* [Buildroot] [PATCH v2] package/fail2ban: new package
@ 2018-08-22 13:41 Angelo Compagnucci
2018-09-10 22:05 ` Thomas Petazzoni
0 siblings, 1 reply; 8+ messages in thread
From: Angelo Compagnucci @ 2018-08-22 13:41 UTC (permalink / raw)
To: buildroot
Fail2ban scans log files (e.g. /var/log/apache/error_log)
and bans IPs that show malicious behaviours.
Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
---
Changes:
v1->v2:
* Adding sha256 for license file
* getting service file for systemd from source directory
package/Config.in | 1 +
package/fail2ban/Config.in | 14 ++++++++++++++
package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++
package/fail2ban/fail2ban.hash | 3 +++
package/fail2ban/fail2ban.mk | 28 ++++++++++++++++++++++++++++
5 files changed, 69 insertions(+)
create mode 100644 package/fail2ban/Config.in
create mode 100644 package/fail2ban/S60fail2ban
create mode 100644 package/fail2ban/fail2ban.hash
create mode 100644 package/fail2ban/fail2ban.mk
diff --git a/package/Config.in b/package/Config.in
index f5a1749..1783ab9 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -1740,6 +1740,7 @@ menu "Networking applications"
source "package/ejabberd/Config.in"
source "package/ethtool/Config.in"
source "package/faifa/Config.in"
+ source "package/fail2ban/Config.in"
source "package/fastd/Config.in"
source "package/fcgiwrap/Config.in"
source "package/flannel/Config.in"
diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in
new file mode 100644
index 0000000..cf82526
--- /dev/null
+++ b/package/fail2ban/Config.in
@@ -0,0 +1,14 @@
+config BR2_PACKAGE_FAIL2BAN
+ bool "fail2ban"
+ depends on BR2_PACKAGE_PYTHON
+ help
+ Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
+ that show the malicious signs -- too many password failures, seeking
+ for exploits, etc. Out of the box Fail2Ban comes with filters for
+ various services (apache, courier, ssh, etc).
+
+ Fail2Ban is able to reduce the rate of incorrect authentications
+ attempts however it cannot eliminate the risk that weak authentication
+ presents.
+
+ https://www.fail2ban.org
diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban
new file mode 100644
index 0000000..92559e9
--- /dev/null
+++ b/package/fail2ban/S60fail2ban
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+case "$1" in
+ start)
+ printf "Starting fail2ban: "
+ start-stop-daemon -S -q -m -p /run/fail2ban.pid \
+ -b -x fail2ban-server -- -xf start
+ [ $? = 0 ] && echo "OK" || echo "FAIL"
+ ;;
+ stop)
+ printf "Stopping fail2ban: "
+ start-stop-daemon -K -q -p /run/fail2ban.pid
+ [ $? = 0 ] && echo "OK" || echo "FAIL"
+ ;;
+ restart)
+ "$0" stop
+ sleep 1
+ "$0" start
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart}"
+ ;;
+esac
diff --git a/package/fail2ban/fail2ban.hash b/package/fail2ban/fail2ban.hash
new file mode 100644
index 0000000..4b59091
--- /dev/null
+++ b/package/fail2ban/fail2ban.hash
@@ -0,0 +1,3 @@
+# sha256 locally computed
+sha256 7ee3fd0e94d58c94298718b25e6bcfa96932712b7aa683580e162403f68d40c8 fail2ban-0.10.3.1.tar.gz
+sha256 a75fec0260742fe6275d63ff6a5d97b924b28766558306b3fa4069763096929b COPYING
diff --git a/package/fail2ban/fail2ban.mk b/package/fail2ban/fail2ban.mk
new file mode 100644
index 0000000..cc6961f
--- /dev/null
+++ b/package/fail2ban/fail2ban.mk
@@ -0,0 +1,28 @@
+################################################################################
+#
+# fail2ban
+#
+################################################################################
+
+FAIL2BAN_VERSION = 0.10.3.1
+FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
+FAIL2BAN_LICENSE = GPL-2.0+
+FAIL2BAN_LICENSE_FILES = COPYING
+FAIL2BAN_SETUP_TYPE = setuptools
+FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr
+
+define FAIL2BAN_INSTALL_INIT_SYSV
+ $(INSTALL) -D -m 755 package/fail2ban/S60fail2ban \
+ $(TARGET_DIR)/etc/init.d/S60fail2ban
+endef
+
+define FAIL2BAN_INSTALL_INIT_SYSTEMD
+ $(INSTALL) -D -m 0644 $(@D)/files/fail2ban.service.in \
+ $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service
+ mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
+ ln -fs ../../../../usr/lib//systemd/system/fail2ban.service \
+ $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/fail2ban.service
+ $(SED) 's/@BINDIR@/\/usr\/bin/g' $(TARGET_DIR)/usr/lib/systemd/system/fail2ban.service
+endef
+
+$(eval $(python-package))
--
2.7.4
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v2] package/fail2ban: new package
2018-08-22 13:41 [Buildroot] [PATCH v2] package/fail2ban: new package Angelo Compagnucci
@ 2018-09-10 22:05 ` Thomas Petazzoni
2018-09-11 9:47 ` Yegor Yefremov
2018-11-24 23:27 ` Angelo Compagnucci
0 siblings, 2 replies; 8+ messages in thread
From: Thomas Petazzoni @ 2018-09-10 22:05 UTC (permalink / raw)
To: buildroot
Hello,
+Yegor in Cc. Yegor: read all the way to the end, there is a question
about the python-package infrastructure.
