| 1 |
commit: abb0829a6cca560c1686ee864b9735a60c2c4b98 |
| 2 |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Jan 4 15:18:46 2022 +0000 |
| 4 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Jan 4 16:08:31 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=abb0829a |
| 7 |
|
| 8 |
net-analyzer/fail2ban: new revision with improved openrc support. |
| 9 |
|
| 10 |
This -r3 adds a patch corresponding to, |
| 11 |
|
| 12 |
https://github.com/fail2ban/fail2ban/pull/2182 |
| 13 |
|
| 14 |
that (a) upstreams the OpenRC script and (b) adds some nice |
| 15 |
improvements to it. Done with sam's permission. |
| 16 |
|
| 17 |
Package-Manager: Portage-3.0.28, Repoman-3.0.3 |
| 18 |
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org> |
| 19 |
|
| 20 |
net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild | 134 +++++++++++ |
| 21 |
.../files/fail2ban-0.11.2-upstream-openrc.patch | 247 +++++++++++++++++++++ |
| 22 |
2 files changed, 381 insertions(+) |
| 23 |
|
| 24 |
diff --git a/net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild b/net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild |
| 25 |
new file mode 100644 |
| 26 |
index 000000000000..1390bc1bdc39 |
| 27 |
--- /dev/null |
| 28 |
+++ b/net-analyzer/fail2ban/fail2ban-0.11.2-r3.ebuild |
| 29 |
@@ -0,0 +1,134 @@ |
| 30 |
+# Copyright 1999-2022 Gentoo Authors |
| 31 |
+# Distributed under the terms of the GNU General Public License v2 |
| 32 |
+ |
| 33 |
+EAPI=7 |
| 34 |
+ |
| 35 |
+PYTHON_COMPAT=( python3_{8..10} ) |
| 36 |
+DISTUTILS_SINGLE_IMPL=1 |
| 37 |
+ |
| 38 |
+inherit bash-completion-r1 distutils-r1 systemd tmpfiles |
| 39 |
+ |
| 40 |
+DESCRIPTION="Scans log files and bans IPs that show malicious signs" |
| 41 |
+HOMEPAGE="https://www.fail2ban.org/" |
| 42 |
+if [[ ${PV} == *9999 ]] ; then |
| 43 |
+ EGIT_REPO_URI="https://github.com/${PN}/${PN}" |
| 44 |
+ inherit git-r3 |
| 45 |
+else |
| 46 |
+ SRC_URI="https://github.com/${PN}/${PN}/archive/${PV}.tar.gz -> ${P}.tar.gz" |
| 47 |
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~sparc ~x86" |
| 48 |
+fi |
| 49 |
+ |
| 50 |
+LICENSE="GPL-2" |
| 51 |
+SLOT="0" |
| 52 |
+IUSE="selinux systemd" |
| 53 |
+ |
| 54 |
+RDEPEND=" |
| 55 |
+ virtual/logger |
| 56 |
+ virtual/mta |
| 57 |
+ selinux? ( sec-policy/selinux-fail2ban ) |
| 58 |
+ systemd? ( |
| 59 |
+ $(python_gen_cond_dep ' |
| 60 |
+ || ( |
| 61 |
+ dev-python/python-systemd[${PYTHON_USEDEP}] |
| 62 |
+ sys-apps/systemd[python(-),${PYTHON_USEDEP}] |
| 63 |
+ )' 'python*' ) |
| 64 |
+ ) |
| 65 |
+" |
| 66 |
+ |
| 67 |
+DOCS=( ChangeLog DEVELOP README.md THANKS TODO doc/run-rootless.txt ) |
| 68 |
+ |
| 69 |
+PATCHES=( |
| 70 |
+ "${FILESDIR}"/${P}-fix-tests-for-2021.patch |
| 71 |
+ "${FILESDIR}"/${PN}-0.11.2-adjust-apache-logs-paths.patch |
| 72 |
+ "${FILESDIR}"/${P}-fix-2to3-usage.patch |
| 73 |
+ "${FILESDIR}"/${P}-fix-systemd-test.patch |
| 74 |
+ "${FILESDIR}"/${P}-fix-py3.10-collections.patch |
| 75 |
+ "${FILESDIR}"/${P}-upstream-openrc.patch |
| 76 |
+) |
| 77 |
+ |
| 78 |
+python_prepare_all() { |
| 79 |
+ distutils-r1_python_prepare_all |
| 80 |
+ |
| 81 |
+ # Replace /var/run with /run, but not in the top source directory |
| 82 |
+ find . -mindepth 2 -type f -exec \ |
| 83 |
+ sed -i -e 's|/var\(/run/fail2ban\)|\1|g' {} + || die |
| 84 |
+} |
| 85 |
+ |
| 86 |
+python_compile() { |
| 87 |
+ ./fail2ban-2to3 || die |
| 88 |
+ distutils-r1_python_compile |
| 89 |
+} |
| 90 |
+ |
| 91 |
+python_test() { |
| 92 |
+ bin/fail2ban-testcases \ |
