Page MenuHomeFreeBSD
Differential D29489

security/crowdsec: rc script improvements
Needs RevisionPublic
Actions

Authored by crees on Mar 29 2021, 7:59 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Apr 17, 3:04 PM
Unknown Object (File)
Mon, Apr 8, 9:59 PM
Unknown Object (File)
Mon, Apr 8, 9:45 PM
Unknown Object (File)
Dec 23 2023, 3:40 AM
Unknown Object (File)
Dec 13 2023, 9:30 AM
Unknown Object (File)
Dec 12 2023, 7:26 AM
Unknown Object (File)
Dec 11 2023, 2:52 AM
Unknown Object (File)
Dec 10 2023, 4:34 PM
View All 41 Files
Subscribers
driesm
mat

Details

Reviewers
sbz
Summary

Check configuration before attempting to start, and also before attempting
to restart. This means that you are not left with a non-working daemon if
you break your config file.

While here, correct style and pet rclint.

PR:
Submitted by:
Reported by:

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 38166
Build 35055: arc lint + arc unit

Event Timeline

crees created this revision.Mar 29 2021, 7:59 PM
Herald added a subscriber: mat. · View Herald TranscriptMar 29 2021, 7:59 PM
crees requested review of this revision.Mar 29 2021, 7:59 PM
Harbormaster completed remote builds in B38166: Diff 86521.Mar 29 2021, 7:59 PM
driesm added a subscriber: driesm.Mar 29 2021, 8:17 PM

Hi Crees good improvements! I only have one small remark inline.

security/crowdsec/files/crowdsec.in
33

No need to explicitly append crowdsec_flags to command args.
Now this will result in the flags being appended twice to the ran command.

This is actually something that is undocumented. Every rc script respects the $name_flags from rc.conf even if not defined in the rc script. It will auto append to the ran command.

sbz added inline comments.Mar 29 2021, 9:31 PM
security/crowdsec/files/crowdsec.in
33

Thanks @crees for the suggestions. I was not sure if to put the ${x_flags} is valid.

The value I'm using currently in rc.conf is the following:

crowdsec_flags='-info`

As documented in the article about rc-scripting, it could create an issue

"Never include dashed options, like -X or --foo, in command_args."
"The contents of command_args will appear at the end of the final command line, hence they are likely to follow arguments present in ${name}_flags; but most commands will not recognize dashed options after ordinary arguments."

In that case -info will be passed to the daemon command arguments which is not correct and lead to the following when trying to sudo service crowdsec start:

I have tested it and indeed it's does not act as expected

Performing sanity check on crowdsec configuration.
Starting crowdsec.
daemon: illegal option -- i
usage: daemon [-cfrS] [-p child_pidfile] [-P supervisor_pidfile]
              [-u user] [-o output_file] [-t title]
              [-l syslog_facility] [-s syslog_priority]
              [-T syslog_tag] [-m output_mask] [-R restart_delay_secs]
command arguments ...
/usr/local/etc/rc.d/crowdsec: WARNING: failed to start crowdsec
sbz added inline comments.Mar 29 2021, 9:41 PM
security/crowdsec/files/crowdsec.in
27

Could you explain the difference here? of removing the quote to add them again in command_args?

sbz added inline comments.Mar 29 2021, 9:43 PM
security/crowdsec/files/crowdsec.in
35

Thanks for that, it totally make sense to test the config with the *_precmd before starting

mat added inline comments.Mar 30 2021, 8:23 AM
security/crowdsec/files/crowdsec.in
27

The quotes are not needed here, sh will parse everything up to the last } as being part of the default value, even if it has spaces:

❯ cat test.sh

: ${crowdsec_config:=%%PREFIX%%/e tc/crowdsec/config.yaml}

echo $crowdsec_config

❯ sh -x test.sh  
+ : %%PREFIX%%/e tc/crowdsec/config.yaml
+ echo %%PREFIX%%/e tc/crowdsec/config.yaml
%%PREFIX%%/e tc/crowdsec/config.yaml

But if it has spaces, it needs to be quoted in command_args in order for it to not be splitted into multiple arguments.

sbz requested changes to this revision.Apr 7 2021, 9:56 AM

@crees Just to make it more explicit, I'm all okay for these changes except we have to fixes the glitch that broke the rc script because of the following issue. Here the reproduction steps

  1. echo 'crowdsec_flags="-info"' >> /etc/rc.conf
  2. service crowdsec start

You will end up with the process not starting because -info is passed as daemon(8) argument and the following message:

# grep crowdsec /etc/rc.conf
# crowdsec
crowdsec_enable="YES"
crowdsec_config_path="/usr/local/etc/crowdsec/config.yaml"
crowdsec_flags=" -info"
# service crowdsec start
Performing sanity check on crowdsec configuration.
Starting crowdsec.
daemon: illegal option -- i
usage: daemon [-cfrS] [-p child_pidfile] [-P supervisor_pidfile]
              [-u user] [-o output_file] [-t title]
              [-l syslog_facility] [-s syslog_priority]
              [-T syslog_tag] [-m output_mask] [-R restart_delay_secs]
command arguments ...
/usr/local/etc/rc.d/crowdsec: WARNING: failed to start crowdsec

If I remove crowdsec_flags, there is no problem to start.

grep crowdsec /etc/rc.conf
# crowdsec
crowdsec_enable="YES"
crowdsec_config_path="/usr/local/etc/crowdsec/config.yaml"
#crowdsec_flags=" -info"
# service crowdsec start
Performing sanity check on crowdsec configuration.
Starting crowdsec.
# service crowdsec status
crowdsec is running as pid 62333.

Yet I would prefer to keep it, any ideas?

This revision now requires changes to proceed.Apr 7 2021, 9:56 AM
crees added a comment.Apr 8 2021, 1:16 PM

I'll take a look at that.

sbz added a comment.Apr 19 2021, 11:39 AM

@crees Did you have a chance to look deeper?

Revision Contents
Changeset List

PathSize
security/
crowdsec/
1 line
files/
40 lines

Diff 86521

View Options

security/crowdsec/Makefile

Loading...
View Options

security/crowdsec/files/crowdsec.in

Loading...