diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index 18bc5a6b..3a77eafa 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,13 +1,17 @@
 if(CPACK_GENERATOR MATCHES "DEB")
 list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-ebpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 if(CPACK_GENERATOR MATCHES "RPM")
 list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-ebpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 endif()
 if(CPACK_GENERATOR MATCHES "TGZ")
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index 61172f6f..7da84dac 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
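Review bot: The DEB and RPM branches are now the same eight `list(APPEND CPACK_INSTALL_COMMANDS ...)` lines with the long staging path repeated in each, so the next unit file has to be added in two places and a typo in one branch silently makes the two packages diverge. Since CPack evaluates this file for one generator at a time, a single `if(CPACK_GENERATOR MATCHES "DEB|RPM")` block with the destination held in a variable and a `foreach()` over the unit names yields the same command list for both. The commands still copy from the relative `scripts/systemd/` path, which relies on cpack running from the build tree that `scripts/CMakeLists.txt` populates; that assumption predates this change but deserves the one-line comment shown below.
```cmake
if(CPACK_GENERATOR MATCHES "DEB|RPM")
    # Units come from the build tree (scripts/systemd is filled at configure time) and land in the staging tree.
    set(falco_systemd_unit_dir "_CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
    list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p ${falco_systemd_unit_dir}")
    foreach(unit IN ITEMS falco@.target falco-kmod.service falco-kmod-inject.service falco-ebpf.service)
        list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/${unit} ${falco_systemd_unit_dir}")
    endforeach()
endif()
# … unchanged: TGZ branch …
```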
@@ -15,26 +15,26 @@
 # limitations under the License.
 #
+# Systemd
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco@.target"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-ebpf.service"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
+
+# Debian
 configure_file(debian/postinst.in debian/postinst)
 configure_file(debian/postrm.in debian/postrm)
 configure_file(debian/prerm.in debian/prerm)
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
- DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
- DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
-
+# Rpm
 configure_file(rpm/postinstall.in rpm/postinstall)
 configure_file(rpm/postuninstall.in rpm/postuninstall)
 configure_file(rpm/preuninstall.in rpm/preuninstall)
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
- DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
-file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
- DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
-
 configure_file(falco-driver-loader falco-driver-loader @ONLY)
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
diff --git a/scripts/debian/falco_inject_kmod.service b/scripts/debian/falco_inject_kmod.service
deleted file mode 100644
index 73639ec1..00000000
--- a/scripts/debian/falco_inject_kmod.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target
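Review bot: The four new `file(COPY ...)` calls repeat the same source prefix and destination, and `file(COPY)` accepts several files in one call, so a single call listing all four units keeps the list in one place for the next unit that gets added. The relative `configure_file(debian/postinst.in ...)` lines just below already rely on this file being processed as the `scripts` subdirectory, so `${CMAKE_CURRENT_SOURCE_DIR}`/`${CMAKE_CURRENT_BINARY_DIR}` would follow the file's own convention instead of spelling `${PROJECT_SOURCE_DIR}/scripts` — assuming the directory is entered with `add_subdirectory`, which I cannot verify from this diff. `file(COPY)` also runs at configure time only, so an edited unit file is not picked up by a plain rebuild; a comment saying so next to the block saves a confusing packaging run later.
```cmake
# Systemd units: copied at configure time only (re-run cmake after editing a unit file)
file(COPY
    "${CMAKE_CURRENT_SOURCE_DIR}/systemd/falco@.target"
    "${CMAKE_CURRENT_SOURCE_DIR}/systemd/falco-kmod-inject.service"
    "${CMAKE_CURRENT_SOURCE_DIR}/systemd/falco-kmod.service"
    "${CMAKE_CURRENT_SOURCE_DIR}/systemd/falco-ebpf.service"
    DESTINATION "${CMAKE_CURRENT_BINARY_DIR}/systemd")
# … unchanged: Debian / Rpm configure_file calls …
```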
diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
index d58d54c1..9e2de714 100755
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -47,17 +47,17 @@ esac
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
 # This will only remove masks created by d-s-h on package removal.
- deb-systemd-helper unmask 'falco.service' >/dev/null || true
+ deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
 # was-enabled defaults to true, so new installations run enable.
- if deb-systemd-helper --quiet was-enabled 'falco.service'; then
+ if deb-systemd-helper --quiet was-enabled 'falco@kmod.target'; then
 # Enables the unit on first installation, creates new
 # symlinks on upgrades if the unit file has changed.
- deb-systemd-helper enable 'falco.service' >/dev/null || true
+ deb-systemd-helper enable 'falco@kmod.target' >/dev/null || true
 else
 # Update the statefile to add new symlinks (if any), which need to be
 # cleaned up on purge. Also remove old symlinks.
- deb-systemd-helper update-state 'falco.service' >/dev/null || true
+ deb-systemd-helper update-state 'falco@kmod.target' >/dev/null || true
 fi
 fi
@@ -69,6 +69,6 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
 else
 _dh_action=start
 fi
- deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true
+ deb-systemd-invoke $_dh_action 'falco@kmod.target' >/dev/null || true
 fi
 fi
diff --git a/scripts/debian/postrm.in b/scripts/debian/postrm.in
index 8134d806..d90627c2 100755
--- a/scripts/debian/postrm.in
+++ b/scripts/debian/postrm.in
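Review bot: Nothing in the new `configure` branch retires the legacy `falco.service` unit that earlier packages installed and enabled, so on an upgrade the old instance — whose prerm, per the context in the prerm hunk, only stops it when `$1` is `remove` — appears to keep running while this script starts `falco@kmod.target`, leaving two falco processes contending for `/var/run/falco.pid` plus a stale `falco.service` enable symlink and d-s-h state file. Unless dh-generated snippets outside this diff handle it, add a migration step ahead of the `unmask`, e.g. `deb-systemd-invoke stop 'falco.service' >/dev/null 2>&1 || true` followed by `deb-systemd-helper purge 'falco.service' >/dev/null || true`, guarded by a check that the old unit's state exists. The RPM `postinstall.in` hunk (`%systemd_post` plus `systemctl enable`/`start`) has the same gap and needs the `systemctl stop`/`disable` equivalent. One side effect worth a comment here: since `was-enabled` defaults to true for a unit name d-s-h has never seen, an admin who had deliberately disabled `falco.service` gets `falco@kmod.target` enabled and started by this upgrade.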
@@ -27,13 +27,13 @@ fi
 if [ "$1" = "remove" ]; then
 if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper mask 'falco.service' >/dev/null || true
+ deb-systemd-helper mask 'falco@kmod.target' >/dev/null || true
 fi
 fi
 if [ "$1" = "purge" ]; then
 if [ -x "/usr/bin/deb-systemd-helper" ]; then
- deb-systemd-helper purge 'falco.service' >/dev/null || true
- deb-systemd-helper unmask 'falco.service' >/dev/null || true
+ deb-systemd-helper purge 'falco@kmod.target' >/dev/null || true
+ deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
 fi
 fi
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
index 1a72292e..791abdde 100755
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
@@ -22,7 +22,7 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
- deb-systemd-invoke stop 'falco.service' >/dev/null || true
+ deb-systemd-invoke stop 'falco@kmod.target' >/dev/null || true
 fi
 case "$1" in
diff --git a/scripts/rpm/falco_inject_kmod.service b/scripts/rpm/falco_inject_kmod.service
deleted file mode 100644
index 73639ec1..00000000
--- a/scripts/rpm/falco_inject_kmod.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target
diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in
index 4848efcd..3bb225a6 100755
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
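Review bot: The prerm `stop` and the postrm `mask`/`purge`/`unmask` act only on `falco@kmod.target`, yet this same commit ships `falco-ebpf.service` and a template target whose `[Install]` section lets an admin enable `falco@ebpf.target` instead; on such a host, removal leaves the ebpf instance running against a deleted unit file and purge leaves its `multi-user.target.wants` symlink dangling. Iterating over both instance names closes that, e.g. in prerm `for unit in 'falco@kmod.target' 'falco@ebpf.target'; do deb-systemd-invoke stop "$unit" >/dev/null || true; done`, with the same loop around the three d-s-h calls in postrm. The RPM `preuninstall.in` and `postuninstall.in` hunks carry the same single-instance assumption and need the same treatment.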
@@ -38,19 +38,19 @@ fi
 # systemd_post macro expands to
 # if postinst:
 # `systemd-update-helper install-system-units `
-%systemd_post 'falco.service'
+%systemd_post 'falco@kmod.target'
 # post install mirrored from .deb
 if [ $1 -eq 1 ]; then
 # This will only remove masks created on package removal.
- /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
+ /usr/bin/systemctl --system unmask 'falco@kmod.target' >/dev/null || true
 # enable falco on installation
 # note: DEB postinstall script checks for changed symlinks
- /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
+ /usr/bin/systemctl --system enable 'falco@kmod.target' >/dev/null || true
 # start falco on installation
- /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
+ /usr/bin/systemctl --system start 'falco@kmod.target' >/dev/null || true
 fi
 # post upgrade mirrored from .deb
@@ -59,6 +59,6 @@ if [ $1 -gt 1 ]; then
 /usr/bin/systemctl --system daemon-reload >/dev/null || true
 # restart falco on upgrade if service is already running
- /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
+ /usr/bin/systemctl --system condrestart 'falco@kmod.target' >/dev/null || true
 fi
 fi
diff --git a/scripts/rpm/postuninstall.in b/scripts/rpm/postuninstall.in
index 8fd9b692..2542fe1e 100755
--- a/scripts/rpm/postuninstall.in
+++ b/scripts/rpm/postuninstall.in
@@ -20,7 +20,7 @@ set -e
 # post uninstall mirrored from .deb
 if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
 /usr/bin/systemctl --system daemon-reload >/dev/null || true
- /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
+ /usr/bin/systemctl --system mask 'falco@kmod.target' >/dev/null || true
 fi
 # validate rpm macros by `rpm -qp --scripts `
@@ -30,4 +30,4 @@ fi
 # systemd_postun_with_restart macro expands to
 # if package upgrade, not uninstall:
 # `systemd-update-helper mark-restart-system-units `
-%systemd_postun_with_restart 'falco.service'
+%systemd_postun_with_restart 'falco@kmod.target'
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index 4dba0180..bb3eda94 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -20,7 +20,7 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
 # stop falco service before uninstall
- /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
+ /usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
 fi
 /usr/bin/falco-driver-loader --clean
@@ -32,4 +32,4 @@ fi
 # systemd_preun macro expands to
 # if preuninstall:
 # `systemd-update-helper remove-system-units `
-%systemd_preun 'falco.service'
+%systemd_preun 'falco@kmod.target'
diff --git a/scripts/debian/falco.service b/scripts/systemd/falco-ebpf.service
similarity index 61%
rename from scripts/debian/falco.service
rename to scripts/systemd/falco-ebpf.service
index 0e3e16ce..bcb90a2d 100644
--- a/scripts/debian/falco.service
+++ b/scripts/systemd/falco-ebpf.service
@@ -1,14 +1,14 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
+PartOf=falco@ebpf.target
+Conflicts=falco-kmod.service
 [Service]
 Type=simple
 User=root
+Environment=FALCO_BPF_PROBE=
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
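Review bot: `Environment=FALCO_BPF_PROBE=` sets the variable to an empty string on purpose rather than leaving it unset, and that empty value is what distinguishes the ebpf unit from the kmod one, so it needs a `#` comment on the line above, e.g. `# Empty value selects the eBPF driver; leave it empty to use falco's default probe path (TODO confirm against the driver loader)` — I cannot confirm the exact semantics from this diff. `Conflicts=falco-kmod.service` stops the kmod falco process when the ebpf instance starts, but `falco-kmod-inject.service` (`RemainAfterExit=yes`, not conflicted) stays active with the kernel module loaded, so a host switched to ebpf keeps an unused module resident; `Conflicts=falco-kmod.service falco-kmod-inject.service` would unload it through that unit's `ExecStop`. Dropping `ExecStopPost=/sbin/rmmod falco` here (and `ReadWritePaths=/sys/module/falco` in the second hunk) is consistent, since no module is involved on the ebpf path.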
@@ -18,9 +18,6 @@ NoNewPrivileges=yes
 ProtectHome=read-only
 ProtectSystem=full
 ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null
diff --git a/scripts/systemd/falco-kmod-inject.service b/scripts/systemd/falco-kmod-inject.service
new file mode 100644
index 00000000..d2293d99
--- /dev/null
+++ b/scripts/systemd/falco-kmod-inject.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Falco: Container Native Runtime Security with kmod, inject.
+Documentation=https://falco.org/docs/
+PartOf=falco@kmod.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+User=root
+ExecStart=/sbin/modprobe falco
+ExecStop=/sbin/rmmod falco
diff --git a/scripts/rpm/falco.service b/scripts/systemd/falco-kmod.service
similarity index 68%
rename from scripts/rpm/falco.service
rename to scripts/systemd/falco-kmod.service
index 1d66d440..a4328247 100644
--- a/scripts/rpm/falco.service
+++ b/scripts/systemd/falco-kmod.service
@@ -1,14 +1,15 @@
 [Unit]
-Description=Falco: Container Native Runtime Security
+Description=Falco: Container Native Runtime Security with kmod
 Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
+After=falco-kmod-inject.service
+Requires=falco-kmod-inject.service
+PartOf=falco@kmod.target
+Conflicts=falco-ebpf.service
 [Service]
 Type=simple
 User=root
 ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
 UMask=0077
 TimeoutSec=30
 RestartSec=15s
@@ -22,6 +23,3 @@ ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
diff --git a/scripts/systemd/falco@.target b/scripts/systemd/falco@.target
new file mode 100644
index 00000000..3178ec16
--- /dev/null
+++ b/scripts/systemd/falco@.target
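Review bot: `StandardOutput=null` silences more than the line suggests: `StandardError=` is not set in this unit and, as far as I know, its default (`inherit`) duplicates stdout, so falco's own stderr log lines are dropped together with anything an alert output writes to stdout, and `journalctl` on the unit would show only systemd's messages. The kmod unit already carries the setting (visible as context in its second hunk), so this aligns the two rather than regressing, but for a security sensor I would add `StandardError=journal` next to it with the comment `# stdout is dropped on purpose; keep stderr in the journal so falco's log lines and errors stay visible`. If the goal is to keep alert volume out of the journal, that belongs in falco's output configuration rather than in nulling the stream. The `[Install]` section is correctly gone here since the instance is now pulled in by `falco@.target`'s `Requires=`; a one-line comment stating that saves the next reader from re-adding it.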
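Review bot: The new `falco-kmod-inject.service` carries no comment explaining its shape, and the shape is what makes the target work: `Type=oneshot` with `RemainAfterExit=yes` keeps the unit active after `modprobe` returns so that `falco-kmod.service`'s `Requires=`/`After=` on it hold for the life of the target, and `ExecStop=/sbin/rmmod falco` then runs when `falco@kmod.target` stops, after `falco-kmod.service` has been stopped by the reverse ordering. A two-line `#` header in `[Unit]` stating exactly that would stop someone from "simplifying" away `RemainAfterExit`. It is also worth noting there that `rmmod` fails if the module is still in use, which fails the stop job rather than hanging it; if that should be tolerated, `ExecStop=-/sbin/rmmod falco` ignores the exit status.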
@@ -0,0 +1,7 @@
+[Unit]
+Description=Falco generic startup target [kmod,ebpf]
+Requires=multi-user.target falco-%i.service
+After=multi-user.target
+
+[Install]
+WantedBy=multi-user.target
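Review bot: `Requires=multi-user.target` plus `After=multi-user.target` in a unit that is itself `WantedBy=multi-user.target` looks like an ordering cycle: a target implicitly orders itself `After=` the units it `Wants=`/`Requires=` unless `DefaultDependencies=no` is set, so `multi-user.target` would be after `falco@kmod.target` while `falco@kmod.target` is after `multi-user.target`, and when systemd detects that it breaks the cycle by deleting a job — possibly the falco one — so the sensor may not come up at boot. I would reduce the line to `Requires=falco-%i.service` (the `WantedBy=` install already ties the instance to `multi-user.target`) and replace `After=multi-user.target` with ordering against what falco actually needs, e.g. `After=network.target` if that is the intent; I cannot see what the removed `falco.service` units ordered against beyond the inject unit, so treat that as a question. A comment spelling out the `%i` contract would also help, since the Description only hints at it: `# The instance name selects the driver: falco@kmod.target -> falco-kmod.service, falco@ebpf.target -> falco-ebpf.service`.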