only run hub update on error or if it's in a volume

reenable pre-loading
disable the cache more
2024-04-19 09:01:12 +02:00 · 2024-04-19 09:00:39 +02:00 · 2024-04-18 14:54:42 +02:00 · 2024-04-18 14:48:18 +02:00 · 2024-04-18 14:25:58 +02:00 · 2024-04-18 14:18:33 +02:00
5 changed files with 48 additions and 20 deletions
--- a/.github/workflows/docker-tests.yml
+++ b/.github/workflows/docker-tests.yml
@ -59,15 +59,15 @@ jobs:
          cd docker/test
          python -m pip install --upgrade pipenv wheel

-      - name: "Cache virtualenvs"
-        id: cache-pipenv
-        uses: actions/cache@v4
-        with:
-          path: ~/.local/share/virtualenvs
-          key: ${{ runner.os }}-pipenv-${{ hashFiles('**/Pipfile.lock') }}
+      #- name: "Cache virtualenvs"
+      #  id: cache-pipenv
+      #  uses: actions/cache@v4
+      #  with:
+      #    path: ~/.local/share/virtualenvs
+      #    key: ${{ runner.os }}-pipenv-${{ hashFiles('**/Pipfile.lock') }}

      - name: "Install dependencies"
-        if: steps.cache-pipenv.outputs.cache-hit != 'true'
+        #if: steps.cache-pipenv.outputs.cache-hit != 'true'
        run: |
          cd docker/test
          pipenv install --deploy
--- a/docker/README.md
+++ b/docker/README.md
@ -134,6 +134,7 @@ labels:
  type: apache2
 ```

+
 ## Recommended configuration

 ### Volumes
@ -145,14 +146,6 @@ to avoid losing credentials and decision data in case of container destruction a
 * Acquisition: `/etc/crowdsec/acquis.d` and/or `/etc/crowdsec.acquis.yaml` (yes, they can be nested in `/etc/crowdsec`)
 * Database when using SQLite (default): `/var/lib/crowdsec/data`

-### Hub updates
-
-To ensure you have the latest version of the collections, scenarios, parsers, etc., you can set the variable `DO_HUB_UPGRADE` to true.
-This will perform an update/upgrade of the hub every time the container is started.
-
-Be aware that if your container is misbehaving and caught in a restart loop, the CrowdSec hub may ban your IP for some time and your containers
-will run with the version of the hub that is cached in the container's image. If you enable `DO_HUB_UPGRADE`, do it when your infrastructure is running
-correctly and make sure you have some monitoring in place.

 ## Start a Crowdsec instance

@ -323,7 +316,7 @@ config.yaml) each time the container is run.
 | `BOUNCERS_ALLOWED_OU`   | bouncer-ou | OU values allowed for bouncers, separated by comma |
 |                         | | |
 | __Hub management__      | | |
-| `DO_HUB_UPGRADE`        | false | Force hub update / upgrade when the container starts. If for some reason the container restarts too often, it may lead to a temporary ban from hub updates. |
+| `NO_HUB_UPGRADE`        | false | Skip hub update / upgrade when the container starts |
 | `COLLECTIONS`           | | Collections to install, separated by space: `-e COLLECTIONS="crowdsecurity/linux crowdsecurity/apache2"` |
 | `PARSERS`               | | Parsers to install, separated by space |
 | `SCENARIOS`             | | Scenarios to install, separated by space |
--- a/docker/docker_start.sh
+++ b/docker/docker_start.sh
@ -50,6 +50,34 @@ cscli() {
    command cscli -c "$CONFIG_FILE" "$@"
 }

+run_hub_update() {
+    index_modification_time=$(stat -c %Y /etc/crowdsec/hub/.index.json 2>/dev/null)
+    #Run cscli hub update if no date or if the index file is older than 24h
+    if [ -z "$index_modification_time" ] || [ $(( $(date +%s) - $index_modification_time )) -gt 86400 ]; then
+        cscli hub update
+    else
+        echo "Skipping hub update, index file is recent"
+    fi
+}
+
+run_hub_update_if_from_volume() {
+    path=$(readlink -f "/etc/crowdsec/hub/.index.json") # even though it's unlikely, resolve symlink
+    mounts=$(awk '{print $2}' /proc/mounts)
+    while true; do
+        if grep -qE ^"$path"$ <<< "$mounts"; then
+            echo "$path was found in a volume, running hub update"
+            run_hub_update
+            return 0
+        fi
+        path=$(dirname "$path")
+        if [ "$path" = "/" ]; then
+            echo "It looks like the hub index is not in a volume, skipping update"
+            return 1
+        fi
+    done
+    return 1 #unreachable
+}
+
 # conf_get <key> [file_path]
 # retrieve a value from a file (by default $CONFIG_FILE)
 conf_get() {
@ -120,6 +148,12 @@ cscli_if_clean() {
            echo "Running: cscli $error_only $itemtype $action \"$obj\" $*"
            # shellcheck disable=SC2086
            cscli $error_only "$itemtype" "$action" "$obj" "$@"
+            if [ "$?" -ne 0 ]; then
+                echo "Failed to $action $itemtype/$obj, running hub update before retrying"
+                run_hub_update
+                # shellcheck disable=SC2086
+                cscli $error_only "$itemtype" "$action" "$obj" "$@"
+            fi
        fi
    done
 }
@ -304,8 +338,9 @@ conf_set_if "$PLUGIN_DIR" '.config_paths.plugin_dir = strenv(PLUGIN_DIR)'

 ## Install hub items

-if istrue "$DO_HUB_UPGRADE"; then
-    cscli hub update || true
+run_hub_update_if_from_volume || true
+
+if isfalse "$NO_HUB_UPGRADE"; then
    cscli hub upgrade || true
 fi

--- a/docker/preload-hub-items
+++ b/docker/preload-hub-items
@ -19,4 +19,4 @@ for itemtype in $types; do
    fi
 done

-echo " done."
+echo " done."
--- a/test/bin/preload-hub-items
+++ b/test/bin/preload-hub-items
@ -24,4 +24,4 @@ for itemtype in $types; do
    fi
 done

-echo " done."
+echo " done."
Author	SHA1	Message	Date
Sebastien Blot	5870b9fca8	only run hub update on error or if it's in a volume	2024-04-19 09:01:12 +02:00
Sebastien Blot	6cc1e5fc64	reenable pre-loading	2024-04-19 09:00:39 +02:00
Sebastien Blot	6d60362fdd	disable the cache more	2024-04-18 14:54:42 +02:00
Sebastien Blot	f8d75db913	try disabling cache for pipenv	2024-04-18 14:48:18 +02:00
Sebastien Blot	5980810fd8	Revert "docker: pre-download hub items (debian image) (#2934 )" This reverts commit `2291a232cb`.	2024-04-18 14:25:58 +02:00
Sebastien Blot	6a5da6dfae	Revert "docker: pre-download all hub items and data, opt-in hub update/upgrade (#2933 )" This reverts commit `0e8a1c681b`.	2024-04-18 14:18:33 +02:00