From 003f740c2d8fc3345490206760620a2243f689c1 Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Fri, 7 Jul 2023 13:29:55 +0200
Subject: [PATCH 1/4] fix(Makefile): trim pkg path
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index 4421341..84a1aae 100644
--- a/Makefile
+++ b/Makefile
@@ -46,6 +46,7 @@ build: -X main.date=${shell date --iso-8601=seconds} \ -X main.builtBy=manual \ " \ + -trimpath \ -o fail2ban_exporter \ exporter.go
From 099694c6366bb8f0232324f9c60222af0e16b58e Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Fri, 7 Jul 2023 13:30:16 +0200
Subject: [PATCH 2/4] fix(Makefile): add install target
---
 .editorconfig | 15 +++++++++++++++
 Makefile | 19 +++++++++++++++++--
 prometheus-fail2ban-exporter | 6 ++++++
 systemd/systemd.service | 22 ++++++++++++++++++++++
 4 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 .editorconfig
 create mode 100644 prometheus-fail2ban-exporter
 create mode 100644 systemd/systemd.service
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..dd69de0
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,15 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+# top-most EditorConfig file
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = false
+
+[Makefile]
+indent_style = tab
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 84a1aae..1115b9f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,7 @@ +DESTDIR?= +PREFIX?=/usr/local +EXECUTABLE?=fail2ban_exporter + # List make commands .PHONY: ls ls:
@@ -47,10 +51,21 @@ build: -X main.builtBy=manual \ " \ -trimpath \ - -o fail2ban_exporter \ + -o ${EXECUTABLE} \ exporter.go # Build project docker container .PHONY: build/docker build/docker: build - docker build -t fail2ban-prometheus-exporter . + docker build -t ${EXECUTABLE} . + +.PHONY: install +install: build + install -D --mode 0644 systemd/systemd.service ${DESTDIR}/usr/lib/systemd/system/${EXECUTABLE}.service + + install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/bin/${EXECUTABLE} ${EXECUTABLE} + +# NOTE: Set restrict file permissions by default to protect optional basic auth credentials + install -D --mode 0600 --target-directory ${DESTDIR}/etc/conf.d ${EXECUTABLE} + + install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/share/licenses/LICENSE LICENSE \ No newline at end of file
diff --git a/prometheus-fail2ban-exporter b/prometheus-fail2ban-exporter
new file mode 100644
index 0000000..d0286e8
--- /dev/null
+++ b/prometheus-fail2ban-exporter
@@ -0,0 +1,6 @@
+# F2B_COLLECTOR_SOCKET=""
+# F2B_COLLECTOR_TEXT_PATH=""
+# F2B_WEB_LISTEN_ADDRESS=""
+# F2B_WEB_BASICAUTH_USER=""
+# F2B_WEB_BASICAUTH_PASS=""
+# F2B_EXIT_ON_SOCKET_CONN_ERROR=""
diff --git a/systemd/systemd.service b/systemd/systemd.service
new file mode 100644
index 0000000..7b3917b
--- /dev/null
+++ b/systemd/systemd.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Prometheus exporter for fail2ban metrics
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+EnvironmentFile=/etc/conf.d/prometheus-fail2ban-exporter
+ExecStart=/usr/bin/prometheus-fail2ban-exporter
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartSec=5s
+
+NoNewPrivileges=true
+
+# NOTE: Would be great to create and use a dedicated user/group via
+# sysusers.conf to access the fail2ban socket, but currently it is no possible
+# without manual configuration of the fail2ban daemon.
+User=root
+Group=root
+
+[Install]
+WantedBy=multi-user.target
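Review bot: The `--mode 0600` line in the new `install` recipe copies `${EXECUTABLE}`, which is the binary that `build` has just written, into `${DESTDIR}/etc/conf.d`, so the environment template `prometheus-fail2ban-exporter` added in this commit is never installed and the file the NOTE comment wants to protect is not the credentials file. The line before it passes `${DESTDIR}${PREFIX}/bin/${EXECUTABLE}` to `--target-directory`, which creates a directory of that name and places the binary inside it; [PATCH 4/4] rewrites both lines, but 2/4 and 3/4 install a broken tree when used on their own. The `LICENSE` line uses `--mode 0755` here and still does in 3/4 and 4/4; a text file should get `--mode 0644`. Because `install` depends on `build`, a `make install` run under sudo also runs `go build` as root whenever `build` is phony or out of date (its rule starts outside this hunk); consider letting `install` only copy files that an unprivileged `make build` produced.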
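Review bot: The new unit runs the exporter as `User=root` with `NoNewPrivileges=true` as its only restriction, although the same process serves HTTP (the env template carries `F2B_WEB_LISTEN_ADDRESS` and basic-auth settings). Since the NOTE explains why root is needed for the fail2ban socket, the remaining lever is to narrow what that root process can reach: consider adding `ProtectSystem=strict`, `ProtectHome=true` and `PrivateTmp=true` to `[Service]`, after confirming that the socket and any `F2B_COLLECTOR_TEXT_PATH` directory stay reachable. `ExecReload=/bin/kill -HUP $MAINPID` is only correct if the exporter handles SIGHUP, which is not visible on this page; if it does not, the line should be dropped.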
From 3639b7a3f4b2154e47ae86aa42fed0e437e8cf18 Mon Sep 17 00:00:00 2001
From: Markus Pesch
Date: Fri, 7 Jul 2023 13:33:21 +0200
Subject: [PATCH 3/4] fix(Makefile): add uninstall target
---
 Makefile | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 1115b9f..ed459f7 100644
--- a/Makefile
+++ b/Makefile
@@ -68,4 +68,12 @@ install: build # NOTE: Set restrict file permissions by default to protect optional basic auth credentials install -D --mode 0600 --target-directory ${DESTDIR}/etc/conf.d ${EXECUTABLE} - install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/share/licenses/LICENSE LICENSE \ No newline at end of file + install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/share/licenses/LICENSE LICENSE + +.PHONY: uninstall +uninstall: + -rm --recursive --force \ + ${DESTDIR}${PREFIX}/bin/${EXECUTABLE} \ + ${DESTDIR}/usr/lib/systemd/system/${EXECUTABLE}.service \ + ${DESTDIR}/etc/conf.d/${EXECUTABLE} \ + ${DESTDIR}${PREFIX}/share/licenses/${EXECUTABLE}/LICENSE
From 24346152589237b142943c1f49f1fbad7c5225d4 Mon Sep 17 00:00:00 2001
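Review bot: The new `uninstall` recipe passes `--recursive --force` to `rm` for four paths that are meant to be plain files, so an empty or mistyped variable turns a file removal into a directory removal: with `EXECUTABLE=` the first and third arguments become `${DESTDIR}${PREFIX}/bin/` and `${DESTDIR}/etc/conf.d/`. Drop `--recursive`; `rm --force` already ignores missing files, which also makes the leading `-` unnecessary. Failing early with `$(if $(strip ${EXECUTABLE}),,$(error EXECUTABLE is empty))` as the first recipe line would make the guard explicit.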
From: Markus Pesch
Date: Fri, 7 Jul 2023 14:04:07 +0200
Subject: [PATCH 4/4] feat: multi-stage build for container image
Adapt the Makefile and Dockerfile for a multi-stage build of the container image. It is now not anymore required to have go locally installed to build the container image. Inside the multi-stage build, the newly create make install command will be executed. The compbiled files will than be copied to a new base image with less dependencies. Further improvement would be to use instead of debian:10 scratch, because the application does not have any C dependencies (CGO_ENABLED=0). Additionally it is not possible to build the container image with alternative container runtimes like podman instead of docker. make build/container-image CONTAINER_RUNTIME=podman The used base image names are now defined as fully qualified image names (with registry host), to support local container registry mirror configurations.
---
 Dockerfile | 23 ++++++++++++++++-------
 Makefile | 22 ++++++++++++++--------
 prometheus-fail2ban-exporter => env | 0
 systemd/systemd.service | 4 ++--
 4 files changed, 32 insertions(+), 17 deletions(-)
 rename prometheus-fail2ban-exporter => env (100%)
diff --git a/Dockerfile b/Dockerfile
index 1955792..9959a07 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,19 @@ -FROM debian:buster-slim +FROM docker.io/library/golang:1.20.5-buster AS build -# Create main app folder to run from -WORKDIR /app +WORKDIR /workspace +ADD . /workspace -# Copy compiled binary to release image -# (must build the binary before running docker build) -COPY fail2ban_exporter /app/fail2ban_exporter +RUN apt update --yes && \ + apt install --yes build-essential && \ + make install \ + PREFIX=/usr \ + DESTDIR=/app \ + EXECUTABLE=fail2ban_exporter -ENTRYPOINT ["/app/fail2ban_exporter"] +FROM docker.io/library/debian:10-slim + +COPY --from=build /app / + +EXPOSE 9191 + +ENTRYPOINT [ "/usr/bin/fail2ban_exporter" ]
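Review bot: The final stage has no `USER` line, so the exporter and its listener on the exposed port 9191 run as root inside the container. If the mounted fail2ban socket can be made group-accessible, add a non-root `USER` before `ENTRYPOINT`; if root is required for the socket, say so in a comment as the systemd unit does. In the build stage, `apt update` plus `apt install --yes build-essential` adds an unpinned network fetch for a toolchain that the visible `make install` recipe does not appear to need (the commit message states `CGO_ENABLED=0`, and `make` is presumably already present in the golang image), so confirm and drop that step. Both `FROM` lines use mutable tags; pinning by digest, e.g. `FROM docker.io/library/golang:1.20.5-buster@sha256:<digest> AS build`, fixes the build inputs. `COPY . /workspace` is the more predictable instruction than `ADD` for a plain directory copy.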
diff --git a/Makefile b/Makefile
index ed459f7..6b0be1a 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,8 @@ DESTDIR?= PREFIX?=/usr/local EXECUTABLE?=fail2ban_exporter +CONTAINER_RUNTIME?=$(shell which docker) + # List make commands .PHONY: ls ls:
@@ -54,21 +56,25 @@ build: -o ${EXECUTABLE} \ exporter.go -# Build project docker container -.PHONY: build/docker -build/docker: build - docker build -t ${EXECUTABLE} . +# build container-image +.PHONY: build/container-image +build/container-image: + ${CONTAINER_RUNTIME} build \ + --tag ${EXECUTABLE} \ + . .PHONY: install install: build - install -D --mode 0644 systemd/systemd.service ${DESTDIR}/usr/lib/systemd/system/${EXECUTABLE}.service + mkdir --parents ${DESTDIR}/usr/lib/systemd/system + sed -e "s/EXECUTABLE/${EXECUTABLE}/gm" systemd/systemd.service > ${DESTDIR}/usr/lib/systemd/system/${EXECUTABLE}.service + chmod 0644 ${DESTDIR}/usr/lib/systemd/system/${EXECUTABLE}.service - install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/bin/${EXECUTABLE} ${EXECUTABLE} + install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/bin ${EXECUTABLE} # NOTE: Set restrict file permissions by default to protect optional basic auth credentials - install -D --mode 0600 --target-directory ${DESTDIR}/etc/conf.d ${EXECUTABLE} + install -D --mode 0600 env ${DESTDIR}/etc/conf.d/${EXECUTABLE} - install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/share/licenses/LICENSE LICENSE + install -D --mode 0755 --target-directory ${DESTDIR}${PREFIX}/share/licenses/${EXECUTABLE} LICENSE .PHONY: uninstall uninstall:
diff --git a/prometheus-fail2ban-exporter b/env
similarity index 100%
rename from prometheus-fail2ban-exporter
rename to env
diff --git a/systemd/systemd.service b/systemd/systemd.service
index 7b3917b..1622c9f 100644
--- a/systemd/systemd.service
+++ b/systemd/systemd.service
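Review bot: `CONTAINER_RUNTIME?=$(shell which docker)` expands to an empty string when docker is not installed, so `build/container-image` would try to run `build --tag …` and report a misleading error; `?=` also creates a recursive variable, so `which` is re-run on each expansion. A plain default `CONTAINER_RUNTIME?=docker` lets the shell resolve the command through `PATH` at recipe time and still accepts `CONTAINER_RUNTIME=podman` from the command line.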
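Review bot: The added `sed -e "s/EXECUTABLE/${EXECUTABLE}/gm"` line pastes the make variable into both the sed script and the redirect target without quoting, so a name containing `/`, `&` or whitespace silently changes the substitution or the output path; the `m` flag does nothing for a pattern without `^` or `$`. A delimiter that is unlikely in a file name plus quoted paths is more robust, e.g. `sed -e 's|EXECUTABLE|${EXECUTABLE}|g' systemd/systemd.service > "${DESTDIR}/usr/lib/systemd/system/${EXECUTABLE}.service"`. Because the unit is written through `>`, a failing `sed` leaves a truncated file at the destination; writing to a temporary name and moving it into place with `install --mode 0644` would avoid that and replace the separate `chmod`. The `install` rule's header is context here and the `uninstall` rule continues outside the hunk.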
@@ -4,8 +4,8 @@ Requires=network-online.target After=network-online.target [Service] -EnvironmentFile=/etc/conf.d/prometheus-fail2ban-exporter -ExecStart=/usr/bin/prometheus-fail2ban-exporter +EnvironmentFile=/etc/conf.d/EXECUTABLE +ExecStart=/usr/bin/EXECUTABLE ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure RestartSec=5s
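Review bot: `ExecStart=/usr/bin/EXECUTABLE` hard-codes `/usr/bin`, but the Makefile installs the binary to `${DESTDIR}${PREFIX}/bin` with `PREFIX?=/usr/local`, so a default `make install` produces a unit whose `ExecStart` path does not exist; only an install with `PREFIX=/usr`, as in the Dockerfile, lines up. Template the prefix as well, e.g. `ExecStart=@PREFIX@/bin/@EXECUTABLE@` with a matching `-e 's|@PREFIX@|${PREFIX}|g'` in the `sed` call. Delimited placeholders such as `@EXECUTABLE@` also keep the bare word `EXECUTABLE` from being replaced anywhere else it might later appear in the unit, for example in a comment or in `Description=`. The hunk shows only part of `[Service]`; the rest of the unit is outside it.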