git: 0581f056998e - main - security/crowdsec: update to v1.6.1
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 03 May 2024 14:49:02 UTC
The branch main has been updated by jadawin:
URL: https://cgit.FreeBSD.org/ports/commit/?id=0581f056998e84494c5eecbdd3336f61cfb1cd79
commit 0581f056998e84494c5eecbdd3336f61cfb1cd79
Author: marco <marco@crowdsec.net>
AuthorDate: 2024-04-16 21:25:31 +0000
Commit: Philippe Audeoud <jadawin@FreeBSD.org>
CommitDate: 2024-05-03 13:48:51 +0000
security/crowdsec: update to v1.6.1
- improve rc, postinst scripts
- update upstream to latest stable
- restart service correctly if it crashes
- update hub in postinst (if network available) instead of service start
- use "one{status,stop...}" for compatibility with pfsense
- patch: fix network fs detection
PR: 278713
---
security/crowdsec/Makefile | 6 +-
security/crowdsec/distinfo | 10 +-
security/crowdsec/files/crowdsec.in | 105 +++++++++------------
.../crowdsec/files/patch-pkg_csconfig_database.go | 36 +++++++
.../crowdsec/files/patch-pkg_types_getfstype.go | 8 ++
.../files/patch-pkg_types_getfstype__freebsd.go | 28 ++++++
security/crowdsec/files/pkg-deinstall.in | 6 +-
security/crowdsec/files/pkg-install.in | 14 ++-
security/crowdsec/files/pkg-message.in | 6 +-
security/crowdsec/files/upgrade-hub.in | 11 ++-
10 files changed, 149 insertions(+), 81 deletions(-)
diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile
index 53d3aa5d116b..8878c053dfff 100644
--- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile
@@ -1,7 +1,7 @@
PORTNAME= crowdsec
DISTVERSIONPREFIX= v
-DISTVERSION= 1.6.0
-PORTREVISION= 3
+DISTVERSION= 1.6.1
+PORTREVISION= 1
CATEGORIES= security
MAINTAINER= marco@crowdsec.net
@@ -15,7 +15,7 @@ LIB_DEPENDS= libabsl_base.so:devel/abseil \
libre2.so:devel/re2
USES= go:1.21,modules pkgconfig
-_COMMIT= 4b8e6cd7
+_COMMIT= 0746e0c0
_BUILD_DATE= $$(date -u "+%F_%T")
USE_RC_SUBR= crowdsec
diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo
index 0a0ed29eef9c..9cb7e50d131c 100644
--- a/security/crowdsec/distinfo
+++ b/security/crowdsec/distinfo
@@ -1,5 +1,5 @@
-TIMESTAMP = 1706093904
-SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = bf62cad10105ba50e3e0778651341cb7eca13ff5785c79a206ca8a5d42b90fed
-SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = 10099
-SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = c7cb4870cbcc848cf4c36161021930bc77f490f2701bcebdace6ad27a400a73f
-SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = 1440975
+TIMESTAMP = 1713296982
+SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = b7957886889cef4dd7166ae8996a93d0f2f5071a8b2155c16c190388f71baeee
+SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = 10066
+SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = fbcee972b1c5b24b4b3a278381f2bd8837ca122e302defc747a76123a8c079c9
+SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = 1483959
diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in
index eb72069392a8..703a3045657d 100644
--- a/security/crowdsec/files/crowdsec.in
+++ b/security/crowdsec/files/crowdsec.in
@@ -20,7 +20,6 @@
. /etc/rc.subr
name=crowdsec
-desc="Crowdsec Agent"
rcvar=crowdsec_enable
load_rc_config "$name"
@@ -30,95 +29,81 @@ load_rc_config "$name"
: "${crowdsec_machine_name:=localhost}"
: "${crowdsec_flags:=}"
-pidfile=/var/run/${name}.pid
+pidfile=/var/run/${name}_daemon.pid
+pidfile_crowdsec=/var/run/${name}.pid
required_files="$crowdsec_config"
-command="%%PREFIX%%/bin/${name}"
-start_cmd="${name}_start"
-stop_cmd="${name}_stop"
+command="/usr/sbin/daemon"
+command_crowdsec="%%PREFIX%%/bin/crowdsec"
+command_cscli="%%PREFIX%%/bin/cscli"
+command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}"
+reload_cmd="${name}_reload"
start_precmd="${name}_precmd"
configtest_cmd="${name}_configtest"
+reload_precmd="${name}_configtest"
+restart_precmd="${name}_configtest"
+stop_precmd="${name}_stop_precmd"
+stop_postcmd="${name}_stop_postcmd"
extra_commands="configtest reload"
+crowdsec_stop_precmd() {
+ # take note of the pid, because sbin/daemon will remove the file
+ # without waiting for crowdsec to exit
+ if [ -r "$pidfile_crowdsec" ]; then
+ _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")"
+ export _CROWDSECPID
+ fi
+}
+
+crowdsec_stop_postcmd() {
+ # wait for process to exit before restarting, or it will find the http port in use
+ if [ -n "$_CROWDSECPID" ]; then
+ wait_for_pids "$_CROWDSECPID"
+ fi
+}
+
crowdsec_precmd() {
cs_cli() {
- "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@"
+ "$command_cscli" -c "$crowdsec_config" "$@"
}
+
Config() {
cs_cli config show --key "Config.$1"
}
- HUB_DIR=$(Config ConfigPaths.HubDir)
- if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then
- echo "Fetching hub inventory"
- cs_cli hub update || :
