diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index ef2a556a..9c530b90 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,6 +1,5 @@
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
diff --git a/scripts/debian/postinst.in b/scripts/debian/postinst.in
index 99d7c1be..36451ecb 100755
--- a/scripts/debian/postinst.in
+++ b/scripts/debian/postinst.in
@@ -17,7 +17,21 @@
 #
 chosen_driver=
-enable_falcoctl=0
+
+echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
+systemctl --system stop 'falco-kmod.service' || true
+systemctl --system stop 'falco-bpf.service' || true
+systemctl --system stop 'falco-modern-bpf.service' || true
+systemctl --system stop 'falco-plugin.service' || true
+systemctl --system stop 'falcoctl-artifact-follow.service' || true
+systemctl --system disable 'falco-kmod.service' || true
+systemctl --system disable 'falco-bpf.service' || true
+systemctl --system disable 'falco-modern-bpf.service' || true
+systemctl --system disable 'falco-plugin.service' || true
+systemctl --system disable 'falcoctl-artifact-follow.service' || true
+
+# unmask falcoctl if it was masked
+systemctl --system unmask falcoctl-artifact-follow.service || true
 if [ "$1" = "configure" ]; then
 if [ -x /usr/bin/dialog ]; then
@@ -49,8 +63,9 @@ if [ "$1" = "configure" ]; then
 2 "No" \
 2>&1 >/dev/tty)
 case $CHOICE in
- 1)
- enable_falcoctl=1
+ 2)
+ # we don't want falcoctl enabled by defualt, we mask it
+ systemctl --system mask falcoctl-artifact-follow.service || true
 ;;
 esac
 fi
@@ -60,6 +75,9 @@ fi
 set -e
+echo "[POST-INSTALL] Trigger deamon-reload:"
+systemctl --system daemon-reload || true
+
 # If needed, try to load/compile the driver through falco-driver-loader
 case "$chosen_driver" in
 "kmod")
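Review bot: The stop/disable block added at the top of the hunk at -17 runs on every postinst invocation, including upgrades and the abort-upgrade/abort-deconfigure/abort-remove cases, while the only re-enable left (the hunk at -74 on the next line) requires `chosen_driver` to be non-empty; that variable is assigned outside these hunks, and if it is only populated by the interactive dialog, a non-interactive or aborted upgrade leaves the runtime-security service stopped and disabled with no log line saying so. The old condrestart path preserved whatever the administrator had enabled; one way to keep that is to remember the enabled unit before the disable loop, `for u in kmod bpf modern-bpf plugin; do systemctl --system is-enabled -q "falco-$u.service" && prev_driver=$u; done`, and use it when `chosen_driver` is empty. The unconditional `unmask falcoctl-artifact-follow.service` in the same block undoes an earlier "No" answer on every upgrade, and because the falco units now carry `Wants=falcoctl-artifact-follow.service`, the automatic artifact updater comes back unless the dialog is shown and answered again; the hunks at -16 and -48 in scripts/rpm/postinstall.in have the same shape. The new comment in the hunk at -49 misspells `defualt`.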
@@ -74,32 +92,10 @@ esac
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
 if [ -n "$chosen_driver" ]; then
+ # we do this in 2 steps because `enable --now` is not always supported
 echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
 systemctl --system enable "falco-$chosen_driver.service" || true
 echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
- systemctl --system start "falco-$chosen_driver.service" || true
- if [ $enable_falcoctl -eq 1 ]; then
- echo "[POST-INSTALL] Enable 'falcoctl-artifact-follow.service':"
- systemctl --system enable "falcoctl-artifact-follow.service" || true
- echo "[POST-INSTALL] Start 'falcoctl-artifact-follow.service':"
- systemctl --system start "falcoctl-artifact-follow.service" || true
- fi
+ systemctl --system start "falco-$chosen_driver.service" || true
 fi
 fi
-
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
- if [ -d /run/systemd/system ]; then
- echo "[POST-INSTALL] Trigger deamon-reload:"
- systemctl --system daemon-reload || true
- if [ -n "$chosen_driver" ]; then
- echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
- # restart falco on upgrade if service is already running
- systemctl --system condrestart "falco-$chosen_driver.service" || true
- if [ $enable_falcoctl -eq 1 ]; then
- echo "[POST-INSTALL] Trigger 'falcoctl-artifact-follow.service' condrestart:"
- # restart falcoctl-artifact-follow on upgrade if service is already running
- systemctl --system condrestart "falcoctl-artifact-follow.service" || true
- fi
- fi
- fi
-fi
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
index 5bceda37..855a6a96 100755
--- a/scripts/debian/prerm.in
+++ b/scripts/debian/prerm.in
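Review bot: The block removed at the bottom of this hunk was the only place visible in these hunks that checked `[ -d /run/systemd/system ]` before talking to systemd; the daemon-reload that lived inside it is re-added unconditionally in the hunk at -60, so together with the new stop/disable block every systemctl call now runs even in chroots, container image builds and non-systemd inits, with the failures hidden by `|| true` and the `[POST-INSTALL]` echo lines announcing actions that did not happen. Keeping the guard around the systemd interaction, e.g. `if [ -d /run/systemd/system ]; then` before the enable/start pair in this hunk and around the daemon-reload, preserves the previous intent and keeps the log honest. The same guard was dropped from scripts/rpm/postinstall.in in its hunk at -80.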
@@ -24,7 +24,11 @@
 set -e
 case "$1" in
 remove|upgrade|deconfigure)
 echo "[PRE-REMOVE] Stop all Falco services:"
- systemctl --system stop 'falco.target' || true
+ systemctl --system stop 'falco-kmod.service' || true
+ systemctl --system stop 'falco-bpf.service' || true
+ systemctl --system stop 'falco-modern-bpf.service' || true
+ systemctl --system stop 'falco-plugin.service' || true
+ systemctl --system stop 'falcoctl-artifact-follow.service' || true
 echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
 falco-driver-loader --clean
diff --git a/scripts/rpm/postinstall.in b/scripts/rpm/postinstall.in
index 0bbecae8..490820b3 100755
--- a/scripts/rpm/postinstall.in
+++ b/scripts/rpm/postinstall.in
@@ -16,7 +16,21 @@
 #
 chosen_driver=
-enable_falcoctl=0
+
+echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
+systemctl --system stop 'falco-kmod.service' || true
+systemctl --system stop 'falco-bpf.service' || true
+systemctl --system stop 'falco-modern-bpf.service' || true
+systemctl --system stop 'falco-plugin.service' || true
+systemctl --system stop 'falcoctl-artifact-follow.service' || true
+systemctl --system disable 'falco-kmod.service' || true
+systemctl --system disable 'falco-bpf.service' || true
+systemctl --system disable 'falco-modern-bpf.service' || true
+systemctl --system disable 'falco-plugin.service' || true
+systemctl --system disable 'falcoctl-artifact-follow.service' || true
+
+# unmask falcoctl if it was masked
+systemctl --system unmask falcoctl-artifact-follow.service || true
 if [ $1 -eq 1 ]; then
 if [ -x /usr/bin/dialog ]; then
@@ -48,8 +62,9 @@ if [ $1 -eq 1 ]; then
 2 "No" \
 2>&1 >/dev/tty)
 case $CHOICE in
- 1)
- enable_falcoctl=1
+ 2)
+ # we don't want falcoctl enabled by defualt, we mask it
+ systemctl --system mask falcoctl-artifact-follow.service || true
 ;;
 esac
 fi
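Review bot: The five explicit `systemctl stop` lines in the prerm hunk at -24 duplicate a unit list that now also appears in scripts/debian/postinst.in, scripts/rpm/postinstall.in and scripts/rpm/preuninstall.in, so adding a future unit means touching four scripts, and a unit forgotten here can still hold the driver when `falco-driver-loader --clean` runs on the next line. A loop over one list reads better and makes the set obvious: `for unit in falco-kmod falco-bpf falco-modern-bpf falco-plugin falcoctl-artifact-follow; do systemctl --system stop "$unit.service" || true; done`. This case also matches `upgrade`, so during a package upgrade Falco is stopped here and is only brought back by the new postinst when `chosen_driver` is set.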
@@ -59,6 +74,9 @@ fi
 set -e
+echo "[POST-INSTALL] Trigger deamon-reload:"
+systemctl --system daemon-reload || true
+
 # If needed, try to load/compile the driver through falco-driver-loader
 case "$chosen_driver" in
 "kmod")
@@ -80,36 +98,12 @@ esac
 # `systemd-update-helper install-system-units `
 %systemd_post "falco-$chosen_driver.service"
-# post install mirrored from .deb
-if [ $1 -eq 1 ]; then
+# post install/upgrade mirrored from .deb
+if [ $1 -ge 1 ]; then
 if [ -n "$chosen_driver" ]; then
 echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
 systemctl --system enable "falco-$chosen_driver.service" || true
 echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
 systemctl --system start "falco-$chosen_driver.service" || true
- if [ $enable_falcoctl -eq 1 ]; then
- echo "[POST-INSTALL] Enable 'falcoctl-artifact-follow.service':"
- systemctl --system enable "falcoctl-artifact-follow.service" || true
- echo "[POST-INSTALL] Start 'falcoctl-artifact-follow.service':"
- systemctl --system start "falcoctl-artifact-follow.service" || true
- fi
 fi
 fi
-
-# post upgrade mirrored from .deb
-if [ $1 -gt 1 ]; then
- if [ -d /run/systemd/system ]; then
- echo "[POST-INSTALL] Trigger deamon-reload:"
- systemctl --system daemon-reload || true
- if [ -n "$chosen_driver" ]; then
- echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
- # restart falco on upgrade if service is already running
- systemctl --system condrestart "falco-$chosen_driver.service" || true
- if [ $enable_falcoctl -eq 1 ]; then
- echo "[POST-INSTALL] Trigger 'falcoctl-artifact-follow.service' condrestart:"
- # restart falcoctl-artifact-follow on upgrade if service is already running
- systemctl --system condrestart "falcoctl-artifact-follow.service" || true
- fi
- fi
- fi
-fi
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index 291e62e1..0d34074e 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
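Review bot: In the hunk at -80, `if [ $1 -ge 1 ]` is true for every %post invocation (rpm passes 1 on install and 2 on upgrade), so the condition no longer selects anything; either drop it or write `if [ "$1" -ge 1 ]; then  # intentionally both install and upgrade` so the next reader does not look for the case it excludes. On upgrade (`$1` = 2) the dialog block guarded by `[ $1 -eq 1 ]` does not run; if `chosen_driver` is only assigned there (its assignment is outside these hunks), the stop/disable block at the top of %post leaves every falco unit disabled, nothing re-enables it, and `%systemd_post "falco-$chosen_driver.service"` expands to `falco-.service`. Replacing the old `condrestart` path with an unconditional enable/start also means an upgrade now starts Falco on hosts where an administrator had deliberately stopped it, which is a behaviour change worth a line in the commit message.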
@@ -18,7 +18,11 @@
 set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 echo "[PRE-REMOVE] Stop all Falco services:"
-systemctl --system stop 'falco.target' || true
+systemctl --system stop 'falco-kmod.service' || true
+systemctl --system stop 'falco-bpf.service' || true
+systemctl --system stop 'falco-modern-bpf.service' || true
+systemctl --system stop 'falco-plugin.service' || true
+systemctl --system stop 'falcoctl-artifact-follow.service' || true
 echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
 falco-driver-loader --clean
@@ -34,4 +38,4 @@ falco-driver-loader --clean
 %systemd_preun 'falco-bpf.service'
 %systemd_preun 'falco-modern-bpf.service'
 %systemd_preun 'falco-plugin.service'
-%systemd_preun 'falcoctl-artifact-follow.service'
\ No newline at end of file
+%systemd_preun 'falcoctl-artifact-follow.service'
diff --git a/scripts/systemd/falco-bpf.service b/scripts/systemd/falco-bpf.service
index cce39071..51ac8b6b 100644
--- a/scripts/systemd/falco-bpf.service
+++ b/scripts/systemd/falco-bpf.service
@@ -1,7 +1,8 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
-PartOf=falco.target
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service
 Conflicts=falco-kmod.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -25,4 +26,4 @@ RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/scripts/systemd/falco-kmod.service b/scripts/systemd/falco-kmod.service
index 6f084b30..fa5f37ce 100644
--- a/scripts/systemd/falco-kmod.service
+++ b/scripts/systemd/falco-kmod.service
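Review bot: In the falco-bpf.service hunk at -1, `Wants=falcoctl-artifact-follow.service` makes every start of a falco unit pull in the artifact update service, and the only opt-out that remains is the `systemctl mask` performed by the package scripts; that implicit contract deserves a comment in the unit, e.g. `# falcoctl-artifact-follow is pulled in on start; mask that unit to opt out`. Because the falcoctl unit now declares `PartOf=` all four falco units, switching drivers (this unit `Conflicts=` falco-kmod.service) propagates a stop to falcoctl from the unit being torn down while the new unit's `Wants=` queues a start in the same transaction; I would verify on a host that falcoctl is running after such a switch rather than left stopped, and document the expected outcome. The same two lines are added to falco-kmod, falco-modern-bpf and falco-plugin in the following hunks.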
@@ -3,7 +3,8 @@ Description=Falco: Container Native Runtime Security with kmod
 Documentation=https://falco.org/docs/
 After=falco-kmod-inject.service
 Requires=falco-kmod-inject.service
-PartOf=falco.target
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service
 Conflicts=falco-bpf.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -27,4 +28,4 @@ RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/scripts/systemd/falco-modern-bpf.service b/scripts/systemd/falco-modern-bpf.service
index e370a504..05813835 100644
--- a/scripts/systemd/falco-modern-bpf.service
+++ b/scripts/systemd/falco-modern-bpf.service
@@ -1,7 +1,8 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with modern ebpf
 Documentation=https://falco.org/docs/
-PartOf=falco.target
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service
 Conflicts=falco-kmod.service
 Conflicts=falco-bpf.service
 Conflicts=falco-plugin.service
@@ -24,4 +25,4 @@ RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/scripts/systemd/falco-plugin.service b/scripts/systemd/falco-plugin.service
index 60b6dcbf..56e4c83e 100644
--- a/scripts/systemd/falco-plugin.service
+++ b/scripts/systemd/falco-plugin.service
@@ -1,7 +1,8 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with plugin
 Documentation=https://falco.org/docs/
-PartOf=falco.target
+Before=falcoctl-artifact-follow.service
+Wants=falcoctl-artifact-follow.service
 Conflicts=falco-kmod.service
 Conflicts=falco-bpf.service
 Conflicts=falco-modern-bpf.service
@@ -24,4 +25,4 @@ RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
 [Install]
-WantedBy=multi-user.target
\ No newline at end of file
+WantedBy=multi-user.target
diff --git a/scripts/systemd/falco.target b/scripts/systemd/falco.target
deleted file mode 100644
index df13a9e4..00000000
--- a/scripts/systemd/falco.target
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-Description=Main Falco target
-Requires=multi-user.target
-After=multi-user.target
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
diff --git a/scripts/systemd/falcoctl-artifact-follow.service b/scripts/systemd/falcoctl-artifact-follow.service
index 6fcabf5c..04538b25 100644
--- a/scripts/systemd/falcoctl-artifact-follow.service
+++ b/scripts/systemd/falcoctl-artifact-follow.service
@@ -1,9 +1,7 @@
 [Unit]
 Description=Falcoctl Artifact Follow: automatic artifacts update service
 Documentation=https://falco.org/docs/
-After=falco.target
-BindsTo=falco.target
-DefaultDependencies=no
+PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-plugin.service
 [Service]
 Type=simple
@@ -18,7 +16,6 @@ NoNewPrivileges=yes
 ProtectSystem=true
 ProtectKernelTunables=true
 RestrictRealtime=true
-StandardOutput=null
 [Install]
 WantedBy=multi-user.target
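Review bot: With `BindsTo=falco.target` and `DefaultDependencies=no` gone, the new `PartOf=` line in the falcoctl-artifact-follow.service hunk at -1 only propagates stop and restart from the four falco units; the unit is started solely through their `Wants=`, yet the retained `[Install] WantedBy=multi-user.target` still lets a plain `systemctl enable falcoctl-artifact-follow.service` start it at boot with no falco unit running. A comment above `PartOf=`, e.g. `# Started via Wants= from the falco-*.service units; PartOf= propagates their stop/restart`, would keep the next editor from re-adding an explicit enable in the package scripts. Dropping `StandardOutput=null` in the hunk at -18 is a welcome change, since the updater's output now reaches the journal where it can be reviewed.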