linuxserver / docker-swag

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
https://docs.linuxserver.io/general/swag
GNU General Public License v3.0

[BUG] fail2ban-client restart triggers loop #478

Closed JonLaliberte closed 2 months ago

JonLaliberte commented 2 months ago

Is there an existing issue for this?

Current Behavior

If you run, for example:

docker exec swag fail2ban-client restart

And watch your logs, you'll see errors coming up like:

swag | 2024-05-01T15:01:49.247410398Z 2024-05-01 11:01:49,247 fail2ban [2404]: ERROR Server already running

every second or so.

There must be something in the swag container to keep f2b running and it causes some problem.

Running:

docker exec swag fail2ban-client stop

Does the trick for restarting since it stops and something restarts f2b right away.

This also works

docker exec swag fail2ban-client stop
docker exec swag fail2ban-client start

Expected Behavior

f2b should restart without spamming the log/errors

Steps To Reproduce

See above.

Environment

- OS: Ubuntu 22.04
- How docker service was installed: distro's packagemanager

CPU architecture

x86-64

Docker creation

services:
  swag:
    image: linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN    # Not mentioned in _composer_ example, but needed for f2b to have access to iptables
    ports:
      - 443:443
      - 80:80
    volumes:
      - /appdata/swag:/config
    restart: always
    environment:
      - PUID=1010
      - PGID=1010
      - EMAIL=X@X.com
      - URL=server.io
      - VALIDATION=dns
      - DNSPLUGIN=cloudflare
      - TZ=America/New_York

Container logs

> swag                  | 2024-05-01T15:01:49.247410398Z 2024-05-01 11:01:49,247 fail2ban                [2404]: ERROR   Server already running

github-actions[bot] commented 2 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 2 months ago

The service is managed by s6. You shouldn't restart it manually through the client.

JonLaliberte commented 2 months ago

@aptalca Is there a way to ask s6 to restart it? I looked around a bit, but didn't find anything obvious. Normally I'd use service/sysctl, but I started using the f2b client after seeing this post: https://discourse.linuxserver.io/t/swag-how-to-reload-restart-fail2ban-service/8020/4

aptalca commented 2 months ago

s6-svc -h /run/service/svc-fail2ban

But keep in mind that we don't officially support running manual commands inside the container unless we instruct you to do so (like we do for fail2ban-client status <jail name> and fail2ban-client set <jail name> unbanip <IP>). That's because users can easily break things in there and it makes it near impossible for us to reproduce or even figure out what they did. The supported method for restarting services is to restart the container so they go through the proper init steps in a reproducible manner.

JonLaliberte commented 2 months ago

Got it, thanks!
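
A log check for the loop reported in this thread, as an added example that is not part of the original issue or the project's code: it scans saved container log lines for runs of the "ERROR Server already running" message and reports each run. The function name, the thresholds and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the fail2ban line format shown in the issue's container logs.
LINE_RE = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})\s+fail2ban\s+"
    r"\[\d+\]:\s+ERROR\s+Server already running"
)

def find_respawn_loops(lines, max_gap=timedelta(seconds=3), min_hits=5):
    """Return (first_seen, last_seen, hits) for every run of the error in
    which consecutive hits are at most max_gap apart (assumed thresholds)."""
    loops, run = [], []

    def flush():
        # A single stray error is not a loop; only keep sustained runs.
        if len(run) >= min_hits:
            loops.append((run[0], run[-1], len(run)))
        run.clear()

    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts += timedelta(milliseconds=int(m.group(2)))
        if run and ts - run[-1] > max_gap:
            flush()
        run.append(ts)
    flush()
    return loops

# Constructed sample: six errors one second apart, an unrelated line,
# then one isolated error much later that must not be reported.
SAMPLE = [
    f"swag | 2024-05-01 11:01:{49 + i},247 fail2ban [{2404 + i}]: "
    "ERROR Server already running"
    for i in range(6)
] + [
    "swag | unrelated line (constructed)",
    "swag | 2024-05-01 11:30:00,000 fail2ban [3000]: ERROR Server already running",
]

if __name__ == "__main__":
    for first, last, hits in find_respawn_loops(SAMPLE):
        print(f"{hits} 'Server already running' errors from {first} to {last}")
```

A reported run means the supervised service keeps failing to start, which is the state the thread resolves by restarting the container.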