chore(scripts): added support for falco@plugin.target.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
This commit is contained in:
Federico Di Pierro 2022-10-24 17:24:56 +02:00 committed by poiana
parent b04bb2e32e
commit 91fe2e9e24
9 changed files with 38 additions and 3 deletions


@ -39,7 +39,7 @@ case "$1" in
chosen_driver="ebpf"
;;
3)
chosen_driver=
chosen_driver="plugin"
;;
esac
else
@ -65,6 +65,7 @@ if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-decon
# This will only remove masks created by d-s-h on package removal.
deb-systemd-helper unmask "falco@kmod.target" >/dev/null || true
deb-systemd-helper unmask "falco@ebpf.target" >/dev/null || true
deb-systemd-helper unmask "falco@plugin.target" >/dev/null || true
# was-enabled defaults to true, so new installations run enable.
if [ -n "$chosen_driver" ]; then


@ -29,6 +29,7 @@ if [ "$1" = "remove" ]; then
if [ -x "/usr/bin/deb-systemd-helper" ]; then
deb-systemd-helper mask 'falco@kmod.target' >/dev/null || true
deb-systemd-helper mask 'falco@ebpf.target' >/dev/null || true
deb-systemd-helper mask "falco@plugin.target" >/dev/null || true
fi
fi
@ -38,5 +39,7 @@ if [ "$1" = "purge" ]; then
deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
deb-systemd-helper purge 'falco@ebpf.target' >/dev/null || true
deb-systemd-helper unmask 'falco@ebpf.target' >/dev/null || true
deb-systemd-helper purge 'falco@plugin.target' >/dev/null || true
deb-systemd-helper unmask 'falco@plugin.target' >/dev/null || true
fi
fi
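Review bot: The mask line added in the `remove` branch quotes the target with double quotes, while the two lines it sits between and the two new purge/unmask lines in the `purge` branch use single quotes; for a uniform file the line should read `deb-systemd-helper mask 'falco@plugin.target' >/dev/null || true`. The surrounding `if [ -x "/usr/bin/deb-systemd-helper" ]` block is fully inside the hunk, so nothing else in it needs to change. The `purge` hunk starts one line after its opening `if`, so the matching kmod purge line is presumably just above the visible context.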


@ -24,6 +24,7 @@ set -e
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
deb-systemd-invoke stop 'falco@kmod.target' >/dev/null || true
deb-systemd-invoke stop 'falco@ebpf.target' >/dev/null || true
deb-systemd-invoke stop 'falco@plugin.target' >/dev/null || true
fi
case "$1" in


@ -38,7 +38,7 @@ case "$1" in
chosen_driver="ebpf"
;;
3)
chosen_driver=
chosen_driver="plugin"
;;
esac
else
@ -71,6 +71,7 @@ if [ $1 -eq 1 ]; then
# This will only remove masks created on package removal.
/usr/bin/systemctl --system unmask "falco@kmod.target" >/dev/null || true
/usr/bin/systemctl --system unmask "falco@ebpf.target" >/dev/null || true
/usr/bin/systemctl --system unmask "falco@plugin.target" >/dev/null || true
if [ -n "$chosen_driver" ]; then
# enable falco on installation


@ -22,6 +22,7 @@ if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then
/usr/bin/systemctl --system daemon-reload >/dev/null || true
/usr/bin/systemctl --system mask 'falco@kmod.target' >/dev/null || true
/usr/bin/systemctl --system mask 'falco@ebpf.target' >/dev/null || true
/usr/bin/systemctl --system mask 'falco@plugin.target' >/dev/null || true
fi
# validate rpm macros by `rpm -qp --scripts <rpm>`
@ -33,3 +34,4 @@ fi
# `systemd-update-helper mark-restart-system-units <service>`
%systemd_postun_with_restart 'falco@kmod.target'
%systemd_postun_with_restart 'falco@ebpf.target'
%systemd_postun_with_restart 'falco@plugin.target'


@ -22,6 +22,7 @@ if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
# stop falco service before uninstall
/usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true
/usr/bin/systemctl --system stop 'falco@ebpf.target' >/dev/null || true
/usr/bin/systemctl --system stop 'falco@plugin.target' >/dev/null || true
fi
/usr/bin/falco-driver-loader --clean
@ -34,4 +35,5 @@ fi
# if preuninstall:
# `systemd-update-helper remove-system-units <service>`
%systemd_preun 'falco@kmod.target'
%systemd_preun 'falco@ebpf.target'
%systemd_preun 'falco@ebpf.target'
%systemd_preun 'falco@plugin.target'
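Review bot: `%systemd_preun 'falco@ebpf.target'` appears twice in the second hunk, directly above the new plugin line. The hunk counts (4 old lines, 5 new) are consistent with the old last line having lacked a trailing newline and being removed and re-added, in which case the repeat is only the rendered old/new pair and not a duplicate in the resulting file; confirm that the patched scriptlet contains each target's `%systemd_preun` exactly once, since a doubled macro would run the remove-system-units step twice for the ebpf target. The `fi` that opens this hunk closes a block that starts outside it.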


@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/
PartOf=falco@ebpf.target
Conflicts=falco-kmod.service
Conflicts=falco-plugin.service
[Service]
Type=simple


@ -5,6 +5,7 @@ After=falco-kmod-inject.service
Requires=falco-kmod-inject.service
PartOf=falco@kmod.target
Conflicts=falco-ebpf.service
Conflicts=falco-plugin.service
[Service]
Type=simple


@ -0,0 +1,23 @@
[Unit]
Description=Falco: Container Native Runtime Security with plugin
Documentation=https://falco.org/docs/
PartOf=falco@plugin.target
Conflicts=falco-kmod.service
Conflicts=falco-ebpf.service
[Service]
Type=simple
User=%u
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null