| 93 |
+ --no-network \ |
| 94 |
+ --no-gamin \ |
| 95 |
+ --verbosity=4 || die "Tests failed with ${EPYTHON}" |
| 96 |
+} |
| 97 |
+ |
| 98 |
+python_install_all() { |
| 99 |
+ distutils-r1_python_install_all |
| 100 |
+ |
| 101 |
+ rm -rf "${ED}"/usr/share/doc/${PN} "${ED}"/run || die |
| 102 |
+ |
| 103 |
+ newconfd files/fail2ban-openrc.conf ${PN} |
| 104 |
+ |
| 105 |
+ # These two are placed in the ${BUILD_DIR} after being "built" |
| 106 |
+ # in install_scripts(). |
| 107 |
+ newinitd "${BUILD_DIR}/fail2ban-openrc.init" "${PN}" |
| 108 |
+ systemd_dounit "${BUILD_DIR}/${PN}.service" |
| 109 |
+ |
| 110 |
+ dotmpfiles files/${PN}-tmpfiles.conf |
| 111 |
+ |
| 112 |
+ doman man/*.{1,5} |
| 113 |
+ |
| 114 |
+ # Use INSTALL_MASK if you do not want to touch /etc/logrotate.d. |
| 115 |
+ # See http://thread.gmane.org/gmane.linux.gentoo.devel/35675 |
| 116 |
+ insinto /etc/logrotate.d |
| 117 |
+ newins files/${PN}-logrotate ${PN} |
| 118 |
+ |
| 119 |
+ keepdir /var/lib/${PN} |
| 120 |
+ |
| 121 |
+ newbashcomp files/bash-completion ${PN}-client |
| 122 |
+ bashcomp_alias ${PN}-client ${PN}-server ${PN}-regex |
| 123 |
+} |
| 124 |
+ |
| 125 |
+pkg_preinst() { |
| 126 |
+ has_version "<${CATEGORY}/${PN}-0.7" |
| 127 |
+ previous_less_than_0_7=$? |
| 128 |
+} |
| 129 |
+ |
| 130 |
+pkg_postinst() { |
| 131 |
+ tmpfiles_process ${PN}-tmpfiles.conf |
| 132 |
+ |
| 133 |
+ if [[ ${previous_less_than_0_7} = 0 ]] ; then |
| 134 |
+ elog |
| 135 |
+ elog "Configuration files are now in /etc/fail2ban/" |
| 136 |
+ elog "You probably have to manually update your configuration" |
| 137 |
+ elog "files before restarting Fail2Ban!" |
| 138 |
+ elog |
| 139 |
+ elog "Fail2Ban is not installed under /usr/lib anymore. The" |
| 140 |
+ elog "new location is under /usr/share." |
| 141 |
+ elog |
| 142 |
+ elog "You are upgrading from version 0.6.x, please see:" |
| 143 |
+ elog "http://www.fail2ban.org/wiki/index.php/HOWTO_Upgrade_from_0.6_to_0.8" |
| 144 |
+ fi |
| 145 |
+ |
| 146 |
+ if ! has_version dev-python/pyinotify && ! has_version app-admin/gamin ; then |
| 147 |
+ elog "For most jail.conf configurations, it is recommended you install either" |
| 148 |
+ elog "dev-python/pyinotify or app-admin/gamin (in order of preference)" |
| 149 |
+ elog "to control how log file modifications are detected" |
| 150 |
+ fi |
| 151 |
+ |
| 152 |
+ if ! has_version dev-lang/python[sqlite] ; then |
| 153 |
+ elog "If you want to use ${PN}'s persistent database, then reinstall" |
| 154 |
+ elog "dev-lang/python with USE=sqlite. If you do not use the" |
| 155 |
+ elog "persistent database feature, then you should set" |
| 156 |
+ elog "dbfile = :memory: in fail2ban.conf accordingly." |
| 157 |
+ fi |
| 158 |
+ |
| 159 |
+ if has_version sys-apps/systemd[-python] ; then |
| 160 |
+ elog "If you want to track logins through sys-apps/systemd's" |
| 161 |
+ elog "journal backend, then reinstall sys-apps/systemd with USE=python" |
| 162 |
+ fi |
| 163 |
+} |
| 164 |
|
| 165 |
diff --git a/net-analyzer/fail2ban/files/fail2ban-0.11.2-upstream-openrc.patch b/net-analyzer/fail2ban/files/fail2ban-0.11.2-upstream-openrc.patch |
| 166 |
new file mode 100644 |
| 167 |
index 000000000000..7483c5685156 |
| 168 |
--- /dev/null |
| 169 |
+++ b/net-analyzer/fail2ban/files/fail2ban-0.11.2-upstream-openrc.patch |
| 170 |
@@ -0,0 +1,247 @@ |
| 171 |
+https://github.com/fail2ban/fail2ban/pull/2182 |
| 172 |
+ |
| 173 |
+diff --git a/MANIFEST b/MANIFEST |
| 174 |
+index 48c751a0..c2df1e51 100644 |
