new(scrips): improve systemd units for rpm and debian.

Unify them; plus, rework systemd units to support eBPF too.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Federico Di Pierro 2022-10-10 14:54:42 +02:00 committed by poiana
parent f43e6c445a
commit 06fe9e6985
14 changed files with 66 additions and 75 deletions


@ -1,13 +1,17 @@
if(CPACK_GENERATOR MATCHES "DEB") if(CPACK_GENERATOR MATCHES "DEB")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-ebpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
endif() endif()
if(CPACK_GENERATOR MATCHES "RPM") if(CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco_inject_kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-ebpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
endif() endif()
if(CPACK_GENERATOR MATCHES "TGZ") if(CPACK_GENERATOR MATCHES "TGZ")
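Review bot: The DEB branch (L16–L20) and the RPM branch (L23–L27) are now byte-for-byte identical, and the systemd destination path is spelled out in ten separate `list(APPEND ...)` calls; one branch keyed on `MATCHES "DEB|RPM"` with the path in a variable and a `foreach` over the four unit names turns the next unit addition into a one-word change. The same four unit names are also listed by hand in the other CMake file touched by this commit, so the two lists can drift; a comment pointing at the other location would help keep them aligned. The TGZ branch that starts on the last line continues outside the hunk.
```cmake
if(CPACK_GENERATOR MATCHES "DEB|RPM")
  set(falco_systemd_dir "_CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
  list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p ${falco_systemd_dir}")
  # Keep this list in sync with the file(COPY ...) of the systemd units in the scripts CMake file.
  foreach(unit falco@.target falco-kmod.service falco-kmod-inject.service falco-ebpf.service)
    list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/${unit} ${falco_systemd_dir}")
  endforeach()
endif()
# … unchanged: TGZ branch …
```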


@ -15,26 +15,26 @@
# limitations under the License. # limitations under the License.
# #
# Systemd
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco@.target"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-ebpf.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
# Debian
configure_file(debian/postinst.in debian/postinst) configure_file(debian/postinst.in debian/postinst)
configure_file(debian/postrm.in debian/postrm) configure_file(debian/postrm.in debian/postrm)
configure_file(debian/prerm.in debian/prerm) configure_file(debian/prerm.in debian/prerm)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service" # Rpm
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco_inject_kmod.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
configure_file(rpm/postinstall.in rpm/postinstall) configure_file(rpm/postinstall.in rpm/postinstall)
configure_file(rpm/postuninstall.in rpm/postuninstall) configure_file(rpm/postuninstall.in rpm/postuninstall)
configure_file(rpm/preuninstall.in rpm/preuninstall) configure_file(rpm/preuninstall.in rpm/preuninstall)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco_inject_kmod.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
configure_file(falco-driver-loader falco-driver-loader @ONLY) configure_file(falco-driver-loader falco-driver-loader @ONLY)
if(CMAKE_SYSTEM_NAME MATCHES "Linux") if(CMAKE_SYSTEM_NAME MATCHES "Linux")
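Review bot: The four `file(COPY ...)` calls at L37–L44 all copy into the same `${PROJECT_BINARY_DIR}/scripts/systemd` directory; `file(COPY)` takes several input files in one call, so a single call with the four units listed keeps them visually grouped and states the DESTINATION once. This is the same unit list the CPack config in this commit hard-codes again, so a comment naming that second location would help keep them in step. The `if(CMAKE_SYSTEM_NAME MATCHES "Linux")` block opened on the last line continues outside the hunk.
```cmake
# Systemd (keep in sync with the unit list in the CPack config)
file(COPY
  "${PROJECT_SOURCE_DIR}/scripts/systemd/falco@.target"
  "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
  "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
  "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-ebpf.service"
  DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
# … unchanged: Debian and Rpm configure_file calls …
```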


@ -1,13 +0,0 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
Before=falco.service
Wants=falco.service
[Service]
Type=oneshot
User=root
ExecStart=/sbin/modprobe falco
[Install]
WantedBy=multi-user.target


@ -47,17 +47,17 @@ esac
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
# This will only remove masks created by d-s-h on package removal. # This will only remove masks created by d-s-h on package removal.
deb-systemd-helper unmask 'falco.service' >/dev/null || true deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
# was-enabled defaults to true, so new installations run enable. # was-enabled defaults to true, so new installations run enable.
if deb-systemd-helper --quiet was-enabled 'falco.service'; then if deb-systemd-helper --quiet was-enabled 'falco@kmod.target'; then
# Enables the unit on first installation, creates new # Enables the unit on first installation, creates new
# symlinks on upgrades if the unit file has changed. # symlinks on upgrades if the unit file has changed.
deb-systemd-helper enable 'falco.service' >/dev/null || true deb-systemd-helper enable 'falco@kmod.target' >/dev/null || true
else else
# Update the statefile to add new symlinks (if any), which need to be # Update the statefile to add new symlinks (if any), which need to be
# cleaned up on purge. Also remove old symlinks. # cleaned up on purge. Also remove old symlinks.
deb-systemd-helper update-state 'falco.service' >/dev/null || true deb-systemd-helper update-state 'falco@kmod.target' >/dev/null || true
fi fi
fi fi
@ -69,6 +69,6 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
else else
_dh_action=start _dh_action=start
fi fi
deb-systemd-invoke $_dh_action 'falco.service' >/dev/null || true deb-systemd-invoke $_dh_action 'falco@kmod.target' >/dev/null || true
fi fi
fi fi
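Review bot: Every `falco.service` reference at L83–L99 becomes `falco@kmod.target`, but nothing handles hosts upgrading from a package that had enabled `falco.service`: `was-enabled`/`enable`/`update-state` now act only on the new name, so the enablement symlink and deb-systemd-helper state recorded for `falco.service` are left behind, and the postrm in the next section likewise only masks and purges the new name. A one-time cleanup before the unmask, e.g. `deb-systemd-helper purge 'falco.service' >/dev/null 2>&1 || true`, would retire the old state; whether the old unit file itself is still present after the upgrade cannot be confirmed from the hunk. The rpm postinstall, postuninstall and preuninstall sections in this commit carry the same `falco.service` → `falco@kmod.target` rename and the same gap. The first hunk's `if` opens and closes inside it, but the second hunk's enclosing `if` starts outside the hunk.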


@ -27,13 +27,13 @@ fi
if [ "$1" = "remove" ]; then if [ "$1" = "remove" ]; then
if [ -x "/usr/bin/deb-systemd-helper" ]; then if [ -x "/usr/bin/deb-systemd-helper" ]; then
deb-systemd-helper mask 'falco.service' >/dev/null || true deb-systemd-helper mask 'falco@kmod.target' >/dev/null || true
fi fi
fi fi
if [ "$1" = "purge" ]; then if [ "$1" = "purge" ]; then
if [ -x "/usr/bin/deb-systemd-helper" ]; then if [ -x "/usr/bin/deb-systemd-helper" ]; then
deb-systemd-helper purge 'falco.service' >/dev/null || true deb-systemd-helper purge 'falco@kmod.target' >/dev/null || true
deb-systemd-helper unmask 'falco.service' >/dev/null || true deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
fi fi
fi fi


@ -22,7 +22,7 @@ set -e
# Currently running falco service uses the driver, so stop it before driver cleanup # Currently running falco service uses the driver, so stop it before driver cleanup
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
deb-systemd-invoke stop 'falco.service' >/dev/null || true deb-systemd-invoke stop 'falco@kmod.target' >/dev/null || true
fi fi
case "$1" in case "$1" in


@ -1,13 +0,0 @@
[Unit]
Description=Falco: Container Native Runtime Security
Documentation=https://falco.org/docs/
Before=falco.service
Wants=falco.service
[Service]
Type=oneshot
User=root
ExecStart=/sbin/modprobe falco
[Install]
WantedBy=multi-user.target


@ -38,19 +38,19 @@ fi
# systemd_post macro expands to # systemd_post macro expands to
# if postinst: # if postinst:
# `systemd-update-helper install-system-units <service>` # `systemd-update-helper install-system-units <service>`
%systemd_post 'falco.service' %systemd_post 'falco@kmod.target'
# post install mirrored from .deb # post install mirrored from .deb
if [ $1 -eq 1 ]; then if [ $1 -eq 1 ]; then
# This will only remove masks created on package removal. # This will only remove masks created on package removal.
/usr/bin/systemctl --system unmask 'falco.service' >/dev/null || true /usr/bin/systemctl --system unmask 'falco@kmod.target' >/dev/null || true
# enable falco on installation # enable falco on installation
# note: DEB postinstall script checks for changed symlinks # note: DEB postinstall script checks for changed symlinks
/usr/bin/systemctl --system enable 'falco.service' >/dev/null || true /usr/bin/systemctl --system enable 'falco@kmod.target' >/dev/null || true
# start falco on installation # start falco on installation
/usr/bin/systemctl --system start 'falco.service' >/dev/null || true /usr/bin/systemctl --system start 'falco@kmod.target' >/dev/null || true
fi fi
# post upgrade mirrored from .deb # post upgrade mirrored from .deb
@ -59,6 +59,6 @@ if [ $1 -gt 1 ]; then
/usr/bin/systemctl --system daemon-reload >/dev/null || true /usr/bin/systemctl --system daemon-reload >/dev/null || true
# restart falco on upgrade if service is already running # restart falco on upgrade if service is already running
/usr/bin/systemctl --system condrestart 'falco.service' >/dev/null || true /usr/bin/systemctl --system condrestart 'falco@kmod.target' >/dev/null || true
fi fi
fi fi


@ -20,7 +20,7 @@ set -e
# post uninstall mirrored from .deb # post uninstall mirrored from .deb
if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
/usr/bin/systemctl --system daemon-reload >/dev/null || true /usr/bin/systemctl --system daemon-reload >/dev/null || true
/usr/bin/systemctl --system mask 'falco.service' >/dev/null || true /usr/bin/systemctl --system mask 'falco@kmod.target' >/dev/null || true
fi fi
# validate rpm macros by `rpm -qp --scripts <rpm>` # validate rpm macros by `rpm -qp --scripts <rpm>`
@ -30,4 +30,4 @@ fi
# systemd_postun_with_restart macro expands to # systemd_postun_with_restart macro expands to
# if package upgrade, not uninstall: # if package upgrade, not uninstall:
# `systemd-update-helper mark-restart-system-units <service>` # `systemd-update-helper mark-restart-system-units <service>`
%systemd_postun_with_restart 'falco.service' %systemd_postun_with_restart 'falco@kmod.target'


@ -20,7 +20,7 @@ set -e
# Currently running falco service uses the driver, so stop it before driver cleanup # Currently running falco service uses the driver, so stop it before driver cleanup
if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
# stop falco service before uninstall # stop falco service before uninstall
/usr/bin/systemctl --system stop 'falco.service' >/dev/null || true /usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
fi fi
/usr/bin/falco-driver-loader --clean /usr/bin/falco-driver-loader --clean
@ -32,4 +32,4 @@ fi
# systemd_preun macro expands to # systemd_preun macro expands to
# if preuninstall: # if preuninstall:
# `systemd-update-helper remove-system-units <service>` # `systemd-update-helper remove-system-units <service>`
%systemd_preun 'falco.service' %systemd_preun 'falco@kmod.target'


@ -1,14 +1,14 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
After=falco_inject_kmod.service PartOf=falco@ebpf.target
Requires=falco_inject_kmod.service Conflicts=falco-kmod.service
[Service] [Service]
Type=simple Type=simple
User=root User=root
Environment=FALCO_BPF_PROBE=
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077 UMask=0077
TimeoutSec=30 TimeoutSec=30
RestartSec=15s RestartSec=15s
@ -18,9 +18,6 @@ NoNewPrivileges=yes
ProtectHome=read-only ProtectHome=read-only
ProtectSystem=full ProtectSystem=full
ProtectKernelTunables=true ProtectKernelTunables=true
ReadWritePaths=/sys/module/falco
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET
StandardOutput=null
[Install]
WantedBy=multi-user.target
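Review bot: `StandardOutput=null` appears only on the old side here (L221) while falco-kmod.service keeps it (L260), so the two driver units now diverge on whether Falco's stdout reaches the journal; if discarding it is still intended for the kmod unit it should be for this one too, and if routing alerts to the journal is the new intent the kmod unit should follow. `Environment=FALCO_BPF_PROBE=` at L208 sets an empty value and deserves a comment, e.g. `# An empty FALCO_BPF_PROBE selects the eBPF driver with Falco's default probe location` — presumably that is what an empty setting does, confirm against falco-driver-loader. The retained `ProtectKernelTunables=true` / `ProtectSystem=full` sandbox was written for the kmod unit, and this unit drops `ReadWritePaths=/sys/module/falco`; whether loading the eBPF probe needs any write access under /sys is not visible from the hunk and is worth an actual start/stop check. The `[Service]` section continues past the first hunk.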


@ -0,0 +1,11 @@
[Unit]
Description=Falco: Container Native Runtime Security with kmod, inject.
Documentation=https://falco.org/docs/
PartOf=falco@kmod.target
[Service]
Type=oneshot
RemainAfterExit=yes
User=root
ExecStart=/sbin/modprobe falco
ExecStop=/sbin/rmmod falco


@ -1,14 +1,15 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security Description=Falco: Container Native Runtime Security with kmod
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
After=falco_inject_kmod.service After=falco-kmod-inject.service
Requires=falco_inject_kmod.service Requires=falco-kmod-inject.service
PartOf=falco@kmod.target
Conflicts=falco-ebpf.service
[Service] [Service]
Type=simple Type=simple
User=root User=root
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
ExecStopPost=/sbin/rmmod falco
UMask=0077 UMask=0077
TimeoutSec=30 TimeoutSec=30
RestartSec=15s RestartSec=15s
@ -22,6 +23,3 @@ ReadWritePaths=/sys/module/falco
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET
StandardOutput=null StandardOutput=null
[Install]
WantedBy=multi-user.target
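Review bot: With `ExecStopPost=/sbin/rmmod falco` removed at L253, unloading the module now happens only through falco-kmod-inject.service's `ExecStop`, and since the only propagation added here is `PartOf=falco@kmod.target` (L247), `systemctl stop falco-kmod.service` on its own leaves the module loaded — a behaviour change from the old unit that deserves a comment, e.g. `# Stop via falco@kmod.target; stopping this unit alone does not unload the falco module`. The second hunk's header shows `ReadWritePaths=/sys/module/falco` still in this unit; if that carve-out existed only for the rmmod that is now gone, dropping it would tighten the `ProtectKernelTunables=true` sandbox, but whether Falco writes there at run time cannot be told from the hunk. The `[Install]` removal means the unit can only be enabled through the target, which matches the packaging script changes in this commit.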


@ -0,0 +1,7 @@
[Unit]
Description=Falco generic startup target [kmod,ebpf]
Requires=multi-user.target falco-%i.service
After=multi-user.target
[Install]
WantedBy=multi-user.target
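Review bot: `Requires=multi-user.target` and `After=multi-user.target` at L269–L270 on a target that is itself `WantedBy=multi-user.target` (L272) looks like an ordering loop: target units implicitly gain `After=` for each of their `Wants=`/`Requires=` entries unless `DefaultDependencies=no`, so multi-user.target would be ordered after falco@kmod.target while this unit is ordered after multi-user.target, and systemd breaks such cycles by deleting a job — possibly the Falco one. If the intent is only to bring up the chosen driver unit, `Requires=falco-%i.service` alone is enough (the implicit After= already orders the target after the service); if Falco is meant to start late in boot, an `After=` on a specific earlier target is the usual way to say so. Running `systemd-analyze verify` against the installed unit would confirm whether a cycle is reported; the Conflicts= between the two driver services means enabling both instances resolves to whichever started last, which may be worth a comment here.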