On Wed, 22 Aug 2018 15:41:52 +0200, Angelo Compagnucci wrote:
> Fail2ban scans log files (e.g. /var/log/apache/error_log)
> and bans IPs that show malicious behaviours.
>
> Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
I was about to apply this patch (I even made a few minor fixes), but
there is one thing that made me change my mind, see below. I will also
list the minor issues.
> package/Config.in | 1 +
> package/fail2ban/Config.in | 14 ++++++++++++++
> package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++
> package/fail2ban/fail2ban.hash | 3 +++
> package/fail2ban/fail2ban.mk | 28 ++++++++++++++++++++++++++++
Entry in DEVELOPERS file missing.
> diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in
> new file mode 100644
> index 0000000..cf82526
> --- /dev/null
> +++ b/package/fail2ban/Config.in
> @@ -0,0 +1,14 @@
> +config BR2_PACKAGE_FAIL2BAN
> + bool "fail2ban"
> + depends on BR2_PACKAGE_PYTHON
Are you sure it doesn't work with Python 3.x ? The fail2ban
github page says it does.
> + help
> + Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
> + that show the malicious signs -- too many password failures, seeking
> + for exploits, etc. Out of the box Fail2Ban comes with filters for
> + various services (apache, courier, ssh, etc).
> +
> + Fail2Ban is able to reduce the rate of incorrect authentications
> + attempts however it cannot eliminate the risk that weak authentication
> + presents.
Aren't some of those lines too long? Could you verify with check-package
> +
> + https://www.fail2ban.org
Please add a Config.in comment about the Python dependency.
> diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban
> new file mode 100644
> index 0000000..92559e9
> --- /dev/null
> +++ b/package/fail2ban/S60fail2ban
> @@ -0,0 +1,23 @@
> +#!/bin/sh
> +
> +case "$1" in
> + start)
> + printf "Starting fail2ban: "
> + start-stop-daemon -S -q -m -p /run/fail2ban.pid \
Put the PID file in /var/run, to be consistent with most of our other
init scripts.
> + -b -x fail2ban-server -- -xf start
> + [ $? = 0 ] && echo "OK" || echo "FAIL"
> + ;;
> + stop)
> + printf "Stopping fail2ban: "
> + start-stop-daemon -K -q -p /run/fail2ban.pid
Ditto.
> +FAIL2BAN_VERSION = 0.10.3.1
> +FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
> +FAIL2BAN_LICENSE = GPL-2.0+
> +FAIL2BAN_LICENSE_FILES = COPYING
> +FAIL2BAN_SETUP_TYPE = setuptools
> +FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr
So here is the one thing that made me change my mind. I was wondering:
why do we need to pass those options in the fail2ban package? Why
aren't they passed by the python-package infrastructure?
Turns out that the Python package infrastructure is doing this:
PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
--prefix=$(TARGET_DIR)/usr \
--executable=/usr/bin/python \
--single-version-externally-managed \
--root=/
PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
--prefix=$(STAGING_DIR)/usr \
--executable=/usr/bin/python \
--single-version-externally-managed \
--root=/
This looks pretty wrong, and it seems like we should be using:
--prefix=/usr \
--root=$(TARGET_DIR)
and ditto for the staging installation, of course. Yegor, do you see
any drawback with doing this change in pkg-python.mk ? To me, it seems
like the right thing to do, and would avoid the need to have a special
case in fail2ban.mk.
Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v2] package/fail2ban: new package
2018-09-10 22:05 ` Thomas Petazzoni
@ 2018-09-11 9:47 ` Yegor Yefremov
2018-09-11 9:52 ` Thomas Petazzoni
2018-11-24 23:27 ` Angelo Compagnucci
1 sibling, 1 reply; 8+ messages in thread
From: Yegor Yefremov @ 2018-09-11 9:47 UTC (permalink / raw)
To: buildroot
Hi Thomas, Angelo,
On Tue, Sep 11, 2018 at 12:05 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> +Yegor in Cc. Yegor: read all the way to the end, there is a question
> about the python-package infrastructure.
