crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

[Podman] error loading cscli bash completion via alias (ubuntu 22.04) #2560

Closed d03j closed 10 months ago

d03j commented 10 months ago

What happened?

```console
$ source <(cscli completion bash)
: command not found
-bash: /dev/fd/63: line 3: syntax error near unexpected token $'\r''
'bash: /dev/fd/63: line 3:__cscli_debug()
```

I got the same error after trying

```console
$ cscli completion bash | sudo tee /etc/bash_completion.d/cscli
$ source ~/.bashrc
```

my bash completion for other commands is working and I got the same errors when repeating my steps after $ source /etc/profile

What did you expect to happen?

no errors to be raised and autocompletion to work.

How can we reproduce it (as minimally and precisely as possible)?

$ source <(cscli completion bash)

Anything else we need to know?

I'm running crowdsec on podman and "cscli" is an alias in my ~/.bash_aliases file:

alias cscli='podman exec -t crowdsec cscli'

Crowdsec version

```console
$ cscli version
2023/10/24 15:49:09 version: v1.5.4-e4dcdd25728b914823525f1efabf18d5c454902b
2023/10/24 15:49:09 Codename: alphaga
2023/10/24 15:49:09 BuildDate: 2023-09-20_12:28:07
2023/10/24 15:49:09 GoVersion: 1.20.8
2023/10/24 15:49:09 Platform: docker
2023/10/24 15:49:09 libre2: C++
2023/10/24 15:49:09 Constraint_parser: >= 1.0, <= 2.0
2023/10/24 15:49:09 Constraint_scenario: >= 1.0, < 3.0
2023/10/24 15:49:09 Constraint_api: v1
2023/10/24 15:49:09 Constraint_acquis: >= 1.0, < 2.0
```

OS version

```console
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
$ uname -a
Linux Box 5.15.0-87-generic #97-Ubuntu SMP Mon Oct 2 21:09:21 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
```

Enabled collections and parsers

```console
$ cscli hub list -o raw
crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
crowdsecurity/http-cve,enabled,2.3,Detect CVE exploitation in http logs,collections
crowdsecurity/iptables,enabled,0.1,iptables support : logs and port-scans detection scenarios,collections
crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
crowdsecurity/traefik,enabled,0.1,traefik support: parser and generic http scenarios,collections
crowdsecurity/whitelist-good-actors,enabled,0.1,Good actors whitelists,collections
crowdsecurity/cri-logs,enabled,0.1,CRI logging format parser,parsers
crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
crowdsecurity/docker-logs,enabled,0.1,docker json logs parser,parsers
crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
crowdsecurity/http-logs,enabled,1.2,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
crowdsecurity/iptables-logs,enabled,0.5,Parse iptables drop logs,parsers
crowdsecurity/nginx-logs,enabled,1.4,Parse nginx access and error logs,parsers
crowdsecurity/sshd-logs,enabled,2.2,Parse openSSH logs,parsers
crowdsecurity/syslog-logs,enabled,0.8,,parsers
crowdsecurity/traefik-logs,enabled,0.9,Parse Traefik access logs,parsers
crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
crowdsecurity/CVE-2019-18935,enabled,0.2,Detect Telerik CVE-2019-18935 exploitation attempts,scenarios
crowdsecurity/CVE-2022-26134,enabled,0.2,Detect CVE-2022-26134 exploits,scenarios
crowdsecurity/CVE-2022-35914,enabled,0.2,Detect CVE-2022-35914 exploits,scenarios
crowdsecurity/CVE-2022-37042,enabled,0.2,Detect CVE-2022-37042 exploits,scenarios
crowdsecurity/CVE-2022-40684,enabled,0.3,Detect cve-2022-40684 exploitation attempts,scenarios
crowdsecurity/CVE-2022-41082,enabled,0.4,Detect CVE-2022-41082 exploits,scenarios
crowdsecurity/CVE-2022-41697,enabled,0.2,Detect CVE-2022-41697 enumeration,scenarios
crowdsecurity/CVE-2022-42889,enabled,0.3,Detect CVE-2022-42889 exploits (Text4Shell),scenarios
crowdsecurity/CVE-2022-44877,enabled,0.3,Detect CVE-2022-44877 exploits,scenarios
crowdsecurity/CVE-2022-46169,enabled,0.2,Detect CVE-2022-46169 brute forcing,scenarios
crowdsecurity/CVE-2023-22515,enabled,0.1,Detect CVE-2023-22515 exploitation,scenarios
crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.5,Detect cve-2021-44228 exploitation attemps,scenarios
crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.2,Detect cve-2020-5902 exploitation attemps,scenarios
crowdsecurity/fortinet-cve-2018-13379,enabled,0.3,Detect cve-2018-13379 exploitation attemps,scenarios
crowdsecurity/grafana-cve-2021-43798,enabled,0.2,Detect cve-2021-43798 exploitation attemps,scenarios
crowdsecurity/http-backdoors-attempts,enabled,0.4,Detect attempt to common backdoors,scenarios
crowdsecurity/http-bad-user-agent,enabled,0.9,Detect bad user-agents,scenarios
crowdsecurity/http-crawl-non_statics,enabled,0.4,Detect aggressive crawl from single ip,scenarios
crowdsecurity/http-cve-2021-41773,enabled,0.2,cve-2021-41773,scenarios
crowdsecurity/http-cve-2021-42013,enabled,0.2,cve-2021-42013,scenarios
crowdsecurity/http-generic-bf,enabled,0.5,Detect generic http brute force,scenarios
crowdsecurity/http-open-proxy,enabled,0.4,Detect scan for open proxy,scenarios
crowdsecurity/http-path-traversal-probing,enabled,0.3,Detect path traversal attempt,scenarios
crowdsecurity/http-probing,enabled,0.3,Detect site scanning/probing from a single ip,scenarios
crowdsecurity/http-sensitive-files,enabled,0.3,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
crowdsecurity/http-sqli-probing,enabled,0.3,A scenario that detects SQL injection probing with minimal false positives,scenarios
crowdsecurity/http-xss-probing,enabled,0.3,A scenario that detects XSS probing with minimal false positives,scenarios
crowdsecurity/iptables-scan-multi_ports,enabled,0.2,ban IPs that are scanning us,scenarios
crowdsecurity/jira_cve-2021-26086,enabled,0.2,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
crowdsecurity/netgear_rce,enabled,0.3,Detect Netgear RCE DGN1000/DGN220 exploitation attempts,scenarios
crowdsecurity/nginx-req-limit-exceeded,enabled,0.3,Detects IPs which violate nginx's user set request limit.,scenarios
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.3,Detect cve-2019-11510 exploitation attemps,scenarios
crowdsecurity/spring4shell_cve-2022-22965,enabled,0.3,Detect cve-2022-22965 probing,scenarios
crowdsecurity/ssh-bf,enabled,0.2,Detect ssh bruteforce,scenarios
crowdsecurity/ssh-slow-bf,enabled,0.3,Detect slow ssh bruteforce,scenarios
crowdsecurity/thinkphp-cve-2018-20062,enabled,0.4,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
crowdsecurity/vmware-cve-2022-22954,enabled,0.3,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.2,Detect VMSA-2021-0027 exploitation attemps,scenarios
ltsich/http-w00tw00t,enabled,0.2,detect w00tw00t,scenarios
crowdsecurity/cdn-whitelist,enabled,0.4,Whitelist CDN providers,postoverflows
crowdsecurity/rdns,enabled,0.3,Lookup the DNS associated to the source IP only for overflows,postoverflows
crowdsecurity/seo-bots-whitelist,enabled,0.4,Whitelist good search engine crawlers,postoverflows
```

Acquisition config

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
filenames:
  - /var/log/auth.log
  - /var/log/syslog
  - /var/log/kern.log
  - /var/log/ufw.log
  - /var/log/mail.log
labels:
  type: syslog
---
filenames:
  - /logs/web/traefik-access.log
labels:
  type: traefik
---
```

Config show

```console
$ cscli config show
Global:
  - Configuration Folder : /etc/crowdsec
  - Data Folder : /var/lib/crowdsec/data
  - Hub Folder : /etc/crowdsec/hub
  - Simulation File : /etc/crowdsec/simulation.yaml
  - Log Folder : /var/log/
  - Log level : info
  - Log Media : stdout
Crowdsec:
  - Acquisition File : /etc/crowdsec/acquis.yaml
  - Parsers routines : 1
  - Acquisition Folder : /etc/crowdsec/acquis.d
cscli:
  - Output : human
  - Hub Branch :
  - Hub Folder : /etc/crowdsec/hub
API Client:
  - URL : http://0.0.0.0:8080/
  - Login : localhost
  - Credentials File : /etc/crowdsec/local_api_credentials.yaml
Local API Server:
  - Listen URL : 0.0.0.0:8080
  - Profile File : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
    - 127.0.0.1
    - ::1
  - Database:
    - Type : sqlite
    - Path : /var/lib/crowdsec/data/crowdsec.db
    - Flush age : 7d
    - Flush size : 5000
```

Prometheus metrics

```console
$ cscli metrics

Acquisition Metrics:
╭───────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│ Source                            │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├───────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ file:/logs/web/traefik-access.log │ 48         │ 48           │ -              │ -                      │
╰───────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Parser Metrics:
╭──────────────────────────────────┬──────┬────────┬──────────╮
│ Parsers                          │ Hits │ Parsed │ Unparsed │
├──────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs    │ 144  │ 96     │ 48       │
│ child-crowdsecurity/traefik-logs │ 96   │ 48     │ 48       │
│ crowdsecurity/dateparse-enrich   │ 48   │ 48     │ -        │
│ crowdsecurity/geoip-enrich       │ 48   │ 48     │ -        │
│ crowdsecurity/http-logs          │ 48   │ 48     │ -        │
│ crowdsecurity/non-syslog         │ 48   │ 48     │ -        │
│ crowdsecurity/traefik-logs       │ 48   │ 48     │ -        │
│ crowdsecurity/whitelists         │ 48   │ 48     │ -        │
╰──────────────────────────────────┴──────┴────────┴──────────╯

Local API Metrics:
╭──────────────────────┬────────┬──────╮
│ Route                │ Method │ Hits │
├──────────────────────┼────────┼──────┤
│ /v1/decisions/stream │ GET    │ 293  │
│ /v1/heartbeat        │ GET    │ 48   │
│ /v1/watchers/login   │ POST   │ 1    │
╰──────────────────────┴────────┴──────╯

Local API Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│ Machine   │ Route         │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 48   │
╰───────────┴───────────────┴────────┴──────╯

Local API Bouncers Metrics:
╭────────────────────────────┬──────────────────────┬────────┬──────╮
│ Bouncer                    │ Route                │ Method │ Hits │
├────────────────────────────┼──────────────────────┼────────┼──────┤
│ firewall-bouncer           │ /v1/decisions/stream │ GET    │ 293  │
╰────────────────────────────┴──────────────────────┴────────┴──────╯

Local API Decisions:
╭────────────────────────────────────────────┬────────┬────────┬───────╮
│ Reason                                     │ Origin │ Action │ Count │
├────────────────────────────────────────────┼────────┼────────┼───────┤
│ crowdsecurity/CVE-2023-22515               │ CAPI   │ ban    │ 3     │
│ crowdsecurity/http-backdoors-attempts      │ CAPI   │ ban    │ 749   │
│ crowdsecurity/http-bad-user-agent          │ CAPI   │ ban    │ 5545  │
│ firehol_botscout_7d                        │ lists  │ ban    │ 3163  │
│ crowdsecurity/CVE-2022-26134               │ CAPI   │ ban    │ 178   │
│ crowdsecurity/http-sensitive-files         │ CAPI   │ ban    │ 17    │
│ crowdsecurity/ssh-bf                       │ CAPI   │ ban    │ 17928 │
│ crowdsecurity/http-open-proxy              │ CAPI   │ ban    │ 543   │
│ crowdsecurity/ssh-slow-bf                  │ CAPI   │ ban    │ 18    │
│ ltsich/http-w00tw00t                       │ CAPI   │ ban    │ 2     │
│ crowdsecurity/f5-big-ip-cve-2020-5902      │ CAPI   │ ban    │ 33    │
│ crowdsecurity/nginx-req-limit-exceeded     │ CAPI   │ ban    │ 107   │
│ crowdsecurity/CVE-2019-18935               │ CAPI   │ ban    │ 50    │
│ crowdsecurity/apache_log4j2_cve-2021-44228 │ CAPI   │ ban    │ 430   │
│ crowdsecurity/http-crawl-non_statics       │ CAPI   │ ban    │ 499   │
│ crowdsecurity/http-cve-2021-41773          │ CAPI   │ ban    │ 32    │
│ crowdsecurity/iptables-scan-multi_ports    │ CAPI   │ ban    │ 312   │
│ firehol_cruzit_web_attacks                 │ lists  │ ban    │ 13252 │
│ crowdsecurity/CVE-2022-37042               │ CAPI   │ ban    │ 21    │
│ crowdsecurity/fortinet-cve-2018-13379      │ CAPI   │ ban    │ 112   │
│ crowdsecurity/grafana-cve-2021-43798       │ CAPI   │ ban    │ 64    │
│ crowdsecurity/http-path-traversal-probing  │ CAPI   │ ban    │ 64    │
│ crowdsecurity/netgear_rce                  │ CAPI   │ ban    │ 41    │
│ crowdsecurity/CVE-2022-41082               │ CAPI   │ ban    │ 954   │
│ crowdsecurity/CVE-2022-42889               │ CAPI   │ ban    │ 15    │
│ crowdsecurity/http-probing                 │ CAPI   │ ban    │ 1792  │
│ crowdsecurity/jira_cve-2021-26086          │ CAPI   │ ban    │ 29    │
│ crowdsecurity/CVE-2022-35914               │ CAPI   │ ban    │ 54    │
│ crowdsecurity/http-generic-bf              │ CAPI   │ ban    │ 22    │
│ crowdsecurity/thinkphp-cve-2018-20062      │ CAPI   │ ban    │ 57    │
│ http probe                                 │ cscli  │ ban    │ 30    │
│ otx-webscanners                            │ lists  │ ban    │ 9302  │
╰────────────────────────────────────────────┴────────┴────────┴───────╯

Local API Alerts:
╭────────────┬───────╮
│ Reason     │ Count │
├────────────┼───────┤
│ http probe │ 154   │
╰────────────┴───────╯
```

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

github-actions[bot] commented 10 months ago

@d03j: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.

I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.

LaurenceJJones commented 10 months ago

Hey 👋🏻

Thank you for opening an issue. My main theory is that, because you are using an alias rather than the cscli binary, the fds are inside the container rather than on disk.

Here are the commands via cscli installed on the host:

```console
root@bullseye:~# cat ~/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "$(dircolors)"
# alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
    . /etc/bash_completion
fi
root@bullseye:~# source <(cscli completion bash)
root@bullseye:~# cscli
alerts         completion     decisions      hubtest        notifications  simulation
bouncers       config         explain        lapi           parsers        support
capi           console        help           machines       postoverflows  version
collections    dashboard      hub            metrics        scenarios
root@bullseye:~# cscli
```

Via just running podman:

```console
root@bullseye:~# cat ~/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "$(dircolors)"
# alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'
if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
    . /etc/bash_completion
fi
root@bullseye:~# podman run -d docker://crowdsecurity/crowdsec:v1.5.4
root@bullseye:~# alias cscli='podman exec -lit cscli'
root@bullseye:~# cscli
cscli is the main command to interact with your crowdsec service, scenarios & db.
It is meant to allow you to manage bans, parsers/scenarios/etc, api and generally manage you crowdsec setup.

Usage:
  cscli [command]

Available Commands:
  alerts         Manage alerts
  bouncers       Manage bouncers [requires local API]
  capi           Manage interaction with Central API (CAPI)
  collections    Manage collections from hub
  completion     Generate completion script
  config         Allows to view current config
  console        Manage interaction with Crowdsec console (https://app.crowdsec.net)
  dashboard      Manage your metabase dashboard container [requires local API]
  decisions      Manage decisions
  explain        Explain log pipeline
  help           Help about any command
  hub            Manage Hub
  hubtest        Run functional tests on hub configurations
  lapi           Manage interaction with Local API (LAPI)
  machines       Manage local API machines [requires local API]
  metrics        Display crowdsec prometheus metrics.
  notifications  Helper for notification plugin configuration
  parsers        Install/Remove/Upgrade/Inspect parser(s) from hub
  postoverflows  Install/Remove/Upgrade/Inspect postoverflow(s) from hub
  scenarios      Install/Remove/Upgrade/Inspect scenario(s) from hub
  simulation     Manage simulation status of scenarios
  support        Provide commands to help during support
  version        Display version

Flags:
  -c, --config string   path to crowdsec config file (default "/etc/crowdsec/config.yaml")
  -o, --output string   Output format: human, json, raw
      --color string    Output color: yes, no, auto (default "auto")
      --debug           Set logging to debug
      --info            Set logging to info
      --warning         Set logging to warning
      --error           Set logging to error
      --trace           Set logging to trace
  -h, --help            help for cscli

Use "cscli [command] --help" for more information about a command.

root@bullseye:~# source <(cscli completion bash)
bash: $'\r': command not found
bash: /dev/fd/63: line 3: syntax error near unexpected token `$'\r''
'ash: /dev/fd/63: line 3: `__cscli_debug()
```

So the issue is the container layer between the host. We never tested the completion like this.

Edit: looking deeper, it most likely would never work since some completions rely on the binary having two-way sync. Another workaround is installing just the cscli binary on the host. However, we don't have this documented anywhere, so this should be improved on.
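
The `$'\r'` errors above show the script reaching bash with CRLF line endings, which is what output read through a pseudo-terminal (the `-t` in the alias) looks like. As an added example that is not part of the original thread and is not CrowdSec code, the following script checks a generated completion script for carriage returns and syntax errors before it is placed in a directory such as /etc/bash_completion.d, which bash-completion sources for interactive shells. `check_completion` and `install_completion` are hypothetical names, and the sample scripts are constructed.

```bash
#!/usr/bin/env bash
# Added example, not CrowdSec code. Function names are hypothetical.

# check_completion FILE
#   returns 0 when FILE is safe to source,
#           1 when it contains carriage returns (CRLF line endings),
#           2 when bash cannot parse it.
check_completion() {
    cr=$(printf '\r')
    if grep -q "$cr" "$1"; then
        return 1
    fi
    bash -n "$1" 2>/dev/null || return 2
    return 0
}

# install_completion SRC DEST
#   Strips carriage returns from SRC, re-checks the result and only then
#   moves it to DEST. Nothing is written to DEST when the check fails.
install_completion() {
    tmp=$(mktemp) || return 3
    tr -d '\r' < "$1" > "$tmp"
    if check_completion "$tmp"; then
        mv "$tmp" "$2"
    else
        rc=$?
        rm -f "$tmp"
        return "$rc"
    fi
}

# Constructed samples (not real cscli output).
demo_dir=$(mktemp -d)
# 1. A script as delivered through a pseudo-terminal: every line ends in CRLF.
printf '# bash completion for demo\r\n\r\n__demo_debug()\r\n{\r\n    :\r\n}\r\n' \
    > "$demo_dir/tty.bash"
# 2. A script cut off in the middle of a function body.
printf '__demo_debug()\n{\n    :\n' > "$demo_dir/truncated.bash"

for name in tty truncated; do
    rc=0
    check_completion "$demo_dir/$name.bash" || rc=$?
    echo "$name.bash: check_completion returned $rc"
done

rc=0
install_completion "$demo_dir/tty.bash" "$demo_dir/cscli" || rc=$?
echo "install of tty.bash returned $rc"
```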

LaurenceJJones commented 10 months ago

Updated the title to reflect the contents of the issue

LaurenceJJones commented 10 months ago

A slight workaround, however, I can't confirm all functionality will work

```bash
cd /tmp
wget -qO- https://github.com/crowdsecurity/crowdsec/releases/download/v1.5.5/crowdsec-release.tgz | tar xz
cd crowdsec*
./cmd/crowdsec-cli/cscli completion bash | sudo tee /etc/bash_completion.d/cscli
```

d03j commented 10 months ago

thanks! I'll have a look and report back.

FYI - I'm running podman instead of docker so I can run rootless containers. I suspect that might be relatively common amongst docker users. Otherwise why not stay with docker? I know it makes no difference in this case. Just mentioning it for future cases where you test a container on docker, as you may want to check if it works when run by a non-root user.

d03j commented 10 months ago

> A slight workaround, however, I can't confirm all functionality will work
>
> ```bash
> cd /tmp
> wget -qO- https://github.com/crowdsecurity/crowdsec/releases/download/v1.5.5/crowdsec-release.tgz | tar xz
> cd crowdsec*
> ./cmd/crowdsec-cli/cscli completion bash | sudo tee /etc/bash_completion.d/cscli
> ```

follow the above, add

source .bashrc

and it works like a charm!

Thank you!