Cleanup and fixes for the bouncer container implementation #38

Merged
merged 13 commits into from
Apr 8, 2024

@DavidePrincipi DavidePrincipi commented Apr 5, 2024

  • Remove old code
  • Improve module update scenario, by reinstalling Systemd units on each run
  • Avoid the system-wide installation of cscli
  • Fix Systemd errors for unhandled exit-codes
  • Run an initialization container to generate Crowdsec first configuration

See individual commits for more information.

Refs NethServer/dev#6900

Do not attach a terminal, otherwise output can contain terminal
sequences.

Avoid installing app executables under the system dirs.
- system-wide cscli wrapper
- /etc/crowdsec orphan directory

1. The ExecReload hook is not used.

2. The implementation cannot work because the configuration file is
   copied in the container only when it is restarted.

Since the journal is not filtered by modules, restart is no longer
required.

Systemd units are templates: automatize their expansion on each update,
to ease the current upgrade and future ones.

Restart both crowdsec and bouncer services.

- Ensure the bouncer does not daemonize itself
- Run container with --init to ensure zombies are reaped
- Bouncer: systemd unit ignores exit code 1, returned also with SIGTERM
- Controller: systemd unit ignores exit code 143 (SIGTERM)

@DavidePrincipi DavidePrincipi requested a review from stephdl April 5, 2024 07:36
@DavidePrincipi DavidePrincipi marked this pull request as draft April 5, 2024 08:39
The bouncer "daemonize" option is deprecated

Run an initialization container with TEST_MODE=true, just to generate the
initial Crowdsec configuration.

Configuration is written inside the ./crowdsec_config directory, which
is mounted as a volume.

The unit of the old package-based bouncer must be disabled and the
update code triggered even if the service is only stopped.

@DavidePrincipi DavidePrincipi marked this pull request as ready for review April 5, 2024 10:27
@DavidePrincipi DavidePrincipi requested a review from stephdl April 5, 2024 10:29
The text label refers to the old "Smarthost" name.
@DavidePrincipi DavidePrincipi merged commit a36f72b into main Apr 8, 2024
1 check passed
@DavidePrincipi DavidePrincipi deleted the cleanup-6900 branch April 8, 2024 06:50