Merge pull request #38 from NethServer/cleanup-6900

Cleanup and fixes for the bouncer container implementation

README.md

@@ -72,22 +72,20 @@ Display the configuration
 
 By default whitelist is enabled to never ban IP on the local network, for test purpose you could disable it
 
-    cscli parsers remove  crowdsecurity/whitelists
+    runagent -m crowdsec1 cscli parsers remove crowdsecurity/whitelists
     systemctl restart crowdsec1
 
-## List Banned IP in nftables sets
+### cscli
 
-Banned IP are contained inside nft sets that you can list by the command line below
+Crowdsec come with a cli tool, available within the application environment. Get a shell with:
 
-- ipv4
-`nft list set ip crowdsec crowdsec-blacklists`
-- ipv6
-`nft list set ip6 crowdsec6 crowdsec6-blacklists`
+    runagent -m crowdsec1 bash -l
 
-### cscli
+Then run the tool as
 
-crowdsec come with a cli, do `cscli --help`, if you want to know on a specific command  `cscli <command> --help`
+    cscli --help
 
+- help on a specific command:  `cscli <command> --help`
 - get a glance : `cscli metrics`
 - see the state of installed bouncers : `cscli bouncers list`
 - see the active decisions(ban): `cscli decisions list`
@@ -111,12 +109,12 @@ crowdsec come with a cli, do `cscli --help`, if you want to know on a specific c
 
 You can see the metrics of crowdsec at https://app.crowdsec.net/, for this purpose you need to create a login for a single user or an organization in the website, then in the top right menu click in `enroll an instance` and retrieve the keys, then enroll your container and restart it.
 
-    cscli console enroll <key>
+    runagent -m crowdsec1 cscli console enroll <key>
     systemctl restart crowdsec1
 
 you can force the enrollment with another key
 
-    cscli console enroll --overwrite <key>
+    runagent -m crowdsec1 cscli console enroll --overwrite <key>
     systemctl restart crowdsec1
 
 Once done you need to accept inside the website the `Instance enroll request`
@@ -127,29 +125,31 @@ To uninstall the instance:
 
     remove-module --no-preserve crowdsec1
 
-## Uninstall the crowdsec binary bouncer
+## Uninstall the old crowdsec binary bouncer
 
 Previous to the version 1.0.6 the bouncer was installed on the host following a repository method, after this version the bouncer is shipped in a full container.
 With the upgrade the service `crowdsec-firewall-bouncer` has been stopped but not removed from the host. For a full cleaning you can
 
 - remove firewalld permanent sets:
-        `firewall-cmd --permanent --delete-ipset=crowdsec-blacklists`
-        `firewall-cmd --permanent --delete-ipset=crowdsec6-blacklists`
+
+      firewall-cmd --permanent --delete-ipset=crowdsec-blacklists
+      firewall-cmd --permanent --delete-ipset=crowdsec6-blacklists
 
 - remove the bouncer on rocky linux
-        `dnf remove -y crowdsec-firewall-bouncer-iptables`
-        `rm /etc/yum.repos.d/crowdsec_crowdsec.repo`
+
+      dnf remove -y crowdsec-firewall-bouncer-iptables
+      rm -rvf /etc/yum.repos.d/crowdsec_crowdsec.repo /etc/crowdsec /usr/local/sbin/cscli
 
 - remove the bouncer on debian
-        `apt-get -y remove crowdsec-firewall-bouncer-iptables`
-        `rm /etc/apt/sources.list.d/crowdsec_crowdsec.list`
+
+      apt-get -y remove crowdsec-firewall-bouncer-iptables
+      rm -rvf /etc/apt/sources.list.d/crowdsec_crowdsec.list /etc/crowdsec /usr/local/sbin/cscli
 
 
 ## Testing
 
 Test the module using the `test-module.sh` script:
 
-
     ./test-module.sh <NODE_ADDR> ghcr.io/nethserver/crowdsec:latest
 
 The tests are made using [Robot Framework](https://robotframework.org/)
@@ -161,4 +161,4 @@ Translated with [Weblate](https://hosted.weblate.org/projects/ns8/).
 To setup the translation process:
 
