crowdsecurity / cs-firewall-bouncer

Crowdsec bouncer written in golang for firewalls

Can't install firewall bouncer after failed upgrade.

Davst opened this issue · comments

Firewall bouncer failed to upgrade during an apt-get upgrade, so I removed it and purged it just to be safe before I tried reinstalling it.

However I can't start it once installed again.

> sudo apt-get remove crowdsec-firewall-bouncer-iptables                                                              ~ RC=1
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ipset libipset3 libwayland-egl1-mesa linux-headers-4.15.0-206 linux-headers-4.15.0-206-generic linux-headers-4.15.0-208
  linux-headers-4.15.0-208-generic linux-headers-4.15.0-212 linux-headers-4.15.0-212-generic linux-headers-4.15.0-213
  linux-headers-4.15.0-213-generic linux-image-4.15.0-206-generic linux-image-4.15.0-208-generic
  linux-image-4.15.0-212-generic linux-image-4.15.0-213-generic linux-modules-4.15.0-206-generic
  linux-modules-4.15.0-208-generic linux-modules-4.15.0-212-generic linux-modules-4.15.0-213-generic
  linux-modules-extra-4.15.0-206-generic linux-modules-extra-4.15.0-208-generic linux-modules-extra-4.15.0-212-generic
  linux-modules-extra-4.15.0-213-generic linux-tools-4.15.0-206 linux-tools-4.15.0-206-generic linux-tools-4.15.0-208
  linux-tools-4.15.0-208-generic linux-tools-4.15.0-212 linux-tools-4.15.0-212-generic linux-tools-4.15.0-213
  linux-tools-4.15.0-213-generic
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  crowdsec-firewall-bouncer-iptables
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 12.7 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 417296 files and directories currently installed.)
Removing crowdsec-firewall-bouncer-iptables (0.0.28) ...
Removed /etc/systemd/system/multi-user.target.wants/crowdsec-firewall-bouncer.service.
> ls | grep crowd                                                                                                       info
crowdsec-firewall-bouncer-iptables.list
crowdsec-firewall-bouncer-iptables.postrm
crowdsec.list
crowdsec.postrm
> sudo rm crowdsec*
> sudo apt-get purge --auto-remove crowdsec-firewall-bouncer-iptables
> sudo apt install crowdsec-firewall-bouncer-iptables                                                                   info
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  ipset libipset3
The following NEW packages will be installed:
  crowdsec-firewall-bouncer-iptables ipset libipset3
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 77.7 kB/3,771 kB of archives.
After this operation, 13.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://se.archive.ubuntu.com/ubuntu bionic/main amd64 libipset3 amd64 6.34-1 [43.9 kB]
Get:2 http://se.archive.ubuntu.com/ubuntu bionic/main amd64 ipset amd64 6.34-1 [33.7 kB]
Fetched 77.7 kB in 0s (1,049 kB/s)
Selecting previously unselected package libipset3:amd64.
(Reading database ... 274854 files and directories currently installed.)
Preparing to unpack .../libipset3_6.34-1_amd64.deb ...
Unpacking libipset3:amd64 (6.34-1) ...
Selecting previously unselected package ipset.
Preparing to unpack .../ipset_6.34-1_amd64.deb ...
Unpacking ipset (6.34-1) ...
Selecting previously unselected package crowdsec-firewall-bouncer-iptables.
Preparing to unpack .../crowdsec-firewall-bouncer-iptables_0.0.28_amd64.deb ...
Unpacking crowdsec-firewall-bouncer-iptables (0.0.28) ...
Setting up libipset3:amd64 (6.34-1) ...
Setting up ipset (6.34-1) ...
Setting up crowdsec-firewall-bouncer-iptables (0.0.28) ...

Configuration file '/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** crowdsec-firewall-bouncer.yaml (Y/I/N/O/D/Z) [default=N] ? d

Configuration file '/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** crowdsec-firewall-bouncer.yaml (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml ...
cscli/crowdsec is not present, please set the API key manually
Created symlink /etc/systemd/system/multi-user.target.wants/crowdsec-firewall-bouncer.service → /etc/systemd/system/crowdsec-firewall-bouncer.service.
no api key was generated, you can generate one on your LAPI server by running 'cscli bouncers add <bouncer_name>' and add it to '/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
Processing triggers for libc-bin (2.27-3ubuntu1.6) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
W: Operation was interrupted before it could finish

Updated the new config file with my api key

Tried to start the service

> sudo systemctl restart crowdsec-firewall-bouncer.service                                                                                                          info
[sudo] password for haddoq:
Job for crowdsec-firewall-bouncer.service failed because the control process exited with error code.
See "systemctl status crowdsec-firewall-bouncer.service" and "journalctl -xe" for details.
> systemctl status crowdsec-firewall-bouncer.service                                                                                                           info RC=1
● crowdsec-firewall-bouncer.service - The firewall bouncer for CrowdSec
   Loaded: loaded (/etc/systemd/system/crowdsec-firewall-bouncer.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Fri 2023-11-10 11:01:14 UTC; 2s ago
  Process: 4634 ExecStartPost=/bin/sleep 0.1 (code=exited, status=0/SUCCESS)
  Process: 4532 ExecStart=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml (code=exited, status=1/FAILURE)
  Process: 4353 ExecStartPre=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -t (code=exited, status=0/SUCCESS)
 Main PID: 4532 (code=exited, status=1/FAILURE
> journalctl -xe -u crowdsec-firewall-bouncer.service
-- Logs begin at Fri 2023-11-10 00:00:01 UTC, end at Fri 2023-11-10 10:37:04 UTC. --
-- No entries --

Can you check the log file at /var/log/crowdsec-firewall-bouncer.log?

Log from trying to start the service:

time="10-11-2023 12:43:58" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5"
time="10-11-2023 12:43:58" level=info msg="backend type : iptables"
time="10-11-2023 12:43:58" level=info msg="IPV6 is disabled"
time="10-11-2023 12:43:58" level=info msg="iptables for ipv4 initiated"
time="10-11-2023 12:43:58" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:58" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:43:58" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:58" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:43:58" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:43:58" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:43:58" level=info msg="Checking existing set"
time="10-11-2023 12:43:58" level=info msg="ipset set-up : /sbin/ipset -exist create crowdsec-blacklists nethash timeout 300 maxelem 131072"
time="10-11-2023 12:43:59" level=info msg="Rule doesn't exist (/sbin/iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:43:59" level=info msg="Rule doesn't exist (/sbin/iptables -C DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:43:59" level=info msg="iptables set-up : /sbin/iptables -I INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:59" level=info msg="iptables set-up : /sbin/iptables -I DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:59" level=info msg="Using API key auth"
time="10-11-2023 12:43:59" level=info msg="config is valid"
time="10-11-2023 12:43:59" level=info msg="Shutting down backend"
time="10-11-2023 12:43:59" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:59" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:59" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:43:59" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5"
time="10-11-2023 12:43:59" level=info msg="backend type : iptables"
time="10-11-2023 12:43:59" level=info msg="IPV6 is disabled"
time="10-11-2023 12:43:59" level=info msg="iptables for ipv4 initiated"
time="10-11-2023 12:43:59" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:59" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:43:59" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:43:59" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:43:59" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:43:59" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:43:59" level=info msg="Checking existing set"
time="10-11-2023 12:43:59" level=info msg="ipset set-up : /sbin/ipset -exist create crowdsec-blacklists nethash timeout 300 maxelem 131072"
time="10-11-2023 12:44:00" level=info msg="Rule doesn't exist (/sbin/iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:44:00" level=info msg="Rule doesn't exist (/sbin/iptables -C DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:44:00" level=info msg="iptables set-up : /sbin/iptables -I INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:00" level=info msg="iptables set-up : /sbin/iptables -I DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:00" level=info msg="Using API key auth"
time="10-11-2023 12:44:00" level=info msg="Processing new and deleted decisions . . ."
time="10-11-2023 12:44:00" level=error msg="http code 404, invalid body: invalid character '<' looking for beginning of value"
time="10-11-2023 12:44:00" level=info msg="Shutting down backend"
time="10-11-2023 12:44:00" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:00" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:00" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:44:00" level=fatal msg="process terminated with error: bouncer stream halted"
time="10-11-2023 12:44:03" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5"
time="10-11-2023 12:44:03" level=info msg="backend type : iptables"
time="10-11-2023 12:44:03" level=info msg="IPV6 is disabled"
time="10-11-2023 12:44:03" level=info msg="iptables for ipv4 initiated"
time="10-11-2023 12:44:03" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:03" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:44:03" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:03" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:44:03" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:44:03" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:44:03" level=info msg="Checking existing set"
time="10-11-2023 12:44:03" level=info msg="ipset set-up : /sbin/ipset -exist create crowdsec-blacklists nethash timeout 300 maxelem 131072"
time="10-11-2023 12:44:04" level=info msg="Rule doesn't exist (/sbin/iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:44:04" level=info msg="Rule doesn't exist (/sbin/iptables -C DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:44:04" level=info msg="iptables set-up : /sbin/iptables -I INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:04" level=info msg="iptables set-up : /sbin/iptables -I DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:04" level=info msg="Using API key auth"
time="10-11-2023 12:44:04" level=info msg="config is valid"
time="10-11-2023 12:44:04" level=info msg="Shutting down backend"
time="10-11-2023 12:44:04" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:04" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:04" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:44:04" level=info msg="Starting crowdsec-firewall-bouncer v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5"
time="10-11-2023 12:44:04" level=info msg="backend type : iptables"
time="10-11-2023 12:44:04" level=info msg="IPV6 is disabled"
time="10-11-2023 12:44:04" level=info msg="iptables for ipv4 initiated"
time="10-11-2023 12:44:04" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:04" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:44:04" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:04" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:44:04" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:44:04" level=info msg="ipset 'crowdsec-blacklists' doesn't exist, skip"
time="10-11-2023 12:44:04" level=info msg="Checking existing set"
time="10-11-2023 12:44:04" level=info msg="ipset set-up : /sbin/ipset -exist create crowdsec-blacklists nethash timeout 300 maxelem 131072"
time="10-11-2023 12:44:05" level=info msg="Rule doesn't exist (/sbin/iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:44:05" level=info msg="Rule doesn't exist (/sbin/iptables -C DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP)"
time="10-11-2023 12:44:05" level=info msg="iptables set-up : /sbin/iptables -I INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:05" level=info msg="iptables set-up : /sbin/iptables -I DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:05" level=info msg="Using API key auth"
time="10-11-2023 12:44:05" level=info msg="Processing new and deleted decisions . . ."
time="10-11-2023 12:44:05" level=error msg="http code 404, invalid body: invalid character '<' looking for beginning of value"
time="10-11-2023 12:44:05" level=info msg="Shutting down backend"
time="10-11-2023 12:44:05" level=info msg="iptables clean-up : /sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:05" level=info msg="iptables clean-up : /sbin/iptables -D DOCKER-USER -m set --match-set crowdsec-blacklists src -j DROP"
time="10-11-2023 12:44:05" level=info msg="ipset clean-up : /sbin/ipset -exist destroy crowdsec-blacklists"
time="10-11-2023 12:44:05" level=fatal msg="process terminated with error: bouncer stream halted"

time="10-11-2023 12:44:05" level=error msg="http code 404, invalid body: invalid character '<' looking for beginning of value"
time="10-11-2023 12:44:05" level=info msg="Shutting down backend"

There is an issue communicating with the configured API URL. Can you check the configuration and ensure it is correct?

Closing issue due to staleness
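
An added example, not part of the issue thread or the project's code: a small Go check for the failure in the log above, where the server at the configured API URL answers 404 with a body starting with `<` (HTML) instead of JSON. It assumes the bouncer polls `/v1/decisions/stream?startup=true` with an `X-Api-Key` header, which the page does not show; `diagnose` and `probe` are hypothetical names, and the server in `main` is a constructed stand-in for a web server that is not LAPI.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// diagnose classifies the reply to GET <api_url>/v1/decisions/stream.
func diagnose(status int, body []byte) string {
	switch {
	case strings.HasPrefix(strings.TrimSpace(string(body)), "<"):
		// Same condition that makes the bouncer log "invalid character '<'".
		return fmt.Sprintf("api_url is not a CrowdSec LAPI: HTTP %d with an HTML body", status)
	case status == http.StatusOK && json.Valid(body):
		return "ok: LAPI answered with JSON"
	case status == http.StatusUnauthorized || status == http.StatusForbidden:
		return "api_key rejected by the server at api_url"
	default:
		return fmt.Sprintf("unexpected reply: HTTP %d", status)
	}
}

// probe sends the request described above (an assumption) and diagnoses the reply.
func probe(apiURL, apiKey string) (string, error) {
	url := strings.TrimRight(apiURL, "/") + "/v1/decisions/stream?startup=true"
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Api-Key", apiKey)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err // nothing reachable at api_url
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	return diagnose(resp.StatusCode, body), nil
}

func main() {
	// Constructed stand-in: a web server that is not LAPI and answers 404 with HTML.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNotFound)
		io.WriteString(w, "<html><body>404 Not Found</body></html>")
	}))
	defer srv.Close()
	fmt.Println(probe(srv.URL, "constructed-api-key"))
}
```

To check a real host, call `probe` with the `api_url` and `api_key` values from `/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml` instead of the stand-in server.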