| 175 |
+--- a/MANIFEST |
| 176 |
++++ b/MANIFEST |
| 177 |
+@@ -393,8 +393,8 @@ files/fail2ban.service.in |
| 178 |
+ files/fail2ban-tmpfiles.conf |
| 179 |
+ files/fail2ban.upstart |
| 180 |
+ files/gen_badbots |
| 181 |
+-files/gentoo-confd |
| 182 |
+-files/gentoo-initd |
| 183 |
++files/fail2ban-openrc.conf |
| 184 |
++files/fail2ban-openrc.init.in |
| 185 |
+ files/ipmasq-ZZZzzz_fail2ban.rul |
| 186 |
+ files/logwatch/fail2ban |
| 187 |
+ files/logwatch/fail2ban-0.8.log |
| 188 |
+diff --git a/files/fail2ban-openrc.conf b/files/fail2ban-openrc.conf |
| 189 |
+new file mode 100644 |
| 190 |
+index 00000000..9454ef68 |
| 191 |
+--- /dev/null |
| 192 |
++++ b/files/fail2ban-openrc.conf |
| 193 |
+@@ -0,0 +1,2 @@ |
| 194 |
++# For available options, plase run "fail2ban-server --help". |
| 195 |
++#FAIL2BAN_OPTIONS="-x" |
| 196 |
+diff --git a/files/fail2ban-openrc.init.in b/files/fail2ban-openrc.init.in |
| 197 |
+new file mode 100755 |
| 198 |
+index 00000000..2c56ee3a |
| 199 |
+--- /dev/null |
| 200 |
++++ b/files/fail2ban-openrc.init.in |
| 201 |
+@@ -0,0 +1,86 @@ |
| 202 |
++#!/sbin/openrc-run |
| 203 |
++# This file is part of Fail2Ban. |
| 204 |
++# |
| 205 |
++# Fail2Ban is free software; you can redistribute it and/or modify |
| 206 |
++# it under the terms of the GNU General Public License as published by |
| 207 |
++# the Free Software Foundation; either version 2 of the License, or |
| 208 |
++# (at your option) any later version. |
| 209 |
++# |
| 210 |
++# Fail2Ban is distributed in the hope that it will be useful, |
| 211 |
++# but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 212 |
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 213 |
++# GNU General Public License for more details. |
| 214 |
++# |
| 215 |
++# You should have received a copy of the GNU General Public License |
| 216 |
++# along with Fail2Ban; if not, write to the Free Software |
| 217 |
++# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
| 218 |
++# |
| 219 |
++# Author: Sireyessire, Cyril Jaquier |
| 220 |
++# |
| 221 |
++ |
| 222 |
++description="Ban hosts that cause multiple authentication errors" |
| 223 |
++description_reload="reload configuration without dropping bans" |
| 224 |
++extra_started_commands="reload" |
| 225 |
++ |
| 226 |
++# Can't (and shouldn't) be changed by the end-user. |
| 227 |
++# |
| 228 |
++# Note that @BINDIR@ is already supplied by the build system. Some |
| 229 |
++# day, it might be nice to have @RUNDIR@ supplied by the build system |
| 230 |
++# as well, so that we don't have to hard-code /run here. |
| 231 |
++FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}" |
| 232 |
++FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock" |
| 233 |
++ |
| 234 |
++# The fail2ban-client program is also capable of starting and stopping |
| 235 |
++# the server, but things are simpler if we let start-stop-daemon do it. |
| 236 |
++command="@BINDIR@/fail2ban-server" |
| 237 |
++pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid" |
| 238 |
++ |
| 239 |
++# We force the pidfile/socket location in this service script because |
| 240 |
++# we're taking responsibility for ensuring that their parent directory |
| 241 |
++# exists and has the correct permissions (which we can't do if the |
| 242 |
++# user is allowed to change them). |
| 243 |
++command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}" |
| 244 |
++retry="30" |
| 245 |
++ |
| 246 |
++depend() { |
| 247 |
++ use logger |
| 248 |
++ after iptables |