 - add [GitHub Weblate app](https://docs.weblate.org/en/latest/admin/continuous.html#github-setup) to your repository
-- add your repository to [hosted.weblate.org]((https://hosted.weblate.org) or ask a NethServer developer to add it to ns8 Weblate project
+- add your repository to [hosted.weblate.org](https://hosted.weblate.org) or ask a NethServer developer to add it to ns8 Weblate project

imageroot/actions/create-module/10initialize

@@ -8,49 +8,28 @@
 set -e
 exec 1>&2 # Send any output to stderr, to not alter the action response protocol
 
-install -m 644 "${AGENT_INSTALL_DIR}/crowdsec.service" "/etc/systemd/system/${MODULE_ID}.service"
+# Run with TEST_MODE=true to generate the initial configuration
+mkdir -vp crowdsec_config
+podman run -i --rm --replace --name "${MODULE_ID}-init" \
+    --log-driver=none \
+    --privileged \
+    --network=host \
+    --env=TEST_MODE=true \
+    --volume  ./crowdsec_config:/etc/crowdsec:Z \
+    --volume "${MODULE_ID}-data":/var/lib/crowdsec/data:Z \
+    --volume "${CROWDSEC_JOURNAL}":/run/log/journal \
+    ${CROWDSEC_IMAGE}
+
+install-systemd-units
 
-# create the service to update the crowdsec hub for collections
-tmpfile=$(mktemp)
-trap "rm -f \${tmpfile}" EXIT
-cat <<EOF >${tmpfile}
-[Unit]
-Description=Update the crowdsec HUB
-Requisite=${MODULE_ID}.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/podman exec -ti ${MODULE_ID} cscli hub update
-ExecStart=/usr/bin/podman exec -ti ${MODULE_ID} cscli hub upgrade
-SyslogIdentifier=%N
-EOF
-install -v -m 644 "${tmpfile}" /etc/systemd/system/${MODULE_ID}-upgrade-hub.service
-
-# create the timer to update the crowdsec hub for collections
-tmpfile=$(mktemp)
-trap "rm -f \${tmpfile}" EXIT
-cat <<EOF >${tmpfile}
-[Unit]
-Description=Timer of crowdsec hub update
-
-[Timer]
-OnActiveSec=15 minutes
-OnUnitInactiveSec=15 days
-
-[Install]
-WantedBy=timers.target
-EOF
-install -v -m 644 "${tmpfile}" /etc/systemd/system/${MODULE_ID}-upgrade-hub.timer
-
-systemctl daemon-reload
 systemctl enable --now "${MODULE_ID}.service"
 systemctl enable --now "${MODULE_ID}-upgrade-hub.timer"
 
 # Install default collections
-podman exec -ti ${MODULE_ID} cscli hub update
-podman exec -ti ${MODULE_ID} cscli hub upgrade
+podman exec -i ${MODULE_ID} cscli hub update
+podman exec -i ${MODULE_ID} cscli hub upgrade
 
-podman exec -ti ${MODULE_ID} cscli collections install \
+podman exec -i ${MODULE_ID} cscli collections install \
     crowdsecurity/apache2 \
     crowdsecurity/base-http-scenarios \
     crowdsecurity/dovecot \
@@ -70,4 +49,4 @@ podman exec -ti ${MODULE_ID} cscli collections install \
     crowdsecurity/whitelist-good-actors
 
 # we need it if we want to ban with IP from country
-podman exec -ti ${MODULE_ID} cscli parsers install crowdsecurity/geoip-enrich
+podman exec -i ${MODULE_ID} cscli parsers install crowdsecurity/geoip-enrich

imageroot/actions/create-module/35register-local-bouncer

@@ -10,4 +10,4 @@ set -e
 
 echo "Register the localhost bouncer"
 secret=$(cat secrets/bouncer_keys_firewall.secret)
-podman exec -ti ${MODULE_ID} cscli bouncers add localhost -k "$secret"
+podman exec -i ${MODULE_ID} cscli bouncers add localhost -k "$secret"

imageroot/actions/create-module/50start-bouncer

@@ -8,13 +8,6 @@
 set -e
 exec 1>&2 # Send any output to stderr, to not alter the action response protocol
 
