Messages

I have executed the command "killall crowdsec".
12834 of 13158 are processes by the name "notification-*".

How can I stop these processes?

"kill 12834" and keep the most recent.

Do I understand correctly that I now have to stop each individual process (12834 in total)?
How do I know which process is the last one?

Hi,

could you test this

# fetch -o /usr/local/etc/rc.d/crowdsec https://github.com/crowdsecurity/plugins/releases/download/crowdsec-1.6.3-2-hotfix/crowdsec

and try start/stop.

Thanks

Do I have to use an additional command to install the hotfix?
I suspect that the update did not work. (Screenshots attached)

No it's ok. The fetch command overwrites a script without installing a new package version. Now if you click start/stop from the UI it should just work.

Thank you for the information.

I have noticed that the service can be stopped via the GUI. (Visible because service status is deactivated in the crowdsec overview)
However, the service is displayed as active in the dashboard and in the overview of services.

You have orphan crowdsec processes and possibly notification plugins.

"killall crowdsec" and check if there are processes that go by the name "notification-*"

I have executed the command "killall crowdsec".
12834 of 13158 are processes by the name "notification-*".

How can I stop these processes?
Why does this problem occur?

Hi,

could you test this

# fetch -o /usr/local/etc/rc.d/crowdsec https://github.com/crowdsecurity/plugins/releases/download/crowdsec-1.6.3-2-hotfix/crowdsec

and try start/stop.

Thanks

Do I have to use an additional command to install the hotfix?
I suspect that the update did not work. (Screenshots attached)

No it's ok. The fetch command overwrites a script without installing a new package version. Now if you click start/stop from the UI it should just work.

Thank you for the information.

I have noticed that the service can be stopped via the GUI. (Visible because service status is deactivated in the crowdsec overview)
However, the service is displayed as active in the dashboard and in the overview of services.

Hi,

could you test this

# fetch -o /usr/local/etc/rc.d/crowdsec https://github.com/crowdsecurity/plugins/releases/download/crowdsec-1.6.3-2-hotfix/crowdsec

and try start/stop.

Thanks

Do I have to use an additional command to install the hotfix?
I suspect that the update did not work. (Screenshots attached)

terminate the second process (kill -9 40515) and upgrade to 1.6.3. This changes the script to send a "stronger" signal to stop the process.

I am already on version 1.6.3_1 since the OPNsense update to 24.7.5

I will run the command "cscli support dump" the next time a RAM problem occurs.
I restarted my OPNsense this morning after entering the post.

Start top.
Press "o" for "order".
Type "res" for "resident memory" and ENTER.

The process at the top is the one with the highest memory consumption.

If it's a scripting language like PHP or Python, note the process ID (PID), exit top ("q"), type "ps awwux" and ENTER, look for the process - you should see the full command line, i.e. the name of the script and its parameters.

Thank you for the explanation.
I will try it out next time.

I have now found out who caused it.
Crowdsec generates an enormous RAM load since the update to 24.7.5 or rather in the included crowdsec update.

The interesting thing is that crowdsec cannot be terminated.
Neither via the GUI, nor with pkill {PID} can crowdsec be terminated. The service continues to run.
Are there any other options here?

Edit:
I have now also tried kill -9 {PID}.
The OPNsense first hung up and then rebooted automatically.

Start top.
Press "o" for "order".
Type "res" for "resident memory" and ENTER.

The process at the top is the one with the highest memory consumption.

If it's a scripting language like PHP or Python, note the process ID (PID), exit top ("q"), type "ps awwux" and ENTER, look for the process - you should see the full command line, i.e. the name of the script and its parameters.

Thank you for the explanation.
I will try it out next time.

OTOH - why throw an alarm for 90% memory usage? Free memory is wasted memory. A long running system will always tend to use up all there is.

In Monit, a warning is stored by default for RAM utilization > 75%.
I have never really thought about this before or have never received this message.

But you're right, a 90% RAM load shouldn't really be a problem.

Hey,

Since the update to 24.7.5 I get a notification from Monit every 2-3 days that the resource limit has been reached. (mem usage > 90%)
After a restart I am back to the usual ~10%.

For your information: I use ZFS as file system, but the ARC cache remains in the usual range.

What is the best way to check what is causing this significant RAM increase?

Ich konnte das Problem nun lösen.

Scheinbar gab es einen Adresskonflikt.

Ich habe den Adressbereich in meinem Heimnetzwerk von 192.168.200.1/24 auf 10.0.1.1/24 geändert.
Das problematische WLAN in meiner Arbeit hat 192.168.201.1/24 (Dürfte eigentlich ja kein Problem sein)

Laut diesem Tutorial steht in der Client-Konfiguration bei "[Interface]" unter "Address" ebenfalls die IP vom Server und nicht vom Client.

https://blog.francium.tech/wireguard-vpn-server-and-client-configuration-abe8a18e8192

Wenn ich das ändere, funktioniert leider gar keine Verbindung mehr.

Ich hab mir gedacht ich nehm die anderen Clients aus Übersichtsgründen raus. -> Anbei nochmal die Server Config mit allen Client`s.

Die Android Config hab ich direkt für die Config fürs iPhone übernommen. (Key`s einfach ausgetauscht)
Deswegen keine 2 Config`s für die beiden Geräte.

Hier mal meine Server und Client Config Dateien.
Vielleicht fällt von euch jemanden etwas auf was nicht passen könnte.

Kommenden Montag 18.09.23 soll ja iOS 17 rauskommen, mal schauen ob sich hier etwas ändert.

Falls nicht, versuche ich danach mal die eingebaute IPsec Funktion.

Anbei die beiden Logs aus der Passepartout-App.

Was wir aufgefallen ist:
Die Meldung

DNS64: mapped XXX.XXX.XXX.XXX to itself.

taucht auch im Log auf, wenn ich mich in einem anderen WLAN oder im mobilen Netzwerk befinde, wo WireGuard normal funktioniert. -> Das ist es schon mal nicht.

Ich glaub das die Meldung

Received invalid response message from XXX.XXX.XXX.XXX:51633

anzeigt, dass die Verbindung ins Heimnetz nicht fuktioniert.
Nur weiß ich leider nicht was ich mit dieser Meldung anfangen soll.

"Allowed IPs" habe ich bereits auf 0.0.0.0/0 gesetzt.

Habe jetzt auch mal eine andere App probiert (Passepartout).
Leider ebenfalls ohne Erfolg.

Zusätzlich habe ich noch WireGuard auf meinem Unraid Server eingerichtet und versucht mich dorthin zu verbinden.
Portweiterleitung im Router angelegt.
Leider komme ich hier weder ins Internet noch ins Heimnetzwerk.
Adressbereich WLAN Arbeit 192.168.201.1/24 / Adressbereich Heimnetzwerk 192.168.200.1/24
Also an einer Überschneidung sollte es eigentlich nicht liegen.

Kann es an irgendwelchen Routings und Einstellungen in der OPNsense liegen?