- fi
-
- CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
-
# Is the LAPI enabled on this node?
- if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then
-
- # There are no machines, we create the main one
- if [ "$(cs_cli machines list -o json)" = "[]" ]; then
+ if [ "$(Config API.Server.Enable)" != "false" ]; then
+ # There are no machines, we create one for cscli & log processor
+ if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then
echo "Registering LAPI"
cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || :
fi
+ CONFIG_DIR=$(Config ConfigPaths.ConfigDir)
+
# Register to the central server to receive the community blocklist and more
if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then
echo "Registering CAPI"
cs_cli capi register || :
fi
-
fi
- # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet.
- # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \
- # cs_cli collections install crowdsecurity/freebsd || :
-
- # So we just check for the file
- if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then
+ # install the collection for the first time, or if it has been removed
+ cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \
cs_cli collections install crowdsecurity/freebsd || :
- fi
}
-crowdsec_stop()
-{
- if [ ! -f "$pidfile" ]; then
- echo "${name} is not running."
- return
- fi
- pid=$(cat "$pidfile")
- if kill -0 "$pid" >/dev/null 2>&1; then
- echo "Stopping ${name}."
- kill -s TERM "$pid" >/dev/null 2>&1
- # shellcheck disable=SC2034
- for i in $(seq 1 20); do
- sleep 1
- if ! kill -0 "$pid" >/dev/null 2>&1; then
- rm -f "$pidfile"
- return
- fi
- done
- echo "Timeout, terminating ${name} with SIGKILL."
- kill -s KILL "$pid" >/dev/null 2>&1
- rm -f "$pidfile"
- else
- echo "${name} is not running."
+crowdsec_configtest() {
+ echo "Performing sanity check on ${name} configuration."
+ if ! "$command_crowdsec" -c "$crowdsec_config" -t -error; then
+ exit 1
fi
+ echo "Configuration test OK"
}
-crowdsec_start()
-{
- /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \
- "$command" -c "$crowdsec_config" ${crowdsec_flags}
-}
-
-crowdsec_configtest()
-{
- echo "Performing sanity check on ${name} configuration."
- if "$command" -c "$crowdsec_config" -t -error; then
- echo "Configuration test OK"
+crowdsec_reload() {
+ echo "Reloading configuration"
+ if [ -r "$pidfile_crowdsec" ]; then
+ kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")"
fi
}
diff --git a/security/crowdsec/files/patch-pkg_csconfig_database.go b/security/crowdsec/files/patch-pkg_csconfig_database.go
new file mode 100644
index 000000000000..c34546376722
--- /dev/null
+++ b/security/crowdsec/files/patch-pkg_csconfig_database.go
@@ -0,0 +1,36 @@
+--- pkg/csconfig/database.go.orig 2024-04-24 21:31:39 UTC
++++ pkg/csconfig/database.go
+@@ -76,26 +76,24 @@ func (c *Config) LoadDBConfig(inCli bool) error {
+ if c.DbConfig.UseWal == nil {
+ dbDir := filepath.Dir(c.DbConfig.DbPath)
+ isNetwork, fsType, err := types.IsNetworkFS(dbDir)
+- if err != nil {
++ switch {
++ case err != nil:
+ log.Warnf("unable to determine if database is on network filesystem: %s", err)
+ log.Warning("You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.")
