github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-08-09 10:07:57 +00:00
Code Issues Projects Releases Wiki Activity

scripts: remove falco.target and use require falcoctl with Wants=

Browse Source 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
This commit is contained in:
Andrea Terzolo 2023-01-23 11:27:47 +01:00 committed by poiana
parent 9b7ab105d8
commit 7ed5f39da0
11 changed files with 70 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmake/cpack/CMakeCPackOptions.cmake
View File

@ -1,6 +1,5 @@
if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM") if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")

48
scripts/debian/postinst.in
View File

@ -17,7 +17,21 @@
# #
chosen_driver= chosen_driver=
enable_falcoctl=0
echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-plugin.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-plugin.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true
# unmask falcoctl if it was masked
systemctl --system unmask falcoctl-artifact-follow.service || true
if [ "$1" = "configure" ]; then if [ "$1" = "configure" ]; then
if [ -x /usr/bin/dialog ]; then if [ -x /usr/bin/dialog ]; then
@ -49,8 +63,9 @@ if [ "$1" = "configure" ]; then
2 "No" \ 2 "No" \
2>&1 >/dev/tty) 2>&1 >/dev/tty)
case $CHOICE in case $CHOICE in
1) 2)
enable_falcoctl=1 # we don't want falcoctl enabled by defualt, we mask it
systemctl --system mask falcoctl-artifact-follow.service || true
;; ;;
esac esac
fi fi
@ -60,6 +75,9 @@ fi
set -e set -e
echo "[POST-INSTALL] Trigger deamon-reload:"
systemctl --system daemon-reload || true
# If needed, try to load/compile the driver through falco-driver-loader # If needed, try to load/compile the driver through falco-driver-loader
case "$chosen_driver" in case "$chosen_driver" in
"kmod") "kmod")
@ -74,32 +92,10 @@ esac
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
if [ -n "$chosen_driver" ]; then if [ -n "$chosen_driver" ]; then
# we do this in 2 steps because `enable --now` is not always supported
echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':" echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
systemctl --system enable "falco-$chosen_driver.service" || true systemctl --system enable "falco-$chosen_driver.service" || true
echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':" echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
systemctl --system start "falco-$chosen_driver.service" || true systemctl --system start "falco-$chosen_driver.service" || true
if [ $enable_falcoctl -eq 1 ]; then
echo "[POST-INSTALL] Enable 'falcoctl-artifact-follow.service':"
systemctl --system enable "falcoctl-artifact-follow.service" || true
echo "[POST-INSTALL] Start 'falcoctl-artifact-follow.service':"
systemctl --system start "falcoctl-artifact-follow.service" || true
fi
fi
fi
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
if [ -d /run/systemd/system ]; then
echo "[POST-INSTALL] Trigger deamon-reload:"
systemctl --system daemon-reload || true
if [ -n "$chosen_driver" ]; then
echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
# restart falco on upgrade if service is already running
systemctl --system condrestart "falco-$chosen_driver.service" || true
if [ $enable_falcoctl -eq 1 ]; then
echo "[POST-INSTALL] Trigger 'falcoctl-artifact-follow.service' condrestart:"
# restart falcoctl-artifact-follow on upgrade if service is already running
systemctl --system condrestart "falcoctl-artifact-follow.service" || true
fi
fi
fi fi
fi fi

6
scripts/debian/prerm.in
View File

@ -24,7 +24,11 @@ set -e
case "$1" in case "$1" in
remove|upgrade|deconfigure) remove|upgrade|deconfigure)
echo "[PRE-REMOVE] Stop all Falco services:" echo "[PRE-REMOVE] Stop all Falco services:"
systemctl --system stop 'falco.target' || true systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-plugin.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'" echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
falco-driver-loader --clean falco-driver-loader --clean

