Access denied on Geolite2-City.mmdb when running cscli hub upgrade while Crowdsec is running on Windows Platform
What happened?
Dear Crowdsec Community,
When we perform a cscli hub upgrade or cscli hub upgrade --force on a host running Windows Server Operating System we have the following error:
C:\Windows\system32>cscli hub upgrade
level=info msg="Upgrading parsers"
level=info msg="crowdsecurity/http-logs: up-to-date"
level=info msg="crowdsecurity/mssql-logs: up-to-date"
level=info msg="crowdsecurity/dateparse-enrich: up-to-date"
level=info msg="crowdsecurity/geoip-enrich: up-to-date"
level=error msg="Failed to remove destination file before renaming: remove C:\\ProgramData\\CrowdSec\\data\\GeoLite2-City.mmdb: Access is denied." url="https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb"
level=fatal msg="crowdsecurity/geoip-enrich: download failed: while downloading data for C:\\ProgramData\\CrowdSec\\config\\parsers\\s02-enrich\\geoip-enrich.yaml: while getting data: remove C:\\ProgramData\\CrowdSec\\data\\GeoLite2-City.mmdb: Access is denied."
C:\Windows\system32>cscli hub upgrade --force
level=info msg="Upgrading parsers"
level=info msg="crowdsecurity/geoip-enrich: up-to-date"
level=error msg="Failed to remove destination file before renaming: remove C:\\ProgramData\\CrowdSec\\data\\GeoLite2-City.mmdb: Access is denied." url="https://hub-data.crowdsec.net/mmdb_update/GeoLite2-City.mmdb"
level=fatal msg="crowdsecurity/geoip-enrich: download failed: while downloading data for C:\\ProgramData\\CrowdSec\\config\\parsers\\s02-enrich\\geoip-enrich.yaml: while getting data: remove C:\\ProgramData\\CrowdSec\\data\\GeoLite2-City.mmdb: Access is denied."
It seems that it cannot remove the GeoLite2-City.mmdb while the Crowdsec Service is running.
After stopping the service and running the command again, the process works as expected.
When there is no update of this mmdb Geolite file, the process works as expected.
What did you expect to happen?
The process of running cscli hub upgrade should work without any intervention (stopping) on the service.
How can we reproduce it (as minimally and precisely as possible)?
Perform a cscli hub upgrade in a command prompt with administrator privileges while crowdsec is running and the Geolite files are not up to date.
Anything else we need to know?
No response
Crowdsec version
C:\Windows\system32>cscli version
version: v1.6.3-188f580f
Codename: alphaga
BuildDate: 2024-09-13_09:47:13
GoVersion: 1.22.6
Platform: windows
libre2: WebAssembly
User-Agent: crowdsec/v1.6.3-188f580f-windows
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
OS version
# On Windows:
C:\Windows\system32>wmic os get Caption, Version, BuildNumber, OSArchitecture
BuildNumber Caption OSArchitecture Version
17763 Microsoft Windows Server 2019 Standard 64-bit 10.0.17763
Enabled collections and parsers
$ cscli hub list -o raw
# paste output here
Acquisition config
On Windows:
C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml
paste output here
Config show
No response
Prometheus metrics
No response
Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.
No response
Thanks for the help and support!
Have a nice day
Edouard Fazenda for CSTI SA.
@cstisa: Thanks for opening an issue, it is currently awaiting triage.
Hello,
This one might be a bit tricky: the MMDB files are mmap()'ed (or the Windows equivalent in your case) on startup, and Windows (AFAIK) forbids deleting/replacing a file that has valid handles pointing to it.
This issue was most likely hidden in the past as we did not support automatically updating the datafiles, and after we did, the auto-update for the MMDB files was disabled server-side to work around a crash while we implemented the fix in crowdsec.
We'll try to come up with a solution and let you know.
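Added example, not CrowdSec's code and not the fix the maintainers shipped: a Go sketch of one way a process can replace a data file it has mapped itself, by staging the new copy beside the target and, if the rename is refused as the reply above describes for Windows, closing its own handles before retrying. `ReplaceInUse`, its `release`/`reopen` hooks and the injectable `rename` parameter are hypothetical names introduced for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// ReplaceInUse swaps the file at path for data. If the rename is refused
// (as on Windows while the old file is still mapped), it calls release to
// close the process's own handles, retries once, then calls reopen.
// release/reopen are hypothetical hooks; rename is os.Rename in production.
// It reports whether a release was needed.
func ReplaceInUse(path string, data []byte, rename func(from, to string) error,
	release, reopen func() error) (bool, error) {
	// Stage next to the target so the rename never crosses volumes.
	tmp, err := os.CreateTemp(filepath.Dir(path), filepath.Base(path)+".*.tmp")
	if err != nil {
		return false, err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename succeeded
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Sync()
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return false, err
	}
	if err = rename(tmp.Name(), path); err == nil {
		return false, nil // nothing held the file open
	}
	if rerr := release(); rerr != nil {
		return false, fmt.Errorf("release %s: %w", path, rerr)
	}
	if err = rename(tmp.Name(), path); err != nil {
		_ = reopen() // keep serving the old database
		return true, fmt.Errorf("replace %s: %w", path, err)
	}
	return true, reopen()
}

func main() {
	p := filepath.Join(os.TempDir(), "example.mmdb") // constructed path
	noop := func() error { return nil }
	released, err := ReplaceInUse(p, []byte("constructed data"), os.Rename, noop, noop)
	fmt.Println("released:", released, "err:", err)
}
```

This only helps the process that owns the mapping; a separate command such as cscli cannot close handles held by the running service.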