Merge branch 'master' into releases/1.6.x

Author: mmetc

.github/workflows/go-tests.yml

@@ -181,7 +181,18 @@ jobs:
     - name: Unit tests
       run: |
         go install gotest.tools/[email protected]
+        # make the repo read-only, with the exception of coverage output
+        touch coverage.out
+        chmod -R a-w .
+        chmod u+w coverage.out
         make testcover
+        # ignore changes to codecov.yml
+        if [[ $(git status --porcelain -- . ":(exclude).github/codecov.yml") ]]; then
+          echo "Error: Unit tests should not create or alter files inside the repository. Please use the appropriate testing helpers or otherwise temporary locations."
+          git diff --name-only
+          exit 1
+        fi
+        chmod -R u+w .
 
     # check if some component stubs are missing
     - name: "Build profile: minimal"

.golangci.yml

@@ -194,7 +194,7 @@ linters:
       min-complexity: 16
 
     nlreturn:
-      block-size: 5
+      block-size: 6
 
     nolintlint:
       require-explanation: false  # don't require an explanation for nolint directives

cmd/crowdsec-cli/main.go

@@ -1,10 +1,13 @@
 package main
 
 import (
+	"context"
 	"fmt"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"slices"
+	"syscall"
 	"time"
 
 	"github.com/fatih/color"
@@ -171,6 +174,7 @@ func (cli *cliRoot) initialize() error {
 	if csConfig.DbConfig != nil {
 		csConfig.DbConfig.LogLevel = ptr.Of(cli.wantedLogLevel())
 	}
+
 	return nil
 }
 
@@ -295,7 +299,7 @@ It is meant to allow you to manage bans, parsers/scenarios/etc, api and generall
 		cobra.OnInitialize(
 			func() {
 				if err := cli.initialize(); err != nil {
-					log.Fatal(err)
+					fatal(err)
 				}
 			},
 		)
@@ -304,15 +308,27 @@ It is meant to allow you to manage bans, parsers/scenarios/etc, api and generall
 	return cmd, nil
 }
 
-func main() {
+func fatal(err error) {
+	red := color.New(color.FgRed).SprintFunc()
+	fmt.Fprintln(os.Stderr, red("Error:"), err)
+	os.Exit(1)
+}
+
+func mainWrap() error {
+	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
+	defer stop()
+
 	cmd, err := newCliRoot().NewCommand()
 	if err != nil {
-		log.Fatal(err)
+		return err
 	}
 
-	if err := cmd.Execute(); err != nil {
-		red := color.New(color.FgRed).SprintFunc()
-		fmt.Fprintln(os.Stderr, red("Error:"), err)
-		os.Exit(1)
+	return cmd.ExecuteContext(ctx)
+}
+
+func main() {
+	err := mainWrap()
+	if err != nil {
+		fatal(err)
 	}
 }

cmd/crowdsec/main.go

@@ -144,7 +144,7 @@ func (l *labelsMap) String() string {
 }
 
 func (l *labelsMap) Set(label string) error {
-	for _, pair := range strings.Split(label, ",") {
+	for pair := range strings.SplitSeq(label, ",") {
 		split := strings.Split(pair, ":")
 		if len(split) != 2 {
 			return fmt.Errorf("invalid format for label '%s', must be key:value", pair)
@@ -233,7 +233,9 @@ func LoadConfig(configFile string, disableAgent bool, disableAPI bool, quiet boo
 	if err := trace.Init(filepath.Join(cConfig.ConfigPaths.DataDir, "trace")); err != nil {
 		return nil, fmt.Errorf("while setting up trace directory: %w", err)
 	}
+
 	var logLevelViaFlag bool
+
 	cConfig.Common.LogLevel, logLevelViaFlag = newLogLevel(cConfig.Common.LogLevel, flags)
 
 	if dumpFolder != "" {
@@ -301,24 +303,14 @@ func LoadConfig(configFile string, disableAgent bool, disableAPI bool, quiet boo
 		if cConfig.API != nil && cConfig.API.Server != nil {
 			cConfig.API.Server.OnlineClient = nil
 		}
-		// if the api is disabled as well, just read file and exit, don't daemonize
-		if cConfig.DisableAPI {
-			cConfig.Common.Daemonize = false
-		}
 