>
> On Wed, 22 Aug 2018 15:41:52 +0200, Angelo Compagnucci wrote:
> > Fail2ban scans log files (e.g. /var/log/apache/error_log)
> > and bans IPs that show malicious behaviours.
> >
> > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
>
> I was about to apply this patch (I even made a few minor fixes), but
> there is one thing that made me change my mind, see below. I will also
> list the minor issues.
>
> > package/Config.in | 1 +
> > package/fail2ban/Config.in | 14 ++++++++++++++
> > package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++
> > package/fail2ban/fail2ban.hash | 3 +++
> > package/fail2ban/fail2ban.mk | 28 ++++++++++++++++++++++++++++
>
> Entry in DEVELOPERS file missing.
>
> > diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in
> > new file mode 100644
> > index 0000000..cf82526
> > --- /dev/null
> > +++ b/package/fail2ban/Config.in
> > @@ -0,0 +1,14 @@
> > +config BR2_PACKAGE_FAIL2BAN
> > + bool "fail2ban"
> > + depends on BR2_PACKAGE_PYTHON
>
> Are you sure it doesn't work with Python 3.x ? The fail2ban
> github page says it does.
>
> > + help
> > + Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
> > + that show the malicious signs -- too many password failures, seeking
> > + for exploits, etc. Out of the box Fail2Ban comes with filters for
> > + various services (apache, courier, ssh, etc).
> > +
> > + Fail2Ban is able to reduce the rate of incorrect authentications
> > + attempts however it cannot eliminate the risk that weak authentication
> > + presents.
>
> Aren't some of those lines too long? Could you verify with check-package
>
> > +
> > + https://www.fail2ban.org
>
> Please add a Config.in comment about the Python dependency.
>
> > diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban
> > new file mode 100644
> > index 0000000..92559e9
> > --- /dev/null
> > +++ b/package/fail2ban/S60fail2ban
> > @@ -0,0 +1,23 @@
> > +#!/bin/sh
> > +
> > +case "$1" in
> > + start)
> > + printf "Starting fail2ban: "
> > + start-stop-daemon -S -q -m -p /run/fail2ban.pid \
>
> Put the PID file in /var/run, to be consistent with most of our other
> init scripts.
>
> > + -b -x fail2ban-server -- -xf start
> > + [ $? = 0 ] && echo "OK" || echo "FAIL"
> > + ;;
> > + stop)
> > + printf "Stopping fail2ban: "
> > + start-stop-daemon -K -q -p /run/fail2ban.pid
>
> Ditto.
>
>
> > +FAIL2BAN_VERSION = 0.10.3.1
> > +FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
> > +FAIL2BAN_LICENSE = GPL-2.0+
> > +FAIL2BAN_LICENSE_FILES = COPYING
> > +FAIL2BAN_SETUP_TYPE = setuptools
> > +FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr
>
> So here is the one thing that made me change my mind. I was wondering:
> why do we need to pass those options in the fail2ban package? Why
> aren't they passed by the python-package infrastructure?
>
> Turns out that the Python package infrastructure is doing this:
>
> PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
> --prefix=$(TARGET_DIR)/usr \
> --executable=/usr/bin/python \
> --single-version-externally-managed \
> --root=/
>
> PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
> --prefix=$(STAGING_DIR)/usr \
> --executable=/usr/bin/python \
> --single-version-externally-managed \
> --root=/
>
> This looks pretty wrong, and it seems like we should be using:
>
> --prefix=/usr \
> --root=$(TARGET_DIR)
>
> and ditto for the staging installation, of course. Yegor, do you see
> any drawback with doing this change in pkg-python.mk ? To me, it seems
> like the right thing to do, and would avoid the need to have a special
> case in fail2ban.mk.
I've applied this hack:
diff --git a/package/pkg-python.mk b/package/pkg-python.mk
index f57e486dad..fcb7309ef9 100644
--- a/package/pkg-python.mk
+++ b/package/pkg-python.mk
@@ -66,10 +66,10 @@ PKG_PYTHON_SETUPTOOLS_ENV = \
_python_exec_prefix=/usr
PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
- --prefix=$(TARGET_DIR)/usr \
+ --prefix=/usr \
--executable=/usr/bin/python \
--single-version-externally-managed \
- --root=/
+ --root=$(TARGET_DIR)
PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
--prefix=$(STAGING_DIR)/usr \
And performed some tests with following packages (both via python
"console" and using packe own scripts like watchmedo or miniterm.py):
python-serial, python-watchdog, python-cryptography, python-pytablewriter
So far I haven't experienced any issues.
