fix: retry, semaphore, reload lock, activation verify, bans_by_jail diagnostics

Stage 1.1-1.3: reload_all include/exclude_jails params already implemented; added keyword-arg assertions in router and service tests. Stage 2.1/6.1: _send_command_sync retry loop (3 attempts, 150ms exp backoff) retrying on EAGAIN/ECONNREFUSED/ENOBUFS; immediate raise on all other errors. Stage 2.2: asyncio.Lock at module level in jail_service.reload_all to serialize concurrent reload--all commands. Stage 3.1: activate_jail re-queries _get_active_jail_names after reload; returns active=False with descriptive message if jail did not start. Stage 4.1/6.2: asyncio.Semaphore (max 10) in Fail2BanClient.send, lazy- initialized; logs fail2ban_command_waiting_semaphore at debug when waiting. Stage 5.1/5.2: unit tests asserting reload_all is called with include_jails and exclude_jails; activation verification happy/sad path tests. Stage 6.3: TestSendCommandSyncRetry (5 cases) + TestFail2BanClientSemaphore concurrency test. Stage 7.1-7.3: _since_unix uses time.time(); bans_by_jail debug logging with since_iso; diagnostic warning when total==0 despite table rows; unit test verifying the warning fires for stale data.
2026-03-14 11:09:55 +01:00
parent 2274e20123
commit 2f2e5a7419
9 changed files with 880 additions and 115 deletions
--- a/backend/app/services/config_file_service.py
+++ b/backend/app/services/config_file_service.py
@@ -899,10 +899,30 @@ async def activate_jail(
    )

    try:
-        await jail_service.reload_all(socket_path)
+        await jail_service.reload_all(socket_path, include_jails=[name])
    except Exception as exc:  # noqa: BLE001
        log.warning("reload_after_activate_failed", jail=name, error=str(exc))

+    # Verify the jail actually started after the reload.  A config error
+    # (bad regex, missing log file, etc.) may silently prevent fail2ban from
+    # starting the jail even though the reload command succeeded.
+    post_reload_names = await _get_active_jail_names(socket_path)
+    actually_running = name in post_reload_names
+    if not actually_running:
+        log.warning(
+            "jail_activation_unverified",
+            jail=name,
+            message="Jail did not appear in running jails after reload.",
+        )
+        return JailActivationResponse(
+            name=name,
+            active=False,
+            message=(
+                f"Jail {name!r} was written to config but did not start after "
+                "reload — check the jail configuration (filters, log paths, regex)."
+            ),
+        )
+
    log.info("jail_activated", jail=name)
    return JailActivationResponse(
        name=name,
@@ -962,7 +982,7 @@ async def deactivate_jail(
    )

    try:
-        await jail_service.reload_all(socket_path)
+        await jail_service.reload_all(socket_path, exclude_jails=[name])
    except Exception as exc:  # noqa: BLE001
        log.warning("reload_after_deactivate_failed", jail=name, error=str(exc))