new(scrips): improve systemd units for rpm and debian.

Unify them; plus, rework systemd units to support eBPF too.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

scripts/rpm/falco.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-After=falco_inject_kmod.service
-Requires=falco_inject_kmod.service
-
-[Service]
-Type=simple
-User=root
-ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
-ExecStopPost=/sbin/rmmod falco
-UMask=0077
-TimeoutSec=30
-RestartSec=15s
-Restart=on-failure
-PrivateTmp=true
-NoNewPrivileges=yes
-ProtectHome=read-only
-ProtectSystem=full
-ProtectKernelTunables=true
-ReadWritePaths=/sys/module/falco
-RestrictRealtime=true
-RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target

scripts/rpm/falco_inject_kmod.service

@@ -1,13 +0,0 @@
-[Unit]
-Description=Falco: Container Native Runtime Security
-Documentation=https://falco.org/docs/
-Before=falco.service
-Wants=falco.service
-
-[Service]
-Type=oneshot
-User=root
-ExecStart=/sbin/modprobe falco
-
-[Install]
-WantedBy=multi-user.target

scripts/rpm/postinstall.in

@@ -38,19 +38,19 @@ fi
 # systemd_post macro expands to
 # if postinst:
 #   `systemd-update-helper install-system-units <service>`
-%systemd_post 'falco.service'
+%systemd_post 'falco@kmod.target'
 
 # post install mirrored from .deb
 if [ $1 -eq 1 ]; then
         # This will only remove masks created on package removal.
-        /usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true
+        /usr/bin/systemctl --system unmask 'falco@kmod.target' >/dev/null || true
 
         # enable falco on installation
         # note: DEB postinstall script checks for changed symlinks
-        /usr/bin/systemctl --system enable 'falco.service' >/dev/null || true
+        /usr/bin/systemctl --system enable 'falco@kmod.target' >/dev/null || true
 
         # start falco on installation
-        /usr/bin/systemctl --system start 'falco.service' >/dev/null || true
+        /usr/bin/systemctl --system start 'falco@kmod.target' >/dev/null || true
 fi
 
 # post upgrade mirrored from .deb
@@ -59,6 +59,6 @@ if [ $1 -gt 1 ]; then
         /usr/bin/systemctl --system daemon-reload >/dev/null || true
 
         # restart falco on upgrade if service is already running
-        /usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true
+        /usr/bin/systemctl --system condrestart 'falco@kmod.target' >/dev/null || true
     fi
 fi

scripts/rpm/postuninstall.in

@@ -20,7 +20,7 @@ set -e
 # post uninstall mirrored from .deb
 if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
         /usr/bin/systemctl --system daemon-reload >/dev/null || true
-        /usr/bin/systemctl --system mask 'falco.service' >/dev/null || true
+        /usr/bin/systemctl --system mask 'falco@kmod.target' >/dev/null || true
 fi
 
 # validate rpm macros by `rpm -qp --scripts <rpm>`
@@ -30,4 +30,4 @@ fi
 # systemd_postun_with_restart macro expands to
 # if package upgrade, not uninstall:
 #   `systemd-update-helper mark-restart-system-units <service>`
-%systemd_postun_with_restart 'falco.service'
+%systemd_postun_with_restart 'falco@kmod.target'

scripts/rpm/preuninstall.in

@@ -20,7 +20,7 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
         # stop falco service before uninstall
-        /usr/bin/systemctl --system stop 'falco.service' >/dev/null || true
+        /usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
 fi
 
 /usr/bin/falco-driver-loader --clean
@@ -32,4 +32,4 @@ fi
 # systemd_preun macro expands to
 # if preuninstall:
 #  `systemd-update-helper remove-system-units <service>`
-%systemd_preun 'falco.service'
+%systemd_preun 'falco@kmod.target'