|Summary:||security/py-fail2ban: 'fail2ban_pidfile' knob be ignored @ rc.conf.|
|Product:||Ports & Packages||Reporter:||epopen|
|Component:||Individual Port(s)||Assignee:||Kubilay Kocak <koobs>|
|Severity:||Affects Many People||CC:||dmitry.wagin, python, swills, theis|
Description epopen 2019-02-25 08:12:23 UTC
Hi Because directory '/var' mount by tmpfs, and can't create fail2ban default pid/sock file directory '/var/run/fail2ban'. So plan modify these to '/var/run'. File '/usr/local/etc/rc.conf.d/fail2ban' added and one line only like below 'fail2ban_pidfile="/var/run/fail2ban.pid"' (Without 'fail2ban_enable="YES"', because fail2ban start very slowly in boot time, so start it after boot completed.) But won't affect, still '/var/run/fail2ban/fail2ban.pid'. (Even 'fail2ban_enable="YES"' added same) Tried to trace by 'sh -x /usr/local/etc/rc.d/fail2ban' and got result below. + fail2ban_pidfile=/var/run/fail2ban.pid Look like '/usr/local/etc/rc.conf.d/fail2ban' affect. How-To-Repeat: run rc script '/usr/local/etc/rc.d/fail2ban'
Comment 1 theis 2019-02-25 11:38:40 UTC
You can configure the location and name of the various files (pid, sock, database, ...) in fail2ban.conf. Don't forget to change the name in rc.conf so you get the correct status. Haven't tried it yet, though. Some actions, e.g. bsd-ipfw, seem to write to /var/run/fail2ban, too, but this can be configured in the jail itself.
Comment 2 epopen 2019-02-26 03:35:46 UTC
(In reply to theis from comment #1) Hi Theis Yes, I had modified pid and sock in fail2ban.conf. This situation, running fail2ban status report messy by 'service' command because the issue like below # service fail2ban onestatus fail2ban is not running. Thanks you a lot.
Comment 3 theis 2019-02-27 10:41:45 UTC
I just tried: Stop fail2ban Change the paths for pidfile and socket in fail2ban.conf Add fail2ban_pidfile=... in /etc/rc.conf (I'm still using the old scheme) Start fail2ban was successful, both pid- and sock-file were in /var/run I don't know if I understand you correctly. Just in case there are misunderstandings: You have to change both, fail2ban.conf and /etc/rc.conf (or wherever you are configuring the services) because the first one tells fail2ban where to write the pidfile and the latter one tells the service where to find it. From the error message in your post it looks like the service is still looking at the old place and of course will not find the pid-file there.
Comment 4 epopen 2019-02-27 14:54:33 UTC
(In reply to theis from comment #3) Hi Theis Sorry my question doesn't clear. try explain again. In fail2ban.local socket = /var/run/fail2ban.sock pidfile = /var/run/fail2ban.pid After start, both file in /var/run correctly. -rw------- 1 root wheel 6 2月 23 23:35 fail2ban.pid srwx------ 1 root wheel 0 2月 23 23:35 fail2ban.sock= In the time, got error as below. # service fail2ban onestatus fail2ban is not running. So I config 'fail2ban_pidfile="/var/run/fail2ban.pid"' @ rc.conf But won't affect. Tried to trace by 'sh -x /usr/local/etc/rc.d/fail2ban' and got result below. + fail2ban_pidfile=/var/run/fail2ban.pid Used default '/var/run/fail2ban.pid' still. Look like 'fail2ban_pidfile' knob be ignored @ /usr/local/etc/rc.d/fail2ban. Thanks you a lot.
Comment 5 theis 2019-02-27 17:33:34 UTC
If rc looks for the pid file in the correct path we are down to the common part at /etc/rc.subr, esp. the subroutine check_pidfile You can enable debug outputs: put rc_debug="YES" in fail2ban. check_pidfile() will silently ignore some errors but debug output would reveal them.
