akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 16 Packages Projects Releases Wiki Activity
3,891 Commits 11 Branches 107 Tags
main
Commit Graph

56 Commits

Author SHA1 Message Date
GitHub Actions
739895d81e fix(security): resolve CrowdSec startup and permission issues 
Fixes CrowdSec not starting automatically on container boot and LAPI
binding failures due to permission issues.

Changes:
- Fix Dockerfile: Add charon:charon ownership for CrowdSec directories
- Move reconciliation from routes.go goroutine to main.go initialization
- Add mutex protection to prevent concurrent reconciliation
- Increase LAPI startup timeout from 30s to 60s
- Add config validation in entrypoint script

Testing:
- Backend coverage: 85.4% ( meets requirement)
- Frontend coverage: 87.01% ( exceeds requirement)
- Security: 0 Critical/High vulnerabilities ( Trivy + Go scans)
- All CrowdSec-specific tests passing ( 100%)

Technical Details:
- Reconciliation now runs synchronously during app initialization
  (after DB migrations, before HTTP server starts)
- Maintains "GUI-controlled" design philosophy per entrypoint docs
- Follows principle of least privilege (charon user, not root)
- No breaking changes to API or behavior

Documentation:
- Implementation guide: docs/implementation/crowdsec_startup_fix_COMPLETE.md
- Migration guide: docs/implementation/crowdsec_startup_fix_MIGRATION.md
- QA report: docs/reports/qa_report_crowdsec_startup_fix.md

Related: #crowdsec-startup-timeout
 2025-12-23 01:59:21 +00:00
GitHub Actions
c71c996444 fix: update Caddy and Charon startup commands to preserve supplementary group privileges 2025-12-22 22:33:46 +00:00
GitHub Actions
60de33e160 fix: enhance Docker socket integration and privilege management in entrypoint script 2025-12-22 22:24:15 +00:00
GitHub Actions
baf822e084 fix: resolve Docker socket permissions and notification page routing 
- Add runtime Docker socket permission detection in entrypoint
  - Detects socket GID and logs helpful deployment guidance
  - Provides three resolution options (root user, group-add, or chmod)
  - Non-intrusive: logs only, doesn't modify permissions

- Fix notification page routing mismatch
  - Move notifications route from /notifications to /settings/notifications
  - Add notifications tab to Settings page with Bell icon
  - Align navigation structure with route definitions

- Enhance Docker API error handling
  - Return 503 (not 500) when Docker daemon unavailable
  - Add DockerUnavailableError type for clear error distinction
  - Implement SSRF hardening (reject arbitrary host values)

- Improve security and testability
  - Move ProxyHost routes to protected auth group
  - Refactor Docker handler tests to use mocks
  - Simplify useDocker hook query enablement logic

Docker socket fix addresses deployment-level permission issue without
code changes. The 503 error correctly signals service unavailability
due to configuration, not application bugs.

Closes #XX (if applicable)
 2025-12-22 21:58:20 +00:00
GitHub Actions
e902774e85 fix(crowdsec): resolve non-root container migration issues 
Container migration from root to non-root (UID 1000) broke CrowdSec startup due to:
- Missing config template population
- Incorrect symlink creation timing
- Permission conflicts on /etc/crowdsec directory

Changes:
- Dockerfile: Generate config templates at build time, remove /etc/crowdsec directory creation
- Entrypoint: Implement proper symlink creation with migration logic, add fail-fast error handling
- Variables: Centralize CrowdSec path management with CS_LOG_DIR

Testing:
-  10/11 CrowdSec verification tests passed
-  Backend coverage: 85.8% (target: 85%)
-  Frontend coverage: 87.01% (target: 85%)
-  Type safety checks passed
-  All linting passed

Fixes issues with CrowdSec not starting after container non-root migration.
 2025-12-22 04:03:04 +00:00
GitHub Actions
05c2045f06 chore: reorganize repository structure 
- Move docker-compose files to .docker/compose/
- Move docker-entrypoint.sh to .docker/
- Move DOCKER.md to .docker/README.md
- Move 16 implementation docs to docs/implementation/
- Delete test artifacts (block_test.txt, caddy_*.json)
- Update all references in Dockerfile, Makefile, tasks, scripts
- Add .github/instructions/structure.instructions.md for enforcement
- Update CHANGELOG.md

Root level reduced from 81 items to ~35 visible items.
 2025-12-21 04:57:31 +00:00