chore: Remove wrapper script for fail2ban service (#3032)

* chore: Remove the wrapper script for `fail2ban`

- This does not appear necessary. The server can be run with foreground mode.
- `daemons-stack.sh` removal of the socket can be handled by the fail2ban server when using the `-x` option.

* chore: Remove `touch /var/log/auth.log`

These were both added as supposed fixes in 2016 for the then Ubuntu 2014 base image.

Removing them causes no failures in tests.

* fix: Install optional python packages for `fail2ban`

These have barely any overhead in layer weight. The DNS package may provide some QoL improvements, while the `pyinotify` is a better alternative than polling logs to check for updates.

We have `gamin` package installed but `fail2ban` would complain in the log that it was not able to initialize the module for it. There only appears to be a `python-gamin` dependent on EOL python 2, no longer available from Debian Bullseye.
This commit is contained in:
Brennan Kinney 2023-01-30 01:35:57 +13:00 committed by GitHub
parent 14829a8459
commit 3d8cfc5b5a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 2 additions and 38 deletions

View file

@ -240,7 +240,6 @@ RUN <<EOF
rm -rf /usr/share/locale/*
rm -rf /usr/share/man/*
rm -rf /usr/share/doc/*
touch /var/log/auth.log
update-locale
rm /etc/postsrsd.secret
rm /etc/cron.daily/00logwatch

View file

@ -153,6 +153,7 @@ function _install_fail2ban
local FAIL2BAN_GPG_PUBLIC_KEY_SERVER='hkps://keyserver.ubuntu.com'
_log 'debug' 'Installing Fail2ban'
apt-get "${QUIET}" --no-install-recommends install python3-pyinotify python3-dnspython
gpg --keyserver "${FAIL2BAN_GPG_PUBLIC_KEY_SERVER}" --recv-keys "${FAIL2BAN_GPG_PUBLIC_KEY_ID}" 2>&1

View file

@ -56,11 +56,6 @@ function _start_daemon_postgrey
function _start_daemon_fail2ban
{
touch /var/log/auth.log
# delete fail2ban.sock that probably was left here after container restart
[[ -e /var/run/fail2ban/fail2ban.sock ]] && rm /var/run/fail2ban/fail2ban.sock
_default_start_daemon 'fail2ban'
}

View file

@ -1,31 +0,0 @@
#!/bin/bash
# You cannot start fail2ban in some foreground mode and
# it's more or less important that docker doesn't kill
# fail2ban and its chilren if you stop the container.
#
# Use this script with supervisord and it will take
# care about starting and stopping fail2ban correctly.
#
# supervisord config snippet for fail2ban-wrapper:
#
# [program:fail2ban]
# process_name = fail2ban
# command = /path/to/fail2ban-wrapper.sh
# startsecs = 0
# autorestart = false
#
trap "/usr/bin/fail2ban-client stop" SIGINT
trap "/usr/bin/fail2ban-client stop" SIGTERM
trap "/usr/bin/fail2ban-client reload" SIGHUP
/usr/bin/fail2ban-client start
sleep 5
# wait until fail2ban is dead (triggered by trap)
while kill -0 "$(< /var/run/fail2ban/fail2ban.pid)"
do
sleep 5
done

View file

@ -40,7 +40,7 @@ autostart=false
autorestart=true
stdout_logfile=/var/log/supervisor/%(program_name)s.log
stderr_logfile=/var/log/supervisor/%(program_name)s.log
command=/usr/local/bin/fail2ban-wrapper.sh
command=/usr/bin/fail2ban-server -xf start
[program:opendkim]
startsecs=0