docker entrypoint/configuration fixes + refactoring (#1959)
This commit is contained in:
parent
3ab6429199
commit
ff6ade73ce
|
@ -1,3 +1,4 @@
|
||||||
# We include .git in the build context because excluding it would break the
|
# We include .git in the build context because excluding it would break the
|
||||||
# "make release" target, which uses git to retrieve the build version and tag.
|
# "make release" target, which uses git to retrieve the build version and tag.
|
||||||
#.git
|
#.git
|
||||||
|
/tests/ansible
|
||||||
|
|
84
Dockerfile
84
Dockerfile
|
@ -4,105 +4,37 @@ ARG GOVERSION=1.19
|
||||||
|
|
||||||
FROM golang:${GOVERSION}-alpine AS build
|
FROM golang:${GOVERSION}-alpine AS build
|
||||||
|
|
||||||
|
RUN go install github.com/mikefarah/yq/v4@v4.30.6
|
||||||
|
|
||||||
WORKDIR /go/src/crowdsec
|
WORKDIR /go/src/crowdsec
|
||||||
|
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# wizard.sh requires GNU coreutils
|
# wizard.sh requires GNU coreutils
|
||||||
RUN apk add --no-cache git gcc libc-dev make bash gettext binutils-gold coreutils && \
|
RUN apk add --no-cache git gcc libc-dev make bash gettext binutils-gold coreutils && \