Comment 6 epopen 2019-02-28 16:09:21 UTC
(In reply to theis from comment #5) Hi Theis Follow your suggestaion, rc_debug="YES" added into '/etc/rc.conf' And "/usr/local/etc/rc.conf.d/fail2ban" added as below fail2ban_pidfile="/var/run/fail2ban.pid" (Other test, added it into '/etc/rc.conf' still same problem) And got result as below. # service fail2ban onestatus /usr/local/etc/rc.d/fail2ban: DEBUG: Sourcing /usr/local/etc/rc.conf.d/fail2ban /usr/local/etc/rc.d/fail2ban: DEBUG: pid file (/var/run/fail2ban/fail2ban.pid): not readable. /usr/local/etc/rc.d/fail2ban: DEBUG: checkyesno: fail2ban_enable is set to YES. I have no idea why 'fail2ban_pidfile' knob be ignored. Thanks you a lot.
Comment 8 theis 2019-03-04 16:49:39 UTC
Sorry for the delay I didn't find the time before. Problem is that the rc.d script evaluates fail2ban_pidfile before rc.conf was read. A patch is attached.
Comment 9 epopen 2019-03-05 06:31:06 UTC
(In reply to theis from comment #8) Hi Theis I had applied your patch into /usr/local/etc/rc.d/fain2ban. The bug fixed :D Thanks you very much for your help.
Comment 10 Kubilay Kocak 2019-03-05 09:16:53 UTC
This still needs to be committed/merged
Comment 11 theis 2019-03-05 22:02:20 UTC
If the original submitter doesn't oppose merge quarterly would be OK for me. I don't know how to set that flag, I only see ? and X.
Comment 12 Kubilay Kocak 2019-03-06 11:11:42 UTC
(In reply to theis from comment #11) The merge-quarterly flag is for committers (and maintainers), used to indicate or request that a change should be considered for merging to the quarterly branch. In this case because its a bug fix, with quarterly users affected (presumably). If the quarterly version of the port/package is *not* affected, just let us know.
Comment 13 Steve Wills 2019-05-26 20:07:52 UTC
New quarterly branch was created, this can be closed.
Comment 14 Kubilay Kocak 2019-05-31 11:39:24 UTC
This change wasn't committed (or merged), re-open and now has a duplicate in bug 238250
Comment 15 Kubilay Kocak 2019-05-31 11:39:59 UTC
*** Bug 238250 has been marked as a duplicate of this bug. ***
Comment 16 commit-hook 2019-05-31 11:56:17 UTC
A commit references this bug: Author: koobs Date: Fri May 31 11:55:41 UTC 2019 New revision: 503168 URL: https://svnweb.freebsd.org/changeset/ports/503168 Log: security/py-fail2ban: Fix rc script The rc.d script evaluates fail2ban_pidfile before rc.conf is read. This change moves those evaluations to the corect place allowing users to override the values via /etc/rc.conf as expected. PR: 236017 Reported by: <epopen gmail com>, Dmitry Wagin <dmitry.wagin ya ru> Submitted by: <theis gmx at> (maintainer) MFH: 2019Q2 Changes: head/security/py-fail2ban/Makefile head/security/py-fail2ban/files/fail2ban.in
Comment 17 Kubilay Kocak 2019-05-31 11:57:27 UTC
Committed pending MFH. Apologies for the delay
Comment 18 commit-hook 2019-07-01 06:20:35 UTC
A commit references this bug: Author: koobs Date: Mon Jul 1 06:19:58 UTC 2019 New revision: 505539 URL: https://svnweb.freebsd.org/changeset/ports/505539 Log: MFH: r503168 security/py-fail2ban: Fix rc script The rc.d script evaluates fail2ban_pidfile before rc.conf is read. This change moves those evaluations to the corect place allowing users to override the values via /etc/rc.conf as expected. PR: 236017 Reported by: <epopen gmail com>, Dmitry Wagin <dmitry.wagin ya ru> Submitted by: <theis gmx at> (maintainer) Approved by: ports-secteam (blanket: bugfix) Changes: _U branches/2019Q2/ branches/2019Q2/security/py-fail2ban/Makefile branches/2019Q2/security/py-fail2ban/files/fail2ban.in