security/crowdsec: update to v1.6.1

-  improve rc, postinst scripts
- update upstream to latest stable
- restart service correctly if it crashes
- update hub in postinst (if network available) instead of service start
- use "one{status,stop...}" for compatibility with pfsense
- patch: fix network fs detection

PR:	278713

10 files changed, 149 insertions, 81 deletions

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 53d3aa5d116b..8878c053dfff 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,7 +1,7 @@
 PORTNAME=	crowdsec
 DISTVERSIONPREFIX=	v
-DISTVERSION=	1.6.0
-PORTREVISION=	3
+DISTVERSION=	1.6.1
+PORTREVISION=	1
 CATEGORIES=	security
 
 MAINTAINER=	marco@crowdsec.net
@@ -15,7 +15,7 @@ LIB_DEPENDS=	libabsl_base.so:devel/abseil \
 		libre2.so:devel/re2
 
 USES=		go:1.21,modules pkgconfig
-_COMMIT=	4b8e6cd7
+_COMMIT=	0746e0c0
 _BUILD_DATE=	$$(date -u "+%F_%T")
 USE_RC_SUBR=	crowdsec
 
diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo
index 0a0ed29eef9c..9cb7e50d131c 100644
--- a/security/crowdsec/distinfo
+++ b/security/crowdsec/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1706093904
-SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = bf62cad10105ba50e3e0778651341cb7eca13ff5785c79a206ca8a5d42b90fed
-SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = 10099
-SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = c7cb4870cbcc848cf4c36161021930bc77f490f2701bcebdace6ad27a400a73f
-SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = 1440975
+TIMESTAMP = 1713296982
+SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = b7957886889cef4dd7166ae8996a93d0f2f5071a8b2155c16c190388f71baeee
+SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = 10066
+SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = fbcee972b1c5b24b4b3a278381f2bd8837ca122e302defc747a76123a8c079c9
+SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = 1483959
diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in
index eb72069392a8..703a3045657d 100644
--- a/security/crowdsec/files/crowdsec.in
+++ b/security/crowdsec/files/crowdsec.in
@@ -20,7 +20,6 @@
 . /etc/rc.subr
 
 name=crowdsec
-desc="Crowdsec Agent"
 rcvar=crowdsec_enable
 
 load_rc_config "$name"
@@ -30,95 +29,81 @@ load_rc_config "$name"
 : "${crowdsec_machine_name:=localhost}"
 : "${crowdsec_flags:=}"
 
-pidfile=/var/run/${name}.pid
+pidfile=/var/run/${name}_daemon.pid
+pidfile_crowdsec=/var/run/${name}.pid
 required_files="$crowdsec_config"
-command="%%PREFIX%%/bin/${name}"
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
+command="/usr/sbin/daemon"
+command_crowdsec="%%PREFIX%%/bin/crowdsec"
+command_cscli="%%PREFIX%%/bin/cscli"
+command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
+reload_cmd="${name}_reload"
 start_precmd="${name}_precmd"
 configtest_cmd="${name}_configtest"
+reload_precmd="${name}_configtest"
+restart_precmd="${name}_configtest"
+stop_precmd="${name}_stop_precmd"
+stop_postcmd="${name}_stop_postcmd"
 extra_commands="configtest reload"
 
+crowdsec_stop_precmd() {
+    # take note of the pid, because sbin/daemon will remove the file
+    # without waiting for crowdsec to exit
+    if [ -r "$pidfile_crowdsec" ]; then
+        _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")"
+        export _CROWDSECPID
+    fi
+}
+
+crowdsec_stop_postcmd() {
+    # wait for process to exit before restarting, or it will find the http port in use
+    if [ -n "$_CROWDSECPID" ]; then
+        wait_for_pids "$_CROWDSECPID"
+    fi
+}
+
 crowdsec_precmd() {
     cs_cli() {
-        "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"
+        "$command_cscli" -c "$crowdsec_config" "$@"
     }
+
     Config() {
         cs_cli config show --key "Config.$1"
     }
 
-    HUB_DIR=$(Config ConfigPaths.HubDir)
-    if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
-        echo "Fetching hub inventory"
-        cs_cli hub update || :
-    fi
-
-    CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
-
     # Is the LAPI enabled on this node?
-    if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
-
-        # There are no machines, we create the main one
-        if [ "$(cs_cli machines list -o json)" = "[]" ]; then
+    if [ "$(Config API.Server.Enable)" != "false" ]; then
+        # There are no machines, we create one for cscli & log processor
+        if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then
             echo "Registering LAPI"
             cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
         fi
 