-		log.Infof("single file mode : log_media=%s daemonize=%t", cConfig.Common.LogMedia, cConfig.Common.Daemonize)
+		log.Infof("single file mode : log_media=%s", cConfig.Common.LogMedia)
 	}
 
 	if cConfig.Common.PidDir != "" {
 		log.Warn("Deprecation warning: the pid_dir config can be safely removed and is not required")
 	}
 
-	if cConfig.Common.Daemonize && runtime.GOOS == "windows" {
-		log.Debug("Daemonization is not supported on Windows, disabling")
-
-		cConfig.Common.Daemonize = false
-	}
-
 	// recap of the enabled feature flags, because logging
 	// was not enabled when we set them from envvars
 	if fflist := csconfig.ListFeatureFlags(); fflist != "" {

cmd/crowdsec/serve.go

@@ -15,6 +15,7 @@ import (
 	"github.com/crowdsecurity/go-cs-lib/csdaemon"
 	"github.com/crowdsecurity/go-cs-lib/trace"
 
+	"github.com/crowdsecurity/crowdsec/pkg/apiclient"
 	"github.com/crowdsecurity/crowdsec/pkg/csconfig"
 	"github.com/crowdsecurity/crowdsec/pkg/cwhub"
 	"github.com/crowdsecurity/crowdsec/pkg/database"
@@ -322,6 +323,18 @@ func HandleSignals(cConfig *csconfig.Config) error {
 	if err == nil {
 		log.Warning("Crowdsec service shutting down")
 	}
+	if cConfig.API != nil && cConfig.API.Client != nil && cConfig.API.Client.UnregisterOnExit {
+		log.Warning("Unregistering watcher")
+		lapiClient, err := apiclient.GetLAPIClient()
+		if err != nil {
+			return err
+		}
+		_, err = lapiClient.Auth.UnregisterWatcher(context.TODO())
+		if err != nil {
+			return fmt.Errorf("failed to unregister watcher: %w", err)
+		}
+		log.Warning("Watcher unregistered")
+	}
 
 	return err
 }
@@ -418,7 +431,7 @@ func Serve(cConfig *csconfig.Config, agentReady chan bool) error {
 		return nil
 	}
 
-	if cConfig.Common != nil && cConfig.Common.Daemonize {
+	if cConfig.Common != nil && !flags.haveTimeMachine() {
 		_ = csdaemon.Notify(csdaemon.Ready, log.StandardLogger())
 		// wait for signals
 		return HandleSignals(cConfig)

config/config_win.yaml

@@ -1,5 +1,4 @@
 common:
-  daemonize: false
   log_media: file
   log_level: info
   log_dir:  C:\ProgramData\CrowdSec\log\

config/config_win_no_lapi.yaml

@@ -1,5 +1,4 @@
 common:
-  daemonize: true
   log_media: file
   log_level: info
   log_dir:  C:\ProgramData\CrowdSec\log\

config/dev.yaml

@@ -1,5 +1,4 @@
 common:
-  daemonize: true
   log_media: stdout
   log_level: info
 config_paths:

config/user.yaml

@@ -1,5 +1,4 @@
 common:
-  daemonize: false
   log_media: stdout
   log_level: info
   log_dir: /var/log/

docker/README.md

@@ -289,6 +289,7 @@ config.yaml) each time the container is run.
 | __Agent__               | | (these don't work with DISABLE_AGENT) |
 | `TYPE`                  | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE="<type>"` |
 | `DSN`                   | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` |
+| `UNREGISTER_ON_EXIT`    | | Remove the agent from the LAPI when its container is stopped. |
 |                         | | |
 | __Bouncers__            | | |
 | `BOUNCER_KEY_<name>`    | | Register a bouncer with the name `<name>` and a key equal to the value of the environment variable. |