fail2ban/files/fail2ban-openrc.init.in

#!/sbin/openrc-run
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
# Author: Sireyessire, Cyril Jaquier
#

description="Ban hosts that cause multiple authentication errors"
description_reload="reload configuration"
extra_started_commands="reload"

# Can't (and shouldn't) be changed by the end-user.
FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"

# The fail2ban-client program is also capable of starting and stopping
# the server, but things are simpler if we let start-stop-daemon do it.
command="@BINDIR@/fail2ban-server"
pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"

# We force the pidfile/socket location in this service script because
# we're taking responsibility for ensuring that their parent directory
# exists and has the correct permissions (which we can't do if the
# user is allowed to change them).
command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
retry="30"

depend() {
	use logger
	after iptables
}

start_pre() {
	checkpath -d "${FAIL2BAN_RUNDIR}" || return 1
}

reload() {
	# The fail2ban-client uses an undocumented protocol to tell
	# the server to reload(), so we have to use it here rather
	# than e.g. sending a signal to the server daemon.
	ebegin "Reloading ${RC_SVCNAME}"
	"@BINDIR@/fail2ban-client" ${command_args} reload
	eend $? "Failed to reload ${RC_SVCNAME}"
}
Fix Gentoo init script's shebang Use openrc-run instead of runscript. https://github.com/OpenRC/openrc/commit/5d5856c193768d24f11d5f0533e48c39526aef5c 7 years ago			`#!/sbin/openrc-run`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago			`# This file is part of Fail2Ban.`
			`#`
			`# Fail2Ban is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation; either version 2 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# Fail2Ban is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with Fail2Ban; if not, write to the Free Software`
Update Free Software Foundation's address The address has changed from "59 Temple Place, Suite 330, Boston, MA 02111-1307 USA" to "51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA" some time ago. 13 years ago			`# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago			`#`
			`# Author: Sireyessire, Cyril Jaquier`
Fix Gentoo initd script (drop extra_commands) 13 years ago			`#`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago
files/fail2ban-openrc*: let start-stop-daemon manage the server. There are two ways that it would make sense to write the OpenRC service script for fail2ban: 1. Use the fail2ban-client program to stop, start, reload, etc. the server; and try to figure out whether or not it worked afterwards. 2. Use the start-stop-daemon program built into OpenRC to manage the fail2ban-server process. This works only for starting and stopping, because the "reload" command is sent over an undocumented protocol, but has the benefit that you get immediate feedback about the result of calling fail2ban-server. The existing service script combined the two in a way that appeared to work, but didn't make too much sense. It used start-stop-daemon to initiate the fail2ban-client program with either a "start" or "stop" argument. So long as everything goes fine, that appears to work. But the start-stop-daemon is not actually monitoring the fail2ban-client program; it's supposed to be monitoring the fail2ban-server process that gets started as side-effect. The existing stop() function does not do quite what you'd expect; for example the "stop" command is never sent. Again, the daemon does ultimately get stopped so long as the hard-coded PID file contains what you think it does -- so it "works" -- but is misleading. This commit changes everything to use the second approach above, where start-stop-daemon manages everything. This was done mainly to simplify the service script, because now the default start() and stop() phases can be used, allowing us to delete them from our copy. One might worry that there is some special magic behind "fail2ban-client start" and "fail2ban-client stop", however that does not appear to be the case. Admittedly, if in the future those two commands begin to do something nonstandard, the service script would need to be changed again to take the first approach above and use fail2ban-client for everything. 6 years ago			`description="Ban hosts that cause multiple authentication errors"`
gentoo-initd: add descriptions add descriptions to stop syslog errors for extra_started_commands when running: rc-service ipset describe Oct 28 15:13:30 xxxx daemon.warn /etc/init.d/fail2ban[26446]: ^[[1m^[[36mreload^[[m: no description Oct 28 15:13:30 xxxx daemon.warn /etc/init.d/fail2ban[26447]: ^[[1m^[[36mshowlog^[[m: no description 7 years ago			`description_reload="reload configuration"`
files/fail2ban-openrc.init: remove the "showlog" command. The extra "showlog" command in our OpenRC service script was more trouble than it was worth: the only thing it did was call "less" on a log file, and the service script is only guessing at the location of the log file (only the fail2ban server knows its true location). It's not like "/etc/init.d/fail2ban showlog" is that much easier to type than "less /var/log/fail2ban.log" in the first place, so I think the extra complexity (5 more lines in the service script) is not worth it. 6 years ago			`extra_started_commands="reload"`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago
files/fail2ban-openrc.init: force the socket location in the service script. The socket location needs to be set in the service script for the same reason that the PID file location does: because the service script is taking responsibility for ensuring that its parent directory exists and has the correct permissions. We can't do that if the end user is allowed to move the PID file or socket somewhere else (without parsing the config file, which has other security implications). 6 years ago			`# Can't (and shouldn't) be changed by the end-user.`
			`FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"`
			`FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"`