Regards,
Yegor
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v2] package/fail2ban: new package
2018-09-11 9:47 ` Yegor Yefremov
@ 2018-09-11 9:52 ` Thomas Petazzoni
2018-09-11 9:58 ` Angelo Compagnucci
0 siblings, 1 reply; 8+ messages in thread
From: Thomas Petazzoni @ 2018-09-11 9:52 UTC (permalink / raw)
To: buildroot
Hello,
On Tue, 11 Sep 2018 11:47:36 +0200, Yegor Yefremov wrote:
> > and ditto for the staging installation, of course. Yegor, do you see
> > any drawback with doing this change in pkg-python.mk ? To me, it seems
> > like the right thing to do, and would avoid the need to have a special
> > case in fail2ban.mk.
>
> I've applied this hack:
Why do you say "hack" ? It should be the right thing, compared to what
we're doing today.
> diff --git a/package/pkg-python.mk b/package/pkg-python.mk
> index f57e486dad..fcb7309ef9 100644
> --- a/package/pkg-python.mk
> +++ b/package/pkg-python.mk
> @@ -66,10 +66,10 @@ PKG_PYTHON_SETUPTOOLS_ENV = \
> _python_exec_prefix=/usr
>
> PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
> - --prefix=$(TARGET_DIR)/usr \
> + --prefix=/usr \
> --executable=/usr/bin/python \
> --single-version-externally-managed \
> - --root=/
> + --root=$(TARGET_DIR)
>
> PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
> --prefix=$(STAGING_DIR)/usr \
It should also be fixed in the staging installation commands, which
have the same problem.
> And performed some tests with following packages (both via python
> "console" and using packe own scripts like watchmedo or miniterm.py):
>
> python-serial, python-watchdog, python-cryptography, python-pytablewriter
>
> So far I haven't experienced any issues.
Great, thanks for doing this test! I think it would be a nice thing to
fix.
Angelo: just curious, for fail2ban, what made you realize you had to
override the --prefix and --root values ?
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v2] package/fail2ban: new package
2018-09-11 9:52 ` Thomas Petazzoni
@ 2018-09-11 9:58 ` Angelo Compagnucci
0 siblings, 0 replies; 8+ messages in thread
From: Angelo Compagnucci @ 2018-09-11 9:58 UTC (permalink / raw)
To: buildroot
Thomas, Yegor,
On Tue, Sep 11, 2018 at 11:52 AM Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:
>
> Hello,
>
> On Tue, 11 Sep 2018 11:47:36 +0200, Yegor Yefremov wrote:
> > > and ditto for the staging installation, of course. Yegor, do you see
> > > any drawback with doing this change in pkg-python.mk ? To me, it seems
> > > like the right thing to do, and would avoid the need to have a special
> > > case in fail2ban.mk.
> >
> > I've applied this hack:
>
> Why do you say "hack" ? It should be the right thing, compared to what
> we're doing today.
>
> > diff --git a/package/pkg-python.mk b/package/pkg-python.mk
> > index f57e486dad..fcb7309ef9 100644
> > --- a/package/pkg-python.mk
> > +++ b/package/pkg-python.mk
> > @@ -66,10 +66,10 @@ PKG_PYTHON_SETUPTOOLS_ENV = \
> > _python_exec_prefix=/usr
> >
> > PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
> > - --prefix=$(TARGET_DIR)/usr \
> > + --prefix=/usr \
> > --executable=/usr/bin/python \
> > --single-version-externally-managed \
> > - --root=/
> > + --root=$(TARGET_DIR)
> >
> > PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
> > --prefix=$(STAGING_DIR)/usr \
>
> It should also be fixed in the staging installation commands, which
> have the same problem.
>
> > And performed some tests with following packages (both via python
> > "console" and using packe own scripts like watchmedo or miniterm.py):
> >
> > python-serial, python-watchdog, python-cryptography, python-pytablewriter
> >
> > So far I haven't experienced any issues.
>
> Great, thanks for doing this test! I think it would be a nice thing to
> fix.
>
> Angelo: just curious, for fail2ban, what made you realize you had to
> override the --prefix and --root values ?
Python setuptools installs data_files into python_root, so the
fail2ban setup.py failed blatantly in buildroot trying to writing
something to /etc/fail2ban instead of $(TARGET_DIR)/etc/fail2ban.
I'm glad it will be fixed globally, I honestly thought it was like
that for a reason!