+- return nil
+- }
+- if isNetwork {
++ case isNetwork:
+ log.Debugf("database is on network filesystem (%s), setting useWal to false", fsType)
+ c.DbConfig.UseWal = ptr.Of(false)
+- } else {
++ default:
+ log.Debugf("database is on local filesystem (%s), setting useWal to true", fsType)
+ c.DbConfig.UseWal = ptr.Of(true)
+ }
+ } else if *c.DbConfig.UseWal {
+ dbDir := filepath.Dir(c.DbConfig.DbPath)
+ isNetwork, fsType, err := types.IsNetworkFS(dbDir)
+- if err != nil {
++ switch {
++ case err != nil:
+ log.Warnf("unable to determine if database is on network filesystem: %s", err)
+- return nil
+- }
+- if isNetwork {
++ case isNetwork:
+ log.Warnf("database seems to be stored on a network share (%s), but useWal is set to true. Proceed at your own risk.", fsType)
+ }
+ }
diff --git a/security/crowdsec/files/patch-pkg_types_getfstype.go b/security/crowdsec/files/patch-pkg_types_getfstype.go
new file mode 100644
index 000000000000..9b9775265421
--- /dev/null
+++ b/security/crowdsec/files/patch-pkg_types_getfstype.go
@@ -0,0 +1,8 @@
+--- pkg/types/getfstype.go.orig 2024-04-24 21:23:59 UTC
++++ pkg/types/getfstype.go
+@@ -1,4 +1,4 @@
+-//go:build !windows
++//go:build !windows && !freebsd
+
+ package types
+
diff --git a/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
new file mode 100644
index 000000000000..0fe3a5157120
--- /dev/null
+++ b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go
@@ -0,0 +1,28 @@
+--- pkg/types/getfstype_freebsd.go.orig 2024-04-24 21:25:32 UTC
++++ pkg/types/getfstype_freebsd.go
+@@ -0,0 +1,25 @@
++//go:build freebsd
++
++package types
++
++import (
++ "fmt"
++ "syscall"
++)
++
++func GetFSType(path string) (string, error) {
++ var fsStat syscall.Statfs_t
++
++ if err := syscall.Statfs(path, &fsStat); err != nil {
++ return "", fmt.Errorf("failed to get filesystem type: %w", err)
++ }
++
++ bs := fsStat.Fstypename
++
++ b := make([]byte, len(bs))
++ for i, v := range bs {
++ b[i] = byte(v)
++ }
++
++ return string(b), nil
++}
diff --git a/security/crowdsec/files/pkg-deinstall.in b/security/crowdsec/files/pkg-deinstall.in
index 4cee7a613b84..6d60f11d51e6 100644
--- a/security/crowdsec/files/pkg-deinstall.in
+++ b/security/crowdsec/files/pkg-deinstall.in
@@ -1,9 +1,11 @@
#!/bin/sh
+#shellcheck disable=SC2249
case $2 in
"DEINSTALL")
- service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running
- service crowdsec stop 2>/dev/null || :
+ # on pfsense, the service is not "enabled" so status and stop would fail
+ service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running
+ service crowdsec onestop 2>/dev/null || :
;;
esac
diff --git a/security/crowdsec/files/pkg-install.in b/security/crowdsec/files/pkg-install.in
index 74bccb12c1ab..d0a9fe85d3b4 100644
--- a/security/crowdsec/files/pkg-install.in
+++ b/security/crowdsec/files/pkg-install.in
@@ -1,11 +1,19 @@
#!/bin/sh
+# shellcheck disable=SC2249
case $2 in
"POST-INSTALL")
- cscli hub update -o human --error > /dev/null
+ echo "Updating crowdsec hub data"
+ if cscli hub update -o human --error; then
+ cscli hub upgrade -o human --error
+ else
+ echo "Failed to update crowdsec hub data."
+ echo "You can run 'cscli hub update; cscli hub upgrade'"
+ echo "to update manually, or let the cron job do it for you."
+ fi
if [ -e /var/run/crowdsec.running ]; then
- service crowdsec start
- rm -f /var/run/crowdsec.running
+ service crowdsec onestart
+ rm -f /var/run/crowdsec.running
fi
;;
esac
diff --git a/security/crowdsec/files/pkg-message.in b/security/crowdsec/files/pkg-message.in
index b9812a0ed154..8e03e0da776d 100644
--- a/security/crowdsec/files/pkg-message.in
+++ b/security/crowdsec/files/pkg-message.in
@@ -15,11 +15,11 @@ You need to check/edit the following files in %%ETCDIR%% as described in https:/
- acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services)
- profiles.yaml: remediation policies (ban, duration, etc)
-Then you can enable the daemon via sysrc and run it.
+Then you can enable the service and run it.
----------
-# sysrc crowdsec_enable="YES"
-crowdsec_enable: NO -> YES
+# service crowdsec enable
+crowdsec enabled in /etc/rc.conf
# service crowdsec start
----------
diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in
index 2364169f4425..b5b6fd2565c5 100644
--- a/security/crowdsec/files/upgrade-hub.in
+++ b/security/crowdsec/files/upgrade-hub.in
@@ -1,16 +1,17 @@
#!/bin/sh
-test -x /usr/local/bin/cscli || exit 0
+test -x %%PREFIX%%/bin/cscli || exit 0
+
+# splay hub upgrade and crowdsec reload
+sleep "$(jot -r 1 1 300)"
# favor the opnsense plugin's cron if it's there
test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0
-/usr/local/bin/cscli --error -o human hub update
+%%PREFIX%%/bin/cscli --error -o human hub update
-upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade)
+upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade)
if [ -n "$upgraded" ]; then
- # splay initial metrics push
- sleep "$(jot -r 1 1 60)"
service crowdsec onestatus && service crowdsec onereload
fi