dcd6bd0a94
Some checks failed
Build RPM Package / Build RPM Packages (CentOS 7, Rocky 8/9/10) (push) Has been cancelled
- Add github.com/coreos/go-systemd/v22/daemon dependency - Signal SdNotifyReady after configuration is loaded - Start watchdog goroutine that pings systemd every WatchdogSec/2 - Signal SdNotifyStopping during graceful shutdown - Update systemd unit file: - Type=notify (instead of simple) - WatchdogSec=30 (auto-restart if service hangs) - NotifyAccess=main (only main process can notify) Benefits: - systemd knows when service is truly ready - Automatic detection of hung/frozen service - Better integration with systemd supervision - More accurate service status reporting Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
41 lines
959 B
Desktop File
41 lines
959 B
Desktop File
[Unit]
|
|
Description=JA4 client fingerprinting daemon
|
|
Documentation=https://github.com/your-repo/ja4sentinel
|
|
After=network.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=notify
|
|
User=root
|
|
Group=root
|
|
WorkingDirectory=/var/lib/ja4sentinel
|
|
ExecStart=/usr/bin/ja4sentinel --config /etc/ja4sentinel/config.yml
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
WatchdogSec=30
|
|
NotifyAccess=main
|
|
Environment=JA4SENTINEL_LOG_LEVEL=info
|
|
|
|
# Security hardening (compatible with root for packet capture)
|
|
ProtectSystem=strict
|
|
ProtectHome=yes
|
|
PrivateTmp=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectControlGroups=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
LockPersonality=yes
|
|
ReadWritePaths=/var/lib/ja4sentinel /var/log/ja4sentinel
|
|
|
|
# Capabilities for packet capture (inherited by root)
|
|
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
|
|
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
|
|
|
|
# Resource limits
|
|
LimitNOFILE=65536
|
|
LimitNPROC=64
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|