From 0581f056998e84494c5eecbdd3336f61cfb1cd79 Mon Sep 17 00:00:00 2001 From: marco Date: Tue, 16 Apr 2024 23:25:31 +0200 Subject: security/crowdsec: update to v1.6.1 - improve rc, postinst scripts - update upstream to latest stable - restart service correctly if it crashes - update hub in postinst (if network available) instead of service start - use "one{status,stop...}" for compatibility with pfsense - patch: fix network fs detection PR: 278713 --- security/crowdsec/Makefile | 6 +- security/crowdsec/distinfo | 10 +- security/crowdsec/files/crowdsec.in | 105 +++++++++------------ .../crowdsec/files/patch-pkg_csconfig_database.go | 36 +++++++ .../crowdsec/files/patch-pkg_types_getfstype.go | 8 ++ .../files/patch-pkg_types_getfstype__freebsd.go | 28 ++++++ security/crowdsec/files/pkg-deinstall.in | 6 +- security/crowdsec/files/pkg-install.in | 14 ++- security/crowdsec/files/pkg-message.in | 6 +- security/crowdsec/files/upgrade-hub.in | 11 ++- 10 files changed, 149 insertions(+), 81 deletions(-) create mode 100644 security/crowdsec/files/patch-pkg_csconfig_database.go create mode 100644 security/crowdsec/files/patch-pkg_types_getfstype.go create mode 100644 security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go (limited to 'security') diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile index 53d3aa5d116b..8878c053dfff 100644 --- a/security/crowdsec/Makefile +++ b/security/crowdsec/Makefile @@ -1,7 +1,7 @@ PORTNAME= crowdsec DISTVERSIONPREFIX= v -DISTVERSION= 1.6.0 -PORTREVISION= 3 +DISTVERSION= 1.6.1 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= marco@crowdsec.net @@ -15,7 +15,7 @@ LIB_DEPENDS= libabsl_base.so:devel/abseil \ libre2.so:devel/re2 USES= go:1.21,modules pkgconfig -_COMMIT= 4b8e6cd7 +_COMMIT= 0746e0c0 _BUILD_DATE= $$(date -u "+%F_%T") USE_RC_SUBR= crowdsec diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo index 0a0ed29eef9c..9cb7e50d131c 100644 --- a/security/crowdsec/distinfo +++ b/security/crowdsec/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1706093904 -SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = bf62cad10105ba50e3e0778651341cb7eca13ff5785c79a206ca8a5d42b90fed -SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = 10099 -SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = c7cb4870cbcc848cf4c36161021930bc77f490f2701bcebdace6ad27a400a73f -SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = 1440975 +TIMESTAMP = 1713296982 +SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = b7957886889cef4dd7166ae8996a93d0f2f5071a8b2155c16c190388f71baeee +SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = 10066 +SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = fbcee972b1c5b24b4b3a278381f2bd8837ca122e302defc747a76123a8c079c9 +SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = 1483959 diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in index eb72069392a8..703a3045657d 100644 --- a/security/crowdsec/files/crowdsec.in +++ b/security/crowdsec/files/crowdsec.in @@ -20,7 +20,6 @@ . /etc/rc.subr name=crowdsec -desc="Crowdsec Agent" rcvar=crowdsec_enable load_rc_config "$name" @@ -30,95 +29,81 @@ load_rc_config "$name" : "${crowdsec_machine_name:=localhost}" : "${crowdsec_flags:=}" -pidfile=/var/run/${name}.pid +pidfile=/var/run/${name}_daemon.pid +pidfile_crowdsec=/var/run/${name}.pid required_files="$crowdsec_config" -command="%%PREFIX%%/bin/${name}" -start_cmd="${name}_start" -stop_cmd="${name}_stop" +command="/usr/sbin/daemon" +command_crowdsec="%%PREFIX%%/bin/crowdsec" +command_cscli="%%PREFIX%%/bin/cscli" +command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}" +reload_cmd="${name}_reload" start_precmd="${name}_precmd" configtest_cmd="${name}_configtest" +reload_precmd="${name}_configtest" +restart_precmd="${name}_configtest" +stop_precmd="${name}_stop_precmd" +stop_postcmd="${name}_stop_postcmd" extra_commands="configtest reload" +crowdsec_stop_precmd() { + # take note of the pid, because sbin/daemon will remove the file + # without waiting for crowdsec to exit + if [ -r "$pidfile_crowdsec" ]; then + _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")" + export _CROWDSECPID + fi +} + +crowdsec_stop_postcmd() { + # wait for process to exit before restarting, or it will find the http port in use + if [ -n "$_CROWDSECPID" ]; then + wait_for_pids "$_CROWDSECPID" + fi +} + crowdsec_precmd() { cs_cli() { - "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@" + "$command_cscli" -c "$crowdsec_config" "$@" } + Config() { cs_cli config show --key "Config.