diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index 967cf882..3dbcdbdb 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,6 +1,7 @@
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index de6b2aa2..b2598518 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -16,6 +16,8 @@ # # Systemd +file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco.target" + DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service" DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service" diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in index 90cb8816..5bceda37 100755 --- a/scripts/debian/prerm.in +++ b/scripts/debian/prerm.in @@ -24,11 +24,7 @@ set -e case "$1" in remove|upgrade|deconfigure) echo "[PRE-REMOVE] Stop all Falco services:" - systemctl --system stop 'falco-kmod.service' || true - systemctl --system stop 'falco-bpf.service' || true - systemctl --system stop 'falco-modern-bpf.service' || true - systemctl --system stop 'falco-plugin.service' || true - systemctl --system stop 'falcoctl.service' || true + systemctl --system stop 'falco.target' || true echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'" falco-driver-loader --clean diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in index dd7c0cf1..18220f49 100755 --- a/scripts/rpm/preuninstall.in +++ b/scripts/rpm/preuninstall.in @@ -18,11 +18,7 @@ set -e # Currently running falco service uses the driver, so stop it before driver cleanup echo "[PRE-REMOVE] Stop all Falco services:" -systemctl --system stop 'falco-kmod.service' || true -systemctl --system stop 'falco-bpf.service' || true -systemctl --system stop 'falco-modern-bpf.service' || true -systemctl --system stop 'falco-plugin.service' || true -systemctl --system stop 'falcoctl.service' || true +systemctl --system stop 'falco.target' || true echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'" falco-driver-loader --clean diff --git a/scripts/systemd/falco-bpf.service b/scripts/systemd/falco-bpf.service index de8c57e6..58127cd6 100644 --- a/scripts/systemd/falco-bpf.service +++ b/scripts/systemd/falco-bpf.service 
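Review bot: The single `systemctl --system stop 'falco.target' || true` in scripts/debian/prerm.in (and the identical line in scripts/rpm/preuninstall.in) makes driver cleanup depend entirely on stop propagation through `PartOf=`/`BindsTo=`, and `|| true` hides the case where a Falco service keeps running, for example a locally overridden unit that lacks `PartOf=falco.target`. `falco-driver-loader --clean` then runs under `set -e` while the driver may still be in use. Consider a check right after the stop, e.g. `systemctl --system is-active --quiet 'falco-*.service' && echo "[PRE-REMOVE] Warning: a Falco service is still active"`, plus a comment stating that the target is expected to stop every unit bound to it. Both scripts continue outside the hunks shown.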
@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -21,7 +22,4 @@ ProtectSystem=full
 ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null
\ No newline at end of file
diff --git a/scripts/systemd/falco-kmod.service b/scripts/systemd/falco-kmod.service
index f6251638..500bb93e 100644
--- a/scripts/systemd/falco-kmod.service
+++ b/scripts/systemd/falco-kmod.service
@@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with kmod
 Documentation=https://falco.org/docs/
 After=falco-kmod-inject.service
 Requires=falco-kmod-inject.service
+PartOf=falco.target
 Conflicts=falco-bpf.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -23,7 +24,4 @@ ProtectKernelTunables=true
 ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null
\ No newline at end of file
diff --git a/scripts/systemd/falco-modern-bpf.service b/scripts/systemd/falco-modern-bpf.service
index 9b682500..ef4bdc2e 100644
--- a/scripts/systemd/falco-modern-bpf.service
+++ b/scripts/systemd/falco-modern-bpf.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with modern ebpf
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-bpf.service
 Conflicts=falco-plugin.service
@@ -20,7 +21,4 @@ ProtectSystem=full
 ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null
\ No newline at end of file
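Review bot: `PartOf=falco.target` propagates only stop and restart from the target to the service, so with `[Install]`/`WantedBy=multi-user.target` removed in the second hunk nothing visible in this diff starts falco-bpf.service at boot, and `systemctl enable falco-bpf.service` has no install information left to act on. The same holds for falco-kmod.service, falco-modern-bpf.service and falco-plugin.service. For a runtime detection sensor this means a reboot can leave the host unmonitored without any error, unless the post-install scripts (not part of this diff) wire the selected unit to the target. Keeping an install section that points at the target, `[Install]` followed by `WantedBy=falco.target`, would let `systemctl enable` express the chosen driver.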
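Review bot: The rewritten last line `StandardOutput=null` drops the file's trailing newline (`\ No newline at end of file`) in falco-bpf.service, falco-kmod.service and falco-modern-bpf.service, and the new falco.target is created the same way. Ending each unit file with a newline keeps a later append or packaging-time concatenation from gluing another directive onto this line.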
diff --git a/scripts/systemd/falco-plugin.service b/scripts/systemd/falco-plugin.service index 84befe71..dac0c1d0 100644 --- a/scripts/systemd/falco-plugin.service +++ b/scripts/systemd/falco-plugin.service @@ -1,6 +1,7 @@ [Unit] Description=Falco: Container Native Runtime Security with plugin Documentation=https://falco.org/docs/ +PartOf=falco.target Conflicts=falco-kmod.service Conflicts=falco-bpf.service Conflicts=falco-modern-bpf.service @@ -21,6 +22,3 @@ ProtectKernelTunables=true RestrictRealtime=true RestrictAddressFamilies=~AF_PACKET StandardOutput=null - -[Install] -WantedBy=multi-user.target diff --git a/scripts/systemd/falco.target b/scripts/systemd/falco.target new file mode 100644 index 00000000..df13a9e4 --- /dev/null +++ b/scripts/systemd/falco.target @@ -0,0 +1,7 @@ +[Unit] +Description=Main Falco target +Requires=multi-user.target +After=multi-user.target + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/scripts/systemd/falcoctl.service b/scripts/systemd/falcoctl.service index 1adefd2c..bc12c6ed 100644 --- a/scripts/systemd/falcoctl.service +++ b/scripts/systemd/falcoctl.service @@ -1,6 +1,8 @@ [Unit] Description=Falco: Automatic rules update service Documentation=https://falco.org/docs/ +After=falco.target +BindsTo=falco.target [Service] Type=simple @@ -15,8 +17,7 @@ NoNewPrivileges=yes ProtectSystem=true ProtectKernelTunables=true RestrictRealtime=true -#RestrictAddressFamilies=~AF_PACKET -#StandardOutput=null +StandardOutput=null [Install] WantedBy=multi-user.target
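Review bot: In the new falco.target, `After=multi-user.target` combined with `[Install]` `WantedBy=multi-user.target` looks like an ordering cycle: a target gains an implicit `After=` on every unit it wants, so multi-user.target would be ordered after falco.target while falco.target is ordered after multi-user.target. systemd resolves such a cycle by dropping a job, which can be the start of falco.target, so the target may not come up reliably at boot. Unless `DefaultDependencies=no` is set somewhere not shown here, dropping `Requires=multi-user.target` and `After=multi-user.target` and keeping only the `WantedBy=` line avoids the cycle. The target also declares no `Wants=` for any Falco service, so starting it starts nothing by itself.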
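Review bot: Enabling `StandardOutput=null` in the second falcoctl.service hunk discards the output of the rules-update service, and because `StandardError=` inherits from `StandardOutput=` by default, a failed or unexpected artifact update would likely leave no trace in the journal. No `StandardError=` is visible in this hunk, though the `[Service]` section starts above it. For a unit that fetches detection content, `StandardOutput=journal` (or removing the line) keeps an audit trail. The commented `RestrictAddressFamilies=~AF_PACKET` is deleted rather than enabled; if falcoctl needs no packet sockets, activating it would keep this unit's hardening in line with the Falco service units.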