From: "Marek Szuba"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Marek Szuba"
Message-ID: <1576541779.53159693f527b217acadfb345933d9fd16c46e2c.marecki@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/files/
X-VCS-Repository: repo/gentoo
X-VCS-Files: net-analyzer/suricata/files/suricata.service
X-VCS-Directories: net-analyzer/suricata/files/
X-VCS-Committer: marecki
X-VCS-Committer-Name: Marek Szuba
X-VCS-Revision: 53159693f527b217acadfb345933d9fd16c46e2c
X-VCS-Branch: master
Date: Tue, 17 Dec 2019 00:16:38 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 0b5ae65e-e470-4db2-92ef-bad9ef06d4fd
X-Archives-Hash: 92eb3dce7999b9e50bdbdd55e59d73a7

commit:     53159693f527b217acadfb345933d9fd16c46e2c
Author:     Marek Szuba gentoo org>
AuthorDate: Tue Dec 17 00:16:19 2019 +0000
Commit:     Marek Szuba gentoo org>
CommitDate: Tue Dec 17 00:16:19 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=53159693

net-analyzer/suricata: tweak the systemd unit a bit

Some of the ideas I picked up from
https://gist.github.com/stupidpupil/4edcbe2046b3b22c81c606efee0492d7
do not quite work at present, namely:
 - limiting capabilities to CAP_NET_ADMIN causes problems e.g. when
   switching to an unprivileged user or while trying to load eBPF files.
   Just get rid of it;
 - suricata can now be launched just fine without Type=forking.

Moreover, /run is now used instead of /var/run in the unit file so that
systemd doesn't complain about the use of legacy paths.

No revbump because even the updated unit does not run out of the box due
to specifying neither an interface nor a mode of operations on the
command line.

Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba gentoo.org> net-analyzer/suricata/files/suricata.service | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service index 5e617388018..294ec637348 100644 --- a/net-analyzer/suricata/files/suricata.service +++ b/net-analyzer/suricata/files/suricata.service @@ -6,11 +6,9 @@ Documentation=man:suricata(8) man:suricatasc(8) Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki [Service] -Type=forking -Environment=OPTIONS='-c /etc/suricata/suricata.yaml' -CapabilityBoundingSet=CAP_NET_ADMIN -PIDFile=/var/run/suricata/suricata.pid -ExecStart=/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid $OPTIONS +Environment=OPTIONS='-c /etc/suricata/suricata.yaml --af-packet' +PIDFile=/run/suricata/suricata.pid +ExecStart=/usr/bin/suricata --pidfile /run/suricata/suricata.pid $OPTIONS ExecReload=/bin/kill -HUP $MAINPID ExecStop=/bin/kill $MAINPID PrivateTmp=yes
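Review bot: Deleting `-CapabilityBoundingSet=CAP_NET_ADMIN` in the [Service] hunk removes the unit's only capability restriction, so the service now starts with the full root capability set instead of a narrowed one. The breakage the commit message describes (switching to an unprivileged user, loading eBPF files) indicates the set was too narrow, not that bounding itself was the problem: AF_PACKET capture needs CAP_NET_RAW, changing uid/gid needs CAP_SETUID and CAP_SETGID, and loading eBPF programs needs CAP_SYS_ADMIN (CAP_BPF on kernels that have it). Suggest widening the directive rather than dropping it, e.g. `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_ADMIN`, and verifying it against the packaged suricata.yaml before the next revbump. Two smaller points on the same hunk: `+PIDFile=/run/suricata/suricata.pid` is of little use once Type=forking is gone, since with the default Type=simple systemd already tracks $MAINPID itself; and the commit message says the unit specifies no mode of operation, yet `+Environment=OPTIONS='-c /etc/suricata/suricata.yaml --af-packet'` now hard-codes one, so either the message or the line should be brought into agreement.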