mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-05 00:31:38 +00:00
new(scripts): add a falco.target that consists of falco-X.service units.
falcoctl will then run and bind to falco.target. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
This commit is contained in:
Federico Di Pierro
committed by
poiana
poiana
parent
394d495040
commit
2591ed4d68
@@ -16,6 +16,8 @@
|
||||
#
|
||||
|
||||
# Systemd
|
||||
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco.target"
|
||||
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
|
||||
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
|
||||
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
|
||||
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
|
||||
|
||||
@@ -24,11 +24,7 @@ set -e
|
||||
case "$1" in
|
||||
remove|upgrade|deconfigure)
|
||||
echo "[PRE-REMOVE] Stop all Falco services:"
|
||||
systemctl --system stop 'falco-kmod.service' || true
|
||||
systemctl --system stop 'falco-bpf.service' || true
|
||||
systemctl --system stop 'falco-modern-bpf.service' || true
|
||||
systemctl --system stop 'falco-plugin.service' || true
|
||||
systemctl --system stop 'falcoctl.service' || true
|
||||
systemctl --system stop 'falco.target' || true
|
||||
|
||||
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
|
||||
falco-driver-loader --clean
|
||||
|
||||
@@ -18,11 +18,7 @@ set -e
|
||||
|
||||
# Currently running falco service uses the driver, so stop it before driver cleanup
|
||||
echo "[PRE-REMOVE] Stop all Falco services:"
|
||||
systemctl --system stop 'falco-kmod.service' || true
|
||||
systemctl --system stop 'falco-bpf.service' || true
|
||||
systemctl --system stop 'falco-modern-bpf.service' || true
|
||||
systemctl --system stop 'falco-plugin.service' || true
|
||||
systemctl --system stop 'falcoctl.service' || true
|
||||
systemctl --system stop 'falco.target' || true
|
||||
|
||||
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
|
||||
falco-driver-loader --clean
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
[Unit]
|
||||
Description=Falco: Container Native Runtime Security with ebpf
|
||||
Documentation=https://falco.org/docs/
|
||||
PartOf=falco.target
|
||||
Conflicts=falco-kmod.service
|
||||
Conflicts=falco-modern-bpf.service
|
||||
Conflicts=falco-plugin.service
|
||||
@@ -21,7 +22,4 @@ ProtectSystem=full
|
||||
ProtectKernelTunables=true
|
||||
RestrictRealtime=true
|
||||
RestrictAddressFamilies=~AF_PACKET
|
||||
StandardOutput=null
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
StandardOutput=null
|
||||
@@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with kmod
|
||||
Documentation=https://falco.org/docs/
|
||||
After=falco-kmod-inject.service
|
||||
Requires=falco-kmod-inject.service
|
||||
PartOf=falco.target
|
||||
Conflicts=falco-bpf.service
|
||||
Conflicts=falco-modern-bpf.service
|
||||
Conflicts=falco-plugin.service
|
||||
@@ -23,7 +24,4 @@ ProtectKernelTunables=true
|
||||
ReadWritePaths=/sys/module/falco
|
||||
RestrictRealtime=true
|
||||
RestrictAddressFamilies=~AF_PACKET
|
||||
StandardOutput=null
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
StandardOutput=null
|
||||
@@ -1,6 +1,7 @@
|
||||
[Unit]
|
||||
Description=Falco: Container Native Runtime Security with modern ebpf
|
||||
Documentation=https://falco.org/docs/
|
||||
PartOf=falco.target
|
||||
Conflicts=falco-kmod.service
|
||||
Conflicts=falco-bpf.service
|
||||
Conflicts=falco-plugin.service
|
||||
@@ -20,7 +21,4 @@ ProtectSystem=full
|
||||
ProtectKernelTunables=true
|
||||
RestrictRealtime=true
|
||||
RestrictAddressFamilies=~AF_PACKET
|
||||
StandardOutput=null
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
StandardOutput=null
|
||||
@@ -1,6 +1,7 @@
|
||||
[Unit]
|
||||
Description=Falco: Container Native Runtime Security with plugin
|
||||
Documentation=https://falco.org/docs/
|
||||
PartOf=falco.target
|
||||
Conflicts=falco-kmod.service
|
||||
Conflicts=falco-bpf.service
|
||||
Conflicts=falco-modern-bpf.service
|
||||
@@ -21,6 +22,3 @@ ProtectKernelTunables=true
|
||||
RestrictRealtime=true
|
||||
RestrictAddressFamilies=~AF_PACKET
|
||||
StandardOutput=null
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
7
scripts/systemd/falco.target
Normal file
7
scripts/systemd/falco.target
Normal file
@@ -0,0 +1,7 @@
|
||||
[Unit]
|
||||
Description=Main Falco target
|
||||
Requires=multi-user.target
|
||||
After=multi-user.target
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -1,6 +1,8 @@
|
||||
[Unit]
|
||||
Description=Falco: Automatic rules update service
|
||||
Documentation=https://falco.org/docs/
|
||||
After=falco.target
|
||||
BindsTo=falco.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
@@ -15,8 +17,7 @@ NoNewPrivileges=yes
|
||||
ProtectSystem=true
|
||||
ProtectKernelTunables=true
|
||||
RestrictRealtime=true
|
||||
#RestrictAddressFamilies=~AF_PACKET
|
||||
#StandardOutput=null
|
||||
StandardOutput=null
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
Reference in New Issue
Block a user