public inbox for gentoo-commits@lists.gentoo.org
From: "Marek Szuba" <marecki@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/files/
Date: Tue, 17 Dec 2019 00:16:38 +0000 (UTC)
Message-ID: <1576541779.53159693f527b217acadfb345933d9fd16c46e2c.marecki@gentoo>

commit:     53159693f527b217acadfb345933d9fd16c46e2c
Author:     Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 17 00:16:19 2019 +0000
Commit:     Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Tue Dec 17 00:16:19 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53159693

net-analyzer/suricata: tweak the systemd unit a bit

Some of the ideas I picked up from
https://gist.github.com/stupidpupil/4edcbe2046b3b22c81c606efee0492d7 do
not quite work at present, namely:
 - limiting capabilities to CAP_NET_ADMIN causes problems e.g. when
   switching to an unprivileged user or while trying to load eBPF files.
   Just get rid of it;
 - suricata can now be launched just fine without Type=forking.

Moreover, /run is now used instead of /var/run in the unit file so that
systemd doesn't complain about the use of legacy paths.

No revbump because even the updated unit does not run out of the box due
to specifying neither an interface nor a mode of operation on the
command line.

Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org>

 net-analyzer/suricata/files/suricata.service | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service
index 5e617388018..294ec637348 100644
--- a/net-analyzer/suricata/files/suricata.service
+++ b/net-analyzer/suricata/files/suricata.service
@@ -6,11 +6,9 @@ Documentation=man:suricata(8) man:suricatasc(8)
 Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
 
 [Service]
-Type=forking
-Environment=OPTIONS='-c /etc/suricata/suricata.yaml'
-CapabilityBoundingSet=CAP_NET_ADMIN
-PIDFile=/var/run/suricata/suricata.pid
-ExecStart=/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid $OPTIONS
+Environment=OPTIONS='-c /etc/suricata/suricata.yaml --af-packet'
+PIDFile=/run/suricata/suricata.pid
+ExecStart=/usr/bin/suricata --pidfile /run/suricata/suricata.pid $OPTIONS
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStop=/bin/kill $MAINPID
 PrivateTmp=yes
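Review bot: dropping the CapabilityBoundingSet= line entirely leaves the service with the full bounding set, which is a larger change than the reasons in the commit message call for. CAP_NET_ADMIN alone fails for the cases described because AF_PACKET capture (now selected in OPTIONS via --af-packet) also needs CAP_NET_RAW, switching to an unprivileged user needs CAP_SETUID and CAP_SETGID, and loading eBPF programs needs CAP_SYS_ADMIN on kernels of this era; widening the set to those capabilities keeps a bound in place, and systemd-analyze security shows the resulting exposure. Two smaller points in the same hunk: with Type=forking gone the unit defaults to Type=simple, where systemd already tracks the process it spawned and PIDFile= only matters when the main PID cannot otherwise be determined, so PIDFile=/run/suricata/suricata.pid and the matching --pidfile argument can go, or, if the pid file is wanted for other tooling, RuntimeDirectory=suricata should be added so /run/suricata exists before ExecStart runs; and the commit message says the unit specifies no mode of operation, which no longer matches the --af-packet added to OPTIONS on the Environment= line.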

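As an added example, not part of this commit or of the Gentoo package, the following drop-in shows how a deployment can keep a capability bound on the service instead of running it with the full set, while still allowing the two cases the commit message reports as broken under CAP_NET_ADMIN alone (switching to an unprivileged user and loading eBPF programs). The drop-in path and the exact capability list are assumptions to be checked against the kernel and Suricata build in use; CAP_SYS_NICE in particular is included only on the assumption that thread priorities are raised.

```ini
# /etc/systemd/system/suricata.service.d/caps.conf  (hypothetical drop-in path)
# Drop-in for the packaged suricata.service; added example, not project code.
[Service]
# Create /run/suricata before ExecStart runs so that
# --pidfile /run/suricata/suricata.pid has a directory to write into.
RuntimeDirectory=suricata

# Bounding set for AF_PACKET capture plus a user switch (assumed minimum):
#   CAP_NET_RAW    open AF_PACKET sockets
#   CAP_NET_ADMIN  put the capture interface into promiscuous mode
#   CAP_SETUID     drop to the run-as user/group configured in suricata.yaml
#   CAP_SETGID
#   CAP_SYS_NICE   raise capture/worker thread priority (assumption; omit if unused)
#   CAP_SYS_ADMIN  load eBPF programs on kernels older than 5.8 (omit if no eBPF)
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SETUID CAP_SETGID CAP_SYS_NICE CAP_SYS_ADMIN
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security suricata.service` reports the exposure of the resulting unit, and any capability still missing shows up as EPERM (operation not permitted) errors in the journal at start-up rather than as a silent degradation, so the set can be trimmed further case by case.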