|
||||||
|
echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \
|
||||||
SYSTEM="docker" make clean release && \
|
SYSTEM="docker" make clean release && \
|
||||||
cd crowdsec-v* && \
|
cd crowdsec-v* && \
|
||||||
./wizard.sh --docker-mode && \
|
./wizard.sh --docker-mode && \
|
||||||
cd - && \
|
cd - >/dev/null && \
|
||||||
cscli hub update && \
|
cscli hub update && \
|
||||||
cscli collections install crowdsecurity/linux && \
|
cscli collections install crowdsecurity/linux && \
|
||||||
cscli parsers install crowdsecurity/whitelists
|
cscli parsers install crowdsecurity/whitelists
|
||||||
|
|
||||||
FROM alpine:latest as build-slim
|
FROM alpine:latest as build-slim
|
||||||
|
|
||||||
RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata yq bash && \
|
RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata bash && \
|
||||||
mkdir -p /staging/etc/crowdsec && \
|
mkdir -p /staging/etc/crowdsec && \
|
||||||
mkdir -p /staging/var/lib/crowdsec && \
|
mkdir -p /staging/var/lib/crowdsec && \
|
||||||
mkdir -p /var/lib/crowdsec/data \
|
mkdir -p /var/lib/crowdsec/data
|
||||||
yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml
|
|
||||||
|
|
||||||
|
COPY --from=build /go/bin/yq /usr/local/bin/yq
|
||||||
COPY --from=build /etc/crowdsec /staging/etc/crowdsec
|
COPY --from=build /etc/crowdsec /staging/etc/crowdsec
|
||||||
COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec
|
COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec
|
||||||
COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
|
COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
|
||||||
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
|
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
|
||||||
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
|
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
|
||||||
|
RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml
|
||||||
# NOTE: setting default values here would overwrite the ones set in config.yaml
|
|
||||||
# every time the container is started. We set the default in docker/config.yaml
|
|
||||||
# and document them in docker/README.md, but keep the variables empty here.
|
|
||||||
|
|
||||||
ENV CONFIG_FILE=/etc/crowdsec/config.yaml
|
|
||||||
ENV LOCAL_API_URL=
|
|
||||||
ENV CUSTOM_HOSTNAME=localhost
|
|
||||||
ENV PLUGIN_DIR=
|
|
||||||
ENV DISABLE_AGENT=false
|
|
||||||
ENV DISABLE_LOCAL_API=false
|
|
||||||
ENV DISABLE_ONLINE_API=false
|
|
||||||
ENV DSN=
|
|
||||||
ENV TYPE=
|
|
||||||
ENV TEST_MODE=false
|
|
||||||
ENV USE_WAL=
|
|
||||||
|
|
||||||
# register to app.crowdsec.net
|
|
||||||
|
|
||||||
ENV ENROLL_INSTANCE_NAME=
|
|
||||||
ENV ENROLL_KEY=
|
|
||||||
ENV ENROLL_TAGS=
|
|
||||||
|
|
||||||
# log verbosity
|
|
||||||
|
|
||||||
ENV LEVEL_TRACE=
|
|
||||||
ENV LEVEL_DEBUG=
|
|
||||||
ENV LEVEL_INFO=
|
|
||||||
|
|
||||||
# TLS setup ----------------------------------- #
|
|
||||||
|
|
||||||
ENV AGENT_USERNAME=
|
|
||||||
ENV AGENT_PASSWORD=
|
|
||||||
|
|
||||||
# TLS setup ----------------------------------- #
|
|
||||||
|
|
||||||
ENV USE_TLS=false
|
|
||||||
ENV INSECURE_SKIP_VERIFY=
|
|
||||||
|
|
||||||
ENV CACERT_FILE=
|
|
||||||
|
|
||||||
ENV LAPI_CERT_FILE=
|
|
||||||
ENV LAPI_KEY_FILE=
|
|
||||||
|
|
||||||
ENV CLIENT_CERT_FILE=
|
|
||||||
ENV CLIENT_KEY_FILE=
|
|
||||||
|
|
||||||
# deprecated in favor of LAPI_*
|
|
||||||
ENV CERT_FILE=
|
|
||||||
ENV KEY_FILE=
|
|
||||||
|
|
||||||
# comma-separated list of allowed OU values for TLS bouncer certificates
|
|
||||||
ENV BOUNCERS_ALLOWED_OU=
|
|
||||||
|
|
||||||
# comma-separated list of allowed OU values for TLS agent certificates
|
|
||||||
ENV AGENTS_ALLOWED_OU=
|
|
||||||
|
|
||||||
# Install the following hub items --------------#
|
|
||||||
|
|
||||||
ENV COLLECTIONS=
|
|
||||||
ENV PARSERS=
|
|
||||||
ENV SCENARIOS=
|
|
||||||
ENV POSTOVERFLOWS=
|
|
||||||
|
|
||||||
# Uninstall the following hub items ------------#
|
|
||||||
|
|
||||||
ENV DISABLE_COLLECTIONS=
|
|
||||||
ENV DISABLE_PARSERS=
|
|
||||||
ENV DISABLE_SCENARIOS=
|
|
||||||
ENV DISABLE_POSTOVERFLOWS=
|
|
||||||
|
|
||||||
ENV METRICS_PORT=
|
|
||||||
|
|
||||||
ENTRYPOINT /bin/bash docker_start.sh
|
ENTRYPOINT /bin/bash docker_start.sh
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,8 @@ ARG GOVERSION=1.19
|
||||||
|
|
||||||
FROM golang:${GOVERSION}-bullseye AS build
|
FROM golang:${GOVERSION}-bullseye AS build
|
||||||
|
|
||||||
|
RUN go install github.com/mikefarah/yq/v4@v4.30.6
|
||||||
|
|
||||||
WORKDIR /go/src/crowdsec
|
WORKDIR /go/src/crowdsec
|
||||||
|
|
||||||
COPY . .
|
COPY . .