$1" } - HUB_DIR=$(Config ConfigPaths.HubDir) - if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then - echo "Fetching hub inventory" - cs_cli hub update || : - fi - - CONFIG_DIR=$(Config ConfigPaths.ConfigDir) - # Is the LAPI enabled on this node? - if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then - - # There are no machines, we create the main one - if [ "$(cs_cli machines list -o json)" = "[]" ]; then + if [ "$(Config API.Server.Enable)" != "false" ]; then + # There are no machines, we create one for cscli & log processor + if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then echo "Registering LAPI" cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || : fi + CONFIG_DIR=$(Config ConfigPaths.ConfigDir) + # Register to the central server to receive the community blocklist and more if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then echo "Registering CAPI" cs_cli capi register || : fi - fi - # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet. - # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \ - # cs_cli collections install crowdsecurity/freebsd || : - - # So we just check for the file - if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then + # install the collection for the first time, or if it has been removed + cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \ cs_cli collections install crowdsecurity/freebsd || : - fi } -crowdsec_stop() -{ - if [ ! -f "$pidfile" ]; then - echo "${name} is not running." - return - fi - pid=$(cat "$pidfile") - if kill -0 "$pid" >/dev/null 2>&1; then - echo "Stopping ${name}." - kill -s TERM "$pid" >/dev/null 2>&1 - # shellcheck disable=SC2034 - for i in $(seq 1 20); do - sleep 1 - if ! kill -0 "$pid" >/dev/null 2>&1; then - rm -f "$pidfile" - return - fi - done - echo "Timeout, terminating ${name} with SIGKILL." - kill -s KILL "$pid" >/dev/null 2>&1 - rm -f "$pidfile" - else - echo "${name} is not running." +crowdsec_configtest() { + echo "Performing sanity check on ${name} configuration." + if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then + exit 1 fi + echo "Configuration test OK" } -crowdsec_start() -{ - /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ - "$command" -c "$crowdsec_config" ${crowdsec_flags} -} - -crowdsec_configtest() -{ - echo "Performing sanity check on ${name} configuration." - if "$command" -c "$crowdsec_config" -t -error; then - echo "Configuration test OK" +crowdsec_reload() { + echo "Reloading configuration" + if [ -r "$pidfile_crowdsec" ]; then + kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")" fi } diff --git a/security/crowdsec/files/patch-pkg_csconfig_database.go b/security/crowdsec/files/patch-pkg_csconfig_database.go new file mode 100644 index 000000000000..c34546376722 --- /dev/null +++ b/security/crowdsec/files/patch-pkg_csconfig_database.go @@ -0,0 +1,36 @@ +--- pkg/csconfig/database.go.orig 2024-04-24 21:31:39 UTC ++++ pkg/csconfig/database.go +@@ -76,26 +76,24 @@ func (c *Config) LoadDBConfig(inCli bool) error { + if c.DbConfig.UseWal == nil { + dbDir := filepath.Dir(c.DbConfig.DbPath) + isNetwork, fsType, err := types.IsNetworkFS(dbDir) +- if err != nil { ++ switch { ++ case err != nil: + log.Warnf("unable to determine if database is on network filesystem: %s", err) + log.Warning("You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.") +- return nil +- } +- if isNetwork { ++ case isNetwork: + log.Debugf("database is on network filesystem (%s), setting useWal to false", fsType) + c.DbConfig.UseWal = ptr.Of(false) +- } else { ++ default: + log.Debugf("database is on local filesystem (%s), setting useWal to true", fsType) + c.DbConfig.UseWal = ptr.Of(true) + } + } else if *c.DbConfig.UseWal { + dbDir := filepath.Dir(c.DbConfig.DbPath) + isNetwork, fsType, err := types.IsNetworkFS(dbDir) +- if err != nil { ++ switch { ++ case err != nil: + log.Warnf("unable to determine if database is on network filesystem: %s", err) +- return nil +- } +- if isNetwork { ++ case isNetwork: + log.Warnf("database seems to be stored on a network share (%s), but