From 3d8cfc5b5af46115d7be9c48f273ae2f3197f4b9 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Mon, 30 Jan 2023 01:35:57 +1300 Subject: [PATCH] chore: Remove wrapper script for fail2ban service (#3032) * chore: Remove the wrapper script for `fail2ban` - This does not appear necessary. The server can be run with foreground mode. - `daemons-stack.sh` removal of the socket can be handled by the fail2ban server when using the `-x` option. * chore: Remove `touch /var/log/auth.log` These were both added as supposed fixes in 2016 for the then Ubuntu 2014 base image. Removing them causes no failures in tests. * fix: Install optional python packages for `fail2ban` These have barely any overhead in layer weight. The DNS package may provide some QoL improvements, while the `pyinotify` is a better alternative than polling logs to check for updates. We have `gamin` package installed but `fail2ban` would complain in the log that it was not able to initialize the module for it. There only appears to be a `python-gamin` dependent on EOL python 2, no longer available from Debian Bullseye. --- Dockerfile | 1 - target/scripts/build/packages.sh | 1 + target/scripts/startup/daemons-stack.sh | 5 ---- target/scripts/wrapper/fail2ban-wrapper.sh | 31 -------------------- target/supervisor/conf.d/supervisor-app.conf | 2 +- 5 files changed, 2 insertions(+), 38 deletions(-) delete mode 100755 target/scripts/wrapper/fail2ban-wrapper.sh diff --git a/Dockerfile b/Dockerfile index 16db5638..7ad2b0a5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -240,7 +240,6 @@ RUN <&1 diff --git a/target/scripts/startup/daemons-stack.sh b/target/scripts/startup/daemons-stack.sh index 7f4ef7ac..3b389b6b 100644 --- a/target/scripts/startup/daemons-stack.sh +++ b/target/scripts/startup/daemons-stack.sh 
@@ -56,11 +56,6 @@ function _start_daemon_postgrey
 function _start_daemon_fail2ban
 {
- touch /var/log/auth.log
-
- # delete fail2ban.sock that probably was left here after container restart
- [[ -e /var/run/fail2ban/fail2ban.sock ]] && rm /var/run/fail2ban/fail2ban.sock
-
 _default_start_daemon 'fail2ban'
 }
diff --git a/target/scripts/wrapper/fail2ban-wrapper.sh b/target/scripts/wrapper/fail2ban-wrapper.sh
deleted file mode 100755
index 32efebb5..00000000
--- a/target/scripts/wrapper/fail2ban-wrapper.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# You cannot start fail2ban in some foreground mode and
-# it's more or less important that docker doesn't kill
-# fail2ban and its chilren if you stop the container.
-#
-# Use this script with supervisord and it will take
-# care about starting and stopping fail2ban correctly.
-#
-# supervisord config snippet for fail2ban-wrapper:
-#
-# [program:fail2ban]
-# process_name = fail2ban
-# command = /path/to/fail2ban-wrapper.sh
-# startsecs = 0
-# autorestart = false
-#
-
-trap "/usr/bin/fail2ban-client stop" SIGINT
-trap "/usr/bin/fail2ban-client stop" SIGTERM
-trap "/usr/bin/fail2ban-client reload" SIGHUP
-
-/usr/bin/fail2ban-client start
-sleep 5
-
-# wait until fail2ban is dead (triggered by trap)
-while kill -0 "$(< /var/run/fail2ban/fail2ban.pid)"
-do
- sleep 5
-done
-
diff --git a/target/supervisor/conf.d/supervisor-app.conf b/target/supervisor/conf.d/supervisor-app.conf
index 0378187b..d3e84fdc 100644
--- a/target/supervisor/conf.d/supervisor-app.conf
+++ b/target/supervisor/conf.d/supervisor-app.conf
@@ -40,7 +40,7 @@ autostart=false
 autorestart=true
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
-command=/usr/local/bin/fail2ban-wrapper.sh
+command=/usr/bin/fail2ban-server -xf start
 [program:opendkim]
 startsecs=0
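Review bot: The new `command=/usr/bin/fail2ban-server -xf start` line in `supervisor-app.conf` packs two behaviours into `-xf` with nothing in the config saying what they do. In particular `-x` now removes an existing socket on every supervisord (re)start, whereas the deleted `rm` in `daemons-stack.sh` presumably ran only at container start. A comment above the line would help, e.g. `; -f: stay in the foreground so supervisord owns the process; -x: remove a stale fail2ban.sock left by an unclean stop`. The deleted wrapper also mapped SIGHUP to `fail2ban-client reload` and SIGTERM/SIGINT to `fail2ban-client stop`; with the server as supervisord's direct child those mappings are gone, so it is worth confirming how `fail2ban-server` handles each signal and documenting that reloads now go through `fail2ban-client reload`. The `[program:fail2ban]` section starts above this hunk, so any `stopsignal` or `stopwaitsecs` settings that govern a clean shutdown of this security control are not visible here.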