github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-07-03 01:46:38 +00:00
Code Issues Projects Releases Wiki Activity

Migrate from init to systemd in debian package

Browse Source 
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
This commit is contained in:
JenTing Hsiao 2020-10-19 09:22:44 +08:00 committed by poiana
parent 3ba62a4031
commit 39bb5c28c7
8 changed files with 35 additions and 205 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmake/cpack/CMakeCPackOptions.cmake
View File

@ -1,6 +1,6 @@
if(CPACK_GENERATOR MATCHES "DEB") if(CPACK_GENERATOR MATCHES "DEB")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d/") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/init.d") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/debian/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
endif() endif()
if(CPACK_GENERATOR MATCHES "RPM") if(CPACK_GENERATOR MATCHES "RPM")

2
scripts/CMakeLists.txt
View File

@ -19,7 +19,7 @@ configure_file(debian/postinst.in debian/postinst)
configure_file(debian/postrm.in debian/postrm) configure_file(debian/postrm.in debian/postrm)
configure_file(debian/prerm.in debian/prerm) configure_file(debian/prerm.in debian/prerm)
file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco" file(COPY "${PROJECT_SOURCE_DIR}/scripts/debian/falco.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian") DESTINATION "${PROJECT_BINARY_DIR}/scripts/debian")
configure_file(rpm/postinstall.in rpm/postinstall) configure_file(rpm/postinstall.in rpm/postinstall)

176
scripts/debian/falco
View File

@ -1,176 +0,0 @@
#! /bin/sh
#
# Copyright (C) 2020 The Falco Authors.
#
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
### BEGIN INIT INFO
# Provides: falco
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Falco syscall activity monitoring agent
# Description: Falco is a system activity monitoring agent
# driven by system calls with support for containers.
### END INIT INFO
# Author: The Falco Authors <cncf-falco-dev@lists.cncf.io>
# Do NOT "set -e"
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="Falco"
NAME=falco
DAEMON=/usr/bin/$NAME
PIDFILE=/var/run/$NAME.pid
DAEMON_ARGS="--daemon --pidfile=$PIDFILE"
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
if [ ! -d /sys/module/falco ]; then
/sbin/modprobe falco || exit 1
fi
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
/sbin/rmmod falco
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:

29
scripts/debian/falco.service Normal file
View File

@ -0,0 +1,29 @@
[Unit]
Description=Falco: Container Native Runtime Security
[Service]
Type=simple
User=root
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
UMask=0077
TimeoutSec=30
RestartSec=15s
#Restart=always
Restart=on-failure
NoNewPrivileges=yes
PrivateTmp=true
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictAddressFamilies=~AF_PACKET
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged
# FIXME!
# PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
# https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1
# MemoryDenyWriteExecute=true
# PrivateMounts=true
[Install]
WantedBy=multi-user.target

7
scripts/debian/postinst.in
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (C) 2019 The Falco Authors. # Copyright (C) 2020 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -41,8 +41,3 @@ case "$1" in
fi fi
;; ;;
esac esac
if [ -x "/etc/init.d/$NAME" ]; then
update-rc.d $NAME defaults >/dev/null
fi

9
scripts/debian/postrm.in
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (C) 2019 The Falco Authors. # Copyright (C) 2020 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -15,10 +15,3 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
# #
set -e
NAME=falco
if [ "$1" = "purge" ] ; then
update-rc.d $NAME remove >/dev/null
fi

12
scripts/debian/prerm.in
View File

@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (C) 2019 The Falco Authors. # Copyright (C) 2020 The Falco Authors.
# #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); # Licensed under the Apache License, Version 2.0 (the "License");
@ -17,16 +17,6 @@
# #
set -e set -e
NAME="@PACKAGE_NAME@"
if [ -x "/etc/init.d/$NAME" ]; then
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d $NAME stop || exit $?
else
/etc/init.d/$NAME stop || exit $?
fi
fi
DKMS_PACKAGE_NAME="@PACKAGE_NAME@" DKMS_PACKAGE_NAME="@PACKAGE_NAME@"
DKMS_VERSION="@PROBE_VERSION@" DKMS_VERSION="@PROBE_VERSION@"

1
scripts/rpm/falco.service
View File

@ -10,7 +10,6 @@ TimeoutSec=30
RestartSec=15s RestartSec=15s
#Restart=always #Restart=always
Restart=on-failure Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=true PrivateTmp=true
ProtectHome=read-only ProtectHome=read-only