    Thibault "bui" Koechlin
    @buixor
    Hello
    When the installer starts, it asks for the database connection.
    Not sure I follow you on this one

    Specifically the issue is on the db_config section. This isn't necessary on the agent, right?

    yes you're right

    you can either comment out the local api section in the config file, or start crowdsec with -no-api so that it doesn't try to start the local API
    then it shouldn't try to connect to db :)
    Lamera
    @Lamera

    Not sure if I get you right: If I exclude the whole API part like so:

    #api:
    #  client:
    #    insecure_skip_verify: true
    #    credentials_path: /etc/crowdsec/local_api_credentials.yaml
    #  server:
    #   log_level: info
    #    listen_uri: {{ listen_uri }}:8080
    #    profiles_path: /etc/crowdsec/profiles.yaml
    #    online_client: # Crowdsec API credentials (to push signals and receive bad IPs)
    #      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    #    tls:
    #      cert_file: /etc/crowdsec/ssl/cert.pem
    #      key_file: /etc/crowdsec/ssl/key.pem

    How does the agent connect to the local API on the remote machine then? I tried this how-to: https://discourse.crowdsec.net/t/using-machines/128/4

    Thibault "bui" Koechlin
    @buixor
    sorry, only the api->server part :)
    api:
      client:
        insecure_skip_verify: true
        credentials_path: /etc/crowdsec/local_api_credentials.yaml
    #  server:
    #   log_level: info
    #    listen_uri: {{ listen_uri }}:8080
    #    profiles_path: /etc/crowdsec/profiles.yaml
    #    online_client: # Crowdsec API credentials (to push signals and receive bad IPs)
    #      credentials_path: /etc/crowdsec/online_api_credentials.yaml
    #    tls:
    #      cert_file: /etc/crowdsec/ssl/cert.pem
    #      key_file: /etc/crowdsec/ssl/key.pem
    Lamera
    @Lamera
    Ok, I will try that, thanks. :-)
    Thibault "bui" Koechlin
    @buixor
    you're welcome
    and for the multi-machine setup, we have a howto coming out rather soon, because it seems that the doc is far from enough on this yet :)
    Lamera
    @Lamera

    and for the multi-machine setup, we have a howto coming out rather soon, because it seems that the doc is far from enough on this yet :)

    That seems to be true ... Working on this playbook since Monday xD

    Thibault "bui" Koechlin
    @buixor
    ah sorry it's still a bit troublesome, documentation is always hard :(
    are you going to publish it afterwards?
    Lamera
    @Lamera
    That's also true. I already discovered a working playbook here: https://git.fws.fr/fws/ansible-roles/src/branch/master/roles/crowdsec
    But we have here a very unique environment.
    Lamera
    @Lamera

    @buixor I tried your solution. But I'm not sure if it is configured correctly. The agent does show up on the "master" api, but the machines cannot be displayed on the agent-only server:

    root@buster-slave:~# cscli machines list
    FATA[15-04-2021 03:38:27 PM] unable to create new database client: DB config is empty

    However, it is possible to view the alerts from that same server.
    The status shows a warning that the API is disabled.

    Apr 15 15:37:12 buster-slave systemd[1]: Starting Crowdsec agent...
    Apr 15 15:37:12 buster-slave crowdsec[2043]: time="2021-04-15T15:37:12+02:00" level=warning msg="crowdsec local API is disabled"
    Apr 15 15:37:13 buster-slave crowdsec[2053]: time="2021-04-15T15:37:13+02:00" level=warning msg="crowdsec local API is disabled"
    Apr 15 15:37:14 buster-slave systemd[1]: Started Crowdsec agent.
    registergoofy
    @registergoofy
    the machine should appear on your master server
    Lamera
    @Lamera
    They do appear on the master, I'm only confused about the error messages.
    registergoofy
    @registergoofy
    on the slave not having the local API is, I think, what you want to achieve
    because you have it on the master
    Lamera
    @Lamera
    true.
    registergoofy
    @registergoofy
    mm, now that you have some troubles with that, this seems confusing
    Lamera
    @Lamera
    It's really confusing.
    Maybe the warning messages and the error from cscli machines list shouldn't be displayed.
    registergoofy
    @registergoofy
    yes I'll make an issue
    Lamera
    @Lamera
    The output from cscli machines list and cscli alerts list both come from the API? So it makes no sense to me that the alerts work and the machines don't.
    registergoofy
    @registergoofy
    you are right, I believe cscli machines list comes from the database
    this isn't right
    Thibault "bui" Koechlin
    @buixor
    oh yes @Lamera you're right and it should be clear in the help message (cscli machines speaks directly to database and not API)
    Lamera
    @Lamera
    Is this intended or a bug?
    Thibault "bui" Koechlin
    @buixor
    that it speaks directly to the database?
    Lamera
    @Lamera
    yes
    Thibault "bui" Koechlin
    @buixor
    it's intended, didn't want to complexify the API or add levels of privileges
    ah, @registergoofy just opened one as well, too fast
    Lamera
    @Lamera
    Ah, okay! I have another question in this topic: When I try to register a bouncer, this must be done also on the machine with the database?
    Thibault "bui" Koechlin
    @buixor
    no :) it only requires API access
    the reason for cscli machines and cscli bouncers requiring DB access is because we didn't want to complexify the API at first
    by adding admin and super admin and whatnot level of privileges
    for now, we're going to address this by better error messages and so on :)
    Lamera
    @Lamera

    no :) it only requires API access

    I tried to register the cs-firewall-bouncer on the slave machine here:
    level=fatal msg="no database configuration provided"

    Thibault "bui" Koechlin
    @buixor
    because cscli bouncers must be made on the master (requires DB access)
    while for machines you can register from a slave and accept from master, you can't yet for bouncer (you need to generate the api key on the master)
    Lamera
    @Lamera
    Ah, yes. Then it's correct. But you wrote: "It only requires API access".
    Thibault "bui" Koechlin
    @buixor
    yes my bad, I thought you asked if the bouncer needs to run on the same machine as database
    (lack of sleep :p )
    Lamera
    @Lamera
    @buixor @registergoofy no problem, and thank you both for your support! :-D
    Sofian Brabez
    @sbz
    Hey folks, we would like to let you know about our progress on FreeBSD https://discourse.crowdsec.net/t/freebsd-support/177
    Thibault "bui" Koechlin
    @buixor
    o/