|
||||||
|
@ -14,17 +16,20 @@ ENV DEBCONF_NOWARNINGS="yes"
|
||||||
# wizard.sh requires GNU coreutils
|
# wizard.sh requires GNU coreutils
|
||||||
RUN apt-get update && \
|
RUN apt-get update && \
|
||||||
apt-get install -y -q git gcc libc-dev make bash gettext binutils-gold coreutils tzdata && \
|
apt-get install -y -q git gcc libc-dev make bash gettext binutils-gold coreutils tzdata && \
|
||||||
SYSTEM="docker" make release && \
|
echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \
|
||||||
|
SYSTEM="docker" make clean release && \
|
||||||
cd crowdsec-v* && \
|
cd crowdsec-v* && \
|
||||||
./wizard.sh --docker-mode && \
|
./wizard.sh --docker-mode && \
|
||||||
cd - && \
|
cd - >/dev/null && \
|
||||||
cscli hub update && \
|
cscli hub update && \
|
||||||
cscli collections install crowdsecurity/linux && \
|
cscli collections install crowdsecurity/linux && \
|
||||||
cscli parsers install crowdsecurity/whitelists && \
|
cscli parsers install crowdsecurity/whitelists
|
||||||
go install github.com/mikefarah/yq/v4@v4.30.5
|
|
||||||
|
|
||||||
FROM debian:bullseye-slim as build-slim
|
FROM debian:bullseye-slim as build-slim
|
||||||
|
|
||||||
|
ENV DEBIAN_FRONTEND=noninteractive
|
||||||
|
ENV DEBCONF_NOWARNINGS="yes"
|
||||||
|
|
||||||
RUN apt-get update && \
|
RUN apt-get update && \
|
||||||
apt-get install -y -q --install-recommends --no-install-suggests \
|
apt-get install -y -q --install-recommends --no-install-suggests \
|
||||||
procps \
|
procps \
|
||||||
|
@ -35,8 +40,7 @@ RUN apt-get update && \
|
||||||
tzdata && \
|
tzdata && \
|
||||||
mkdir -p /staging/etc/crowdsec && \
|
mkdir -p /staging/etc/crowdsec && \
|
||||||
mkdir -p /staging/var/lib/crowdsec && \
|
mkdir -p /staging/var/lib/crowdsec && \
|
||||||
mkdir -p /var/lib/crowdsec/data \
|
mkdir -p /var/lib/crowdsec/data
|
||||||
yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml
|
|
||||||
|
|
||||||
COPY --from=build /go/bin/yq /usr/local/bin/yq
|
COPY --from=build /go/bin/yq /usr/local/bin/yq
|
||||||
COPY --from=build /etc/crowdsec /staging/etc/crowdsec
|
COPY --from=build /etc/crowdsec /staging/etc/crowdsec
|
||||||
|
@ -44,79 +48,9 @@ COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec
|
||||||
COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
|
COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli
|
||||||
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
|
COPY --from=build /go/src/crowdsec/docker/docker_start.sh /
|
||||||
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
|
COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml
|
||||||
RUN yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml
|
RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml && \
|
||||||
|
yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml
|
||||||
|
|
||||||
# NOTE: setting default values here would overwrite the ones set in config.yaml
|
|
||||||
# every time the container is started. We set the default in docker/config.yaml
|
|
||||||
# and document them in docker/README.md, but keep the variables empty here.
|
|
||||||
|
|
||||||
ENV CONFIG_FILE=/etc/crowdsec/config.yaml
|
|
||||||
ENV LOCAL_API_URL=
|
|
||||||
ENV CUSTOM_HOSTNAME=localhost
|
|
||||||
ENV PLUGIN_DIR=
|
|
||||||
ENV DISABLE_AGENT=false
|
|
||||||
ENV DISABLE_LOCAL_API=false
|
|
||||||
ENV DISABLE_ONLINE_API=false
|
|
||||||
ENV DSN=
|
|
||||||
ENV TYPE=
|
|
||||||
ENV TEST_MODE=false
|
|
||||||
ENV USE_WAL=
|
|
||||||
|
|
||||||
# register to app.crowdsec.net
|
|
||||||
|
|
||||||
ENV ENROLL_INSTANCE_NAME=
|
|
||||||
ENV ENROLL_KEY=
|
|
||||||
ENV ENROLL_TAGS=
|
|
||||||
|
|
||||||