+        CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
+
         # Register to the central server to receive the community blocklist and more
         if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
             echo "Registering CAPI"
             cs_cli capi register || :
         fi
-
     fi
 
-    # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
-    #    cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
-    #        cs_cli collections install crowdsecurity/freebsd || :
-
-    # So we just check for the file
-    if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
+    # install the collection for the first time, or if it has been removed
+    cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
         cs_cli collections install crowdsecurity/freebsd || :
-    fi
 }
 
-crowdsec_stop()
-{
-    if [ ! -f "$pidfile" ]; then
-        echo "${name} is not running."
-        return
-    fi
-    pid=$(cat "$pidfile")
-    if kill -0 "$pid" >/dev/null 2>&1; then
-        echo "Stopping ${name}."
-        kill -s TERM "$pid" >/dev/null 2>&1
-        # shellcheck disable=SC2034
-        for i in $(seq 1 20); do
-            sleep 1
-            if ! kill -0 "$pid" >/dev/null 2>&1; then
-                rm -f "$pidfile"
-                return
-            fi
-        done
-        echo "Timeout, terminating ${name} with SIGKILL."
-        kill -s KILL "$pid" >/dev/null 2>&1
-        rm -f "$pidfile"
-    else
-        echo "${name} is not running."
+crowdsec_configtest() {
+    echo "Performing sanity check on ${name} configuration."
+    if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
+        exit 1
     fi
+    echo "Configuration test OK"
 }
 
-crowdsec_start()
-{
-    /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
-        "$command" -c "$crowdsec_config" ${crowdsec_flags}
-}
-
-crowdsec_configtest()
-{
-    echo "Performing sanity check on ${name} configuration."
-    if "$command" -c "$crowdsec_config" -t -error; then
-        echo "Configuration test OK"
+crowdsec_reload() {
+    echo "Reloading configuration"
+    if [ -r "$pidfile_crowdsec" ]; then
+        kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")"
     fi
 }
 
diff --git a/security/crowdsec/files/patch-pkg_csconfig_database.go b/security/crowdsec/files/patch-pkg_csconfig_database.go
new file mode 100644
index 000000000000..c34546376722
--- /dev/null
+++ b/security/crowdsec/files/patch-pkg_csconfig_database.go
@@ -0,0 +1,36 @@
+--- pkg/csconfig/database.go.orig	2024-04-24 21:31:39 UTC
++++ pkg/csconfig/database.go
+@@ -76,26 +76,24 @@ func (c *Config) LoadDBConfig(inCli bool) error {
+ 		if c.DbConfig.UseWal == nil {
+ 			dbDir := filepath.Dir(c.DbConfig.DbPath)
+ 			isNetwork, fsType, err := types.IsNetworkFS(dbDir)
+-			if err != nil {
++			switch {
++			case err != nil:
+ 				log.Warnf("unable to determine if database is on network filesystem: %s", err)
+ 				log.Warning("You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.")
+-				return nil
+-			}
+-			if isNetwork {
++			case isNetwork:
+ 				log.Debugf("database is on network filesystem (%s), setting useWal to false", fsType)
+ 				c.DbConfig.UseWal = ptr.Of(false)
+-			} else {
++			default:
+ 				log.Debugf("database is on local filesystem (%s), setting useWal to true", fsType)
+ 				c.DbConfig.UseWal = ptr.Of(true)
+ 			}
+ 		} else if *c.DbConfig.UseWal {
+ 			dbDir := filepath.Dir(c.DbConfig.DbPath)
+ 			isNetwork, fsType, err := types.IsNetworkFS(dbDir)
+-			if err != nil {
++			switch {
++			case err != nil:
+ 				log.Warnf("unable to determine if database is on network filesystem: %s", err)
+-				return nil
+-			}
+-			if isNetwork {
++			case isNetwork:
+ 				log.Warnf("database seems to be stored on a network share (%s), but useWal is set to true. Proceed at your own risk.", fsType)
+ 			}
+ 		}
diff --git a/security/crowdsec/files/patch-pkg_types_getfstype.go b/security/crowdsec/files/patch-pkg_types_getfstype.go
new file mode 100644
index 000000000000..9b9775265421
--- /dev/null
+++ b/security/crowdsec/files/patch-pkg_types_getfstype.go
@@ -0,0 +1,8 @@
+--- pkg/types/getfstype.go.orig	2024-04-24 21:23:59 UTC
++++ pkg/types/getfstype.go
+@@ -1,4 +1,4 @@
+-//go:build !windows
++//go:build !windows && !freebsd
+ 
+ package types
+ 
diff --git a/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
new file mode 100644
index 000000000000..0fe3a5157120
--- /dev/null
+++ b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
@@ -0,0 +1,28 @@
+--- pkg/types/getfstype_freebsd.go.orig	2024-04-24 21:25:32 UTC
++++ pkg/types/getfstype_freebsd.go
+@@ -0,0 +1,25 @@
++//go:build freebsd
++
++package types
++
++import (
++    "fmt"
++    "syscall"
++)
++
++func GetFSType(path string) (string, error) {
++	var fsStat syscall.Statfs_t
++
++	if err := syscall.Statfs(path, &fsStat); err != nil {
++		return "", fmt.Errorf("failed to get filesystem type: %w", err)
++	}
++
++	bs := fsStat.Fstypename
++
++	b := make([]byte, len(bs))
++	for i, v := range bs {
++		b[i] = byte(v)
++	}
++
++	return string(b), nil
++}
diff --git a/security/crowdsec/files/pkg-deinstall.in b/security/crowdsec/files/pkg-deinstall.in
index 4cee7a613b84..6d60f11d51e6 100644
--- a/security/crowdsec/files/pkg-deinstall.in
+++ b/security/crowdsec/files/pkg-deinstall.in
@@ -1,9 +1,11 @@
 #!/bin/sh
 