useWal is set to true. Proceed at your own risk.", fsType) + } + } diff --git a/security/crowdsec/files/patch-pkg_types_getfstype.go b/security/crowdsec/files/patch-pkg_types_getfstype.go new file mode 100644 index 000000000000..9b9775265421 --- /dev/null +++ b/security/crowdsec/files/patch-pkg_types_getfstype.go @@ -0,0 +1,8 @@ +--- pkg/types/getfstype.go.orig 2024-04-24 21:23:59 UTC ++++ pkg/types/getfstype.go +@@ -1,4 +1,4 @@ +-//go:build !windows ++//go:build !windows && !freebsd + + package types + diff --git a/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go new file mode 100644 index 000000000000..0fe3a5157120 --- /dev/null +++ b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go @@ -0,0 +1,28 @@ +--- pkg/types/getfstype_freebsd.go.orig 2024-04-24 21:25:32 UTC ++++ pkg/types/getfstype_freebsd.go +@@ -0,0 +1,25 @@ ++//go:build freebsd ++ ++package types ++ ++import ( ++ "fmt" ++ "syscall" ++) ++ ++func GetFSType(path string) (string, error) { ++ var fsStat syscall.Statfs_t ++ ++ if err := syscall.Statfs(path, &fsStat); err != nil { ++ return "", fmt.Errorf("failed to get filesystem type: %w", err) ++ } ++ ++ bs := fsStat.Fstypename ++ ++ b := make([]byte, len(bs)) ++ for i, v := range bs { ++ b[i] = byte(v) ++ } ++ ++ return string(b), nil ++} diff --git a/security/crowdsec/files/pkg-deinstall.in b/security/crowdsec/files/pkg-deinstall.in index 4cee7a613b84..6d60f11d51e6 100644 --- a/security/crowdsec/files/pkg-deinstall.in +++ b/security/crowdsec/files/pkg-deinstall.in @@ -1,9 +1,11 @@ #!/bin/sh +#shellcheck disable=SC2249 case $2 in "DEINSTALL") - service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running - service crowdsec stop 2>/dev/null || : + # on pfsense, the service is not "enabled" so status and stop would fail + service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running + service crowdsec onestop 2>/dev/null || : ;; esac diff --git a/security/crowdsec/files/pkg-install.in b/security/crowdsec/files/pkg-install.in index 74bccb12c1ab..d0a9fe85d3b4 100644 --- a/security/crowdsec/files/pkg-install.in +++ b/security/crowdsec/files/pkg-install.in @@ -1,11 +1,19 @@ #!/bin/sh +# shellcheck disable=SC2249 case $2 in "POST-INSTALL") - cscli hub update -o human --error > /dev/null + echo "Updating crowdsec hub data" + if cscli hub update -o human --error; then + cscli hub upgrade -o human --error + else + echo "Failed to update crowdsec hub data." + echo "You can run 'cscli hub update; cscli hub upgrade'" + echo "to update manually, or let the cron job do it for you." + fi if [ -e /var/run/crowdsec.running ]; then - service crowdsec start - rm -f /var/run/crowdsec.running + service crowdsec onestart + rm -f /var/run/crowdsec.running fi ;; esac diff --git a/security/crowdsec/files/pkg-message.in b/security/crowdsec/files/pkg-message.in index b9812a0ed154..8e03e0da776d 100644 --- a/security/crowdsec/files/pkg-message.in +++ b/security/crowdsec/files/pkg-message.in @@ -15,11 +15,11 @@ You need to check/edit the following files in %%ETCDIR%% as described in https:/ - acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services) - profiles.yaml: remediation policies (ban, duration, etc) -Then you can enable the daemon via sysrc and run it. +Then you can enable the service and run it. ---------- -# sysrc crowdsec_enable="YES" -crowdsec_enable: NO -> YES +# service crowdsec enable +crowdsec enabled in /etc/rc.conf # service crowdsec start ---------- diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in index 2364169f4425..b5b6fd2565c5 100644 --- a/security/crowdsec/files/upgrade-hub.in +++ b/security/crowdsec/files/upgrade-hub.in @@ -1,16 +1,17 @@ #!/bin/sh -test -x /usr/local/bin/cscli || exit 0 +test -x %%PREFIX%%/bin/cscli || exit 0 + +# splay hub upgrade and crowdsec reload +sleep "$(jot -r 1 1 300)" # favor the opnsense plugin's cron if it's there test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0 -/usr/local/bin/cscli --error -o human hub update +%%PREFIX%%/bin/cscli --error -o human hub update -upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade) +upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade) if [ -n "$upgraded" ]; then - # splay initial metrics push - sleep "$(jot -r 1 1 60)" service crowdsec onestatus && service crowdsec onereload fi -- cgit v1.2.3