# log verbosity
|
|
||||||
|
|
||||||
ENV LEVEL_TRACE=
|
|
||||||
ENV LEVEL_DEBUG=
|
|
||||||
ENV LEVEL_INFO=
|
|
||||||
|
|
||||||
# TLS setup ----------------------------------- #
|
|
||||||
|
|
||||||
ENV AGENT_USERNAME=
|
|
||||||
ENV AGENT_PASSWORD=
|
|
||||||
|
|
||||||
# TLS setup ----------------------------------- #
|
|
||||||
|
|
||||||
ENV USE_TLS=false
|
|
||||||
ENV INSECURE_SKIP_VERIFY=
|
|
||||||
|
|
||||||
ENV CACERT_FILE=
|
|
||||||
|
|
||||||
ENV LAPI_CERT_FILE=
|
|
||||||
ENV LAPI_KEY_FILE=
|
|
||||||
|
|
||||||
ENV CLIENT_CERT_FILE=
|
|
||||||
ENV CLIENT_KEY_FILE=
|
|
||||||
|
|
||||||
# deprecated in favor of LAPI_*
|
|
||||||
ENV CERT_FILE=
|
|
||||||
ENV KEY_FILE=
|
|
||||||
|
|
||||||
# comma-separated list of allowed OU values for TLS bouncer certificates
|
|
||||||
ENV BOUNCERS_ALLOWED_OU=
|
|
||||||
|
|
||||||
# comma-separated list of allowed OU values for TLS agent certificates
|
|
||||||
ENV AGENTS_ALLOWED_OU=
|
|
||||||
|
|
||||||
# Install the following hub items --------------#
|
|
||||||
|
|
||||||
ENV COLLECTIONS=
|
|
||||||
ENV PARSERS=
|
|
||||||
ENV SCENARIOS=
|
|
||||||
ENV POSTOVERFLOWS=
|
|
||||||
|
|
||||||
# Uninstall the following hub items ------------#
|
|
||||||
|
|
||||||
ENV DISABLE_COLLECTIONS=
|
|
||||||
ENV DISABLE_PARSERS=
|
|
||||||
ENV DISABLE_SCENARIOS=
|
|
||||||
ENV DISABLE_POSTOVERFLOWS=
|
|
||||||
|
|
||||||
ENV METRICS_PORT=
|
|
||||||
|
|
||||||
ENTRYPOINT /bin/bash docker_start.sh
|
ENTRYPOINT /bin/bash docker_start.sh
|
||||||
|
|
||||||
|
|
|
@ -198,22 +198,33 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
|
||||||
# Reference
|
# Reference
|
||||||
## Environment Variables
|
## Environment Variables
|
||||||
|
|
||||||
|
Note for persistent configurations (i.e. bind mount or volumes): when a
|
||||||
|
variable is set, its value may be written to the appropriate file (usually
|
||||||
|
config.yaml) each time the container is run.
|
||||||
|
|
||||||
|
|
||||||
| Variable | Default | Description |
|
| Variable | Default | Description |
|
||||||
| ----------------------- | ------------------------- | ----------- |
|
| ----------------------- | ------------------------- | ----------- |
|
||||||
| `CONFIG_FILE` | `/etc/crowdsec/config.yaml` | Configuration file location |
|
| `CONFIG_FILE` | `/etc/crowdsec/config.yaml` | Configuration file location |
|
||||||
| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` |
|
|
||||||
| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE="<type>"` |
|
|
||||||
| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` |
|
|
||||||
| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. |
|
|
||||||
| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` |
|
|
||||||
| `DISABLE_AGENT` | false | Disable the agent, run a LAPI-only container |
|
| `DISABLE_AGENT` | false | Disable the agent, run a LAPI-only container |
|
||||||
| `DISABLE_LOCAL_API` | false | Disable LAPI, run an agent-only container |
|
| `DISABLE_LOCAL_API` | false | Disable LAPI, run an agent-only container |
|
||||||
| `DISABLE_ONLINE_API` | false | Disable online API registration for signal sharing |
|
| `DISABLE_ONLINE_API` | false | Disable online API registration for signal sharing |
|
||||||
| `CUSTOM_HOSTNAME` | localhost | Custom hostname for LAPI registration (with agent and LAPI on the same container) |
|
| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` |
|
||||||
|
| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. |
|
||||||
|
| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` |
|
||||||
| `PLUGIN_DIR` | `/usr/local/lib/crowdsec/plugins/` | Directory for plugins: `-e PLUGIN_DIR="<path>"` |
