fix(api): restore DefaultConfig() and constants used by config loader
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
- Restore api.DefaultConfig() - used by internal/config/loader.go
- Restore DefaultInterface, DefaultPort, DefaultBPFFilter constants
- Restore DefaultFlowTimeout, DefaultPacketBuffer constants
- Remove unused LogLevel* constants (never referenced in codebase)

docs(architecture.yml): update packaging and service sections

- Update packaging tool from fpm to rpmbuild
- Remove CentOS 7 / RHEL 7 from target distros (EOL)
- Update rpm_builder stage description for rpmbuild workflow
- Add spec_file section with version_macro documentation
- Update service to run as root (required for packet capture)
- Update security sandboxing to match current systemd unit
- Remove pid_file (not used)
- Update binary_path from /usr/local/bin to /usr/bin

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
@ -578,24 +578,22 @@ dev_tools:
packaging:
description: >
ja4sentinel est distribué sous forme de packages .rpm (Rocky Linux/RHEL/CentOS/AlmaLinux),
construits intégralement dans Docker avec fpm. Le binaire est compilé sur Rocky Linux 9
construits intégralement dans Docker avec rpmbuild. Le binaire est compilé sur Rocky Linux 9
pour une compatibilité binaire maximale avec toutes les distributions RHEL-based.
formats:
- rpm
target_distros:
rpm:
- centos-7
- rocky-linux-8+
- rocky-linux-9+
- rocky-linux-10+
- almalinux-8+
- almalinux-9+
- almalinux-10+
- rhel-7+
- rhel-8+
- rhel-9+
- rhel-10+
tool: fpm
tool: rpmbuild
build_pipeline:
dockerfile: Dockerfile.package
stages:
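Review bot: dropping `centos-7` and `rhel-7+` from `target_distros` and switching `tool` from `fpm` to `rpmbuild` is not reflected in the CI job still shown at the top of this page ("Build RPM Packages (CentOS 7, Rocky 8/9/10)"); rename that workflow job (or trim its matrix) in the same change so the status line and `architecture.yml` agree on which targets are supported. The `build_pipeline` entry still names `dockerfile: Dockerfile.package`, so it is worth confirming in the description that this Dockerfile is the rpmbuild-based one and no longer pulls in fpm/ruby.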
@ -606,14 +604,15 @@ packaging:
Le binaire est dynamiquement lié à libpcap pour une compatibilité maximale.
- name: rpm_builder
description: >
Image Rocky Linux 9 avec fpm, rpm-build, ruby. Création de l'arborescence
et exécution de fpm pour générer les RPM pour el7, el8, el9, el10.
Image Rocky Linux 9 avec rpm-build. Setup de l'arborescence rpmbuild
(BUILD, RPMS, SOURCES, SPECS, SRPMS). Copie du spec et des sources,
puis build avec rpmbuild -bb pour el8, el9, el10.
- name: output
description: >
Image Alpine minimale contenant les packages RPM dans /packages/rpm/el{7,8,9,10}.
Image Alpine minimale contenant les packages RPM dans /packages/rpm/el{8,9,10}.
files:
binary:
source: dist/ja4sentinel-linux-amd64
source: dist/ja4sentinel
dest: /usr/bin/ja4sentinel
mode: "0755"
systemd:
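Review bot: the `rpm_builder` description says the el8, el9 and el10 packages are all produced with `rpmbuild -bb` on one Rocky Linux 9 image, and the stage above says the binary is dynamically linked to libpcap, so the three packages necessarily carry the same Rocky 9-built binary and differ only in their dist tag; state how `%{?dist}` is set per target (for example `--define 'dist .el8'`) so readers do not assume a per-distro rebuild, and note that the el8 package therefore depends on the el8 libpcap ABI being compatible with what was linked on el9. Renaming `source: dist/ja4sentinel-linux-amd64` to `dist/ja4sentinel` also removes the only mention of the target architecture in this section; record the arch (amd64/x86_64) here or in the spec_file section.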
@ -637,15 +636,20 @@ packaging:
mode: "0750"
- path: /etc/ja4sentinel
mode: "0750"
maintainer_scripts:
rpm:
postinst: packaging/rpm/postinst
prerm: packaging/rpm/prerm
postrm: packaging/rpm/postrm
spec_file:
path: packaging/rpm/ja4sentinel.spec
version_macro: "%{?build_version}%{!?build_version:1.0.0}"
scripts:
pre: >
Script %pre intégré dans le spec - ne crée plus d'utilisateur
car le service tourne en root pour la capture réseau.
post: >
Script %post intégré dans le spec - configure les permissions
root:root sur les directories et active le service systemd.
dependencies:
rpm:
- systemd
- libpcap >= 1.4.0
- libpcap >= 1.9.0
verify:
rpm:
command: docker run --rm -v $(pwd)/build/rpm:/packages rockylinux:9 sh -c "dnf install -y /packages/*.rpm"
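Review bot: `version_macro: "%{?build_version}%{!?build_version:1.0.0}"` silently falls back to 1.0.0 whenever `build_version` is not defined, so a CI run that omits `--define build_version` produces a package indistinguishable from a genuine 1.0.0 release; prefer making the spec fail when the macro is undefined, or document here that 1.0.0 is a development-only placeholder. Two consistency points in the same hunk: the `%pre`/`%post` descriptions say the scripts now live inside the spec, so if `maintainer_scripts.rpm` (postinst/prerm/postrm) is retained alongside `spec_file.scripts`, state which one is authoritative; and `verify.rpm.command` still installs only on `rockylinux:9` although el8 and el10 packages are now produced and the bumped `libpcap >= 1.9.0` requirement must resolve on each of them, so extend the verify step to rockylinux:8 and rockylinux:10 images.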
@ -656,16 +660,18 @@ service:
description: "JA4 client fingerprinting daemon"
wanted_by: "multi-user.target"
exec:
binary_path: "/usr/local/bin/ja4sentinel"
binary_path: "/usr/bin/ja4sentinel"
args:
- "--config"
- "/etc/ja4sentinel/config.yml"
user_group:
user: "ja4sentinel"
group: "ja4sentinel"
user: "root"
group: "root"
note: >
Le service tourne en root pour la capture réseau (CAP_NET_RAW, CAP_NET_ADMIN).
La création d'utilisateur ja4sentinel a été supprimée.
runtime:
working_directory: "/var/lib/ja4sentinel"
pid_file: "/run/ja4sentinel.pid"
restart: "on-failure"
restart_sec: 5
environment_prefix: "JA4SENTINEL_"
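Review bot: the `note` justifies `user: "root"` / `group: "root"` by the need for CAP_NET_RAW and CAP_NET_ADMIN, but those two capabilities are exactly what `AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN` can grant to a non-root `User=`, so the dedicated `ja4sentinel` user could keep capturing packets without the whole daemon running as uid 0; deleting that user is a least-privilege regression that no amount of sandboxing directives recovers. Suggest keeping `user: "ja4sentinel"` / `group: "ja4sentinel"` with ambient capabilities (and ownership of the 0750 directories changed accordingly), or at least recording in the note why ambient capabilities were rejected. Removing `pid_file` is fine since systemd tracks the main process itself.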
@ -680,16 +686,22 @@ service:
- "CAP_NET_RAW"
- "CAP_NET_ADMIN"
sandboxing:
- "NoNewPrivileges=yes"
- "ProtectSystem=full"
- "ProtectHome=true"
- "PrivateTmp=true"
- "ProtectSystem=strict"
- "ProtectHome=yes"
- "PrivateTmp=yes"
- "ProtectKernelTunables=yes"
- "ProtectKernelModules=yes"
- "ProtectControlGroups=yes"
- "RestrictRealtime=yes"
- "RestrictSUIDSGID=yes"
- "LockPersonality=yes"
- "ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel"
integration_rules:
- "Le binaire doit s’arrêter proprement sur SIGTERM (systemd stop)."
- "Le binaire doit s'arrêter proprement sur SIGTERM (systemd stop)."
- "Le module cmd_ja4sentinel gère les signaux et termine la capture proprement."
- "Les chemins (config, socket UNIX, logs) doivent être compatibles avec FHS (/etc, /var/run, /var/log)."
- "Le module cmd_ja4sentinel capture SIGTERM/SIGINT et déclenche un arrêt propre (stop capture, flush outputs, fermer socket UNIX)."
- "Le processus doit retourner un code de sortie non nul en cas d’erreur fatale au démarrage."
- "Le processus doit retourner un code de sortie non nul en cas d'erreur fatale au démarrage."
logging:
strategy:
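Review bot: `ProtectSystem=strict` mounts the whole hierarchy read-only except /dev, /proc and /sys, and the new `ReadWritePaths=` only opens /var/lib/ja4sentinel and /var/log/ja4sentinel, yet the integration rule in this same hunk still places the UNIX socket under /var/run; unless the unit also sets `RuntimeDirectory=ja4sentinel` (or adds the /run subdirectory to ReadWritePaths), the socket bind will fail at start-up, so document that directive next to the sandboxing list. Second, with the service now running as root, `ProtectKernelTunables`, `ProtectKernelModules`, `ProtectControlGroups` and the read-only mounts only hold if the capability list at the top of the hunk (CAP_NET_RAW, CAP_NET_ADMIN) is applied as `CapabilityBoundingSet=`; a root process that keeps CAP_SYS_ADMIN can remount and undo all of them, so name the bounding-set directive here so the hardening claims are accurate.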