fix: CrowdSec configuration handling and verification in entrypoint and Dockerfile
@@ -189,22 +189,42 @@ if command -v cscli >/dev/null; then
|
||||
# Initialize persistent config if key files are missing
|
||||
if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
|
||||
echo "Initializing persistent CrowdSec configuration..."
|
||||
|
||||
# Check if .dist has content
|
||||
if [ -d "/etc/crowdsec.dist" ] && [ -n "$(ls -A /etc/crowdsec.dist 2>/dev/null)" ]; then
|
||||
cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/" || {
|
||||
echo "Copying config from /etc/crowdsec.dist..."
|
||||
if ! cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/"; then
|
||||
echo "ERROR: Failed to copy config from /etc/crowdsec.dist"
|
||||
echo "DEBUG: Contents of /etc/crowdsec.dist:"
|
||||
ls -la /etc/crowdsec.dist/
|
||||
exit 1
|
||||
}
|
||||
echo "Successfully initialized config from .dist directory"
|
||||
fi
|
||||
|
||||
# Verify critical files were copied
|
||||
if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
|
||||
echo "ERROR: config.yaml was not copied to $CS_CONFIG_DIR"
|
||||
echo "DEBUG: Contents of $CS_CONFIG_DIR after copy:"
|
||||
ls -la "$CS_CONFIG_DIR/"
|
||||
exit 1
|
||||
fi
|
||||
echo "✓ Successfully initialized config from .dist directory"
|
||||
elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && [ -n "$(ls -A /etc/crowdsec 2>/dev/null)" ]; then
|
||||
cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/" || {
|
||||
echo "ERROR: Failed to copy config from /etc/crowdsec"
|
||||
echo "Copying config from /etc/crowdsec (fallback)..."
|
||||
if ! cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/"; then
|
||||
echo "ERROR: Failed to copy config from /etc/crowdsec (fallback)"
|
||||
exit 1
|
||||
}
|
||||
echo "Successfully initialized config from /etc/crowdsec"
|
||||
fi
|
||||
echo "✓ Successfully initialized config from /etc/crowdsec"
|
||||
else
|
||||
echo "ERROR: No config source found (neither .dist nor /etc/crowdsec available)"
|
||||
echo "ERROR: No config source found!"
|
||||
echo "DEBUG: /etc/crowdsec.dist contents:"
|
||||
ls -la /etc/crowdsec.dist/ 2>/dev/null || echo " (directory not found or empty)"
|
||||
echo "DEBUG: /etc/crowdsec contents:"
|
||||
ls -la /etc/crowdsec 2>/dev/null || echo " (directory not found or empty)"
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
echo "✓ Persistent config already exists: $CS_CONFIG_DIR/config.yaml"
|
||||
fi
|
||||
|
||||
# Verify symlink exists (created at build time)
|
||||
@@ -212,10 +232,24 @@ if command -v cscli >/dev/null; then
|
||||
# Non-root users cannot create symlinks in /etc, so this must be done at build time
|
||||
if [ -L "/etc/crowdsec" ]; then
|
||||
echo "CrowdSec config symlink verified: /etc/crowdsec -> $CS_CONFIG_DIR"
|
||||
|
||||
# Verify the symlink target is accessible and has config.yaml
|
||||
if [ ! -f "/etc/crowdsec/config.yaml" ]; then
|
||||
echo "ERROR: /etc/crowdsec/config.yaml is not accessible via symlink"
|
||||
echo "DEBUG: Symlink target verification:"
|
||||
ls -la /etc/crowdsec 2>/dev/null || echo " (symlink broken or missing)"
|
||||
echo "DEBUG: Directory contents:"
|
||||
ls -la "$CS_CONFIG_DIR/" 2>/dev/null | head -10 || echo " (directory not found)"
|
||||
exit 1
|
||||
fi
|
||||
echo "✓ /etc/crowdsec/config.yaml is accessible via symlink"
|
||||
else
|
||||
echo "WARNING: /etc/crowdsec symlink not found. This may indicate a build issue."
|
||||
echo "ERROR: /etc/crowdsec symlink not found"
|
||||
echo "Expected: /etc/crowdsec -> /app/data/crowdsec/config"
|
||||
# Try to continue anyway - config may still work if CrowdSec uses CFG env var
|
||||
echo "This indicates a critical build-time issue. Symlink must be created at build time as root."
|
||||
echo "DEBUG: Directory check:"
|
||||
ls -la /etc/ | grep crowdsec || echo " (no crowdsec entry found)"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Create/update acquisition config for Caddy logs
|
||||
|
||||
25
.github/workflows/docker-build.yml
vendored
@@ -863,7 +863,30 @@ jobs:
|
||||
|
||||
- name: Check container logs
|
||||
if: always()
|
||||
run: docker logs test-container
|
||||
run: |
|
||||
echo "=== Charon Container Logs ==="
|
||||
docker logs test-container || echo "ERROR: Could not retrieve container logs"
|
||||
|
||||
echo ""
|
||||
echo "=== Docker Container Status ==="
|
||||
docker inspect test-container --format='Status: {{.State.Status}}, Exit Code: {{.State.ExitCode}}' || echo "Container not found"
|
||||
|
||||
echo ""
|
||||
echo "=== CrowdSec Configuration Verification ==="
|
||||
echo "Checking if /etc/crowdsec/config.yaml is accessible in container:"
|
||||
docker exec test-container test -f /etc/crowdsec/config.yaml && echo "✓ config.yaml found" || echo "✗ config.yaml NOT found"
|
||||
|
||||
echo ""
|
||||
echo "Checking CrowdSec symlink:"
|
||||
docker exec test-container ls -la /etc/ | grep crowdsec || echo "No crowdsec entry in /etc"
|
||||
|
||||
echo ""
|
||||
echo "Checking /app/data/crowdsec/config/ contents:"
|
||||
docker exec test-container ls -la /app/data/crowdsec/config/ 2>/dev/null | head -20 || echo "Directory not found or empty"
|
||||
|
||||
echo ""
|
||||
echo "Checking /etc/crowdsec.dist/ contents:"
|
||||
docker exec test-container ls -la /etc/crowdsec.dist/ 2>/dev/null | head -20 || echo "Directory not found or empty"
|
||||
|
||||
- name: Stop container
|
||||
if: always()
|
||||
|
||||
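Review bot: The `|| echo "Directory not found or empty"` fallback on the two `docker exec test-container ls -la … 2>/dev/null | head -20` lines is attached to `head`, which exits 0 on empty input even when `ls` or `docker exec` fails, so the fallback message never prints and a missing directory is indistinguishable from an empty one in the log. Putting the existence check before the pipeline fixes it, e.g. `docker exec test-container test -d /app/data/crowdsec/config/ && docker exec test-container ls -la /app/data/crowdsec/config/ | head -20 || echo "Directory not found or empty"`, and likewise for the `/etc/crowdsec.dist/` line; the same `| head … || echo` pattern appears in this commit's Dockerfile (`ls -la /etc/crowdsec.dist/ | head -10`) and entrypoint (`head -10`) hunks. Every command in this step also carries an `|| echo` fallback, so the step can never fail; that is appropriate for an `if: always()` diagnostics step, but if the `✓ config.yaml found` check is meant to gate the build, it needs a separate step without the fallback, e.g. `docker exec test-container test -f /etc/crowdsec/config.yaml`.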
27
Dockerfile
@@ -420,13 +420,25 @@ RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy
|
||||
# This ensures we don't have stdlib vulnerabilities from older Go versions
|
||||
COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
|
||||
COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli
|
||||
# Copy CrowdSec configuration files to .dist directory (will be used at runtime)
|
||||
COPY --from=crowdsec-builder /crowdsec-out/config /etc/crowdsec.dist
|
||||
# Verify config files were copied successfully
|
||||
RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]; then \
|
||||
echo "WARNING: config.yaml not found in /etc/crowdsec.dist"; \
|
||||
echo "Available files in /etc/crowdsec.dist:"; \
|
||||
ls -la /etc/crowdsec.dist/ 2>/dev/null || echo "Directory empty or missing"; \
|
||||
else \
|
||||
echo "✓ config.yaml found in /etc/crowdsec.dist"; \
|
||||
fi
|
||||
|
||||
# Verify CrowdSec binaries
|
||||
# Verify CrowdSec binaries and configuration
|
||||
RUN chmod +x /usr/local/bin/crowdsec /usr/local/bin/cscli 2>/dev/null || true; \
|
||||
if [ -x /usr/local/bin/cscli ]; then \
|
||||
echo "CrowdSec installed (built from source with Go 1.25):"; \
|
||||
cscli version || echo "CrowdSec version check failed"; \
|
||||
echo ""; \
|
||||
echo "Configuration source: /etc/crowdsec.dist"; \
|
||||
ls -la /etc/crowdsec.dist/ | head -10 || echo "ERROR: /etc/crowdsec.dist directory not found"; \
|
||||
else \
|
||||
echo "CrowdSec not available for this architecture"; \
|
||||
fi
|
||||
@@ -438,11 +450,14 @@ RUN mkdir -p /var/lib/crowdsec/data /var/log/crowdsec /var/log/caddy \
|
||||
chown -R charon:charon /var/lib/crowdsec /var/log/crowdsec \
|
||||
/app/data/crowdsec
|
||||
|
||||
# Generate CrowdSec default configs to .dist directory
|
||||
RUN if command -v cscli >/dev/null; then \
|
||||
mkdir -p /etc/crowdsec.dist && \
|
||||
cscli config restore /etc/crowdsec.dist/ || \
|
||||
cp -r /etc/crowdsec/* /etc/crowdsec.dist/ 2>/dev/null || true; \
|
||||
# Ensure config.yaml exists in .dist (required for runtime)
|
||||
# Skip cscli config restore at build time (no valid /etc/crowdsec at this stage)
|
||||
# The runtime entrypoint will handle config initialization from .dist
|
||||
RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]; then \
|
||||
echo "⚠️ WARNING: config.yaml not in /etc/crowdsec.dist after builder COPY"; \
|
||||
echo " This file is critical for CrowdSec initialization at runtime"; \
|
||||
else \
|
||||
echo "✓ /etc/crowdsec.dist/config.yaml verified"; \
|
||||
fi
|
||||
|
||||
# Copy CrowdSec configuration templates from source
|
||||
|
||||
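Review bot: The `RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]` check only prints a WARNING and lets the build succeed, while this same commit's entrypoint change (`# Verify critical files were copied`) exits 1 at container start when that file is absent, so a broken image is detected at every deployment instead of once at build time. Failing the build there is the cheaper place to catch it: replace the `then` branch's first echo with `echo "ERROR: config.yaml not found in /etc/crowdsec.dist"; \` and add `exit 1; \` after the `ls -la` line. The second hunk repeats the same warn-only check (`⚠️ WARNING: config.yaml not in /etc/crowdsec.dist after builder COPY`), so one of the two copies can be dropped, and the `ls -la /etc/crowdsec.dist/ | head -10 || echo "ERROR: …"` line has its `||` bound to `head`, which exits 0 even when `ls` fails, so that ERROR message is unreachable as written.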