|
| `PLUGIN_DIR` | `/usr/local/lib/crowdsec/plugins/` | Directory for plugins: `-e PLUGIN_DIR="<path>"` |
|
||||||
| `BOUNCER_KEY_<name>` | | Register a bouncer with the name `<name>` and a key equal to the value of the environment variable. |
|
|
||||||
| `METRICS_PORT` | 6060 | Port to expose Prometheus metrics |
|
| `METRICS_PORT` | 6060 | Port to expose Prometheus metrics |
|
||||||
|
| | | |
|
||||||
|
| __LAPI__ | | (useless with DISABLE_LOCAL_API) |
|
||||||
| `USE_WAL` | false | Enable Write-Ahead Logging with SQLite |
|
| `USE_WAL` | false | Enable Write-Ahead Logging with SQLite |
|
||||||
|
| `CUSTOM_HOSTNAME` | localhost | Name for the local agent (running in the container with LAPI) |
|
||||||
|
| | | |
|
||||||
|
| __Agent__ | | (these don't work with DISABLE_AGENT) |
|
||||||
|
| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE="<type>"` |
|
||||||
|
| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` |
|
||||||
|
| | | |
|
||||||
|
| __Bouncers__ | | |
|
||||||
|
| `BOUNCER_KEY_<name>` | | Register a bouncer with the name `<name>` and a key equal to the value of the environment variable. |
|
||||||
| | | |
|
| | | |
|
||||||
| __Console__ | | |
|
| __Console__ | | |
|
||||||
| `ENROLL_KEY` | | Enroll key retrieved from [the console](https://app.crowdsec.net/) to enroll the instance. |
|
| `ENROLL_KEY` | | Enroll key retrieved from [the console](https://app.crowdsec.net/) to enroll the instance. |
|
||||||
|
@ -224,14 +235,16 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
|
||||||
| `AGENT_USERNAME` | | Agent username (to register if is LAPI or to use if it's an agent): `-e AGENT_USERNAME="machine_id"` |
|
| `AGENT_USERNAME` | | Agent username (to register if is LAPI or to use if it's an agent): `-e AGENT_USERNAME="machine_id"` |
|
||||||
| `AGENT_PASSWORD` | | Agent password (to register if is LAPI or to use if it's an agent): `-e AGENT_PASSWORD="machine_password"` |
|
| `AGENT_PASSWORD` | | Agent password (to register if is LAPI or to use if it's an agent): `-e AGENT_PASSWORD="machine_password"` |
|
||||||
| | | |
|
| | | |
|
||||||
| __TLS Auth/encryption | | |
|
| __TLS Encryption__ | | |
|
||||||
| `USE_TLS` | false | Enable TLS on the LAPI |
|
| `USE_TLS` | false | Enable TLS encryption (either as a LAPI or agent) |
|
||||||
| `CACERT_FILE` | | CA certificate bundle (optional) |
|
| `CACERT_FILE` | | CA certificate bundle (for self-signed certificates) |
|
||||||
| `INSECURE_SKIP_VERIFY` | | Skip LAPI certificate validation |
|
| `INSECURE_SKIP_VERIFY` | | Skip LAPI certificate validation |
|
||||||
| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enables TLS auth) |
|
| `LAPI_CERT_FILE` | | LAPI TLS Certificate path |
|
||||||
|
| `LAPI_KEY_FILE` | | LAPI TLS Key path |
|
||||||
|
| | | |
|
||||||
|
| __TLS Authentication__ | | (these require USE_TLS=true) |
|
||||||
|
| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enable TLS authentication) |
|
||||||
| `CLIENT_KEY_FILE` | | Client TLS Key path |
|
| `CLIENT_KEY_FILE` | | Client TLS Key path |
|
||||||
| `LAPI_CERT_FILE` | | LAPI TLS Certificate path (required if USE_TLS) |
|
|
||||||
| `LAPI_KEY_FILE` | | LAPI TLS Key path (required if USE_TLS) |
|
|
||||||
| `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma |
|
| `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma |
|
||||||
| `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma |
|
| `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma |
|
||||||
| | | |
|
| | | |
|
||||||
|
@ -249,6 +262,10 @@ Using binds rather than named volumes ([complete explanation here](https://docs.