files/fail2ban-openrc*: let start-stop-daemon manage the server. There are two ways that it would make sense to write the OpenRC service script for fail2ban: 1. Use the fail2ban-client program to stop, start, reload, etc. the server; and try to figure out whether or not it worked afterwards. 2. Use the start-stop-daemon program built into OpenRC to manage the fail2ban-server process. This works only for starting and stopping, because the "reload" command is sent over an undocumented protocol, but has the benefit that you get immediate feedback about the result of calling fail2ban-server. The existing service script combined the two in a way that appeared to work, but didn't make too much sense. It used start-stop-daemon to initiate the fail2ban-client program with either a "start" or "stop" argument. So long as everything goes fine, that appears to work. But the start-stop-daemon is not actually monitoring the fail2ban-client program; it's supposed to be monitoring the fail2ban-server process that gets started as side-effect. The existing stop() function does not do quite what you'd expect; for example the "stop" command is never sent. Again, the daemon does ultimately get stopped so long as the hard-coded PID file contains what you think it does -- so it "works" -- but is misleading. This commit changes everything to use the second approach above, where start-stop-daemon manages everything. This was done mainly to simplify the service script, because now the default start() and stop() phases can be used, allowing us to delete them from our copy. One might worry that there is some special magic behind "fail2ban-client start" and "fail2ban-client stop", however that does not appear to be the case. Admittedly, if in the future those two commands begin to do something nonstandard, the service script would need to be changed again to take the first approach above and use fail2ban-client for everything. 6 years ago			`# The fail2ban-client program is also capable of starting and stopping`
			`# the server, but things are simpler if we let start-stop-daemon do it.`
files/fail2ban-openrc.init: replace @BINDIR@ at build-time. This commit renames fail2ban-openrc.init to fail2ban-openrc.init.in, and replaces the hard-coded value "/usr/bin" with "@BINDIR@" therein. At build-time, setup.py will replace that string with the correct value, and rename the file (without the ".in" suffix). This mimics the procedure done for "fail2ban-service.in" entirely. 6 years ago			`command="@BINDIR@/fail2ban-server"`
files/fail2ban-openrc.init: force the socket location in the service script. The socket location needs to be set in the service script for the same reason that the PID file location does: because the service script is taking responsibility for ensuring that its parent directory exists and has the correct permissions. We can't do that if the end user is allowed to move the PID file or socket somewhere else (without parsing the config file, which has other security implications). 6 years ago			`pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"`

			`# We force the pidfile/socket location in this service script because`
			`# we're taking responsibility for ensuring that their parent directory`
			`# exists and has the correct permissions (which we can't do if the`
			`# user is allowed to change them).`
			`command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"`
files/fail2ban-openrc.init: use the standard OpenRC "retry" variable. If the "retry" variable is set in the service script, we don't have to pass it to start-stop-daemon explicitly. While we can't immediately eliminate any code with this change, it will be necessary later to adopt the default OpenRC stop() function. 6 years ago			`retry="30"`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago
			`depend() {`
files/fail2ban-openrc.init: change "need logger" dependency to "use logger". Our OpenRC service script contained a "need logger" dependency, which meant that the life cycle of the fail2ban service was tied to that of the system logger service. That isn't quite correct: fail2ban functions fine even if the system logger is stopped: 1. fail2ban is capable of analyzing non-syslog log files. 2. Even if fail2ban is solely analyzing syslog files, we don't want to stop the fail2ban service simply because syslog was stopped -- fail2ban just won't see any new log lines until syslog is started again. This commit changes the "need net" dependency to "use net", which will still attempt to start the system logger service, but which won't kill fail2ban if the system logger is ever stopped. 6 years ago			`use logger`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago			`after iptables`
			`}`