+#shellcheck disable=SC2249
 case $2 in
        "DEINSTALL")
-               service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running
-               service crowdsec stop 2>/dev/null || :
+               # on pfsense, the service is not "enabled" so status and stop would fail
+               service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running
+               service crowdsec onestop 2>/dev/null || :
                ;;
 esac
 
diff --git a/security/crowdsec/files/pkg-install.in b/security/crowdsec/files/pkg-install.in
index 74bccb12c1ab..d0a9fe85d3b4 100644
--- a/security/crowdsec/files/pkg-install.in
+++ b/security/crowdsec/files/pkg-install.in
@@ -1,11 +1,19 @@
 #!/bin/sh
 
+# shellcheck disable=SC2249
 case $2 in
         "POST-INSTALL")
-                cscli hub update -o human --error > /dev/null
+                echo "Updating crowdsec hub data"
+                if cscli hub update -o human --error; then
+                    cscli hub upgrade -o human --error
+                else
+                    echo "Failed to update crowdsec hub data."
+                    echo "You can run 'cscli hub update; cscli hub upgrade'"
+                    echo "to update manually, or let the cron job do it for you."
+                fi
                 if [ -e /var/run/crowdsec.running ]; then
-                        service crowdsec start
-                        rm -f /var/run/crowdsec.running
+                    service crowdsec onestart
+                    rm -f /var/run/crowdsec.running
                 fi
                 ;;
 esac
diff --git a/security/crowdsec/files/pkg-message.in b/security/crowdsec/files/pkg-message.in
index b9812a0ed154..8e03e0da776d 100644
--- a/security/crowdsec/files/pkg-message.in
+++ b/security/crowdsec/files/pkg-message.in
@@ -15,11 +15,11 @@ You need to check/edit the following files in %%ETCDIR%% as described in https:/
  - acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services)
  - profiles.yaml: remediation policies (ban, duration, etc)
 
-Then you can enable the daemon via sysrc and run it.
+Then you can enable the service and run it.
 
 ----------
-# sysrc crowdsec_enable="YES"
-crowdsec_enable: NO -> YES
+# service crowdsec enable
+crowdsec enabled in /etc/rc.conf
 # service crowdsec start
 ----------
 
diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in
index 2364169f4425..b5b6fd2565c5 100644
--- a/security/crowdsec/files/upgrade-hub.in
+++ b/security/crowdsec/files/upgrade-hub.in
@@ -1,16 +1,17 @@
 #!/bin/sh
 
-test -x /usr/local/bin/cscli || exit 0
+test -x %%PREFIX%%/bin/cscli || exit 0
+
+# splay hub upgrade and crowdsec reload
+sleep "$(jot -r 1 1 300)"
 
 # favor the opnsense plugin's cron if it's there
 test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
 
-/usr/local/bin/cscli --error -o human hub update
+%%PREFIX%%/bin/cscli --error -o human hub update
 
-upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
+upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
 if [ -n "$upgraded" ]; then
-    # splay initial metrics push
-    sleep "$(jot -r 1 1 60)"
     service crowdsec onestatus && service crowdsec onereload
 fi