|
||||||
| `LEVEL_INFO` | false | Force INFO level for the container log |
|
| `LEVEL_INFO` | false | Force INFO level for the container log |
|
||||||
| `LEVEL_DEBUG` | false | Force DEBUG level for the container log |
|
| `LEVEL_DEBUG` | false | Force DEBUG level for the container log |
|
||||||
| `LEVEL_TRACE` | false | Force TRACE level (VERY verbose) for the container log |
|
| `LEVEL_TRACE` | false | Force TRACE level (VERY verbose) for the container log |
|
||||||
|
| | | |
|
||||||
|
| __Developer options__ | | |
|
||||||
|
| `CI_TESTING` | false | Used during functional tests |
|
||||||
|
| `DEBUG` | false | Trace the entrypoint |
|
||||||
|
|
||||||
## Volumes
|
## Volumes
|
||||||
|
|
||||||
|
|
|
@ -41,7 +41,7 @@ api:
|
||||||
- 127.0.0.1
|
- 127.0.0.1
|
||||||
- ::1
|
- ::1
|
||||||
online_client: # Central API credentials (to push signals and receive bad IPs)
|
online_client: # Central API credentials (to push signals and receive bad IPs)
|
||||||
#credentials_path: /etc/crowdsec/online_api_credentials.yaml
|
#credentials_path: /etc/crowdsec/online_api_credentials.yaml
|
||||||
tls:
|
tls:
|
||||||
agents_allowed_ou:
|
agents_allowed_ou:
|
||||||
- agent-ou
|
- agent-ou
|
||||||
|
|
|
@ -3,14 +3,9 @@
|
||||||
# shellcheck disable=SC2292 # allow [ test ] syntax
|
# shellcheck disable=SC2292 # allow [ test ] syntax
|
||||||
# shellcheck disable=SC2310 # allow "if function..." syntax with -e
|
# shellcheck disable=SC2310 # allow "if function..." syntax with -e
|
||||||
|
|
||||||
#set -x
|
|
||||||
#export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
shopt -s inherit_errexit
|
shopt -s inherit_errexit
|
||||||
|
|
||||||
#- HELPER FUNCTIONS ----------------#
|
|
||||||
|
|
||||||
# match true, TRUE, True, tRuE, etc.
|
# match true, TRUE, True, tRuE, etc.
|
||||||
istrue() {
|
istrue() {
|
||||||
case "$(echo "$1" | tr '[:upper:]' '[:lower:]')" in
|
case "$(echo "$1" | tr '[:upper:]' '[:lower:]')" in
|
||||||
|
@ -27,6 +22,22 @@ isfalse() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if istrue "$DEBUG"; then
|
||||||
|
set -x
|
||||||
|
export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
|
||||||
|
fi
|
||||||
|
|
||||||
|
if istrue "$CI_TESTING"; then
|
||||||
|
echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" >/etc/machine-id
|
||||||
|
fi
|
||||||
|
|
||||||
|
#- DEFAULTS -----------------------#
|
||||||
|
|
||||||
|
export CONFIG_FILE="${CONFIG_FILE:=/etc/crowdsec/config.yaml}"
|
||||||
|
export CUSTOM_HOSTNAME="${CUSTOM_HOSTNAME:=localhost}"
|
||||||
|
|
||||||
|
#- HELPER FUNCTIONS ----------------#
|
||||||
|
|
||||||
# csv2yaml <string>
|
# csv2yaml <string>
|
||||||
# generate a yaml list from a comma-separated string of values
|
# generate a yaml list from a comma-separated string of values
|
||||||
csv2yaml() {
|
csv2yaml() {
|
||||||
|
@ -59,7 +70,18 @@ conf_set() {
|
||||||
YAML_FILE="$CONFIG_FILE"
|
YAML_FILE="$CONFIG_FILE"
|
||||||
fi
|
fi
|
||||||
YAML_CONTENT=$(cat "$YAML_FILE" 2>/dev/null || true)
|
YAML_CONTENT=$(cat "$YAML_FILE" 2>/dev/null || true)
|
||||||
echo "$YAML_CONTENT" | yq e "$1" | install -m 0600 /dev/stdin "$YAML_FILE"
|
NEW_CONTENT=$(echo "$YAML_CONTENT" | yq e "$1")
|
||||||
|
echo "$NEW_CONTENT" | install -m 0600 /dev/stdin "$YAML_FILE"
|
||||||
|
}
|
||||||
|
|
||||||
|
# conf_set_if(): used to update the configuration
|
||||||
|
# only if a given variable is provided
|
||||||
|
# conf_set_if "$VAR" <yq_expression> [file_path]
|
||||||
|
conf_set_if() {
|
||||||
|
if [ "$1" != "" ]; then
|
||||||
|
shift
|
||||||
|
conf_set "$@"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
# register_bouncer <bouncer_name> <bouncer_key>
|
# register_bouncer <bouncer_name> <bouncer_key>
|
||||||
|
@ -135,43 +157,42 @@ fi
|
||||||
# regenerate local agent credentials (even if agent is disabled, cscli needs a
|
