mirror of
https://github.com/falcosecurity/falco.git
synced 2025-09-09 18:49:22 +00:00
Migrate from init to systemd in rpm package
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
This commit is contained in:
JenTing Hsiao
poiana
@@ -4,8 +4,8 @@ if(CPACK_GENERATOR MATCHES "DEB")
|
||||
endif()
|
||||
|
||||
if(CPACK_GENERATOR MATCHES "RPM")
|
||||
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d/")
|
||||
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/etc/rc.d/init.d")
|
||||
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/rpm/falco.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
|
||||
endif()
|
||||
|
||||
if(CPACK_GENERATOR MATCHES "TGZ")
|
||||
|
||||
@@ -46,8 +46,9 @@ set(CPACK_DEBIAN_PACKAGE_CONTROL_EXTRA
|
||||
)
|
||||
|
||||
set(CPACK_RPM_PACKAGE_LICENSE "Apache v2.0")
|
||||
set(CPACK_RPM_PACKAGE_ARCHITECTURE, "amd64")
|
||||
set(CPACK_RPM_PACKAGE_URL "https://www.falco.org")
|
||||
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses")
|
||||
set(CPACK_RPM_PACKAGE_REQUIRES "dkms, kernel-devel, ncurses, systemd")
|
||||
set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postinstall")
|
||||
set(CPACK_RPM_PRE_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/preuninstall")
|
||||
set(CPACK_RPM_POST_UNINSTALL_SCRIPT_FILE "${CMAKE_BINARY_DIR}/scripts/rpm/postuninstall")
|
||||
@@ -59,9 +60,7 @@ set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION
|
||||
/etc
|
||||
/usr
|
||||
/usr/bin
|
||||
/usr/share
|
||||
/etc/rc.d
|
||||
/etc/rc.d/init.d)
|
||||
/usr/share)
|
||||
set(CPACK_RPM_PACKAGE_RELOCATABLE "OFF")
|
||||
|
||||
include(CPack)
|
||||
|
||||
@@ -26,7 +26,7 @@ configure_file(rpm/postinstall.in rpm/postinstall)
|
||||
configure_file(rpm/postuninstall.in rpm/postuninstall)
|
||||
configure_file(rpm/preuninstall.in rpm/preuninstall)
|
||||
|
||||
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco"
|
||||
file(COPY "${PROJECT_SOURCE_DIR}/scripts/rpm/falco.service"
|
||||
DESTINATION "${PROJECT_BINARY_DIR}/scripts/rpm")
|
||||
|
||||
configure_file(falco-driver-loader falco-driver-loader @ONLY)
|
||||
|
||||
@@ -1,127 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
#
|
||||
# falco syscall monitoring agent
|
||||
#
|
||||
# chkconfig: 2345 55 45
|
||||
# description: Falco syscall monitoring agent
|
||||
#
|
||||
|
||||
### BEGIN INIT INFO
|
||||
# Provides:
|
||||
# Required-Start:
|
||||
# Required-Stop:
|
||||
# Should-Start:
|
||||
# Should-Stop:
|
||||
# Default-Start:
|
||||
# Default-Stop:
|
||||
# Short-Description:
|
||||
# Description:
|
||||
### END INIT INFO
|
||||
|
||||
# Source function library.
|
||||
. /etc/rc.d/init.d/functions
|
||||
|
||||
exec="/usr/bin/falco"
|
||||
prog="falco"
|
||||
# config="<path to major config file>"
|
||||
|
||||
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
|
||||
|
||||
lockfile=/var/lock/subsys/$prog
|
||||
pidfile="/var/run/falco.pid"
|
||||
|
||||
start() {
|
||||
[ -x $exec ] || exit 5
|
||||
# [ -f $config ] || exit 6
|
||||
echo -n $"Starting $prog: "
|
||||
daemon $exec --daemon --pidfile=$pidfile
|
||||
if [ ! -d /sys/module/falco ]; then
|
||||
/sbin/modprobe falco || return $?
|
||||
fi
|
||||
retval=$?
|
||||
echo
|
||||
[ $retval -eq 0 ] && touch $lockfile
|
||||
return $retval
|
||||
}
|
||||
|
||||
stop() {
|
||||
echo -n $"Stopping $prog: "
|
||||
killproc -p $pidfile
|
||||
retval=$?
|
||||
echo
|
||||
/sbin/rmmod falco
|
||||
[ $retval -eq 0 ] && rm -f $lockfile
|
||||
return $retval
|
||||
}
|
||||
|
||||
restart() {
|
||||
stop
|
||||
start
|
||||
}
|
||||
|
||||
reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
force_reload() {
|
||||
restart
|
||||
}
|
||||
|
||||
rh_status() {
|
||||
status -p $pidfile $prog
|
||||
}
|
||||
|
||||
rh_status_q() {
|
||||
rh_status >/dev/null 2>&1
|
||||
}
|
||||
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
rh_status_q && exit 0
|
||||
$1
|
||||
;;
|
||||
stop)
|
||||
rh_status_q || exit 0
|
||||
$1
|
||||
;;
|
||||
restart)
|
||||
$1
|
||||
;;
|
||||
reload)
|
||||
rh_status_q || exit 7
|
||||
$1
|
||||
;;
|
||||
force-reload)
|
||||
force_reload
|
||||
;;
|
||||
status)
|
||||
rh_status
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
rh_status_q || exit 0
|
||||
restart
|
||||
;;
|
||||
*)
|
||||
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
|
||||
exit 2
|
||||
esac
|
||||
exit $?
|
||||
30
scripts/rpm/falco.service
Normal file
30
scripts/rpm/falco.service
Normal file
@@ -0,0 +1,30 @@
|
||||
[Unit]
|
||||
Description=Falco: Container Native Runtime Security
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=root
|
||||
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
|
||||
UMask=0077
|
||||
TimeoutSec=30
|
||||
RestartSec=15s
|
||||
#Restart=always
|
||||
Restart=on-failure
|
||||
PrivateTmp=true
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=true
|
||||
ProtectHome=read-only
|
||||
ProtectSystem=full
|
||||
ProtectKernelTunables=true
|
||||
RestrictRealtime=true
|
||||
#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictAddressFamilies=~AF_PACKET
|
||||
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @privileged
|
||||
# FIXME!
|
||||
# PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
|
||||
# https://www.freelists.org/post/luajit/luajit-crashes-with-grsec-kernel,1
|
||||
# MemoryDenyWriteExecute=true
|
||||
# PrivateMounts=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -29,5 +29,3 @@ else
|
||||
echo -e "Module build for the currently running kernel was skipped since the"
|
||||
echo -e "kernel source for this kernel does not seem to be installed."
|
||||
fi
|
||||
|
||||
/sbin/chkconfig --add falco
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
# Copyright (C) 2020 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
@@ -14,7 +14,3 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
if [ "$1" -ge "1" ]; then
|
||||
/sbin/service falco condrestart > /dev/null 2>&1
|
||||
fi
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
#
|
||||
# Copyright (C) 2019 The Falco Authors.
|
||||
# Copyright (C) 2020 The Falco Authors.
|
||||
#
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
@@ -15,10 +15,5 @@
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
if [ $1 = 0 ]; then
|
||||
/sbin/service falco stop > /dev/null 2>&1
|
||||
/sbin/chkconfig --del falco
|
||||
fi
|
||||
|
||||
mod_version="@PROBE_VERSION@"
|
||||
dkms remove -m falco -v $mod_version --all --rpm_safe_upgrade
|
||||
|
||||
Reference in New Issue
Block a user