new(scripts): add a falco.target that consists of falco-X.service units.
falcoctl will then run and bind to falco.target. Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
parent
394d495040
commit
2591ed4d68
@ -1,6 +1,7 @@
|
|||||||
if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
|
if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
|
||||||
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||||
list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||||
|
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||||
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||||
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||||
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||||
|
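Review bot: The added `cp scripts/systemd/falco.target ...` entry uses a path relative to whatever directory CPack runs these commands in, like the neighbouring entries, and nothing here records where that file comes from. It appears to rely on the `file(COPY ".../scripts/systemd/falco.target" DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")` call added elsewhere in this commit having run at configure time. A one-line comment above the list, such as `# unit files are staged into <build>/scripts/systemd by file(COPY) at configure time`, would make that coupling explicit. The `if(...)` block continues outside this hunk.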
@ -16,6 +16,8 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Systemd
|
# Systemd
|
||||||
|
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco.target"
|
||||||
|
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
|
||||||
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
|
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
|
||||||
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
|
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
|
||||||
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
|
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
|
||||||
|
@ -24,11 +24,7 @@ set -e
|
|||||||
case "$1" in
|
case "$1" in
|
||||||
remove|upgrade|deconfigure)
|
remove|upgrade|deconfigure)
|
||||||
echo "[PRE-REMOVE] Stop all Falco services:"
|
echo "[PRE-REMOVE] Stop all Falco services:"
|
||||||
systemctl --system stop 'falco-kmod.service' || true
|
systemctl --system stop 'falco.target' || true
|
||||||
systemctl --system stop 'falco-bpf.service' || true
|
|
||||||
systemctl --system stop 'falco-modern-bpf.service' || true
|
|
||||||
systemctl --system stop 'falco-plugin.service' || true
|
|
||||||
systemctl --system stop 'falcoctl.service' || true
|
|
||||||
|
|
||||||
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
|
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
|
||||||
falco-driver-loader --clean
|
falco-driver-loader --clean
|
||||||
|
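Review bot: With the five explicit stops collapsed into `systemctl --system stop 'falco.target' || true`, stopping the Falco services and falcoctl before `falco-driver-loader --clean` now depends entirely on each unit declaring `PartOf=falco.target` or `BindsTo=falco.target`, and the script does not say so. Because of `|| true`, a host where the target is missing or the stop fails still proceeds silently to the driver cleanup. I would add a comment above the stop, e.g. `# falco.target propagates stop to falco-*.service (PartOf=) and falcoctl.service (BindsTo=)`, and consider printing a warning when the stop returns non-zero. The same applies to the identical hunk in the second pre-remove script; the `case` block here continues outside the hunk.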
@ -18,11 +18,7 @@ set -e
|
|||||||
|
|
||||||
# Currently running falco service uses the driver, so stop it before driver cleanup
|
# Currently running falco service uses the driver, so stop it before driver cleanup
|
||||||
echo "[PRE-REMOVE] Stop all Falco services:"
|
echo "[PRE-REMOVE] Stop all Falco services:"
|
||||||
systemctl --system stop 'falco-kmod.service' || true
|
systemctl --system stop 'falco.target' || true
|
||||||
systemctl --system stop 'falco-bpf.service' || true
|
|
||||||
systemctl --system stop 'falco-modern-bpf.service' || true
|
|
||||||
systemctl --system stop 'falco-plugin.service' || true
|
|
||||||
systemctl --system stop 'falcoctl.service' || true
|
|
||||||
|
|
||||||
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
|
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
|
||||||
falco-driver-loader --clean
|
falco-driver-loader --clean
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Falco: Container Native Runtime Security with ebpf
|
Description=Falco: Container Native Runtime Security with ebpf
|
||||||
Documentation=https://falco.org/docs/
|
Documentation=https://falco.org/docs/
|
||||||
|
PartOf=falco.target
|
||||||
Conflicts=falco-kmod.service
|
Conflicts=falco-kmod.service
|
||||||
Conflicts=falco-modern-bpf.service
|
Conflicts=falco-modern-bpf.service
|
||||||
Conflicts=falco-plugin.service
|
Conflicts=falco-plugin.service
|
||||||
@ -22,6 +23,3 @@ ProtectKernelTunables=true
|
|||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
RestrictAddressFamilies=~AF_PACKET
|
RestrictAddressFamilies=~AF_PACKET
|
||||||
StandardOutput=null
|
StandardOutput=null
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
|
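Review bot: Dropping `[Install]` / `WantedBy=multi-user.target` from this unit while adding only `PartOf=falco.target` leaves nothing on this page that starts the service at boot: `PartOf=` propagates stop and restart from the target, not start, and the new falco.target lists no `Wants=` or `Requires=` for any falco-*.service. Unless a post-install step outside this commit page creates that link, the sensor would not come back after a reboot, and `systemctl enable` on the unit would find no install information. Keeping an install section that points at the target, `[Install]` followed by `WantedBy=falco.target`, would preserve enable-at-boot. The same change is made in the kmod, modern-bpf and plugin units.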
@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with kmod
|
|||||||
Documentation=https://falco.org/docs/
|
Documentation=https://falco.org/docs/
|
||||||
After=falco-kmod-inject.service
|
After=falco-kmod-inject.service
|
||||||
Requires=falco-kmod-inject.service
|
Requires=falco-kmod-inject.service
|
||||||
|
PartOf=falco.target
|
||||||
Conflicts=falco-bpf.service
|
Conflicts=falco-bpf.service
|
||||||
Conflicts=falco-modern-bpf.service
|
Conflicts=falco-modern-bpf.service
|
||||||
Conflicts=falco-plugin.service
|
Conflicts=falco-plugin.service
|
||||||
@ -24,6 +25,3 @@ ReadWritePaths=/sys/module/falco
|
|||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
RestrictAddressFamilies=~AF_PACKET
|
RestrictAddressFamilies=~AF_PACKET
|
||||||
StandardOutput=null
|
StandardOutput=null
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Falco: Container Native Runtime Security with modern ebpf
|
Description=Falco: Container Native Runtime Security with modern ebpf
|
||||||
Documentation=https://falco.org/docs/
|
Documentation=https://falco.org/docs/
|
||||||
|
PartOf=falco.target
|
||||||
Conflicts=falco-kmod.service
|
Conflicts=falco-kmod.service
|
||||||
Conflicts=falco-bpf.service
|
Conflicts=falco-bpf.service
|
||||||
Conflicts=falco-plugin.service
|
Conflicts=falco-plugin.service
|
||||||
@ -21,6 +22,3 @@ ProtectKernelTunables=true
|
|||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
RestrictAddressFamilies=~AF_PACKET
|
RestrictAddressFamilies=~AF_PACKET
|
||||||
StandardOutput=null
|
StandardOutput=null
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Falco: Container Native Runtime Security with plugin
|
Description=Falco: Container Native Runtime Security with plugin
|
||||||
Documentation=https://falco.org/docs/
|
Documentation=https://falco.org/docs/
|
||||||
|
PartOf=falco.target
|
||||||
Conflicts=falco-kmod.service
|
Conflicts=falco-kmod.service
|
||||||
Conflicts=falco-bpf.service
|
Conflicts=falco-bpf.service
|
||||||
Conflicts=falco-modern-bpf.service
|
Conflicts=falco-modern-bpf.service
|
||||||
@ -21,6 +22,3 @@ ProtectKernelTunables=true
|
|||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
RestrictAddressFamilies=~AF_PACKET
|
RestrictAddressFamilies=~AF_PACKET
|
||||||
StandardOutput=null
|
StandardOutput=null
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
|
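--- a/scripts/systemd/falco.target
+++ b/scripts/systemd/falco.target
@@ -0,0 +1,7 @@
+[Unit]
+Description=Main Falco target
+Requires=multi-user.target
+After=multi-user.target
+
+[Install]
+WantedBy=multi-user.target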
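Review bot: `Requires=multi-user.target` combined with `WantedBy=multi-user.target` makes the two targets pull each other in, and the file has no comment saying which direction is meant. `Requires=` also means falco.target is stopped whenever multi-user.target is explicitly stopped, which may or may not be intended. The target declares no `Wants=` for any Falco service either, so its membership rests entirely on what the service units declare. A short header comment stating that the target exists to group falco-*.service for stop/restart propagation, and why `Requires=` is used and not `After=` alone, would help the next maintainer.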
@ -1,6 +1,8 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Falco: Automatic rules update service
|
Description=Falco: Automatic rules update service
|
||||||
Documentation=https://falco.org/docs/
|
Documentation=https://falco.org/docs/
|
||||||
|
After=falco.target
|
||||||
|
BindsTo=falco.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
@ -15,8 +17,7 @@ NoNewPrivileges=yes
|
|||||||
ProtectSystem=true
|
ProtectSystem=true
|
||||||
ProtectKernelTunables=true
|
ProtectKernelTunables=true
|
||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
#RestrictAddressFamilies=~AF_PACKET
|
StandardOutput=null
|
||||||
#StandardOutput=null
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
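Review bot: The second hunk turns the commented `#StandardOutput=null` into an active `StandardOutput=null`, so falcoctl's stdout is discarded; with systemd's default `StandardError=inherit`, stderr follows it unless the manager default has been changed. For the unit that fetches rule updates, a failed download or verification would then leave no trace in the journal, assuming falcoctl does not log elsewhere. I would either leave stdout on the journal or add `StandardError=journal` next to it. Separately, `BindsTo=falco.target` together with the retained `WantedBy=multi-user.target` deserves a comment on which of the two is expected to start the unit.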