diff --git a/.docker/docker-entrypoint.sh b/.docker/docker-entrypoint.sh
index f1f4c471..0a786b50 100755
--- a/.docker/docker-entrypoint.sh
+++ b/.docker/docker-entrypoint.sh
@@ -189,22 +189,42 @@ if command -v cscli >/dev/null; then
 # Initialize persistent config if key files are missing
 if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
 echo "Initializing persistent CrowdSec configuration..."
+
+ # Check if .dist has content
 if [ -d "/etc/crowdsec.dist" ] && [ -n "$(ls -A /etc/crowdsec.dist 2>/dev/null)" ]; then
- cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/" || {
+ echo "Copying config from /etc/crowdsec.dist..."
+ if ! cp -r /etc/crowdsec.dist/* "$CS_CONFIG_DIR/"; then
 echo "ERROR: Failed to copy config from /etc/crowdsec.dist"
+ echo "DEBUG: Contents of /etc/crowdsec.dist:"
+ ls -la /etc/crowdsec.dist/
 exit 1
- }
- echo "Successfully initialized config from .dist directory"
+ fi
+
+ # Verify critical files were copied
+ if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then
+ echo "ERROR: config.yaml was not copied to $CS_CONFIG_DIR"
+ echo "DEBUG: Contents of $CS_CONFIG_DIR after copy:"
+ ls -la "$CS_CONFIG_DIR/"
+ exit 1
+ fi
+ echo "✓ Successfully initialized config from .dist directory"
 elif [ -d "/etc/crowdsec" ] && [ ! -L "/etc/crowdsec" ] && [ -n "$(ls -A /etc/crowdsec 2>/dev/null)" ]; then
- cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/" || {
- echo "ERROR: Failed to copy config from /etc/crowdsec"
+ echo "Copying config from /etc/crowdsec (fallback)..."
+ if ! cp -r /etc/crowdsec/* "$CS_CONFIG_DIR/"; then
+ echo "ERROR: Failed to copy config from /etc/crowdsec (fallback)"
 exit 1
- }
- echo "Successfully initialized config from /etc/crowdsec"
+ fi
+ echo "✓ Successfully initialized config from /etc/crowdsec"
 else
- echo "ERROR: No config source found (neither .dist nor /etc/crowdsec available)"
+ echo "ERROR: No config source found!"
+ echo "DEBUG: /etc/crowdsec.dist contents:"
+ ls -la /etc/crowdsec.dist/ 2>/dev/null || echo " (directory not found or empty)"
+ echo "DEBUG: /etc/crowdsec contents:"
+ ls -la /etc/crowdsec 2>/dev/null || echo " (directory not found or empty)"
 exit 1
 fi
+ else
+ echo "✓ Persistent config already exists: $CS_CONFIG_DIR/config.yaml"
 fi
 
 # Verify symlink exists (created at build time)
@@ -212,10 +232,24 @@ if command -v cscli >/dev/null; then
 # Non-root users cannot create symlinks in /etc, so this must be done at build time
 if [ -L "/etc/crowdsec" ]; then
 echo "CrowdSec config symlink verified: /etc/crowdsec -> $CS_CONFIG_DIR"
+
+ # Verify the symlink target is accessible and has config.yaml
+ if [ ! -f "/etc/crowdsec/config.yaml" ]; then
+ echo "ERROR: /etc/crowdsec/config.yaml is not accessible via symlink"
+ echo "DEBUG: Symlink target verification:"
+ ls -la /etc/crowdsec 2>/dev/null || echo " (symlink broken or missing)"
+ echo "DEBUG: Directory contents:"
+ ls -la "$CS_CONFIG_DIR/" 2>/dev/null | head -10 || echo " (directory not found)"
+ exit 1
+ fi
+ echo "✓ /etc/crowdsec/config.yaml is accessible via symlink"
 else
- echo "WARNING: /etc/crowdsec symlink not found. This may indicate a build issue."
+ echo "ERROR: /etc/crowdsec symlink not found"
 echo "Expected: /etc/crowdsec -> /app/data/crowdsec/config"
- # Try to continue anyway - config may still work if CrowdSec uses CFG env var
+ echo "This indicates a critical build-time issue. Symlink must be created at build time as root."
+ echo "DEBUG: Directory check:"
+ ls -la /etc/ | grep crowdsec || echo " (no crowdsec entry found)"
+ exit 1
 fi
 
 # Create/update acquisition config for Caddy logs
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 977ee907..285c1838 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
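Review bot: The fallback branch (`elif [ -d "/etc/crowdsec" ] ...`) still prints `✓ Successfully initialized config from /etc/crowdsec` without the post-copy `config.yaml` check that the .dist branch gained, so a non-empty source directory that lacks `config.yaml` passes here and the failure only surfaces later at the symlink verification. Hoisting the check after the whole if/elif/else so both copy paths share it, `if [ ! -f "$CS_CONFIG_DIR/config.yaml" ]; then echo "ERROR: config.yaml missing in $CS_CONFIG_DIR" >&2; exit 1; fi`, keeps the two paths consistent. The new ERROR/DEBUG lines go to stdout; `>&2` would keep them separable from normal startup output in the container log. Both `cp` calls and the new `ls -la "$CS_CONFIG_DIR/"` depend on `CS_CONFIG_DIR` being non-empty, which is set outside this hunk; if it is not already asserted there, `: "${CS_CONFIG_DIR:?}"` ahead of this block stops the copy from landing in `/`. The enclosing `if command -v cscli` block begins before and ends after the hunk.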
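Review bot: On the new line `ls -la "$CS_CONFIG_DIR/" 2>/dev/null | head -10 || echo " (directory not found)"` the `||` applies to the whole pipeline, whose status is that of `head`, so when `ls` fails the fallback text is never printed and the DEBUG section is silently empty. Writing it as `if [ -d "$CS_CONFIG_DIR" ]; then ls -la "$CS_CONFIG_DIR/" | head -10; else echo " (directory not found)"; fi` fixes it; the same `| head ... || echo` pattern appears in the docker-build.yml hunk (both `docker exec ... | head -20` lines) and in the Dockerfile hunk at +420 (`ls -la /etc/crowdsec.dist/ | head -10`), where the `RUN` shell has no pipefail either. Separately, the new `-f /etc/crowdsec/config.yaml` check proves a config is reachable through the link but not that the link points at `$CS_CONFIG_DIR` as the preceding "verified" message states; `[ "$(readlink -f /etc/crowdsec)" = "$(readlink -f "$CS_CONFIG_DIR")" ]` would make that message true. The enclosing `if command -v cscli` block begins before and ends after the hunk.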
@@ -863,7 +863,30 @@ jobs:
 
 - name: Check container logs
 if: always()
- run: docker logs test-container
+ run: |
+ echo "=== Charon Container Logs ==="
+ docker logs test-container || echo "ERROR: Could not retrieve container logs"
+
+ echo ""
+ echo "=== Docker Container Status ==="
+ docker inspect test-container --format='Status: {{.State.Status}}, Exit Code: {{.State.ExitCode}}' || echo "Container not found"
+
+ echo ""
+ echo "=== CrowdSec Configuration Verification ==="
+ echo "Checking if /etc/crowdsec/config.yaml is accessible in container:"
+ docker exec test-container test -f /etc/crowdsec/config.yaml && echo "✓ config.yaml found" || echo "✗ config.yaml NOT found"
+
+ echo ""
+ echo "Checking CrowdSec symlink:"
+ docker exec test-container ls -la /etc/ | grep crowdsec || echo "No crowdsec entry in /etc"
+
+ echo ""
+ echo "Checking /app/data/crowdsec/config/ contents:"
+ docker exec test-container ls -la /app/data/crowdsec/config/ 2>/dev/null | head -20 || echo "Directory not found or empty"
+
+ echo ""
+ echo "Checking /etc/crowdsec.dist/ contents:"
+ docker exec test-container ls -la /etc/crowdsec.dist/ 2>/dev/null | head -20 || echo "Directory not found or empty"
 
 - name: Stop container
 if: always()
diff --git a/Dockerfile b/Dockerfile
index d7628c43..bfb3d641 100644
--- a/Dockerfile
+++ b/Dockerfile
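Review bot: The new `run:` block prints ✓/✗ for `test -f /etc/crowdsec/config.yaml`, but every command in it is guarded by `|| echo ...`, so the step exits 0 whatever it finds and a missing config in the test container never fails the job; the only way to notice is to read the log. If this is meant as verification rather than diagnostics, keep this `if: always()` step as the log dump and add a separate step that runs `docker exec test-container test -f /etc/crowdsec/config.yaml` unguarded so the job fails on a regression. No `shell:` key is visible in the hunk; without an explicit `shell: bash` the default `bash -e` does not enable pipefail, which matters for the two `| head -20 || echo` lines whose fallback never runs. The step list continues outside the hunk.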
@@ -420,13 +420,25 @@ RUN setcap 'cap_net_bind_service=+ep' /usr/bin/caddy
 # This ensures we don't have stdlib vulnerabilities from older Go versions
 COPY --from=crowdsec-builder /crowdsec-out/crowdsec /usr/local/bin/crowdsec
 COPY --from=crowdsec-builder /crowdsec-out/cscli /usr/local/bin/cscli
+# Copy CrowdSec configuration files to .dist directory (will be used at runtime)
 COPY --from=crowdsec-builder /crowdsec-out/config /etc/crowdsec.dist
+# Verify config files were copied successfully
+RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]; then \
+ echo "WARNING: config.yaml not found in /etc/crowdsec.dist"; \
+ echo "Available files in /etc/crowdsec.dist:"; \
+ ls -la /etc/crowdsec.dist/ 2>/dev/null || echo "Directory empty or missing"; \
+ else \
+ echo "✓ config.yaml found in /etc/crowdsec.dist"; \
+ fi
 
-# Verify CrowdSec binaries
+# Verify CrowdSec binaries and configuration
 RUN chmod +x /usr/local/bin/crowdsec /usr/local/bin/cscli 2>/dev/null || true; \
 if [ -x /usr/local/bin/cscli ]; then \
 echo "CrowdSec installed (built from source with Go 1.25):"; \
 cscli version || echo "CrowdSec version check failed"; \
+ echo ""; \
+ echo "Configuration source: /etc/crowdsec.dist"; \
+ ls -la /etc/crowdsec.dist/ | head -10 || echo "ERROR: /etc/crowdsec.dist directory not found"; \
 else \
 echo "CrowdSec not available for this architecture"; \
 fi
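Review bot: The new `RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]` step only prints a WARNING and lets the build succeed, while the entrypoint changed in this same commit now exits 1 when that file is absent, so a bad builder output is discovered at the first container start instead of at build time; adding `exit 1;` after the `ls -la` line in the warning branch fails the build where the problem is cheapest to fix. The same warn-and-continue check is repeated in the hunk at +450, which also only warns and adds a second layer with no effect once this one exists; one of the two can go. If the intent really is to allow images without CrowdSec config (the `RUN chmod` step's "not available for this architecture" branch suggests some builds lack it), the comment above the check should say so explicitly, e.g. `# Warn only: arch builds without cscli ship no config; the entrypoint enforces presence at runtime`.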
@@ -438,11 +450,14 @@ RUN mkdir -p /var/lib/crowdsec/data /var/log/crowdsec /var/log/caddy \
 chown -R charon:charon /var/lib/crowdsec /var/log/crowdsec \
 /app/data/crowdsec
 
-# Generate CrowdSec default configs to .dist directory
-RUN if command -v cscli >/dev/null; then \
- mkdir -p /etc/crowdsec.dist && \
- cscli config restore /etc/crowdsec.dist/ || \
- cp -r /etc/crowdsec/* /etc/crowdsec.dist/ 2>/dev/null || true; \
+# Ensure config.yaml exists in .dist (required for runtime)
+# Skip cscli config restore at build time (no valid /etc/crowdsec at this stage)
+# The runtime entrypoint will handle config initialization from .dist
+RUN if [ ! -f /etc/crowdsec.dist/config.yaml ]; then \
+ echo "⚠️ WARNING: config.yaml not in /etc/crowdsec.dist after builder COPY"; \
+ echo " This file is critical for CrowdSec initialization at runtime"; \
+ else \
+ echo "✓ /etc/crowdsec.dist/config.yaml verified"; \
 fi
 
 # Copy CrowdSec configuration templates from source