Fail2ban git fails to install from PKGBUILD on Arch Linux /var/run/ exists #1142

Closed
AndrzejL-eu opened this issue Jul 30, 2015 · 9 comments

@AndrzejL-eu

Hi there.

I wrote (re-wrote / modified / plagiarized...) PKGBUILD a while back:

http://pastebin.com/raw.php?i=5E4cpjNq

It used to work fine and sweet... but now:

[andrzejl@andrzejl fail2ban-git]$ makepkg -s -i ./
==> WARNING: Cannot find the sudo binary. Will use su to acquire root privileges.
==> Making package: fail2ban-git 0.9.2.r132.gc37009a-1 (Thu Jul 30 18:25:25 IST 2015)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
-> Updating fail2ban-git git repo...
Fetching origin
==> Validating source files with sha512sums...
fail2ban-git ... Skipped
==> Extracting sources...
-> Creating working copy of fail2ban git repo...
Switched to a new branch 'makepkg'
==> Starting pkgver()...
==> WARNING: A package has already been built, installing existing package...
==> Installing package fail2ban-git with pacman -U...
Password:
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) fail2ban-git-0.9.2.r132.gc37009a-1

Total Installed Size: 1.87 MiB
Net Upgrade Size: 0.03 MiB

:: Proceed with installation? Y/n checking keys in keyring [##########################################] 100%
(1/1) checking package integrity [##########################################] 100%
(1/1) loading package files [##########################################] 100%
(1/1) checking for file conflicts [##########################################] 100%
error: failed to commit transaction (conflicting files)
fail2ban-git: /var/run exists in filesystem
Errors occurred, no packages were upgraded.
==> WARNING: Failed to install built package(s).
[andrzejl@andrzejl fail2ban-git]$

The problem is that:

[root@andrzejl andrzejl]# ls --full /var/ | grep run
lrwxrwxrwx 1 root root 11 2015-02-15 21:58:46.000000000 +0000 lock -> ../run/lock
lrwxrwxrwx 1 root root 6 2015-02-15 21:58:46.000000000 +0000 run -> ../run
[root@andrzejl andrzejl]#

/var/run is a symlink pointing to /run.

Does anyone know how to bite this thing?

Cheers.

Andrzej

@sebres
Contributor

sebres commented Jul 31, 2015

I doubt that this would be a fail2ban thing... maybe python setup install, but I don't see it...
Can you somehow debug this? I mean more info about the error itself.

@yarikoptic
Member

Theoretically it is an issue of the packaging helpers/infrastructure. We just need to have /var/run/fail2ban, which we initiate in our setup.py. Since apparently the Arch tools then freak out (although again -- the path /var/run/fail2ban is legit, just the canonical one would be /run/fail2ban) you can either patch setup.py or, if your init script takes care of creating that directory, just remove that creation completely. But alternatively -- we could within setup.py resolve the path for /var/run and use what it resolves to as the target directory (so it might end up in /run). Let me cook up a PR quickly
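The path resolution proposed in the comment above, as an added example that is not part of the thread and is not fail2ban's setup.py. The function names and the temporary directory tree are assumptions made for illustration; the tree reproduces the `/var/run -> ../run` layout from the `ls` output in the report.

```python
import os
import tempfile


def symlinked_parents(root, path):
    """List components of a packaged path that are symlinks under `root`.

    A package shipping such a component as a real directory is what
    pacman reports as "exists in filesystem".
    """
    hits, current = [], root
    for part in path.strip("/").split("/"):
        current = os.path.join(current, part)
        if os.path.islink(current):
            hits.append("/" + os.path.relpath(current, root))
    return hits


def resolve_install_dir(root, path):
    """Resolve symlinks in the parent of `path`; return the canonical
    target (e.g. /run/fail2ban), refusing links that leave `root`."""
    parent, leaf = os.path.split(path.rstrip("/"))
    real_root = os.path.realpath(root)
    real_parent = os.path.realpath(os.path.join(root, parent.lstrip("/")))
    rel = os.path.relpath(real_parent, real_root)
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError("%s resolves outside the install root" % parent)
    return os.path.normpath(os.path.join("/", rel, leaf))


def make_arch_like_root():
    """Constructed sample layout: /run is a directory, /var/run -> ../run."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    os.mkdir(os.path.join(root, "run"))
    os.mkdir(os.path.join(root, "var"))
    os.symlink("../run", os.path.join(root, "var", "run"))
    return root


if __name__ == "__main__":
    root = make_arch_like_root()
    target = "/var/run/fail2ban"
    print("symlinked components:", symlinked_parents(root, target))
    print("canonical target:    ", resolve_install_dir(root, target))
```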

@AndrzejL-eu
Author

Hi

Just tested the latest git code - issue persists.

Can you please help me with debugging / patching this?

Thanks in advance.

Andrzej

@yarikoptic
Member

@AndrzejL-eu "latest git code" -- is that from the PR #1142 or just current master (not yet patched)? With the patch it might persist, but the message must be different.

@AndrzejL-eu
Author

Apologies. I meant current master. I will figure out how to test PR #1142 repo and let you know...

Cheers.

Andrzej

@yarikoptic
Member

On Fri, 31 Jul 2015, AndrzejL wrote:

> Apologies. I meant current master. I will figure out how to test PR #1142
> repo and let you know...

fwiw if you use my ghpr
http://git.onerussian.com/?p=etc/bash.git;a=blob;f=.bash/bashrc/30_aliases_sh;hb=HEAD#l790

you could just

ghpr co #1142
within your fail2ban git clone and end up in the pr-1142 branch which
has that pr merged into master

Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Research Scientist, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419
WWW: http://www.linkedin.com/in/yarik

@AndrzejL-eu
Author

I tried this:

http://pastebin.com/raw.php?i=nNzt6Zwg

but it fails.

Any idea how to source= pull request 1142 in PKGBUILD?

Cheers.

Andrzej

@sebres
Contributor

sebres commented Jul 31, 2015

Just use this one as the source:
https://github.com/yarikoptic/fail2ban/archive/bf-realpath-var-run-1142.tar.gz
or, if you necessarily need a git path - origin: https://github.com/yarikoptic/fail2ban.git, branch: bf-realpath-var-run-1142

@AndrzejL-eu
Author

I used the tar.gz - thanks a lot for that btw.

Packaging and installation worked so the original issue is fixed but:

http://pastebin.com/raw.php?i=GbipJYVc

I am guessing it has something to do with systemd upgrade to version 223...

[root@andrzejl andrzejl]# pacman -Q | grep systemd
libsystemd 223-1
systemd 223-1
systemd-sysvcompat 223-1
[root@andrzejl andrzejl]#

So the 1142 will be added to master soonish right?

Should I close this issue and open another one that faces up the new challenge?

Cheers.

Andrzej

yarikoptic added a commit that referenced this issue Jul 31, 2015
BF: realpath for /var/run/fail2ban Closes #1142
yarikoptic added a commit that referenced this issue Aug 1, 2015
ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
----------

- IMPORTANT incompatible changes:
   * filter.d/roundcube-auth.conf
     - Changed logpath to 'errors' log (was 'userlogins')
   * action.d/iptables-common.conf
     - All calls to iptables command now use -w switch introduced in
       iptables 1.4.20 (some distribution could have patched their
       earlier base version as well) to provide this locking mechanism
       useful under heavy load to avoid contesting on iptables calls.
       If you need to disable, define 'action.d/iptables-common.local'
       with empty value for 'lockingopt' in `[Init]` section.
   * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
     actions now include by default only the first 1000 log lines in
     the emails.  Adjust <grepopts> to augment the behavior.

- Fixes:
   * reload in interactive mode appends all the jails twice (gh-825)
   * reload server/jail failed if database used (but was not changed) and
     some jail active (gh-1072)
   * filter.d/dovecot.conf - also match unknown user in passwd-file.
     Thanks Anton Shestakov
   * Fix fail2ban-regex not parsing journalmatch correctly from filter config
   * filter.d/asterisk.conf - fix security log support for Asterisk 12+
   * filter.d/roundcube-auth.conf
     - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
     - Added regex to work with 'userlogins' log
   * action.d/sendmail*.conf - use LC_ALL (superseding LC_TIME) to override
     locale on systems with customized LC_ALL
   * performance fix: minimizes connection overhead, close socket only at
     communication end (gh-1099)
   * unbanip always deletes ip from database (independent of bantime, also if
     currently not banned or persistent)
   * guarantee order of dbfile to be before dbpurgeage (gh-1048)
   * always set 'dbfile' before other database options (gh-1050)
   * kill the entire process group of the child process upon timeout (gh-1129).
     Otherwise could lead to resource exhaustion due to hanging whois
     processes.
   * resolve /var/run/fail2ban path in setup.py to help installation
     on platforms with /var/run -> /run symlink (gh-1142)

- New Features:
   * RETURN iptables target is now a variable: <returntype>
   * New type of operation: pass2allow, use fail2ban for "knocking",
     opening a closed port by swapping blocktype and returntype
   * New filters:
     - froxlor-auth - Thanks Joern Muehlencord
     - apache-pass - filter Apache access log for successful authentication
   * New actions:
     - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
       manual pre-configuration of the shorewall. See the action file for detail.
   * New jails:
     - pass2allow-ftp - allows FTP traffic after successful HTTP authentication

- Enhancements:
   * action.d/cloudflare.conf - improved documentation on how to allow
     multiple CF accounts, and jail.conf got new compound action
     definition action_cf_mwl to submit cloudflare report.
   * Check access to socket for more detailed logging on error (gh-595)
   * fail2ban-testcases man page
   * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
     HEAD method verb
   * Revamp of Travis and coverage automated testing
   * Added a space between IP address and the following colon
     in notification emails for easier text selection
   * Character detection heuristics for whois output via optional setting
     in mail-whois*.conf. Thanks Thomas Mayer.
     Not enabled by default, if _whois_command is set to be
     %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
     it
     - detects character set of whois output (which is undefined by
       RFC 3912) via heuristics of the file command
     - converts whois data to UTF-8 character set with iconv
     - sends the whois output in UTF-8 character set to mail program
     - avoids that heirloom mailx creates binary attachment for input with
       unknown character set

* tag '0.9.3': (99 commits)
  Release changes (too much of manual "labor"! ;))
  BF: realpath for /var/run/fail2ban Closes #1142
  Changelog entry for killpg fix
  Changelog entries for Serge's fixes
  bug fix: option 'dbpurgeage' was never set (always default) by start of fail2ban, because of invalid sorting of options ('dbfile' should be always set before other database options) / closes #1048, closes #1050
  BF: guarantee order of dbfile to be before dbpurgeage (Closes #1048)
  DOC: Changelog for shorewall-ipset-proto6.conf + adjusted its description
  DOC: moved and adjusted changelog entry from 0.9.2 within 0.9.3 to come
  TST: test to verify killing stuck children processes
  BF: kill the entire process group upon timeout (Close #1129)
  Limit the number of log lines in *-lines.conf actions
  ipjailmatches is on one line with its description in man jail.conf
  DOC: Changelog for iptables -w change
  Remove self.printlog() call
  Remove literal "TODO" from method's name
  BF: do not wrap iptables into itself. Thanks Lee
  Added a space between IP address and the following colon
  BF: symbiosis-blacklist-allports now also requires iptables-common.conf
  RF: use <iptables> to take effect of it being a parameter
  ENH: added lockingopt option for iptables actions, made iptables cmd itself a parameter
  ...
xrg added a commit to xrg/fail2ban that referenced this issue Oct 13, 2015
ver. 0.9.3 (2015/08/01) - lets-all-stay-friends
----------

- IMPORTANT incompatible changes:
   * filter.d/roundcube-auth.conf
     - Changed logpath to 'errors' log (was 'userlogins')
   * action.d/iptables-common.conf
     - All calls to iptables command now use -w switch introduced in
       iptables 1.4.20 (some distribution could have patched their
       earlier base version as well) to provide this locking mechanism
       useful under heavy load to avoid contesting on iptables calls.
       If you need to disable, define 'action.d/iptables-common.local'
       with empty value for 'lockingopt' in `[Init]` section.
   * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
     actions now include by default only the first 1000 log lines in
     the emails.  Adjust <grepopts> to augment the behavior.

- Fixes:
   * reload in interactive mode appends all the jails twice (fail2bangh-825)
   * reload server/jail failed if database used (but was not changed) and
     some jail active (fail2bangh-1072)
   * filter.d/dovecot.conf - also match unknown user in passwd-file.
     Thanks Anton Shestakov
   * Fix fail2ban-regex not parsing journalmatch correctly from filter config
   * filter.d/asterisk.conf - fix security log support for Asterisk 12+
   * filter.d/roundcube-auth.conf
     - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
     - Added regex to work with 'userlogins' log
   * action.d/sendmail*.conf - use LC_ALL (superseding LC_TIME) to override
     locale on systems with customized LC_ALL
   * performance fix: minimizes connection overhead, close socket only at
     communication end (fail2bangh-1099)
   * unbanip always deletes ip from database (independent of bantime, also if
     currently not banned or persistent)
   * guarantee order of dbfile to be before dbpurgeage (fail2bangh-1048)
   * always set 'dbfile' before other database options (fail2bangh-1050)
   * kill the entire process group of the child process upon timeout (fail2bangh-1129).
     Otherwise could lead to resource exhaustion due to hanging whois
     processes.
   * resolve /var/run/fail2ban path in setup.py to help installation
     on platforms with /var/run -> /run symlink (fail2bangh-1142)

- New Features:
   * RETURN iptables target is now a variable: <returntype>
   * New type of operation: pass2allow, use fail2ban for "knocking",
     opening a closed port by swapping blocktype and returntype
   * New filters:
     - froxlor-auth - Thanks Joern Muehlencord
     - apache-pass - filter Apache access log for successful authentication
   * New actions:
     - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
       manual pre-configuration of the shorewall. See the action file for detail.
   * New jails:
     - pass2allow-ftp - allows FTP traffic after successful HTTP authentication

- Enhancements:
   * action.d/cloudflare.conf - improved documentation on how to allow
     multiple CF accounts, and jail.conf got new compound action
     definition action_cf_mwl to submit cloudflare report.
   * Check access to socket for more detailed logging on error (fail2bangh-595)
   * fail2ban-testcases man page
   * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
     HEAD method verb
   * Revamp of Travis and coverage automated testing
   * Added a space between IP address and the following colon
     in notification emails for easier text selection
   * Character detection heuristics for whois output via optional setting
     in mail-whois*.conf. Thanks Thomas Mayer.
     Not enabled by default, if _whois_command is set to be
     %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
     it
     - detects character set of whois output (which is undefined by
       RFC 3912) via heuristics of the file command
     - converts whois data to UTF-8 character set with iconv
     - sends the whois output in UTF-8 character set to mail program
     - avoids that heirloom mailx creates binary attachment for input with
       unknown character set

Conflicts:
	config/jail.conf