-tmpfile=$(mktemp)
-trap "rm -f \${tmpfile}" EXIT
-envsubst >${tmpfile} <"${AGENT_INSTALL_DIR}/crowdsec-firewall-bouncer.service"
-install -m 644 "${tmpfile}" "/etc/systemd/system/${MODULE_ID}-firewall-bouncer.service"
-# reload and start service
-systemctl daemon-reload
-
 # API server could be slow to start:
 # ignore  bouncer connect error if it fails to start on first run
 systemctl enable --now ${MODULE_ID}-firewall-bouncer.service

imageroot/bin/cscli

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2022 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+if [[ -t 1 ]]; then
+    with_tty=1
+fi
+
+exec podman exec -${with_tty:+t}i "${MODULE_ID}" cscli "${@}"

imageroot/bin/expand-configuration

@@ -35,10 +35,8 @@ template = jenv.get_template('acquis.yaml')
 with open("crowdsec_config/acquis.yaml","w") as f:
     f.write(template.render())
 
-# The first start crowdsec expects other configuration files
-# if these files are not present then the service fails to start
-# we start the first time with the default configuration
-if os.path.isfile("crowdsec_config/config.yaml.local"):
+# expand config.yaml.local
+if True:
     files =["crowdsec_config/config.yaml.local"]
     for f in files:
         try:
@@ -58,8 +56,9 @@ if os.path.isfile("crowdsec_config/config.yaml.local"):
     output = template.render(properties)
     with open("crowdsec_config/config.yaml.local","w") as f:
         f.write(output)
+
 ## template of local_api_credentials.yaml.local
-if os.path.isfile("crowdsec_config/config.yaml.local"):
+if True:
     files =["crowdsec_config/local_api_credentials.yaml.local"]
     for f in files:
         try:

imageroot/bin/install-systemd-units

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2022 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+# install the main controller service
+install -m 644 "${AGENT_INSTALL_DIR}/crowdsec.service" "/etc/systemd/system/${MODULE_ID}.service"
+
+# install the firewall bouncer service
+envsubst <"${AGENT_INSTALL_DIR}/crowdsec-firewall-bouncer.service" >"/etc/systemd/system/${MODULE_ID}-firewall-bouncer.service"
+
+# create the service to update the crowdsec hub for collections
+envsubst <"${AGENT_INSTALL_DIR}/crowdsec-upgrade-hub.service" >"/etc/systemd/system/${MODULE_ID}-upgrade-hub.service"
+
+# create the timer to update the crowdsec hub for collections
+envsubst <"${AGENT_INSTALL_DIR}/crowdsec-upgrade-hub.timer" >"/etc/systemd/system/${MODULE_ID}-upgrade-hub.timer"
+
+# reload and start service
+systemctl daemon-reload

imageroot/crowdsec-firewall-bouncer.service

@@ -23,8 +23,10 @@ LimitNOFILE=65536
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/%N.pid %t/%N.cid
 ExecStartPre=runagent -m ${MODULE_ID} expand-bouncer-configuration
+SuccessExitStatus=1
 ExecStart=/usr/bin/podman run \
     --detach \
+    --init \
     --conmon-pidfile %t/%N.pid \
     --cidfile %t/%N.cid \
     --cgroups=no-conmon \
@@ -36,8 +38,6 @@ ExecStart=/usr/bin/podman run \
     ${CROWDSEC_FIREWALL_BOUNCER_IMAGE}
 ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%N.cid -t 10
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%N.cid
-ExecReload=runagent -m ${MODULE_ID} expand-bouncer-configuration
-ExecReload=/usr/bin/podman kill -s HUP %N
 PIDFile=%t/%N.pid
 Type=forking
 

imageroot/crowdsec-upgrade-hub.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Update the crowdsec HUB
+Requisite=${MODULE_ID}.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/podman exec -i ${MODULE_ID} cscli hub update
+ExecStart=/usr/bin/podman exec -i ${MODULE_ID} cscli hub upgrade
+SyslogIdentifier=%N

imageroot/crowdsec-upgrade-hub.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Timer of crowdsec hub update
+
+[Timer]
+OnActiveSec=15 minutes
+OnUnitInactiveSec=15 days
+
+[Install]
+WantedBy=timers.target

imageroot/crowdsec.service

@@ -24,8 +24,10 @@ ExecStartPre=/bin/mkdir -vp crowdsec_config/postoverflows/s01-whitelist
 ExecStartPre=/bin/mkdir -vp crowdsec_config/parsers/s02-enrich
 ExecStartPre=/usr/local/bin/runagent -m %N expand-configuration
 ExecStartPre=/usr/local/bin/runagent -m %N expand-smarthost
+SuccessExitStatus=143
 ExecStart=/usr/bin/podman run \
     --detach \
+    --init \
     --privileged \
     --conmon-pidfile %t/%N.pid \
     --cidfile %t/%N.cid \