commit: cfb2e41c5dff7fa16debdb27c58fcdfb66f3c5b8 |
Author: Marek Szuba <marecki <AT> gentoo <DOT> org> |
AuthorDate: Wed Aug 24 15:34:28 2022 +0000 |
Commit: Marek Szuba <marecki <AT> gentoo <DOT> org> |
CommitDate: Wed Aug 24 15:36:18 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cfb2e41c |
|
net-analyzer/suricata: remove bashisms from the init script |
|
Closes: https://bugs.gentoo.org/840945 |
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org> |
|
net-analyzer/suricata/files/suricata.confd | 62 +++++++++ |
net-analyzer/suricata/files/suricata.initd | 147 +++++++++++++++++++++ |
...icata-6.0.6.ebuild => suricata-6.0.6-r1.ebuild} | 4 +- |
3 files changed, 211 insertions(+), 2 deletions(-) |
|
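--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.confd
@@ -0,0 +1,62 @@
+# Config file for /etc/init.d/suricata*
+
+# Where config files are stored. Default:
+
+# SURICATA_DIR="/etc/suricata"
+
+# Pass options to each suricata service.
+#
+# You can launch more than one service at the same time with different options.
+# This can be useful in a multi-queue gateway, for example.
+# You can expand on the Suricata inline example found at:
+# http://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html
+# Instead of configuring iptables to send traffic to just one queue, you can configure it to "load balance"
+# on several queues. You can then have a Suricata instance processing traffic for each queue.
+# This should help improve performance on the gateway/firewall.
+#
+# Suppose you configured iptables to use queues 0 and 1 named q0 and q1. You can now do the following:
+# ln -s /etc/init.d/suricata /etc/init.d/suricata.q0
+# ln -s /etc/init.d/suricata /etc/init.d/suricata.q1
+# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q0.yaml
+# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q1.yaml
+#
+# Edit both suricata-q{0,1}.yaml files and set values accordingly.
+# You can override these yaml config file names with SURICATA_CONF* below (optional).
+# This allows you to use the same yaml config file for multiple instances as long as you override
+# sensible options such as the log file paths.
+# SURICATA_CONF_q0="suricata-queues.yaml"
+# SURICATA_CONF_q1="suricata-queues.yaml"
+# SURICATA_CONF="suricata.yaml"
+
+# You can define the options here:
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+
+# SURICATA_OPTS_q0="-q 0"
+# SURICATA_OPTS_q1="-q 1"
+
+# If you want to use ${SURICATA_DIR}/suricata.yaml and start the service with /etc/init.d/suricata
+# then you can set:
+
+SURICATA_OPTS="--af-packet"
+
+# Log paths listed here will be created by the init script and will override the log path
+# set in the yaml file, if present.
+# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
+# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
+# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
+
+# Suricata processes can take a long time to shut down.
+# If necessary, adjust timeout in seconds to be used when calling stop from the init script.
+# Examples:
+# SURICATA_MAX_WAIT_ON_STOP="300"
+# SURICATA_MAX_WAIT_ON_STOP="SIGTERM/30"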
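Review bot: With SURICATA_USER and SURICATA_GROUP left commented out in the "Run as user/group" block, the init script adds no --user/--group to the command line, so a stock install runs the daemon as root unless run-as is set in the yaml, and the file never says so. Since the comment states the ebuild already creates suricata:suricata, consider shipping `SURICATA_USER="suricata"` and `SURICATA_GROUP="suricata"` uncommented, or at least adding `# Default (both unset): the daemon keeps running as root.` to that block. Whether dropping to that user works with the default `--af-packet` presumably depends on how the package was built, so that should be confirmed before changing the default.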
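--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.initd
@@ -0,0 +1,147 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+SURICATA_BIN=/usr/bin/suricata
+SURICATA_DIR=${SURICATA_DIR:-/etc/suricata}
+SURICATA=${SVCNAME#*.}
+SURICATAID=$(shell_var "${SURICATA}")
+if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
+ eval SURICATACONF=\$SURICATA_CONF_${SURICATAID}
+ [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
+ SURICATAPID="/run/suricata/suricata.${SURICATA}.pid"
+ eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
+ eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+ eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+ eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
+else
+ SURICATACONF=${SURICATA_CONF}
+ [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
+ SURICATAPID="/run/suricata/suricata.pid"
+ SURICATAOPTS=${SURICATA_OPTS}
+ SURICATALOGPATH=${SURICATA_LOG_FILE}
+ SURICATAUSER=${SURICATA_USER}
+ SURICATAGROUP=${SURICATA_GROUP}
+fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
+[ -e ${SURICATACONF} ] && SURICATAOPTS="-c ${SURICATACONF} ${SURICATAOPTS}"
+[ -z "${SURICATA_MAX_WAIT_ON_STOP}" ] || SURICATA_RETRY="--retry ${SURICATA_MAX_WAIT_ON_STOP}"
+
+description="Suricata IDS/IPS"
+extra_commands="checkconfig dump"
+description_checkconfig="Check config for ${SVCNAME}"
+description_dump="List all config values that can be used with --set"
+extra_started_commands="reload relog"
+description_reload="Live rule and config reload"
+description_relog="Close and re-open all log files"
+
+depend() {
+ need net
+ after mysql
+ after postgresql
+}
+
+checkconfig() {
+ if [ ! -d "/run/suricata" ] ; then
+ checkpath -d /run/suricata
+ fi
+ if [ ${#SURICATALOGPATH} -gt 0 ]; then
+ SURICATALOGFILE=$( basename ${SURICATALOGPATH} )
+ SURICATALOGFILE=${SURICATALOGFILE:-suricata.log}
+ SURICATALOGPATH=$( dirname ${SURICATALOGPATH} )
+ if [ ! -d "${SURICATALOGPATH}" ] ; then
+ checkpath -d "${SURICATALOGPATH}"
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+ fi
+ SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
+ SURICATALOGPATH="-l ${SURICATALOGPATH}"
+ fi
+ if [ ! -e ${SURICATACONF} ] ; then
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+ SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+ fi
+}
+
+initpidinfo() {
+ [ -e ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
+ if [ ${#SUR_PID} -gt 0 ]; then
+ SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+ SUR_USER="$(ps -p ${SUR_PID} --no-headers -o user)"
+ fi
+}
+
+checkpidinfo() {
+ initpidinfo
+ if [ ! -e ${SURICATAPID} ]; then
+ eerror "${SVCNAME} isn't running"
+ return 1
+ elif [ ${#SUR_PID} -eq 0 ] || [ $((SUR_PID_CHECK)) -ne 1 ]; then
+ eerror "Could not determine PID of ${SVCNAME}! Did the service crash?"
+ return 1
+ elif [ ${#SUR_USER} -eq 0 ]; then
+ eerror "Unable to determine user running ${SVCNAME}!"
+ return 1
+ elif [ "x${SUR_USER}" != "xroot" ]; then
+ ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
+ fi
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
+ -- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH} >/dev/null 2>&1
+ local SUR_EXIT=$?
+ if [ $((SUR_EXIT)) -ne 0 ]; then
+ einfo "Could not start ${SURICATA_BIN} with:"
+ einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH}"
+ einfo "Exit code ${SUR_EXIT}"
+ fi
+ eend ${SUR_EXIT}
+}
+
+stop() {
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop ${SURICATA_RETRY} --quiet --pidfile ${SURICATAPID} >/dev/null 2>&1
+ eend $?
+}
+
+reload() {
+ checkpidinfo || return 1
+ checkconfig || return 1
+ ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ fi
+ eend $?
+}
+
+relog() {
+ checkpidinfo || return 1
+ checkconfig || return 1
+ ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ fi
+ eend $?
+}
+
+dump() {
+ checkconfig || return 1
+ ebegin "Dumping ${SVCNAME} config values and quitting."
+ ${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
+ eend $?
+}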
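Review bot: In initpidinfo the liveness check `SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"` is a substring match, so a service PID such as 12 also counts 120 or 1234, and checkpidinfo then refuses reload/relog with "Could not determine PID" while the daemon is running; the pidfile contents are also fed unquoted to ps and grep without being checked as numeric. A portable fix is to add `case "${SUR_PID}" in ''|*[!0-9]*) SUR_PID='' ;; esac` before the `if`, then use `SUR_PID_CHECK="$(ps -eo pid= | grep -cw "${SUR_PID}")"` and `SUR_USER="$(ps -p "${SUR_PID}" -o user=)"`; the `=` forms suppress the header in POSIX ps, whereas `--no-headers` on the next line is a procps extension, which matters for a commit whose purpose is portability. The ewarn in checkpidinfo also misspells "privileged". Both functions lie entirely within this hunk.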
diff --git a/net-analyzer/suricata/suricata-6.0.6.ebuild b/net-analyzer/suricata/suricata-6.0.6-r1.ebuild |
242 |
similarity index 98% |
243 |
rename from net-analyzer/suricata/suricata-6.0.6.ebuild |
244 |
rename to net-analyzer/suricata/suricata-6.0.6-r1.ebuild |
245 |
index 054eb7c52431..aa3162a55d94 100644 |
246 |
--- a/net-analyzer/suricata/suricata-6.0.6.ebuild |
247 |
+++ b/net-analyzer/suricata/suricata-6.0.6-r1.ebuild |
248 |
@@ -145,8 +145,8 @@ src_install() { |
249 |
fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}" |
250 |
fperms 2750 "/var/lib/${PN}/rules" "/var/lib/${PN}/update" |
251 |
|
252 |
- newinitd "${FILESDIR}/${PN}-5.0.1-init" ${PN} |
253 |
- newconfd "${FILESDIR}/${PN}-5.0.1-conf" ${PN} |
254 |
+ newinitd "${FILESDIR}/${PN}.initd" ${PN} |
255 |
+ newconfd "${FILESDIR}/${PN}.confd" ${PN} |
256 |
systemd_dounit "${FILESDIR}"/${PN}.service |
257 |
newtmpfiles "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf |