Debian postinst throws error from `ss` due to incorrect $PORT detection.

[AlexeyDemidov]

What happened?

During apt upgrade to update crowdsec to 1.6.9 over 1.6.8 on Debian Bookworm, the postinst script threw an error from ss due to incorrect parameters.

What did you expect to happen?

No errors.

How can we reproduce it (as minimally and precisely as possible)?

Due to having the following section in /etc/crowdsec/config.yaml

api:
  server:
    enable: false

The code here doesn't check that cscli config show --key "Config.API.Server.ListenURI" returned non-empty valid URI, causing the following ss -nlt "sport = ${PORT} to throw an error due to an empty value in ${PORT} variable.

Anything else we need to know?

No response

Crowdsec version

$ cscli version
version: v1.6.9-debian-pragmatic-amd64-40b8cfe6
Codename: alphaga
BuildDate: 2025-06-17_14:01:07
GoVersion: 1.24.3
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.6.9-debian-pragmatic-amd64-40b8cfe6-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog

OS version

Debian GNU/Linux 12 (bookworm)

Enabled collections and parsers

Acquisition config

Config show

No response

Prometheus metrics

Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

No response

[github-actions]

@AlexeyDemidov: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

1. Check Crowdsec Documentation to see if your issue can be self resolved.
2. You can also join our Discord.
3. Check Releases to make sure your agent is on the latest version.

Details

I am a bot created to help the crowdsecurity developers manage community feedback and contributions. You can check out my manifest file to understand my behavior and what I can do. If you want to use this for your project, you can check out the BirthdayResearch/oss-governance-bot repository.

[AlexeyDemidov]

The same happens on Ubuntu 24.04

[LaurenceJJones]

Good catch, so within your config.yaml you have no other properties set for api.server other than enable to false?

[LaurenceJJones]

Checking the code and the postint script for now as a workaround you can just remove entirely api.server

crowdsec/pkg/csconfig/api.go

Lines 311 to 322 in b5d90ff

	if c.API.Server == nil {
	log.Warning("crowdsec local API is disabled")
	c.DisableAPI = true
	return nil
	}
	if c.API.Server.Enable == nil {
	// if the option is not present, it is enabled by default
	c.API.Server.Enable = ptr.Of(true)
	}

This will disable LAPI and postint script checks if api.server is non existent and skips the port check but we do still need to handle this case.

[AlexeyDemidov]

Please note that this setting api.server.enable = false is recommended in your tutorial on multi-server setup, so it is going to hit more people.

[LaurenceJJones]

Please note that this setting api.server.enable = false is recommended in your tutorial on multi-server setup, so it is going to hit more people.

True but it also doesnt say to remove everything else within the default configuration, but then it also doesnt say not not to do this so the OP didnt expect users to go that extra mile and remove all other properties.

But yes we are not saying this doesnt need to be fixed, solely just purposing a workaround until we can push one.