Sincerely, Angelo
>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v2] package/fail2ban: new package
2018-09-10 22:05 ` Thomas Petazzoni
2018-09-11 9:47 ` Yegor Yefremov
@ 2018-11-24 23:27 ` Angelo Compagnucci
2018-11-30 8:54 ` Yegor Yefremov
1 sibling, 1 reply; 8+ messages in thread
From: Angelo Compagnucci @ 2018-11-24 23:27 UTC (permalink / raw)
To: buildroot
Hi Thomas,
Il giorno mar 11 set 2018 alle ore 00:05 Thomas Petazzoni
<thomas.petazzoni@bootlin.com> ha scritto:
>
> Hello,
>
> +Yegor in Cc. Yegor: read all the way to the end, there is a question
> about the python-package infrastructure.
>
> On Wed, 22 Aug 2018 15:41:52 +0200, Angelo Compagnucci wrote:
> > Fail2ban scans log files (e.g. /var/log/apache/error_log)
> > and bans IPs that show malicious behaviours.
> >
> > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
>
> I was about to apply this patch (I even made a few minor fixes), but
> there is one thing that made me change my mind, see below. I will also
> list the minor issues.
>
> > package/Config.in | 1 +
> > package/fail2ban/Config.in | 14 ++++++++++++++
> > package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++
> > package/fail2ban/fail2ban.hash | 3 +++
> > package/fail2ban/fail2ban.mk | 28 ++++++++++++++++++++++++++++
>
> Entry in DEVELOPERS file missing.
>
> > diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in
> > new file mode 100644
> > index 0000000..cf82526
> > --- /dev/null
> > +++ b/package/fail2ban/Config.in
> > @@ -0,0 +1,14 @@
> > +config BR2_PACKAGE_FAIL2BAN
> > + bool "fail2ban"
> > + depends on BR2_PACKAGE_PYTHON
>
> Are you sure it doesn't work with Python 3.x ? The fail2ban
> github page says it does.
Probably it say so, but simply trying to run the software with python3:
File "/home/angelo/DEV/BUILDROOT/br_qemu_arm/build/fail2ban-0.10.4/fail2ban/__init__.py",
line 85, in _init
for i in xrange(50):
NameError: name 'xrange' is not defined
>
> > + help
> > + Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
> > + that show the malicious signs -- too many password failures, seeking
> > + for exploits, etc. Out of the box Fail2Ban comes with filters for
> > + various services (apache, courier, ssh, etc).
> > +
> > + Fail2Ban is able to reduce the rate of incorrect authentications
> > + attempts however it cannot eliminate the risk that weak authentication
> > + presents.
>
> Aren't some of those lines too long? Could you verify with check-package
>
> > +
> > + https://www.fail2ban.org
>
> Please add a Config.in comment about the Python dependency.
>
> > diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban
> > new file mode 100644
> > index 0000000..92559e9
> > --- /dev/null
> > +++ b/package/fail2ban/S60fail2ban
> > @@ -0,0 +1,23 @@
> > +#!/bin/sh
> > +
> > +case "$1" in
> > + start)
> > + printf "Starting fail2ban: "
> > + start-stop-daemon -S -q -m -p /run/fail2ban.pid \
>
> Put the PID file in /var/run, to be consistent with most of our other
> init scripts.
>
> > + -b -x fail2ban-server -- -xf start
> > + [ $? = 0 ] && echo "OK" || echo "FAIL"
> > + ;;
> > + stop)
> > + printf "Stopping fail2ban: "
> > + start-stop-daemon -K -q -p /run/fail2ban.pid
>
> Ditto.
>
>
> > +FAIL2BAN_VERSION = 0.10.3.1
> > +FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
> > +FAIL2BAN_LICENSE = GPL-2.0+
> > +FAIL2BAN_LICENSE_FILES = COPYING
> > +FAIL2BAN_SETUP_TYPE = setuptools
> > +FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr
>
> So here is the one thing that made me change my mind. I was wondering:
> why do we need to pass those options in the fail2ban package? Why
> aren't they passed by the python-package infrastructure?
>
> Turns out that the Python package infrastructure is doing this:
>
> PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
> --prefix=$(TARGET_DIR)/usr \
> --executable=/usr/bin/python \
> --single-version-externally-managed \
> --root=/
>
> PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
> --prefix=$(STAGING_DIR)/usr \
> --executable=/usr/bin/python \
> --single-version-externally-managed \
> --root=/
>
> This looks pretty wrong, and it seems like we should be using:
>
> --prefix=/usr \
> --root=$(TARGET_DIR)
>
> and ditto for the staging installation, of course. Yegor, do you see
> any drawback with doing this change in pkg-python.mk ? To me, it seems
> like the right thing to do, and would avoid the need to have a special
> case in fail2ban.mk.
