Date: Fri, 3 May 2024 14:49:02 GMT
Message-Id: <202405031449.443En2SG051785@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Philippe Audeoud
Subject: git: 0581f056998e - main - security/crowdsec: update to v1.6.1
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: jadawin
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0581f056998e84494c5eecbdd3336f61cfb1cd79

The branch main has been updated by jadawin:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0581f056998e84494c5eecbdd3336f61cfb1cd79

commit 0581f056998e84494c5eecbdd3336f61cfb1cd79
Author:     marco
AuthorDate: 2024-04-16 21:25:31 +0000
Commit:     Philippe Audeoud
CommitDate: 2024-05-03 13:48:51 +0000

    security/crowdsec: update to v1.6.1

    - improve rc, postinst scripts
    - update upstream to latest stable
    - restart service correctly if it crashes
    - update hub in postinst (if network available) instead of service start
    - use "one{status,stop...}" for compatibility with pfsense
    - patch: fix network fs detection

    PR: 278713
---
 security/crowdsec/Makefile                         |   6 +-
 security/crowdsec/distinfo                         |  10 +-
 security/crowdsec/files/crowdsec.in                | 105 +++++++++------------
 .../crowdsec/files/patch-pkg_csconfig_database.go  |  36 +++++++
 .../crowdsec/files/patch-pkg_types_getfstype.go    |   8 ++
 .../files/patch-pkg_types_getfstype__freebsd.go    |  28 ++++++
 security/crowdsec/files/pkg-deinstall.in           |   6 +-
 security/crowdsec/files/pkg-install.in             |  14 ++-
 security/crowdsec/files/pkg-message.in             |   6 +-
 security/crowdsec/files/upgrade-hub.in             |  11 ++-
 10 files changed, 149 insertions(+), 81 deletions(-)

diff --git a/security/crowdsec/Makefile b/security/crowdsec/Makefile index 53d3aa5d116b..8878c053dfff 100644 --- a/security/crowdsec/Makefile
+++ b/security/crowdsec/Makefile @@ -1,7 +1,7 @@ PORTNAME= crowdsec DISTVERSIONPREFIX= v -DISTVERSION= 1.6.0 -PORTREVISION= 3 +DISTVERSION= 1.6.1 +PORTREVISION= 1 CATEGORIES= security MAINTAINER= marco@crowdsec.net @@ -15,7 +15,7 @@ LIB_DEPENDS= libabsl_base.so:devel/abseil \ libre2.so:devel/re2 USES= go:1.21,modules pkgconfig -_COMMIT= 4b8e6cd7 +_COMMIT= 0746e0c0 _BUILD_DATE= $$(date -u "+%F_%T") USE_RC_SUBR= crowdsec diff --git a/security/crowdsec/distinfo b/security/crowdsec/distinfo index 0a0ed29eef9c..9cb7e50d131c 100644 --- a/security/crowdsec/distinfo +++ b/security/crowdsec/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1706093904 -SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = bf62cad10105ba50e3e0778651341cb7eca13ff5785c79a206ca8a5d42b90fed -SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.mod) = 10099 -SHA256 (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = c7cb4870cbcc848cf4c36161021930bc77f490f2701bcebdace6ad27a400a73f -SIZE (go/security_crowdsec/crowdsec-v1.6.0/v1.6.0.zip) = 1440975 +TIMESTAMP = 1713296982 +SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = b7957886889cef4dd7166ae8996a93d0f2f5071a8b2155c16c190388f71baeee +SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.mod) = 10066 +SHA256 (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = fbcee972b1c5b24b4b3a278381f2bd8837ca122e302defc747a76123a8c079c9 +SIZE (go/security_crowdsec/crowdsec-v1.6.1/v1.6.1.zip) = 1483959 diff --git a/security/crowdsec/files/crowdsec.in b/security/crowdsec/files/crowdsec.in index eb72069392a8..703a3045657d 100644 --- a/security/crowdsec/files/crowdsec.in +++ b/security/crowdsec/files/crowdsec.in @@ -20,7 +20,6 @@ . /etc/rc.subr name=crowdsec -desc="Crowdsec Agent" rcvar=crowdsec_enable load_rc_config "$name" 
@@ -30,95 +29,81 @@ load_rc_config "$name" : "${crowdsec_machine_name:=localhost}" : "${crowdsec_flags:=}" -pidfile=/var/run/${name}.pid +pidfile=/var/run/${name}_daemon.pid +pidfile_crowdsec=/var/run/${name}.pid required_files="$crowdsec_config" -command="%%PREFIX%%/bin/${name}" -start_cmd="${name}_start" -stop_cmd="${name}_stop" +command="/usr/sbin/daemon" +command_crowdsec="%%PREFIX%%/bin/crowdsec" +command_cscli="%%PREFIX%%/bin/cscli" +command_args="-f -P ${pidfile} -p ${pidfile_crowdsec} -r -R 10 -t \"${name}\" -- ${command_crowdsec} -c ${crowdsec_config} ${crowdsec_flags}" +reload_cmd="${name}_reload" start_precmd="${name}_precmd" configtest_cmd="${name}_configtest" +reload_precmd="${name}_configtest" +restart_precmd="${name}_configtest" +stop_precmd="${name}_stop_precmd" +stop_postcmd="${name}_stop_postcmd" extra_commands="configtest reload" +crowdsec_stop_precmd() { + # take note of the pid, because sbin/daemon will remove the file + # without waiting for crowdsec to exit + if [ -r "$pidfile_crowdsec" ]; then + _CROWDSECPID="$(check_pidfile "$pidfile_crowdsec" "$command_crowdsec")" + export _CROWDSECPID + fi +} + +crowdsec_stop_postcmd() { + # wait for process to exit before restarting, or it will find the http port in use + if [ -n "$_CROWDSECPID" ]; then + wait_for_pids "$_CROWDSECPID" + fi +} + crowdsec_precmd() { cs_cli() { - "%%PREFIX%%/bin/cscli" -c "${crowdsec_config}" "$@" + "$command_cscli" -c "$crowdsec_config" "$@" } + Config() { cs_cli config show --key "Config.$1" } - HUB_DIR=$(Config ConfigPaths.HubDir) - if ! ls -1qA "$HUB_DIR"/* >/dev/null 2>&1; then - echo "Fetching hub inventory" - cs_cli hub update || : - fi - - CONFIG_DIR=$(Config ConfigPaths.ConfigDir) - # Is the LAPI enabled on this node? 
- if [ "$(cs_cli config show --key Config.API.Server.Enable)" != "false" ]; then - - # There are no machines, we create the main one - if [ "$(cs_cli machines list -o json)" = "[]" ]; then + if [ "$(Config API.Server.Enable)" != "false" ]; then + # There are no machines, we create one for cscli & log processor + if [ "$(cs_cli machines list -o json --error)" = "[]" ]; then echo "Registering LAPI" cs_cli machines add "${crowdsec_machine_name}" --auto --force --error || : fi + CONFIG_DIR=$(Config ConfigPaths.ConfigDir) + # Register to the central server to receive the community blocklist and more if [ ! -s "${CONFIG_DIR}/online_api_credentials.yaml" ]; then echo "Registering CAPI" cs_cli capi register || : fi - fi - # This would work but takes 30secs to timeout while reading the metrics, because crowdsec is not running yet. - # cs_cli collections inspect crowdsecurity/freebsd 2>/dev/null | grep ^installed | grep -q true || \ - # cs_cli collections install crowdsecurity/freebsd || : - - # So we just check for the file - if [ ! -e "${CONFIG_DIR}/collections/freebsd.yaml" ]; then + # install the collection for the first time, or if it has been removed + cs_cli collections inspect crowdsecurity/freebsd --no-metrics 2>/dev/null | grep ^installed | grep -q true || \ cs_cli collections install crowdsecurity/freebsd || : - fi } -crowdsec_stop() -{ - if [ ! -f "$pidfile" ]; then - echo "${name} is not running." - return - fi - pid=$(cat "$pidfile") - if kill -0 "$pid" >/dev/null 2>&1; then - echo "Stopping ${name}." - kill -s TERM "$pid" >/dev/null 2>&1 - # shellcheck disable=SC2034 - for i in $(seq 1 20); do - sleep 1 - if ! kill -0 "$pid" >/dev/null 2>&1; then - rm -f "$pidfile" - return - fi - done - echo "Timeout, terminating ${name} with SIGKILL." - kill -s KILL "$pid" >/dev/null 2>&1 - rm -f "$pidfile" - else - echo "${name} is not running." +crowdsec_configtest() { + echo "Performing sanity check on ${name} configuration." + if ! 
"$command_crowdsec" -c "$crowdsec_config" -t -error; then + exit 1 fi + echo "Configuration test OK" } -crowdsec_start() -{ - /usr/sbin/daemon -f -p "$pidfile" -t "$desc" -- \ - "$command" -c "$crowdsec_config" ${crowdsec_flags} -} - -crowdsec_configtest() -{ - echo "Performing sanity check on ${name} configuration." - if "$command" -c "$crowdsec_config" -t -error; then - echo "Configuration test OK" +crowdsec_reload() { + echo "Reloading configuration" + if [ -r "$pidfile_crowdsec" ]; then + kill -HUP "$(check_pidfile "$pidfile_crowdsec" "${command_crowdsec}")" fi } diff --git a/security/crowdsec/files/patch-pkg_csconfig_database.go b/security/crowdsec/files/patch-pkg_csconfig_database.go new file mode 100644 index 000000000000..c34546376722 --- /dev/null +++ b/security/crowdsec/files/patch-pkg_csconfig_database.go 
@@ -0,0 +1,36 @@ +--- pkg/csconfig/database.go.orig 2024-04-24 21:31:39 UTC ++++ pkg/csconfig/database.go +@@ -76,26 +76,24 @@ func (c *Config) LoadDBConfig(inCli bool) error { + if c.DbConfig.UseWal == nil { + dbDir := filepath.Dir(c.DbConfig.DbPath) + isNetwork, fsType, err := types.IsNetworkFS(dbDir) +- if err != nil { ++ switch { ++ case err != nil: + log.Warnf("unable to determine if database is on network filesystem: %s", err) + log.Warning("You are using sqlite without WAL, this can have a performance impact. If you do not store the database in a network share, set db_config.use_wal to true. Set explicitly to false to disable this warning.") +- return nil +- } +- if isNetwork { ++ case isNetwork: + log.Debugf("database is on network filesystem (%s), setting useWal to false", fsType) + c.DbConfig.UseWal = ptr.Of(false) +- } else { ++ default: + log.Debugf("database is on local filesystem (%s), setting useWal to true", fsType) + c.DbConfig.UseWal = ptr.Of(true) + } + } else if *c.DbConfig.UseWal { + dbDir := filepath.Dir(c.DbConfig.DbPath) + isNetwork, fsType, err := types.IsNetworkFS(dbDir) +- if err != nil { ++ switch { ++ case err != nil: + log.Warnf("unable to determine if database is on network filesystem: %s", err) +- return nil +- } +- if isNetwork { ++ case isNetwork: + log.Warnf("database seems to be stored on a network share (%s), but useWal is set to true. Proceed at your own risk.", fsType) + } + } diff --git a/security/crowdsec/files/patch-pkg_types_getfstype.go b/security/crowdsec/files/patch-pkg_types_getfstype.go new file mode 100644 index 000000000000..9b9775265421 --- /dev/null +++ b/security/crowdsec/files/patch-pkg_types_getfstype.go @@ -0,0 +1,8 @@ +--- pkg/types/getfstype.go.orig 2024-04-24 21:23:59 UTC ++++ pkg/types/getfstype.go +@@ -1,4 +1,4 @@ +-//go:build !windows ++//go:build !windows && !freebsd + + package types + 
diff --git a/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go new file mode 100644 index 000000000000..0fe3a5157120 --- /dev/null +++ b/security/crowdsec/files/patch-pkg_types_getfstype__freebsd.go @@ -0,0 +1,28 @@ +--- pkg/types/getfstype_freebsd.go.orig 2024-04-24 21:25:32 UTC ++++ pkg/types/getfstype_freebsd.go +@@ -0,0 +1,25 @@ ++//go:build freebsd ++ ++package types ++ ++import ( ++ "fmt" ++ "syscall" ++) ++ ++func GetFSType(path string) (string, error) { ++ var fsStat syscall.Statfs_t ++ ++ if err := syscall.Statfs(path, &fsStat); err != nil { ++ return "", fmt.Errorf("failed to get filesystem type: %w", err) ++ } ++ ++ bs := fsStat.Fstypename ++ ++ b := make([]byte, len(bs)) ++ for i, v := range bs { ++ b[i] = byte(v) ++ } ++ ++ return string(b), nil ++} diff --git a/security/crowdsec/files/pkg-deinstall.in b/security/crowdsec/files/pkg-deinstall.in index 4cee7a613b84..6d60f11d51e6 100644 --- a/security/crowdsec/files/pkg-deinstall.in +++ b/security/crowdsec/files/pkg-deinstall.in @@ -1,9 +1,11 @@ #!/bin/sh +#shellcheck disable=SC2249 case $2 in "DEINSTALL") - service crowdsec status 2>/dev/null && touch /var/run/crowdsec.running - service crowdsec stop 2>/dev/null || : + # on pfsense, the service is not "enabled" so status and stop would fail + service crowdsec onestatus 2>/dev/null && touch /var/run/crowdsec.running + service crowdsec onestop 2>/dev/null || : ;; esac diff --git a/security/crowdsec/files/pkg-install.in b/security/crowdsec/files/pkg-install.in index 74bccb12c1ab..d0a9fe85d3b4 100644 --- a/security/crowdsec/files/pkg-install.in +++ b/security/crowdsec/files/pkg-install.in 
@@ -1,11 +1,19 @@ #!/bin/sh +# shellcheck disable=SC2249 case $2 in "POST-INSTALL") - cscli hub update -o human --error > /dev/null + echo "Updating crowdsec hub data" + if cscli hub update -o human --error; then + cscli hub upgrade -o human --error + else + echo "Failed to update crowdsec hub data." + echo "You can run 'cscli hub update; cscli hub upgrade'" + echo "to update manually, or let the cron job do it for you." + fi if [ -e /var/run/crowdsec.running ]; then - service crowdsec start - rm -f /var/run/crowdsec.running + service crowdsec onestart + rm -f /var/run/crowdsec.running fi ;; esac diff --git a/security/crowdsec/files/pkg-message.in b/security/crowdsec/files/pkg-message.in index b9812a0ed154..8e03e0da776d 100644 --- a/security/crowdsec/files/pkg-message.in +++ b/security/crowdsec/files/pkg-message.in @@ -15,11 +15,11 @@ You need to check/edit the following files in %%ETCDIR%% as described in https:/ - acquis.yaml, acquis.d: datasource configuration (this port does not include automatic discovery of the running services) - profiles.yaml: remediation policies (ban, duration, etc) -Then you can enable the daemon via sysrc and run it. +Then you can enable the service and run it. ---------- -# sysrc crowdsec_enable="YES" -crowdsec_enable: NO -> YES +# service crowdsec enable +crowdsec enabled in /etc/rc.conf # service crowdsec start ---------- diff --git a/security/crowdsec/files/upgrade-hub.in b/security/crowdsec/files/upgrade-hub.in index 2364169f4425..b5b6fd2565c5 100644 --- a/security/crowdsec/files/upgrade-hub.in +++ b/security/crowdsec/files/upgrade-hub.in 
@@ -1,16 +1,17 @@ #!/bin/sh -test -x /usr/local/bin/cscli || exit 0 +test -x %%PREFIX%%/bin/cscli || exit 0 + +# splay hub upgrade and crowdsec reload +sleep "$(jot -r 1 1 300)" # favor the opnsense plugin's cron if it's there test -e /usr/local/etc/cron.d/oscrowdsec.cron && exit 0 -/usr/local/bin/cscli --error -o human hub update +%%PREFIX%%/bin/cscli --error -o human hub update -upgraded=$(/usr/local/bin/cscli --error -o human hub upgrade) +upgraded=$(%%PREFIX%%/bin/cscli --error -o human hub upgrade) if [ -n "$upgraded" ]; then - # splay initial metrics push - sleep "$(jot -r 1 1 60)" service crowdsec onestatus && service crowdsec onereload fi
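Review bot: In the Makefile hunk, PORTREVISION is set to 1 in the same change that moves DISTVERSION from 1.6.0 to 1.6.1; the ports convention is to reset PORTREVISION (drop the line) whenever the upstream version changes, so this should be 0 unless a 1.6.1 package with revision 0 was already published. The `_COMMIT= 0746e0c0` bump is also unexplained: nothing in the diff ties that short hash to the v1.6.1 tag, so a line in the commit message saying how it was obtained would let reviewers verify it.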
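Review bot: In the crowdsec.in hunk, `crowdsec_stop_postcmd` calls `wait_for_pids "$_CROWDSECPID"` with no upper bound, while the `crowdsec_stop` function it replaces gave up after 20 seconds and sent SIGKILL; if crowdsec does not exit on SIGTERM, `service crowdsec stop` and `restart` now block forever. Keep a bounded wait with a SIGKILL fallback (a `kill -0` loop with a timeout) before or instead of `wait_for_pids`. Two smaller points: the precmd no longer runs `cs_cli hub update` when the hub directory is empty, so on a host where the POST-INSTALL update failed for lack of network, `cs_cli collections install crowdsecurity/freebsd || :` fails silently on first start and nothing later installs the collection (upgrade-hub.in only runs update and upgrade); and `crowdsec_configtest` uses `exit 1` where `return 1` is what run_rc_command expects from a precmd, so a failed config test terminates the whole rc script rather than reporting a status that `rc_force` could override.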
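Review bot: In the patch-pkg_csconfig_database.go hunk, both `if err != nil` branches previously ended with `return nil`, which returned from LoadDBConfig as a whole; the switch rewrite drops those returns, so when IsNetworkFS fails execution now continues with whatever follows this block (not visible in the hunk), with UseWal still unset in the first branch. That looks intentional, since the rest of the function otherwise never ran on a detection error, but the behaviour change is not obvious from the diff and deserves more than "patch: fix network fs detection" in the commit message.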
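Review bot: In the patch-pkg_types_getfstype__freebsd.go hunk, `GetFSType` copies every element of `fsStat.Fstypename`, a fixed-size array, so the returned string keeps the zero padding that follows the real name; an equality test against "nfs" or "cifs" in the caller will then never match, which defeats the network filesystem detection this patch is meant to fix, and the name is printed with embedded NULs in the log lines of the database.go hunk. Stop copying at the first zero byte and slice to that length, e.g. `n := 0; for n < len(bs) && bs[n] != 0 { n++ }` followed by `return string(b[:n]), nil`.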
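Review bot: In the pkg-deinstall.in hunk the directive is written `#shellcheck disable=SC2249` while the pkg-install.in hunk in the same commit writes `# shellcheck disable=SC2249`; use the spaced form in both so the two scripts stay consistent.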
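Review bot: In the pkg-install.in hunk `cscli` is invoked by bare name, while upgrade-hub.in in the same commit switches to `%%PREFIX%%/bin/cscli`; use the substituted path here too so the POST-INSTALL step does not depend on PATH. Only `cscli hub update` is checked: a failing `cscli hub upgrade` is silent, so the same fallback message ("You can run 'cscli hub update; cscli hub upgrade' ...") should cover the upgrade step as well.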
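Review bot: In the upgrade-hub.in hunk the `sleep "$(jot -r 1 1 300)"` splay runs before the opnsense check, so a host that exits on `test -e /usr/local/etc/cron.d/oscrowdsec.cron` still sleeps up to five minutes on every cron run; move the sleep below that test. The opnsense path is also left as a hardcoded /usr/local while the cscli invocations became `%%PREFIX%%`; if that is deliberate because the plugin always installs there, a short comment would keep a future cleanup from "fixing" it.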