CrowdSec8mo ago
AR2000

How do you write a custom bouncer script fed from stdin?

I'm trying to update my custom bouncer to use stdin, but it looks like it is never called, and something crashes without a proper error message.
time="2025-01-03T13:54:16Z" level=info msg="Loading yaml file: '/crowdsec-custom-bouncer.yaml' with additional values from '/crowdsec-custom-bouncer.yaml.local'"
time="2025-01-03T13:54:16Z" level=info msg="Starting crowdsec-custom-bouncer -dc188f560ad1a428b6aead8aaf44ffb300b29956"
time="2025-01-03T13:54:16Z" level=info msg="Using API key auth"
time="2025-01-03T13:54:16Z" level=debug msg="[URL] GET http://127.0.0.1:43254/v1/decisions/stream?origins=crowdsec%2Ccscli%2CCAPI&scenarios_containing=ssh&scopes=Ip&startup=true"
time="2025-01-03T13:54:16Z" level=debug msg="req-api: GET http://127.0.0.1:43254/v1/decisions/stream?origins=crowdsec%2Ccscli%2CCAPI&scenarios_containing=ssh&scopes=Ip&startup=true"
time="2025-01-03T13:54:16Z" level=info msg="Processing new and deleted decisions . . ."
time="2025-01-03T13:54:16Z" level=info msg="terminating bouncer process"
time="2025-01-03T13:54:17Z" level=debug msg="resp-api: http 200"
time="2025-01-03T13:54:17Z" level=debug msg="[headers] Content-Type : [application/json; charset=utf-8]"
time="2025-01-03T13:54:17Z" level=debug msg="[headers] Date : [Fri, 03 Jan 2025 13:54:17 GMT]"
time="2025-01-03T13:54:17Z" level=debug msg="Response: HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Type: application/json; charset=utf-8\r\ [...]
This is my script for testing purposes:
#!/bin/bash
# Marker written on startup so we can tell whether the script was launched at all
echo test >> /bouncer.stdin.out
# Copy every decision line the bouncer feeds on stdin to the output file
while IFS= read -r line
do
echo "$line" >> /bouncer.stdin.out
done
It never gets called (the output file doesn't exist).
CrowdSec
CrowdSec8mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
AR2000
AR2000OP8mo ago
FROM golang:1.21.4 AS build-stage
WORKDIR /app
RUN git clone --depth 1 https://github.com/crowdsecurity/cs-custom-bouncer.git
WORKDIR /app/cs-custom-bouncer
RUN CGO_ENABLED=0 GOOS=linux make release
Sample from my Dockerfile (to show how I'm building the custom bouncer binary).
iiamloz
iiamloz8mo ago
Do you have an entrypoint or is that being defined when you run or via the compose args?
AR2000
AR2000OP8mo ago
No entrypoint, just the CMD:
[...]
FROM iptables-${IPTABLES_MODE} AS crowdsec-custom-bouncer
RUN mkdir -p /etc/crowdsec/bouncers
COPY --from=build-stage /app/cs-custom-bouncer/crowdsec-custom-bouncer \
/usr/bin/crowdsec-custom-bouncer
COPY --from=build-stage /app/cs-custom-bouncer/config/crowdsec-custom-bouncer.yaml \
/crowdsec-custom-bouncer.yaml
ADD --chmod=770 bouncer.sh /bouncer.sh
ENV BINARY_PATH=/bouncer.sh
CMD ["/usr/bin/crowdsec-custom-bouncer", "-c", "/crowdsec-custom-bouncer.yaml"]
iiamloz
iiamloz8mo ago
and the crowdsec-custom-bouncer.yaml is trying to use $BINARY_PATH?
AR2000
AR2000OP8mo ago
yes
AR2000
AR2000OP8mo ago
Gitea
crowdsec-legacy-firewall-bouncer
Crowdsec firewall bouncer for systems that do not support ipset. Based on crowdsec-custom-bouncer.
AR2000
AR2000OP8mo ago
It's the default file, and it does.
iiamloz
iiamloz8mo ago
afaik the custom bouncer doesn't read env keys, it only runs the local patcher
iiamloz
iiamloz8mo ago
GitHub
cs-custom-bouncer/pkg/cfg/config.go at dc188f560ad1a428b6aead8aaf44...
CrowdSec bouncer to use custom scripts. Contribute to crowdsecurity/cs-custom-bouncer development by creating an account on GitHub.
AR2000
AR2000OP8mo ago
It does. I just fixed this issue: the env value was incorrect, and it showed in the log. Also, it works in non-stdin mode.
iiamloz
iiamloz8mo ago
ahh okay, my lack of using the custom bouncer
AR2000
AR2000OP8mo ago
fair
crowdsec-custom-bouncer.yaml.local:
log_mode: stdout # file or stdout
log_level: debug
api_url: http://127.0.0.1:43254/
api_key: <REDACTED> # as created in crowdsec
scenarios_containing: ["ssh"]
scopes: ["Ip"]
origins: ["crowdsec", "cscli", "CAPI"]
supported_decisions_types:
- ban
feed_via_stdin: true
iiamloz
iiamloz8mo ago
and you don't even see "test"?
AR2000
AR2000OP8mo ago
nop
# ls
bin crowdsec-custom-bouncer.yaml etc lib64 opt run sys var
boot crowdsec-custom-bouncer.yaml.local home media proc sbin tmp
bouncer.sh dev lib mnt root srv usr
The file doesn't exist. And since you are probably asking yourself the question: iptables-nft and ipset don't work on my server (as for why, idk), so I need to use iptables-legacy, which the official firewall bouncer doesn't support.
iiamloz
iiamloz8mo ago
nah, I remember your thread from December, I know the reason for making it 👍 I am going to play around with it to see what might be happening
AR2000
AR2000OP8mo ago
Anything new? I couldn't find a way to make it work yet.
iiamloz
iiamloz8mo ago
apologies, it slipped my mind, I added a todo for tomorrow morning to work on replicating it. Just so I can ask: what is this image, FROM iptables-${IPTABLES_MODE} AS crowdsec-custom-bouncer?
AR2000
AR2000OP8mo ago
The iptables-${IPTABLES_MODE} image? It's either iptables-legacy or iptables-nft depending on the build arg IPTABLES_MODE. They are declared in the same Dockerfile: https://docs.docker.com/build/building/multi-stage/ It's a multi-stage build so I can have both a legacy and an nft image. https://docs.docker.com/build/building/variables/#arg-usage-example Which one is used is defined with ARG: docker build --build-arg IPTABLES_MODE=legacy. I pushed a commented version of the Dockerfile.
iiamloz
iiamloz8mo ago
My bad, I forgot you linked your repo! Will check it out soon. I can see it's Ubuntu based, that was the main thing I was missing. @AR2000 managed to debug the issue and it's kinda stupid, we should also issue a fix to the binary. A workaround for you right now is to set this property in the yaml:
total_retries: 3
This basically needs to be set > 0, as the code is checking if 0 > 1 and the check always fails.
iiamloz
iiamloz8mo ago
GitHub
fix: Feedviastdin total retires by LaurenceJJones · Pull Request #1...
If total retries is not set then it will never execute the binary because we start the for loop at 1, changing to 0 means it at least tries to execute the binary once before attempting the total re...
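To make the total_retries behaviour concrete, here is a simplified model of the launch loop, added for this thread and not taken from cs-custom-bouncer itself (the real code execs the configured binary; the launch callback and the function names here are assumptions). It shows why the default of 0 never runs the script and how starting the index at 0 always gives one attempt:

```go
package main

import (
	"errors"
	"fmt"
)

// Illustration written for this thread, not the project's code: a simplified
// model of how the bouncer launches BINARY_PATH in feed_via_stdin mode.
// launch stands in for exec'ing the script; both functions return the number
// of launch attempts and the last error.

// buggyStart: the loop index starts at 1, so with the default total_retries
// of 0 the body never runs and the script is never executed (no output file).
func buggyStart(totalRetries int, launch func() error) (int, error) {
	attempts := 0
	var err error
	for i := 1; i <= totalRetries; i++ {
		attempts++
		if err = launch(); err == nil {
			return attempts, nil
		}
	}
	if attempts == 0 {
		return 0, errors.New("binary never launched: total_retries is 0")
	}
	return attempts, err
}

// fixedStart starts the index at 0, as the linked PR does: the binary is
// always tried once, then up to total_retries more times on failure.
func fixedStart(totalRetries int, launch func() error) (int, error) {
	attempts := 0
	var err error
	for i := 0; i <= totalRetries; i++ {
		attempts++
		if err = launch(); err == nil {
			return attempts, nil
		}
	}
	return attempts, err
}

func main() {
	ok := func() error { return nil }
	fail := func() error { return errors.New("exec failed") }
	a, err := buggyStart(0, ok)
	fmt.Printf("buggy total_retries=0: attempts=%d err=%v\n", a, err)
	a, err = fixedStart(3, fail)
	fmt.Printf("fixed total_retries=3 failing exec: attempts=%d err=%v\n", a, err)
}
```

With the workaround above, total_retries: 3 makes the unfixed loop run three times, which is enough for one successful launch; the fix removes the need for the workaround.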
AR2000
AR2000OP8mo ago
Thank you very much. My script works now.
CrowdSec
CrowdSec8mo ago
Resolving: How do you write a custom bouncer script fed from stdin? This has now been resolved. If you think this is a mistake please run /unresolve