Diffstat (limited to 'security/crowdsec/files/crowdsec.in')
-rw-r--r-- | security/crowdsec/files/crowdsec.in | 105 |
1 files changed, 45 insertions, 60 deletions
diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in index eb72069392a8..703a3045657d 100644 --- a/security/crowdsec/files/crowdsec.in +++ b/security/crowdsec/files/crowdsec.in @@ -20,7 +20,6 @@ . /etc/rc.subr name=crowdsec -desc="Crowdsec Agent" rcvar=crowdsec_enable load_rc_config "$name" 
@@ -30,95 +29,81 @@ load_rc_config "$name" : "${crowdsec_machine_name:=localhost}" : "${crowdsec_flags:=}" -pidfile=/var/run/${name}.pid +pidfile=/var/run/${name}_daemon.pid +pidfile_crowdsec=/var/run/${name}.pid required_files="$crowdsec_config" -command="%%PREFIX%%/bin/${name}" -start_cmd="${name}_start" -stop_cmd="${name}_stop" +command="/usr/sbin/daemon" +command_crowdsec="%%PREFIX%%/bin/crowdsec" +command_cscli="%%PREFIX%%/bin/cscli" +command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}" +reload_cmd="${name}_reload" start_precmd="${name}_precmd" configtest_cmd="${name}_configtest" +reload_precmd="${name}_configtest" +restart_precmd="${name}_configtest" +stop_precmd="${name}_stop_precmd" +stop_postcmd="${name}_stop_postcmd" extra_commands="configtest reload" +crowdsec_stop_precmd() { + # take note of the pid, because sbin/daemon will remove the file + # without waiting for crowdsec to exit + if [ -r "$pidfile_crowdsec" ]; then + _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")" + export _CROWDSECPID + fi +} + +crowdsec_stop_postcmd() { + # wait for process to exit before restarting, or it will find the http port in use + if [ -n "$_CROWDSECPID" ]; then + wait_for_pids "$_CROWDSECPID" + fi +} + crowdsec_precmd() { cs_cli() { - "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@" + "$command_cscli" -c "$crowdsec_config" "$@" } + Config() { cs_cli config show --key "Config.$1" } - HUB_DIR=$(Config ConfigPaths.HubDir) - if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then - echo "Fetching hub inventory" - cs_cli hub update || : - fi - - CONFIG_DIR=$(Config ConfigPaths.ConfigDir) - # Is the LAPI enabled on this node? 
- if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then - - # There are no machines, we create the main one - if [ "$(cs_cli machines list -o json)" = "[]" ]; then + if [ "$(Config API.Server.Enable)" != "false" ]; then + # There are no machines, we create one for cscli & log processor + if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then echo "Registering LAPI" cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || : fi + CONFIG_DIR=$(Config ConfigPaths.ConfigDir) + # Register to the central server to receive the community blocklist and more if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then echo "Registering CAPI" cs_cli capi register || : fi - fi - # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet. - # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \ - # cs_cli collections install crowdsecurity/freebsd || : - - # So we just check for the file - if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then + # install the collection for the first time, or if it has been removed + cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \ cs_cli collections install crowdsecurity/freebsd || : - fi } -crowdsec_stop() -{ - if [ ! -f "$pidfile" ]; then - echo "${name} is not running." - return - fi - pid=$(cat "$pidfile") - if kill -0 "$pid" >/dev/null 2>&1; then - echo "Stopping ${name}." - kill -s TERM "$pid" >/dev/null 2>&1 - # shellcheck disable=SC2034 - for i in $(seq 1 20); do - sleep 1 - if ! kill -0 "$pid" >/dev/null 2>&1; then - rm -f "$pidfile" - return - fi - done - echo "Timeout, terminating ${name} with SIGKILL." - kill -s KILL "$pid" >/dev/null 2>&1 - rm -f "$pidfile" - else - echo "${name} is not running." +crowdsec_configtest() { + echo "Performing sanity check on ${name} configuration." + if ! 
"$command_crowdsec" -c "$crowdsec_config" -t -error; then + exit 1 fi + echo "Configuration test OK" } -crowdsec_start() -{ - /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ - "$command" -c "$crowdsec_config" ${crowdsec_flags} -} - -crowdsec_configtest() -{ - echo "Performing sanity check on ${name} configuration." - if "$command" -c "$crowdsec_config" -t -error; then - echo "Configuration test OK" +crowdsec_reload() { + echo "Reloading configuration" + if [ -r "$pidfile_crowdsec" ]; then + kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")" fi } |
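Review bot: `crowdsec_reload` prints "Reloading configuration" and returns success even when no process was signalled. If `$pidfile_crowdsec` is not readable the `if` is skipped silently, and if `check_pidfile` prints nothing (stale pidfile, or the pid no longer matches `$command_crowdsec`) the function ends up running `kill -HUP ""`. For a detection agent this matters: an operator who has just changed the configuration is told the reload happened while the old configuration, or no process at all, is in effect. Capturing the pid first and returning non-zero with a message when it is empty makes the failure visible, as sketched below. Separately, `crowdsec_stop_postcmd` calls `wait_for_pids` with no bound, whereas the removed `crowdsec_stop` escalated to SIGKILL after 20 seconds, so it is worth confirming that a hung crowdsec cannot stall `stop` or `restart`.

```sh
crowdsec_reload() {
	echo "Reloading configuration"
	_pid="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")"
	if [ -z "$_pid" ]; then
		echo "${name} is not running? (check $pidfile_crowdsec)." >&2
		return 1
	fi
	kill -HUP "$_pid"
}
```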