019-02-26 03:35:46 UTC
(In reply to theis from comment #1)
Hi Theis

Yes, I had modified pid and sock in fail2ban.conf.

In this situation, the 'service' command reports the status of the running fail2ban incorrectly, because of the issue below:

# service fail2ban onestatus
fail2ban is not running.

Thank you a lot.
Comment 3 theis 2019-02-27 10:41:45 UTC
I just tried:
Stop fail2ban
Change the paths for pidfile and socket in fail2ban.conf
Add fail2ban_pidfile=... in /etc/rc.conf (I'm still using the old scheme)
Start fail2ban was successful, both pid- and sock-file were in /var/run

I don't know if I understand you correctly. Just in case there are misunderstandings: You have to change both, fail2ban.conf and /etc/rc.conf (or wherever you are configuring the services) because the first one tells fail2ban where to write the pidfile and the latter one tells the service where to find it. From the error message in your post it looks like the service is still looking at the old place and of course will not find the pid-file there.
Comment 4 epopen 2019-02-27 14:54:33 UTC
(In reply to theis from comment #3)
Hi Theis

Sorry, my question wasn't clear. I'll try to explain again.

In fail2ban.local
socket = /var/run/fail2ban.sock
pidfile = /var/run/fail2ban.pid

After start, both files are in /var/run correctly.
-rw-------  1 root  wheel      6  2月 23 23:35 fail2ban.pid
srwx------  1 root  wheel      0  2月 23 23:35 fail2ban.sock=

At that time, I got the error below.
# service fail2ban onestatus
fail2ban is not running.

So I configured 'fail2ban_pidfile="/var/run/fail2ban.pid"' in rc.conf,
but it has no effect.

Tried to trace with 'sh -x /usr/local/etc/rc.d/fail2ban' and got the result below.
   + fail2ban_pidfile=/var/run/fail2ban.pid

Still uses the default '/var/run/fail2ban.pid'.
Looks like the 'fail2ban_pidfile' knob is ignored by /usr/local/etc/rc.d/fail2ban.

Thank you a lot.
Comment 5 theis 2019-02-27 17:33:34 UTC
If rc looks for the pid file in the correct path we are down to the common part at /etc/rc.subr, esp. the subroutine check_pidfile

You can enable debug outputs: put
rc_debug="YES"
in fail2ban. check_pidfile() will silently ignore some errors but debug output would reveal them.
Comment 6 epopen 2019-02-28 16:09:21 UTC
(In reply to theis from comment #5)
Hi Theis

Following your suggestion, rc_debug="YES" was added into '/etc/rc.conf',
and "/usr/local/etc/rc.conf.d/fail2ban" was added as below:
   fail2ban_pidfile="/var/run/fail2ban.pid"
(In another test, adding it into '/etc/rc.conf' gave the same problem.)

And I got the result below.
# service fail2ban onestatus
/usr/local/etc/rc.d/fail2ban: DEBUG: Sourcing /usr/local/etc/rc.conf.d/fail2ban
/usr/local/etc/rc.d/fail2ban: DEBUG: pid file (/var/run/fail2ban/fail2ban.pid): not readable.
/usr/local/etc/rc.d/fail2ban: DEBUG: checkyesno: fail2ban_enable is set to YES.

I have no idea why the 'fail2ban_pidfile' knob is ignored.
Thank you a lot.
Comment 7 theis 2019-03-04 16:48:27 UTC
Created attachment 202552 [details]
patch
Comment 8 theis 2019-03-04 16:49:39 UTC
Sorry for the delay, I didn't find the time before.

The problem is that the rc.d script evaluates fail2ban_pidfile before rc.conf is read. A patch is attached.
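The ordering bug described in comment 8, modelled as an added example (this is not the py-fail2ban rc script, nor the attached patch). The real script sources /etc/rc.subr and calls load_rc_config; here a small stand-in evaluates a constructed rc.conf.d fragment so the script runs offline, and a temporary directory plays the role of the filesystem root so nothing under /var is touched.

```sh
#!/bin/sh
# Added example, not the port's rc script or the maintainer's patch. It shows
# why a derived variable computed from a knob *before* rc.conf is read keeps
# the built-in default, even though the knob itself later shows the user's
# value in 'sh -x' output.

# Constructed stand-in for /usr/local/etc/rc.conf.d/fail2ban (made up for the
# example; mirrors the knob the reporter set).
rc_conf_d_fail2ban='fail2ban_enable="YES"
fail2ban_pidfile="/var/run/fail2ban.pid"'

# Minimal stand-in for rc.subr's load_rc_config: evaluates the knob file into
# the shell environment. The real function also reads /etc/rc.conf,
# /etc/rc.conf.local and the rc.conf.d files; that is an assumption here.
load_rc_config_stub() {
    eval "$rc_conf_d_fail2ban"
}

# Buggy ordering: pidfile is derived from fail2ban_pidfile before the knob
# file is read, so it freezes the default. Prints the path status checks use.
pidfile_buggy_order() {
    unset fail2ban_pidfile pidfile
    pidfile="${fail2ban_pidfile:-/var/run/fail2ban/fail2ban.pid}"
    load_rc_config_stub
    # fail2ban_pidfile now holds the user's value (what 'sh -x' displayed),
    # but pidfile was already set to the default one line earlier.
    printf '%s\n' "$pidfile"
}

# Fixed ordering: read the knob file first, then derive pidfile from the knob.
pidfile_fixed_order() {
    unset fail2ban_pidfile pidfile
    load_rc_config_stub
    pidfile="${fail2ban_pidfile:-/var/run/fail2ban/fail2ban.pid}"
    printf '%s\n' "$pidfile"
}

# Reproduces the reporter's observation: fail2ban wrote its pid file at the
# configured path, and check_pidfile-style logic then looked at the frozen
# default. A temporary directory is used as a fake root.
demo_status_check() {
    root=$(mktemp -d)
    mkdir -p "$root/var/run"
    echo 12345 > "$root/var/run/fail2ban.pid"   # where fail2ban really wrote it
    buggy="$root$(pidfile_buggy_order)"
    fixed="$root$(pidfile_fixed_order)"
    result=""
    if [ -r "$buggy" ]; then result="${result}buggy:running "; else result="${result}buggy:not-running "; fi
    if [ -r "$fixed" ]; then result="${result}fixed:running"; else result="${result}fixed:not-running"; fi
    rm -rf "$root"
    printf '%s\n' "$result"
}

echo "buggy order looks at: $(pidfile_buggy_order)"
echo "fixed order looks at: $(pidfile_fixed_order)"
echo "status check: $(demo_status_check)"
```

The buggy function prints /var/run/fail2ban/fail2ban.pid and the status check reports "not running" for it, matching the DEBUG line in comment 6; moving the derivation after load_rc_config is the whole fix, which is what the attached patch does in the real script.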
Comment 9 epopen 2019-03-05 06:31:06 UTC
(In reply to theis from comment #8)
Hi Theis

I applied your patch to /usr/local/etc/rc.d/fail2ban.
The bug is fixed :D

Thank you very much for your help.
Comment 10 Kubilay Kocak freebsd_committer freebsd_triage 2019-03-05 09:16:53 UTC
This still needs to be committed/merged
Comment 11 theis 2019-03-05 22:02:20 UTC
If the original submitter doesn't oppose, merge to quarterly would be OK for me.
I don't know how to set that flag, I only see ? and X.
Comment 12 Kubilay Kocak freebsd_committer freebsd_triage 2019-03-06 11:11:42 UTC
(In reply to theis from comment #11)

The merge-quarterly flag is for committers (and maintainers), used to indicate or request that a change should be considered for merging to the quarterly branch.

In this case, because it's a bug fix, with quarterly users affected (presumably). If the quarterly version of the port/package is *not* affected, just let us know.
Comment 13 Steve Wills freebsd_committer freebsd_triage 2019-05-26 20:07:52 UTC
New quarterly branch was created, this can be closed.
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2019-05-31 11:39:24 UTC
This change wasn't committed (or merged); re-opening. It now has a duplicate in bug 238250.
Comment 15 Kubilay Kocak freebsd_committer freebsd_triage 2019-05-31 11:39:59 UTC
*** Bug 238250 has been marked as a duplicate of this bug. ***
Comment 16 commit-hook freebsd_committer freebsd_triage 2019-05-31 11:56:17 UTC
A commit references this bug:

Author: koobs
Date: Fri May 31 11:55:41 UTC 2019
New revision: 503168
URL: https://svnweb.freebsd.org/changeset/ports/503168

Log:
  security/py-fail2ban: Fix rc script

  The rc.d script evaluates fail2ban_pidfile before rc.conf is read.

  This change moves those evaluations to the correct place allowing
  users to override the values via /etc/rc.conf as expected.

  PR:		236017
  Reported by:	<epopen gmail com>, Dmitry Wagin <dmitry.wagin ya ru>
  Submitted by:	<theis gmx at> (maintainer)
  MFH:		2019Q2

Changes:
  head/security/py-fail2ban/Makefile
  head/security/py-fail2ban/files/fail2ban.in
Comment 17 Kubilay Kocak freebsd_committer freebsd_triage 2019-05-31 11:57:27 UTC
Committed pending MFH. Apologies for the delay
Comment 18 commit-hook freebsd_committer freebsd_triage 2019-07-01 06:20:35 UTC
A commit references this bug:

Author: koobs
Date: Mon Jul  1 06:19:58 UTC 2019
New revision: 505539
URL: https://svnweb.freebsd.org/changeset/ports/505539

Log:
  MFH: r503168 security/py-fail2ban: Fix rc script

  The rc.d script evaluates fail2ban_pidfile before rc.conf is read.

  This change moves those evaluations to the correct place allowing
  users to override the values via /etc/rc.conf as expected.

  PR:		236017
  Reported by:	<epopen gmail com>, Dmitry Wagin <dmitry.wagin ya ru>
  Submitted by:	<theis gmx at> (maintainer)

  Approved by:	ports-secteam (blanket: bugfix)

Changes:
_U  branches/2019Q2/
  branches/2019Q2/security/py-fail2ban/Makefile
  branches/2019Q2/security/py-fail2ban/files/fail2ban.in