>
> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
Profile: http://it.linkedin.com/in/compagnucciangelo
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v2] package/fail2ban: new package
2018-11-24 23:27 ` Angelo Compagnucci
@ 2018-11-30 8:54 ` Yegor Yefremov
2018-11-30 9:14 ` Angelo Compagnucci
0 siblings, 1 reply; 8+ messages in thread
From: Yegor Yefremov @ 2018-11-30 8:54 UTC (permalink / raw)
To: buildroot
Hi Angelo,
On Sun, Nov 25, 2018 at 12:28 AM Angelo Compagnucci
<angelo.compagnucci@gmail.com> wrote:
>
> Hi Thomas,
> Il giorno mar 11 set 2018 alle ore 00:05 Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> ha scritto:
> >
> > Hello,
> >
> > +Yegor in Cc. Yegor: read all the way to the end, there is a question
> > about the python-package infrastructure.
> >
> > On Wed, 22 Aug 2018 15:41:52 +0200, Angelo Compagnucci wrote:
> > > Fail2ban scans log files (e.g. /var/log/apache/error_log)
> > > and bans IPs that show malicious behaviours.
> > >
> > > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> >
> > I was about to apply this patch (I even made a few minor fixes), but
> > there is one thing that made me change my mind, see below. I will also
> > list the minor issues.
> >
> > > package/Config.in | 1 +
> > > package/fail2ban/Config.in | 14 ++++++++++++++
> > > package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++
> > > package/fail2ban/fail2ban.hash | 3 +++
> > > package/fail2ban/fail2ban.mk | 28 ++++++++++++++++++++++++++++
> >
> > Entry in DEVELOPERS file missing.
> >
> > > diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in
> > > new file mode 100644
> > > index 0000000..cf82526
> > > --- /dev/null
> > > +++ b/package/fail2ban/Config.in
> > > @@ -0,0 +1,14 @@
> > > +config BR2_PACKAGE_FAIL2BAN
> > > + bool "fail2ban"
> > > + depends on BR2_PACKAGE_PYTHON
> >
> > Are you sure it doesn't work with Python 3.x ? The fail2ban
> > github page says it does.
>
> Probably it say so, but simply trying to run the software with python3:
>
> File "/home/angelo/DEV/BUILDROOT/br_qemu_arm/build/fail2ban-0.10.4/fail2ban/__init__.py",
> line 85, in _init
> for i in xrange(50):
> NameError: name 'xrange' is not defined
This was fixed in [1], but it seems like if you'll have wait till the
next release.
[1] https://github.com/fail2ban/fail2ban/commit/657b147c0d7830f3600f3dc7feaa4815a7e19fde#diff-ac23116c0e156f1acc787e57fe98391c
Yegor
> >
> > > + help
> > > + Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
> > > + that show the malicious signs -- too many password failures, seeking
> > > + for exploits, etc. Out of the box Fail2Ban comes with filters for
> > > + various services (apache, courier, ssh, etc).
> > > +
> > > + Fail2Ban is able to reduce the rate of incorrect authentications
> > > + attempts however it cannot eliminate the risk that weak authentication
> > > + presents.
> >
> > Aren't some of those lines too long? Could you verify with check-package
> >
> > > +
> > > + https://www.fail2ban.org
> >
> > Please add a Config.in comment about the Python dependency.
> >
> > > diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban
> > > new file mode 100644
> > > index 0000000..92559e9
> > > --- /dev/null
> > > +++ b/package/fail2ban/S60fail2ban
> > > @@ -0,0 +1,23 @@
> > > +#!/bin/sh
> > > +
> > > +case "$1" in
> > > + start)
> > > + printf "Starting fail2ban: "
> > > + start-stop-daemon -S -q -m -p /run/fail2ban.pid \
> >
> > Put the PID file in /var/run, to be consistent with most of our other
> > init scripts.
> >
> > > + -b -x fail2ban-server -- -xf start
> > > + [ $? = 0 ] && echo "OK" || echo "FAIL"
> > > + ;;
> > > + stop)
> > > + printf "Stopping fail2ban: "
> > > + start-stop-daemon -K -q -p /run/fail2ban.pid
> >
> > Ditto.
> >
> >
> > > +FAIL2BAN_VERSION = 0.10.3.1
> > > +FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
> > > +FAIL2BAN_LICENSE = GPL-2.0+
> > > +FAIL2BAN_LICENSE_FILES = COPYING
> > > +FAIL2BAN_SETUP_TYPE = setuptools
> > > +FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr
> >
> > So here is the one thing that made me change my mind. I was wondering:
> > why do we need to pass those options in the fail2ban package? Why
> > aren't they passed by the python-package infrastructure?