| 249 |
++} |
| 250 |
++ |
| 251 |
++checkconfig() { |
| 252 |
++ "${command}" ${command_args} --test |
| 253 |
++} |
| 254 |
++ |
| 255 |
++start_pre() { |
| 256 |
++ # If this isn't a restart, make sure that the user's config isn't |
| 257 |
++ # busted before we try to start the daemon (this will produce |
| 258 |
++ # better error messages than if we just try to start it blindly). |
| 259 |
++ # |
| 260 |
++ # If, on the other hand, this *is* a restart, then the stop_pre |
| 261 |
++ # action will have ensured that the config is usable and we don't |
| 262 |
++ # need to do that again. |
| 263 |
++ if [ "${RC_CMD}" != "restart" ] ; then |
| 264 |
++ checkconfig || return $? |
| 265 |
++ fi |
| 266 |
++ checkpath -d "${FAIL2BAN_RUNDIR}" |
| 267 |
++} |
| 268 |
++ |
| 269 |
++stop_pre() { |
| 270 |
++ # If this is a restart, check to make sure the user's config |
| 271 |
++ # isn't busted before we stop the running daemon. |
| 272 |
++ if [ "${RC_CMD}" = "restart" ] ; then |
| 273 |
++ checkconfig || return $? |
| 274 |
++ fi |
| 275 |
++} |
| 276 |
++ |
| 277 |
++reload() { |
| 278 |
++ # The fail2ban-client uses an undocumented protocol to tell |
| 279 |
++ # the server to reload(), so we have to use it here rather |
| 280 |
++ # than e.g. sending a signal to the server daemon. Note that |
| 281 |
++ # the reload will fail (on the server side) if the new config |
| 282 |
++ # is invalid; we therefore don't need to test it ourselves |
| 283 |
++ # with checkconfig() before initiating the reload. |
| 284 |
++ ebegin "Reloading ${RC_SVCNAME}" |
| 285 |
++ "@BINDIR@/fail2ban-client" ${command_args} reload |
| 286 |
++ eend $? "Failed to reload ${RC_SVCNAME}" |
| 287 |
++} |
| 288 |
+diff --git a/files/gentoo-confd b/files/gentoo-confd |
| 289 |
+deleted file mode 100644 |
| 290 |
+index 00d19f8b..00000000 |
| 291 |
+--- a/files/gentoo-confd |
| 292 |
++++ /dev/null |
| 293 |
+@@ -1,8 +0,0 @@ |
| 294 |
+-# Config file for /etc/init.d/fail2ban |
| 295 |
+-# |
| 296 |
+-# For information on options, see "/usr/bin/fail2ban-client -h". |
| 297 |
+- |
| 298 |
+-FAIL2BAN_OPTIONS="" |
| 299 |
+- |
| 300 |
+-# Force execution of the server even if the socket already exists: |
| 301 |
+-#FAIL2BAN_OPTIONS="-x" |
| 302 |
+diff --git a/files/gentoo-initd b/files/gentoo-initd |
| 303 |
+deleted file mode 100755 |
| 304 |
+index 0fb157cd..00000000 |
| 305 |
+--- a/files/gentoo-initd |
| 306 |
++++ /dev/null |
| 307 |
+@@ -1,60 +0,0 @@ |
| 308 |
+-#!/sbin/openrc-run |
| 309 |
+-# This file is part of Fail2Ban. |
| 310 |
+-# |
| 311 |
+-# Fail2Ban is free software; you can redistribute it and/or modify |
| 312 |
+-# it under the terms of the GNU General Public License as published by |
| 313 |
+-# the Free Software Foundation; either version 2 of the License, or |
| 314 |
+-# (at your option) any later version. |
| 315 |
+-# |
| 316 |
+-# Fail2Ban is distributed in the hope that it will be useful, |
| 317 |
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 318 |
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 319 |
+-# GNU General Public License for more details. |
| 320 |
+-# |
| 321 |
+-# You should have received a copy of the GNU General Public License |
| 322 |
+-# along with Fail2Ban; if not, write to the Free Software |
| 323 |
+-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. |
| 324 |
+-# |
| 325 |
+-# Author: Sireyessire, Cyril Jaquier |
| 326 |
+-# |
| 327 |
+- |
| 328 |
+-description="Daemon to ban hosts that cause multiple authentication errors" |