# regenerate local agent credentials (even if agent is disabled, cscli needs a
|
||||||
# connection to the API)
|
# connection to the API)
|
||||||
cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
|
cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true
|
||||||
if isfalse "$DISABLE_LOCAL_API" && isfalse "$USE_TLS"; then
|
|
||||||
echo "Regenerate local agent credentials"
|
|
||||||
cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if isfalse "$DISABLE_LOCAL_API"; then
|
if isfalse "$DISABLE_LOCAL_API"; then
|
||||||
echo "Check if lapi needs to automatically register an agent"
|
if isfalse "$USE_TLS" || [ "$CLIENT_CERT_FILE" = "" ]; then
|
||||||
|
echo "Regenerate local agent credentials"
|
||||||
|
cscli machines add "$CUSTOM_HOSTNAME" --auto
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Check if lapi needs to register an additional agent"
|
||||||
# pre-registration is not needed with TLS authentication, but we can have TLS transport with user/pw
|
# pre-registration is not needed with TLS authentication, but we can have TLS transport with user/pw
|
||||||
if [ "$AGENT_USERNAME" != "" ] && [ "$AGENT_PASSWORD" != "" ] ; then
|
if [ "$AGENT_USERNAME" != "" ] && [ "$AGENT_PASSWORD" != "" ] ; then
|
||||||
# re-register because pw may have been changed
|
# re-register because pw may have been changed
|
||||||
# doing this generates local_api_credentials.yaml from scratch, removing any tls setting
|
cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" -f /dev/null --force
|
||||||
cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" --url "$LOCAL_API_URL" --force
|
|
||||||
echo "Agent registered to lapi"
|
echo "Agent registered to lapi"
|
||||||
elif isfalse "$USE_TLS"; then
|
|
||||||
echo "TLS is disabled, the AGENT_USERNAME and AGENT_PASSWORD must be set" >&2
|
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# ----------------
|
||||||
|
|
||||||
lapi_credentials_path=$(conf_get '.api.client.credentials_path')
|
lapi_credentials_path=$(conf_get '.api.client.credentials_path')
|
||||||
|
|
||||||
conf_set 'with(select(strenv(INSECURE_SKIP_VERIFY)!=""); .api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY))'
|
conf_set_if "$LOCAL_API_URL" '.url = strenv(LOCAL_API_URL)' "$lapi_credentials_path"
|
||||||
|
|
||||||
# we only use the envvars that are actually defined
|
if istrue "$DISABLE_LOCAL_API"; then
|
||||||
# in case of persistent configuration
|
# we only use the envvars that are actually defined
|
||||||
conf_set '
|
# in case of persistent configuration
|
||||||
with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) |
|
conf_set_if "$AGENT_USERNAME" '.login = strenv(AGENT_USERNAME)' "$lapi_credentials_path"
|
||||||
with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) |
|
conf_set_if "$AGENT_PASSWORD" '.password = strenv(AGENT_PASSWORD)' "$lapi_credentials_path"
|
||||||
with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD))
|
fi
|
||||||
' "$lapi_credentials_path"
|
|
||||||
|
|
||||||
|
conf_set_if "$INSECURE_SKIP_VERIFY" '.api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY)'
|
||||||
|
|
||||||
|
# agent-only containers still require USE_TLS
|
||||||
if istrue "$USE_TLS"; then
|
if istrue "$USE_TLS"; then
|
||||||
conf_set '
|
# shellcheck disable=SC2153
|
||||||
with(select(strenv(CACERT_FILE)!=""); .ca_cert_path = strenv(CACERT_FILE)) |
|
conf_set_if "$CACERT_FILE" '.ca_cert_path = strenv(CACERT_FILE)' "$lapi_credentials_path"
|
||||||
with(select(strenv(CLIENT_KEY_FILE)!=""); .key_path = strenv(CLIENT_KEY_FILE)) |
|
conf_set_if "$CLIENT_KEY_FILE" '.key_path = strenv(CLIENT_KEY_FILE)' "$lapi_credentials_path"
|
||||||
with(select(strenv(CLIENT_CERT_FILE)!=""); .cert_path = strenv(CLIENT_CERT_FILE))
|
conf_set_if "$CLIENT_CERT_FILE" '.cert_path = strenv(CLIENT_CERT_FILE)' "$lapi_credentials_path"
|
||||||
' "$lapi_credentials_path"
|
|
||||||
else
|
else
|
||||||
conf_set '
|