> >
> > Turns out that the Python package infrastructure is doing this:
> >
> > PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
> > --prefix=$(TARGET_DIR)/usr \
> > --executable=/usr/bin/python \
> > --single-version-externally-managed \
> > --root=/
> >
> > PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
> > --prefix=$(STAGING_DIR)/usr \
> > --executable=/usr/bin/python \
> > --single-version-externally-managed \
> > --root=/
> >
> > This looks pretty wrong, and it seems like we should be using:
> >
> > --prefix=/usr \
> > --root=$(TARGET_DIR)
> >
> > and ditto for the staging installation, of course. Yegor, do you see
> > any drawback with doing this change in pkg-python.mk ? To me, it seems
> > like the right thing to do, and would avoid the need to have a special
> > case in fail2ban.mk.
> >
> > Thanks!
> >
> > Thomas
> > --
> > Thomas Petazzoni, CTO, Bootlin
> > Embedded Linux and Kernel engineering
> > https://bootlin.com
> > _______________________________________________
> > buildroot mailing list
> > buildroot at busybox.net
> > http://lists.busybox.net/mailman/listinfo/buildroot
>
>
>
> --
> Profile: http://it.linkedin.com/in/compagnucciangelo
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v2] package/fail2ban: new package
2018-11-30 8:54 ` Yegor Yefremov
@ 2018-11-30 9:14 ` Angelo Compagnucci
0 siblings, 0 replies; 8+ messages in thread
From: Angelo Compagnucci @ 2018-11-30 9:14 UTC (permalink / raw)
To: buildroot
Dear Yegor,
Il giorno ven 30 nov 2018 alle ore 09:54 Yegor Yefremov
<yegorslists@googlemail.com> ha scritto:
>
> Hi Angelo,
>
> On Sun, Nov 25, 2018 at 12:28 AM Angelo Compagnucci
> <angelo.compagnucci@gmail.com> wrote:
> >
> > Hi Thomas,
> > Il giorno mar 11 set 2018 alle ore 00:05 Thomas Petazzoni
> > <thomas.petazzoni@bootlin.com> ha scritto:
> > >
> > > Hello,
> > >
> > > +Yegor in Cc. Yegor: read all the way to the end, there is a question
> > > about the python-package infrastructure.
> > >
> > > On Wed, 22 Aug 2018 15:41:52 +0200, Angelo Compagnucci wrote:
> > > > Fail2ban scans log files (e.g. /var/log/apache/error_log)
> > > > and bans IPs that show malicious behaviours.
> > > >
> > > > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
> > >
> > > I was about to apply this patch (I even made a few minor fixes), but
> > > there is one thing that made me change my mind, see below. I will also
> > > list the minor issues.
> > >
> > > > package/Config.in | 1 +
> > > > package/fail2ban/Config.in | 14 ++++++++++++++
> > > > package/fail2ban/S60fail2ban | 23 +++++++++++++++++++++++
> > > > package/fail2ban/fail2ban.hash | 3 +++
> > > > package/fail2ban/fail2ban.mk | 28 ++++++++++++++++++++++++++++
> > >
> > > Entry in DEVELOPERS file missing.
> > >
> > > > diff --git a/package/fail2ban/Config.in b/package/fail2ban/Config.in
> > > > new file mode 100644
> > > > index 0000000..cf82526
> > > > --- /dev/null
> > > > +++ b/package/fail2ban/Config.in
> > > > @@ -0,0 +1,14 @@
> > > > +config BR2_PACKAGE_FAIL2BAN
> > > > + bool "fail2ban"
> > > > + depends on BR2_PACKAGE_PYTHON
> > >
> > > Are you sure it doesn't work with Python 3.x ? The fail2ban
> > > github page says it does.
> >
> > Probably it say so, but simply trying to run the software with python3:
> >
> > File "/home/angelo/DEV/BUILDROOT/br_qemu_arm/build/fail2ban-0.10.4/fail2ban/__init__.py",
> > line 85, in _init
> > for i in xrange(50):
> > NameError: name 'xrange' is not defined
>
> This was fixed in [1], but it seems like if you'll have wait till the
> next release.
Yes I know and meanwhile I submitted a PR to disable installation of
tests files hoping that the next release contains both fixes, but as
far as I can tell the project has a load of backlog!
Thanks!
>
> [1] https://github.com/fail2ban/fail2ban/commit/657b147c0d7830f3600f3dc7feaa4815a7e19fde#diff-ac23116c0e156f1acc787e57fe98391c
>
> Yegor
>
> > >
> > > > + help
> > > > + Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs
> > > > + that show the malicious signs -- too many password failures, seeking
> > > > + for exploits, etc. Out of the box Fail2Ban comes with filters for
> > > > + various services (apache, courier, ssh, etc).
