Closed bmendezlut closed 4 months ago
Hello,
I've opened a PR with a fix.
For now, I've removed the 1.6.2 release from our repositories to avoid further issues. You can install 1.6.1 again, and we'll publish a new version most likely tomorrow (it will likely be tagged 1.6.2).
For our testing, do you happen to know which IP triggered the crash? Looking at the code, it can happen if the geoip databases are not set up properly (likely not your case as you have the proper parser), or if we cannot find anything about the IP in the geoip database.
Thank you. I am not sure which IP might have caused the crash, how can I find it? Searching through the CrowdSec logs, I found the following:
time="2024-05-30T13:30:32-06:00" level=error msg="unable to open GeoLite2-City.mmdb : error opening database: invalid MaxMind DB file"
time="2024-05-30T13:30:32-06:00" level=warning msg="unable to initialize GeoIP: error opening database: invalid MaxMind DB
The GeoLite2-City.mmdb file is in hub/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml and it references https://hub-data.crowdsec.net/mmdb/GeoLite2-City.mmdb.
I hope this is helpful.
Hello,
After investigating a bit more, the issue seems to only happen when you have a corrupted maxmind DB.
Could you upload the /var/lib/crowdsec/data/GeoLite2-City.mmdb file somewhere so we can have a look at the content?
Do you see the unable to open GeoLite2-City.mmdb : error opening database: invalid MaxMind DB file message in the logs prior to the upgrade? This would help us understand if the file got corrupted before or after the upgrade.
The log message unable to open GeoLite2-City.mmdb: error opening database: invalid MaxMind DB file
appeared after the update, and it happened on 3 computers. When I reverted to CrowdSec version 1.6.1, it worked normally without any other changes. I created a repository with the 3 files from the 3 computers https://github.com/bmendezlut/GeoLite2-City.mmdb.
The 3 databases are corrupted and are way smaller than they should be: they are all around 7MB (each with a different size) but they should be around 60 MB. Do your machines use a proxy or something like this to access the internet? Or do they have a "slow" internet connection?
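The two failure points named in this thread, a truncated database that is not a valid MaxMind DB file and a lookup result cast that panics when the record is nil, can both be checked defensively. This is an added Go example, not CrowdSec's code: hasMMDBMetadata and checkMMDBFile look for the metadata marker that every MaxMind DB file carries within its last 128 KiB (marker and window are from the MaxMind DB format spec), and cityFromLookup shows the comma-ok form of the cast that panicked in enrich_geoip.go, using a constructed cityRecord type in place of geoip2.City.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
)

// Every MaxMind DB file ends with a metadata section that begins with this
// marker; readers look for it within the last 128 KiB of the file. A download
// cut short (the ~7 MB files in this thread) never contains it, which is what
// surfaces as "invalid MaxMind DB file".
var mmdbMetadataMarker = []byte("\xab\xcd\xefMaxMind.com")
const mmdbSearchWindow = 128 * 1024

// hasMMDBMetadata reports whether the tail of a file image carries the marker.
func hasMMDBMetadata(data []byte) bool {
	if len(data) > mmdbSearchWindow {
		data = data[len(data)-mmdbSearchWindow:]
	}
	return bytes.Contains(data, mmdbMetadataMarker)
}

// checkMMDBFile applies the check to a file on disk, so a corrupted database
// is rejected before the parser loads it (reads the whole file; fine for ~60 MB).
func checkMMDBFile(path string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	if !hasMMDBMetadata(data) {
		return fmt.Errorf("%s: no MaxMind metadata section (truncated or corrupted download?)", path)
	}
	return nil
}

// cityRecord is a constructed stand-in for geoip2.City, not the library's type.
type cityRecord struct{ Country string }

// cityFromLookup is the defensive form of the cast that panicked in
// enrich_geoip.go: a nil interface (IP absent from the DB, or DB never opened)
// becomes an error instead of "interface conversion: interface {} is nil".
func cityFromLookup(v interface{}) (cityRecord, error) {
	rec, ok := v.(cityRecord)
	if !ok {
		return cityRecord{}, errors.New("no geoip city record for this IP")
	}
	return rec, nil
}
```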
No, I do not use any proxy or anything like that, and the internet is good, it's 500 megabytes. Sometimes it has packet loss, but it is very rare when that happens.
What happened?
Hello, I updated CrowdSec to version 1.6.2, and upon restarting the CrowdSec service, an error was flagged as the connection to the API on port 8080 was being refused. Upon reviewing the logs, I encountered the following trace.
error: interface conversion: interface {} is nil, not geoip2.City [0/1811]
version: v1.6.2-debian-pragmatic-amd64-7d6514c7
BuildDate: 2024-05-30_14:59:20
GoVersion: 1.22.2
Platform: linux
goroutine 58 [running]:
runtime/debug.Stack()
runtime/debug/stack.go:24 +0x5e
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).writeStackTrace(0x383de60, {0x1e9cf20, 0xc001263050})
github.com/crowdsecurity/go-cs-lib@v0.0.11/trace/trace.go:152 +0x173
github.com/crowdsecurity/go-cs-lib/trace.(*traceKeeper).catchPanic(0x383de60, {0x2168dae, 0x11})
github.com/crowdsecurity/go-cs-lib@v0.0.11/trace/trace.go:168 +0x13d
github.com/crowdsecurity/go-cs-lib/trace.CatchPanic(...)
github.com/crowdsecurity/go-cs-lib@v0.0.11/trace/trace.go:37
panic({0x1e9cf20?, 0xc001263050?})
runtime/panic.go:770 +0x132
github.com/crowdsecurity/crowdsec/pkg/parser.GeoIpCity({0xc001242080, 0xf}, 0x2144088?, 0xc000bb25b0)
github.com/crowdsecurity/crowdsec/pkg/parser/enrich_geoip.go:77 +0x745
github.com/crowdsecurity/crowdsec/pkg/parser.(*Node).ProcessStatics(0xc000fc8be8, {0xc0005ad688?, 0x2178ff7?, 0x4?}, 0xc0010e8300)
github.com/crowdsecurity/crowdsec/pkg/parser/runtime.go:158 +0xbac
github.com/crowdsecurity/crowdsec/pkg/parser.(*Node).process(0xc000fc8be8, 0xc0010e8300, {{0x0, 0x0}, {0xc000b9acc0, 0x3, 0x4}, 0x1, {0xc000b0c618, 0x16}}, ...)
github.com/crowdsecurity/crowdsec/pkg/parser/node.go:402 +0x15c5
github.com/crowdsecurity/crowdsec/pkg/parser.Parse({{, }, {, , }, , {, }}, {0x0, 0x0, ...}, ...)
github.com/crowdsecurity/crowdsec/pkg/parser/runtime.go:333 +0x1056
main.runParse(0xc000a26240, 0xc000a261e0, {{0x0, 0x0}, {0xc000b9acc0, 0x3, 0x4}, 0x1, {0xc000b0c618, 0x16}}, ...)
github.com/crowdsecurity/crowdsec/cmd/crowdsec/parse.go:39 +0x3ff
main.runCrowdsec.func1.1()
github.com/crowdsecurity/crowdsec/cmd/crowdsec/crowdsec.go:80 +0xd2
gopkg.in/tomb%2ev2.(*Tomb).run(0x38f2900, 0x0?)
gopkg.in/tomb.v2@v2.0.0-20161208151619-d5d1b5820637/tomb.go:163 +0x2b
created by gopkg.in/tomb%2ev2.(*Tomb).Go in goroutine 260
gopkg.in/tomb.v2@v2.0.0-20161208151619-d5d1b5820637/tomb.go:159 +0xe5
What did you expect to happen?
I want it to work normally.
How can we reproduce it (as minimally and precisely as possible)?
I have the following collections and parsers:
hub/collections/crowdsecurity/windows.yaml:4: - crowdsecurity/geoip-enrich
hub/collections/crowdsecurity/linux.yaml:3: - crowdsecurity/geoip-enrich
hub/collections/crowdsecurity/linux.yaml:7:description: "core linux support : syslog+geoip+ssh"
hub/parsers/s02-enrich/crowdsecurity/geoip-enrich.yaml:2:name: crowdsecurity/geoip-enrich
Anything else we need to know?
No response