Fix bouncer signal handling

- Ensure the bouncer do not daemonize itself - Run container with --init to ensure zombies are reaped - Bouncer: systemd unit ignore exit code 1, returned also with SIGTERM - Controller: systemd unit ignore exit code 143 (SIGTERM)
NethServer · Apr 4, 2024 · 5aa7f56 · 5aa7f56
1 parent f8da055
commit 5aa7f56
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 1 deletion.
diff --git a/imageroot/crowdsec-firewall-bouncer.service b/imageroot/crowdsec-firewall-bouncer.service
@@ -23,8 +23,10 @@ LimitNOFILE=65536
 TimeoutStopSec=70
 ExecStartPre=/bin/rm -f %t/%N.pid %t/%N.cid
 ExecStartPre=runagent -m ${MODULE_ID} expand-bouncer-configuration
+SuccessExitStatus=1
 ExecStart=/usr/bin/podman run \
     --detach \
+    --init \
     --conmon-pidfile %t/%N.pid \
     --cidfile %t/%N.cid \
     --cgroups=no-conmon \

diff --git a/imageroot/crowdsec.service b/imageroot/crowdsec.service
@@ -24,8 +24,10 @@ ExecStartPre=/bin/mkdir -vp crowdsec_config/postoverflows/s01-whitelist
 ExecStartPre=/bin/mkdir -vp crowdsec_config/parsers/s02-enrich
 ExecStartPre=/usr/local/bin/runagent -m %N expand-configuration
 ExecStartPre=/usr/local/bin/runagent -m %N expand-smarthost
+SuccessExitStatus=143
 ExecStart=/usr/bin/podman run \
     --detach \
+    --init \
     --privileged \
     --conmon-pidfile %t/%N.pid \
     --cidfile %t/%N.cid \

diff --git a/imageroot/templates/crowdsec-firewall-bouncer.yaml.local b/imageroot/templates/crowdsec-firewall-bouncer.yaml.local
@@ -1,7 +1,7 @@
 mode: nftables
 pid_dir: /var/run/
 update_frequency: 10s
-daemonize: true
+daemonize: false
 log_mode: stdout
 log_dir: /var/log/
 log_level: info