> > > > +
> > > > + Fail2Ban is able to reduce the rate of incorrect authentications
> > > > + attempts however it cannot eliminate the risk that weak authentication
> > > > + presents.
> > >
> > > Aren't some of those lines too long? Could you verify with check-package
> > >
> > > > +
> > > > + https://www.fail2ban.org
> > >
> > > Please add a Config.in comment about the Python dependency.
> > >
> > > > diff --git a/package/fail2ban/S60fail2ban b/package/fail2ban/S60fail2ban
> > > > new file mode 100644
> > > > index 0000000..92559e9
> > > > --- /dev/null
> > > > +++ b/package/fail2ban/S60fail2ban
> > > > @@ -0,0 +1,23 @@
> > > > +#!/bin/sh
> > > > +
> > > > +case "$1" in
> > > > + start)
> > > > + printf "Starting fail2ban: "
> > > > + start-stop-daemon -S -q -m -p /run/fail2ban.pid \
> > >
> > > Put the PID file in /var/run, to be consistent with most of our other
> > > init scripts.
> > >
> > > > + -b -x fail2ban-server -- -xf start
> > > > + [ $? = 0 ] && echo "OK" || echo "FAIL"
> > > > + ;;
> > > > + stop)
> > > > + printf "Stopping fail2ban: "
> > > > + start-stop-daemon -K -q -p /run/fail2ban.pid
> > >
> > > Ditto.
> > >
> > >
> > > > +FAIL2BAN_VERSION = 0.10.3.1
> > > > +FAIL2BAN_SITE = $(call github,fail2ban,fail2ban,$(FAIL2BAN_VERSION))
> > > > +FAIL2BAN_LICENSE = GPL-2.0+
> > > > +FAIL2BAN_LICENSE_FILES = COPYING
> > > > +FAIL2BAN_SETUP_TYPE = setuptools
> > > > +FAIL2BAN_INSTALL_TARGET_OPTS = --root=$(TARGET_DIR) --prefix=/usr
> > >
> > > So here is the one thing that made me change my mind. I was wondering:
> > > why do we need to pass those options in the fail2ban package? Why
> > > aren't they passed by the python-package infrastructure?
> > >
> > > Turns out that the Python package infrastructure is doing this:
> > >
> > > PKG_PYTHON_SETUPTOOLS_INSTALL_TARGET_OPTS = \
> > > --prefix=$(TARGET_DIR)/usr \
> > > --executable=/usr/bin/python \
> > > --single-version-externally-managed \
> > > --root=/
> > >
> > > PKG_PYTHON_SETUPTOOLS_INSTALL_STAGING_OPTS = \
> > > --prefix=$(STAGING_DIR)/usr \
> > > --executable=/usr/bin/python \
> > > --single-version-externally-managed \
> > > --root=/
> > >
> > > This looks pretty wrong, and it seems like we should be using:
> > >
> > > --prefix=/usr \
> > > --root=$(TARGET_DIR)
> > >
> > > and ditto for the staging installation, of course. Yegor, do you see
> > > any drawback with doing this change in pkg-python.mk ? To me, it seems
> > > like the right thing to do, and would avoid the need to have a special
> > > case in fail2ban.mk.
> > >
> > > Thanks!
> > >
> > > Thomas
> > > --
> > > Thomas Petazzoni, CTO, Bootlin
> > > Embedded Linux and Kernel engineering
> > > https://bootlin.com
> > > _______________________________________________
> > > buildroot mailing list
> > > buildroot at busybox.net
> > > http://lists.busybox.net/mailman/listinfo/buildroot
> >
> >
> >
> > --
> > Profile: http://it.linkedin.com/in/compagnucciangelo
> > _______________________________________________
> > buildroot mailing list
> > buildroot at busybox.net
> > http://lists.busybox.net/mailman/listinfo/buildroot
--
Profile: http://it.linkedin.com/in/compagnucciangelo
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2018-11-30 9:14 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-22 13:41 [Buildroot] [PATCH v2] package/fail2ban: new package Angelo Compagnucci
2018-09-10 22:05 ` Thomas Petazzoni
2018-09-11 9:47 ` Yegor Yefremov
2018-09-11 9:52 ` Thomas Petazzoni
2018-09-11 9:58 ` Angelo Compagnucci
2018-11-24 23:27 ` Angelo Compagnucci
2018-11-30 8:54 ` Yegor Yefremov
2018-11-30 9:14 ` Angelo Compagnucci
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.