52
scripts/rpm/postinstall.in
View File

@ -16,7 +16,21 @@
# #
chosen_driver= chosen_driver=
enable_falcoctl=0
echo "[POST-INSTALL] Disable all possible enabled 'falco' service:"
systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-plugin.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
systemctl --system disable 'falco-modern-bpf.service' || true
systemctl --system disable 'falco-plugin.service' || true
systemctl --system disable 'falcoctl-artifact-follow.service' || true
# unmask falcoctl if it was masked
systemctl --system unmask falcoctl-artifact-follow.service || true
if [ $1 -eq 1 ]; then if [ $1 -eq 1 ]; then
if [ -x /usr/bin/dialog ]; then if [ -x /usr/bin/dialog ]; then
@ -48,8 +62,9 @@ if [ $1 -eq 1 ]; then
2 "No" \ 2 "No" \
2>&1 >/dev/tty) 2>&1 >/dev/tty)
case $CHOICE in case $CHOICE in
1) 2)
enable_falcoctl=1 # we don't want falcoctl enabled by defualt, we mask it
systemctl --system mask falcoctl-artifact-follow.service || true
;; ;;
esac esac
fi fi
@ -59,6 +74,9 @@ fi
set -e set -e
echo "[POST-INSTALL] Trigger deamon-reload:"
systemctl --system daemon-reload || true
# If needed, try to load/compile the driver through falco-driver-loader # If needed, try to load/compile the driver through falco-driver-loader
case "$chosen_driver" in case "$chosen_driver" in
"kmod") "kmod")
@ -80,36 +98,12 @@ esac
# `systemd-update-helper install-system-units <service>` # `systemd-update-helper install-system-units <service>`
%systemd_post "falco-$chosen_driver.service" %systemd_post "falco-$chosen_driver.service"
# post install mirrored from .deb # post install/upgrade mirrored from .deb
if [ $1 -eq 1 ]; then if [ $1 -ge 1 ]; then
if [ -n "$chosen_driver" ]; then if [ -n "$chosen_driver" ]; then
echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':" echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
systemctl --system enable "falco-$chosen_driver.service" || true systemctl --system enable "falco-$chosen_driver.service" || true
echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':" echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
systemctl --system start "falco-$chosen_driver.service" || true systemctl --system start "falco-$chosen_driver.service" || true
if [ $enable_falcoctl -eq 1 ]; then
echo "[POST-INSTALL] Enable 'falcoctl-artifact-follow.service':"
systemctl --system enable "falcoctl-artifact-follow.service" || true
echo "[POST-INSTALL] Start 'falcoctl-artifact-follow.service':"
systemctl --system start "falcoctl-artifact-follow.service" || true
fi
fi
fi
# post upgrade mirrored from .deb
if [ $1 -gt 1 ]; then
if [ -d /run/systemd/system ]; then
echo "[POST-INSTALL] Trigger deamon-reload:"
systemctl --system daemon-reload || true
if [ -n "$chosen_driver" ]; then
echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
# restart falco on upgrade if service is already running
systemctl --system condrestart "falco-$chosen_driver.service" || true
if [ $enable_falcoctl -eq 1 ]; then
echo "[POST-INSTALL] Trigger 'falcoctl-artifact-follow.service' condrestart:"
# restart falcoctl-artifact-follow on upgrade if service is already running
systemctl --system condrestart "falcoctl-artifact-follow.service" || true
fi
fi
fi fi
fi fi

6
scripts/rpm/preuninstall.in
View File

@ -18,7 +18,11 @@ set -e
# Currently running falco service uses the driver, so stop it before driver cleanup # Currently running falco service uses the driver, so stop it before driver cleanup
echo "[PRE-REMOVE] Stop all Falco services:" echo "[PRE-REMOVE] Stop all Falco services:"
systemctl --system stop 'falco.target' || true systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-plugin.service' || true
systemctl --system stop 'falcoctl-artifact-follow.service' || true
echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'" echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
falco-driver-loader --clean falco-driver-loader --clean

3
scripts/systemd/falco-bpf.service
View File

@ -1,7 +1,8 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security with ebpf Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
PartOf=falco.target Before=falcoctl-artifact-follow.service
Wants=falcoctl-artifact-follow.service
Conflicts=falco-kmod.service Conflicts=falco-kmod.service
Conflicts=falco-modern-bpf.service Conflicts=falco-modern-bpf.service
Conflicts=falco-plugin.service Conflicts=falco-plugin.service

3
scripts/systemd/falco-kmod.service
View File

@ -3,7 +3,8 @@ Description=Falco: Container Native Runtime Security with kmod
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
After=falco-kmod-inject.service After=falco-kmod-inject.service
Requires=falco-kmod-inject.service Requires=falco-kmod-inject.service
PartOf=falco.target Before=falcoctl-artifact-follow.service
Wants=falcoctl-artifact-follow.service
Conflicts=falco-bpf.service Conflicts=falco-bpf.service
Conflicts=falco-modern-bpf.service Conflicts=falco-modern-bpf.service
Conflicts=falco-plugin.service Conflicts=falco-plugin.service

3
scripts/systemd/falco-modern-bpf.service
View File

@ -1,7 +1,8 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security with modern ebpf Description=Falco: Container Native Runtime Security with modern ebpf
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
PartOf=falco.target Before=falcoctl-artifact-follow.service
Wants=falcoctl-artifact-follow.service
Conflicts=falco-kmod.service Conflicts=falco-kmod.service
Conflicts=falco-bpf.service Conflicts=falco-bpf.service
Conflicts=falco-plugin.service Conflicts=falco-plugin.service

3
scripts/systemd/falco-plugin.service
View File

@ -1,7 +1,8 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security with plugin Description=Falco: Container Native Runtime Security with plugin
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
PartOf=falco.target Before=falcoctl-artifact-follow.service
Wants=falcoctl-artifact-follow.service
Conflicts=falco-kmod.service Conflicts=falco-kmod.service
Conflicts=falco-bpf.service Conflicts=falco-bpf.service
Conflicts=falco-modern-bpf.service Conflicts=falco-modern-bpf.service

7
scripts/systemd/falco.target
View File

@ -1,7 +0,0 @@
[Unit]
Description=Main Falco target
Requires=multi-user.target
After=multi-user.target
[Install]
WantedBy=multi-user.target

5
scripts/systemd/falcoctl-artifact-follow.service
View File

@ -1,9 +1,7 @@
[Unit] [Unit]
Description=Falcoctl Artifact Follow: automatic artifacts update service Description=Falcoctl Artifact Follow: automatic artifacts update service
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
After=falco.target PartOf=falco-bpf.service falco-kmod.service falco-modern-bpf.service falco-plugin.service
BindsTo=falco.target
DefaultDependencies=no
[Service] [Service]
Type=simple Type=simple
@ -18,7 +16,6 @@ NoNewPrivileges=yes
ProtectSystem=true ProtectSystem=true
ProtectKernelTunables=true ProtectKernelTunables=true
RestrictRealtime=true RestrictRealtime=true
StandardOutput=null
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target