| 329 |
+-description_reload="reload configuration" |
| 330 |
+-description_showlog="show fail2ban logs" |
| 331 |
+-extra_started_commands="reload showlog" |
| 332 |
+- |
| 333 |
+-FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}" |
| 334 |
+- |
| 335 |
+-depend() { |
| 336 |
+- need net |
| 337 |
+- need logger |
| 338 |
+- after iptables |
| 339 |
+-} |
| 340 |
+- |
| 341 |
+-start() { |
| 342 |
+- ebegin "Starting fail2ban" |
| 343 |
+- mkdir -p /var/run/fail2ban || return 1 |
| 344 |
+- # remove stalled sock file after system crash |
| 345 |
+- # bug 347477 |
| 346 |
+- rm -f /var/run/fail2ban/fail2ban.sock || return 1 |
| 347 |
+- start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \ |
| 348 |
+- -- ${FAIL2BAN} start |
| 349 |
+- eend $? "Failed to start fail2ban" |
| 350 |
+-} |
| 351 |
+- |
| 352 |
+-stop() { |
| 353 |
+- ebegin "Stopping fail2ban" |
| 354 |
+- start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid --retry 30 \ |
| 355 |
+- -- ${FAIL2BAN} stop |
| 356 |
+- eend $? "Failed to stop fail2ban" |
| 357 |
+-} |
| 358 |
+- |
| 359 |
+-reload() { |
| 360 |
+- ebegin "Reloading fail2ban" |
| 361 |
+- ${FAIL2BAN} reload |
| 362 |
+- eend $? "Failed to reload fail2ban" |
| 363 |
+-} |
| 364 |
+- |
| 365 |
+-showlog(){ |
| 366 |
+- less /var/log/fail2ban.log |
| 367 |
+-} |
| 368 |
+diff --git a/setup.py b/setup.py |
| 369 |
+index 98413273..91f71cf2 100755 |
| 370 |
+--- a/setup.py |
| 371 |
++++ b/setup.py |
| 372 |
+@@ -89,24 +89,27 @@ class install_scripts_f2b(install_scripts): |
| 373 |
+ if install_dir.startswith(root): |
| 374 |
+ install_dir = install_dir[len(root):] |
| 375 |
+ except: # pragma: no cover |
| 376 |
+- print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service".') |
| 377 |
+- print('Creating %s/fail2ban.service (from fail2ban.service.in): @BINDIR@ -> %s' % (buildroot, install_dir)) |
| 378 |
+- with open(os.path.join(source_dir, 'files/fail2ban.service.in'), 'r') as fn: |
| 379 |
+- lines = fn.readlines() |
| 380 |
+- fn = None |
| 381 |
+- if not dry_run: |
| 382 |
+- fn = open(os.path.join(buildroot, 'fail2ban.service'), 'w') |
| 383 |
+- try: |
| 384 |
+- for ln in lines: |
| 385 |
+- ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln) |
| 386 |
+- if dry_run: |
| 387 |
+- sys.stdout.write(' | ' + ln) |
| 388 |
+- continue |
| 389 |
+- fn.write(ln) |
| 390 |
+- finally: |
| 391 |
+- if fn: fn.close() |
| 392 |
+- if dry_run: |
| 393 |
+- print(' `') |
| 394 |
++ print('WARNING: Cannot find root-base option, check the bin-path to fail2ban-scripts in "fail2ban.service" and "fail2ban-openrc.init".') |
| 395 |
++ |
| 396 |
++ scripts = ['fail2ban.service', 'fail2ban-openrc.init'] |
| 397 |
++ for script in scripts: |
| 398 |
++ print('Creating %s/%s (from %s.in): @BINDIR@ -> %s' % (buildroot, script, script, install_dir)) |
| 399 |
++ with open(os.path.join(source_dir, 'files/%s.in' % script), 'r') as fn: |
| 400 |
++ lines = fn.readlines() |
| 401 |
++ fn = None |
| 402 |
++ if not dry_run: |
| 403 |
++ fn = open(os.path.join(buildroot, script), 'w') |
| 404 |
++ try: |
| 405 |
++ for ln in lines: |
| 406 |
++ ln = re.sub(r'@BINDIR@', lambda v: install_dir, ln) |
| 407 |
++ if dry_run: |
| 408 |
++ sys.stdout.write(' | ' + ln) |
| 409 |
++ continue |
| 410 |
++ fn.write(ln) |
| 411 |
++ finally: |
| 412 |
++ if fn: fn.close() |
| 413 |
++ if dry_run: |
| 414 |
++ print(' `') |
| 415 |
+ |
| 416 |
+ |
| 417 |
+ # Wrapper to specify fail2ban own options: |
Archives