Fix fail2ban runtime errors: jail not found, action locks, log noise

This commit implements fixes for three independent bugs in the fail2ban configuration and integration layer: 1. Task 1: Detect UnknownJailException and prevent silent failures - Added JailNotFoundError detection in jail_service.reload_all() - Enhanced error handling in config_file_service to catch JailNotFoundError - Added specific error message with logpath validation hints - Added rollback test for this scenario 2. Task 2: Fix iptables-allports exit code 4 (xtables lock contention) - Added global banaction setting in jail.conf with -w 5 lockingopt - Removed redundant per-jail banaction overrides from bangui-sim and blocklist-import - Added production compose documentation note 3. Task 3: Suppress log noise from unsupported backend/idle commands - Implemented capability detection to cache command support status - Double-check locking to minimize lock contention - Avoids sending unsupported get <jail> backend/idle commands - Returns default values without socket calls when unsupported All changes include comprehensive tests and maintain backward compatibility.
2026-03-15 10:57:00 +01:00
parent 1e33220f59
commit f62785aaf2
8 changed files with 446 additions and 145 deletions
--- a/Docker/compose.prod.yml
+++ b/Docker/compose.prod.yml
@@ -37,6 +37,11 @@ services:
      timeout: 5s
      start_period: 15s
      retries: 3
+    # NOTE: The fail2ban-config volume must be pre-populated with the following files:
+    #   • fail2ban/jail.conf (or jail.d/*.conf) with the DEFAULT section containing:
+    #     banaction = iptables-allports[lockingopt="-w 5"]
+    #   This prevents xtables lock contention errors when multiple jails start in parallel.
+    #   See https://fail2ban.readthedocs.io/en/latest/development/environment.html

  # ── Backend (FastAPI + uvicorn) ─────────────────────────────
  backend:
--- a/Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-sim.conf
+++ b/Docker/fail2ban-dev-config/fail2ban/jail.d/bangui-sim.conf
@@ -14,7 +14,6 @@ backend    = polling
 maxretry   = 3
 findtime   = 120
 bantime    = 60
-banaction  = iptables-allports

 # Never ban localhost, the Docker bridge network, or the host machine.
 ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12
--- a/Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf
+++ b/Docker/fail2ban-dev-config/fail2ban/jail.d/blocklist-import.conf
@@ -20,7 +20,6 @@ maxretry   = 1
 findtime   = 1d
 # Block imported IPs for one week.
 bantime    = 1w
-banaction  = iptables-allports

 # Never ban the Docker bridge network or localhost.
 ignoreip   = 127.0.0.0/8 ::1 172.16.0.0/12