conf_set '
|
||||||
del(.ca_cert_path) |
|
del(.ca_cert_path) |
|
||||||
|
@ -180,12 +201,18 @@ else
|
||||||
' "$lapi_credentials_path"
|
' "$lapi_credentials_path"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if istrue "$DISABLE_ONLINE_API"; then
|
||||||
|
conf_set 'del(.api.server.online_client)'
|
||||||
|
fi
|
||||||
|
|
||||||
# registration to online API for signal push
|
# registration to online API for signal push
|
||||||
if isfalse "$DISABLE_ONLINE_API" && [ "$CONFIG_FILE" == "/etc/crowdsec/config.yaml" ] ; then
|
if isfalse "$DISABLE_ONLINE_API" ; then
|
||||||
|
CONFIG_DIR=$(conf_get '.config_paths.config_dir')
|
||||||
config_exists=$(conf_get '.api.server.online_client | has("credentials_path")')
|
config_exists=$(conf_get '.api.server.online_client | has("credentials_path")')
|
||||||
if isfalse "$config_exists"; then
|
if isfalse "$config_exists"; then
|
||||||
conf_set '.api.server.online_client = {"credentials_path": "/etc/crowdsec/online_api_credentials.yaml"}'
|
export CONFIG_DIR
|
||||||
cscli capi register > /etc/crowdsec/online_api_credentials.yaml
|
conf_set '.api.server.online_client = {"credentials_path": strenv(CONFIG_DIR) + "/online_api_credentials.yaml"}'
|
||||||
|
cscli capi register > "$CONFIG_DIR/online_api_credentials.yaml"
|
||||||
echo "Registration to online API done"
|
echo "Registration to online API done"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -214,22 +241,20 @@ if [ "$GID" != "" ]; then
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# XXX only with LAPI
|
||||||
if istrue "$USE_TLS"; then
|
if istrue "$USE_TLS"; then
|
||||||
agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \
|
agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \
|
||||||
bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \
|
bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \
|
||||||
conf_set '
|
conf_set_if "$CACERT_FILE" '.api.server.tls.ca_cert_path = strenv(CACERT_FILE)'
|
||||||
with(select(strenv(CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(CACERT_FILE)) |
|
conf_set_if "$LAPI_CERT_FILE" '.api.server.tls.cert_file = strenv(LAPI_CERT_FILE)'
|
||||||
with(select(strenv(LAPI_CERT_FILE)!=""); .api.server.tls.cert_file = strenv(LAPI_CERT_FILE)) |
|
conf_set_if "$LAPI_KEY_FILE" '.api.server.tls.key_file = strenv(LAPI_KEY_FILE)'
|
||||||
with(select(strenv(LAPI_KEY_FILE)!=""); .api.server.tls.key_file = strenv(LAPI_KEY_FILE)) |
|
conf_set_if "$BOUNCERS_ALLOWED_OU" '.api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)'
|
||||||
with(select(strenv(BOUNCERS_ALLOWED_OU)!=""); .api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)) |
|
conf_set_if "$AGENTS_ALLOWED_OU" '.api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)'
|
||||||
with(select(strenv(AGENTS_ALLOWED_OU)!=""); .api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)) |
|
|
||||||
... comments=""
|
|
||||||
'
|
|
||||||
else
|
else
|
||||||
conf_set 'del(.api.server.tls)'
|
conf_set 'del(.api.server.tls)'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
conf_set 'with(select(strenv(PLUGIN_DIR)!=""); .config_paths.plugin_dir = strenv(PLUGIN_DIR))'
|
conf_set_if "$PLUGIN_DIR" '.config_paths.plugin_dir = strenv(PLUGIN_DIR)'
|
||||||
|
|
||||||
## Install collections, parsers, scenarios & postoverflows
|
## Install collections, parsers, scenarios & postoverflows
|
||||||
cscli hub update
|
cscli hub update
|
||||||
|
@ -336,7 +361,7 @@ if istrue "$LEVEL_INFO"; then
|
||||||
ARGS="$ARGS -info"
|
ARGS="$ARGS -info"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
conf_set 'with(select(strenv(METRICS_PORT)!=""); .prometheus.listen_port=env(METRICS_PORT))'
|
conf_set_if "$METRICS_PORT" '.prometheus.listen_port=env(METRICS_PORT)'
|
||||||
|
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
exec crowdsec $ARGS
|
exec crowdsec $ARGS
|
||||||
|
|
Loading…
Reference in a new issue