files/fail2ban-openrc.init: move pre-flight checks into start_pre(). Our OpenRC service script performs two tasks before starting the service: 1. It removes any stake sockets (from e.g. a system crash). 2. It ensures that the PID file directory exists. These have both been moved into the "start_pre" phase, which is designed to do such things (and will allow us to simplify the "start" phase in the future). The existing "mkdir -p" has also been converted into a "checkpath -d" command which is built-in to OpenRC. 6 years ago			`start_pre() {`
files/fail2ban-openrc.init: force the socket location in the service script. The socket location needs to be set in the service script for the same reason that the PID file location does: because the service script is taking responsibility for ensuring that its parent directory exists and has the correct permissions. We can't do that if the end user is allowed to move the PID file or socket somewhere else (without parsing the config file, which has other security implications). 6 years ago			`checkpath -d "${FAIL2BAN_RUNDIR}" \|\| return 1`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago			`}`

			`reload() {`
files/fail2ban-openrc*: let start-stop-daemon manage the server. There are two ways that it would make sense to write the OpenRC service script for fail2ban: 1. Use the fail2ban-client program to stop, start, reload, etc. the server; and try to figure out whether or not it worked afterwards. 2. Use the start-stop-daemon program built into OpenRC to manage the fail2ban-server process. This works only for starting and stopping, because the "reload" command is sent over an undocumented protocol, but has the benefit that you get immediate feedback about the result of calling fail2ban-server. The existing service script combined the two in a way that appeared to work, but didn't make too much sense. It used start-stop-daemon to initiate the fail2ban-client program with either a "start" or "stop" argument. So long as everything goes fine, that appears to work. But the start-stop-daemon is not actually monitoring the fail2ban-client program; it's supposed to be monitoring the fail2ban-server process that gets started as side-effect. The existing stop() function does not do quite what you'd expect; for example the "stop" command is never sent. Again, the daemon does ultimately get stopped so long as the hard-coded PID file contains what you think it does -- so it "works" -- but is misleading. This commit changes everything to use the second approach above, where start-stop-daemon manages everything. This was done mainly to simplify the service script, because now the default start() and stop() phases can be used, allowing us to delete them from our copy. One might worry that there is some special magic behind "fail2ban-client start" and "fail2ban-client stop", however that does not appear to be the case. Admittedly, if in the future those two commands begin to do something nonstandard, the service script would need to be changed again to take the first approach above and use fail2ban-client for everything. 6 years ago			`# The fail2ban-client uses an undocumented protocol to tell`
			`# the server to reload(), so we have to use it here rather`
			`# than e.g. sending a signal to the server daemon.`
files/fail2ban-openrc.init: use RC_SVCNAME instead of hard-coding the name. If our service is installed under some other name, then we don't want the service script to say things like "Starting fail2ban..." because the name "fail2ban" won't make any sense at that point. Instead, we use the $RC_SVCNAME variable to ensure that the service name matches what we tell the user. Typically, however, $RC_SVCNAME will still be "fail2ban". 6 years ago			`ebegin "Reloading ${RC_SVCNAME}"`
files/fail2ban-openrc.init: replace @BINDIR@ at build-time. This commit renames fail2ban-openrc.init to fail2ban-openrc.init.in, and replaces the hard-coded value "/usr/bin" with "@BINDIR@" therein. At build-time, setup.py will replace that string with the correct value, and rename the file (without the ".in" suffix). This mimics the procedure done for "fail2ban-service.in" entirely. 6 years ago			`"@BINDIR@/fail2ban-client" ${command_args} reload`
files/fail2ban-openrc.init: use RC_SVCNAME instead of hard-coding the name. If our service is installed under some other name, then we don't want the service script to say things like "Starting fail2ban..." because the name "fail2ban" won't make any sense at that point. Instead, we use the $RC_SVCNAME variable to ensure that the service name matches what we tell the user. Typically, however, $RC_SVCNAME will still be "fail2ban". 6 years ago			`eend $? "Failed to reload ${RC_SVCNAME}"`
- Added Gentoo init.d script git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@303 a942ae1a-1317-0410-a47c-b1dcaea8d605 19 years ago			`}`