github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-09-08 18:19:30 +00:00
Code Issues Projects Releases Wiki Activity

update: remove falco target

Browse Source 
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
This commit is contained in:
Andrea Terzolo
2022-11-11 12:54:08 +00:00
committed by poiana
parent 988256d930
commit ee08c4d3de
14 changed files with 69 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmake/cpack/CMakeCPackOptions.cmake
View File

@@ -1,8 +1,7 @@
if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM") if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco@.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system") list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-plugin.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")

2
scripts/CMakeLists.txt
View File

@@ -16,8 +16,6 @@
# #
# Systemd # Systemd
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco@.target"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service" file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd") DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service" file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"

25
scripts/debian/postinst.in
View File

@@ -50,37 +50,32 @@ fi
# If needed, try to load/compile the driver through falco-driver-loader # If needed, try to load/compile the driver through falco-driver-loader
case "$chosen_driver" in case "$chosen_driver" in
"kmod") "kmod")
echo "[POST-INSTALL] Call 'falco-driver-loader module':"
falco-driver-loader module falco-driver-loader module
;; ;;
"bpf") "bpf")
echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
falco-driver-loader bpf falco-driver-loader bpf
;; ;;
esac esac
# Based off what debhelper dh_systemd_enable/13.3.4 would have added
# ref: https://www.debian.org/doc/manuals/debmake-doc/ch05.en.html#debhelper
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
# This will only remove masks created by d-s-h on package removal.
systemctl --system unmask "falco@.target" >/dev/null || true
systemctl --system unmask "falco-kmod.service" >/dev/null || true
systemctl --system unmask "falco-bpf.service" >/dev/null || true
systemctl --system unmask "falco-modern-bpf.service" >/dev/null || true
systemctl --system unmask "falco-plugin.service" >/dev/null || true
# was-enabled defaults to true, so new installations run enable.
if [ -n "$chosen_driver" ]; then if [ -n "$chosen_driver" ]; then
systemctl --system enable "falco@$chosen_driver.target" >/dev/null || true echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
systemctl --system start "falco@$chosen_driver.target" >/dev/null || true systemctl --system enable "falco-$chosen_driver.service" || true
echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
systemctl --system start "falco-$chosen_driver.service" || true
fi fi
fi fi
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
if [ -d /run/systemd/system ]; then if [ -d /run/systemd/system ]; then
systemctl --system daemon-reload >/dev/null || true echo "[POST-INSTALL] Trigger deamon-reload:"
systemctl --system daemon-reload || true
if [ -n "$chosen_driver" ]; then if [ -n "$chosen_driver" ]; then
echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
# restart falco on upgrade if service is already running # restart falco on upgrade if service is already running
/usr/bin/systemctl --system condrestart "falco@$chosen_driver.target" >/dev/null || true systemctl --system condrestart "falco-$chosen_driver.service" || true
fi fi
fi fi
fi fi

18
scripts/debian/postrm.in
View File

@@ -22,15 +22,11 @@
set -e set -e
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
systemctl --system daemon-reload >/dev/null || true echo "[POST-REMOVE] Disable all Falco services:"
fi systemctl --system disable 'falco-kmod.service' || true
systemctl --system disable 'falco-bpf.service' || true
if [ "$1" = "remove" ]; then systemctl --system disable 'falco-modern-bpf.service' || true
if [ -x "/usr/bin/deb-systemd-helper" ]; then systemctl --system disable 'falco-plugin.service' || true
systemctl --system mask 'falco@.target' >/dev/null || true echo "[POST-REMOVE] Trigger deamon-reload:"
systemctl --system mask 'falco-kmod.service' >/dev/null || true systemctl --system daemon-reload || true
systemctl --system mask 'falco-bpf.service' >/dev/null || true
systemctl --system mask 'falco-modern-bpf.service' >/dev/null || true
systemctl --system mask "falco-plugin.service" >/dev/null || true
fi
fi fi

12
scripts/debian/prerm.in
View File

@@ -22,14 +22,16 @@ set -e
# Currently running falco service uses the driver, so stop it before driver cleanup # Currently running falco service uses the driver, so stop it before driver cleanup
if [ -d /run/systemd/system ] && [ "$1" = remove ]; then if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
systemctl --system stop 'falco@kmod.target' >/dev/null || true echo "[POST-REMOVE] Stop all Falco services:"
systemctl --system stop 'falco@bpf.target' >/dev/null || true systemctl --system stop 'falco-kmod.service' || true
systemctl --system stop 'falco@modern-bpf.target' >/dev/null || true systemctl --system stop 'falco-bpf.service' || true
systemctl --system stop 'falco@plugin.target' >/dev/null || true systemctl --system stop 'falco-modern-bpf.service' || true
systemctl --system stop 'falco-plugin.service' || true
fi fi
case "$1" in case "$1" in
remove|upgrade|deconfigure) remove|upgrade|deconfigure)
/usr/bin/falco-driver-loader --clean echo "[POST-REMOVE] Call 'falco-driver-loader --clean:'"
falco-driver-loader --clean
;; ;;
esac esac

27
scripts/rpm/postinstall.in
View File

@@ -49,9 +49,11 @@ fi
# If needed, try to load/compile the driver through falco-driver-loader # If needed, try to load/compile the driver through falco-driver-loader
case "$chosen_driver" in case "$chosen_driver" in
"kmod") "kmod")
echo "[POST-INSTALL] Call 'falco-driver-loader module':"
falco-driver-loader module falco-driver-loader module
;; ;;
"bpf") "bpf")
echo "[POST-INSTALL] Call 'falco-driver-loader bpf':"
falco-driver-loader bpf falco-driver-loader bpf
;; ;;
esac esac
@@ -63,34 +65,27 @@ esac
# systemd_post macro expands to # systemd_post macro expands to
# if postinst: # if postinst:
# `systemd-update-helper install-system-units <service>` # `systemd-update-helper install-system-units <service>`
%systemd_post "falco@$chosen_driver.target" %systemd_post "falco-$chosen_driver.service"
# post install mirrored from .deb # post install mirrored from .deb
if [ $1 -eq 1 ]; then if [ $1 -eq 1 ]; then
# This will only remove masks created on package removal.
/usr/bin/systemctl --system unmask "falco@.target" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-kmod.service" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-bpf.service" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-modern-bpf.service" >/dev/null || true
/usr/bin/systemctl --system unmask "falco-plugin.service" >/dev/null || true
if [ -n "$chosen_driver" ]; then if [ -n "$chosen_driver" ]; then
# enable falco on installation echo "[POST-INSTALL] Enable 'falco-$chosen_driver.service':"
# note: DEB postinstall script checks for changed symlinks systemctl --system enable "falco-$chosen_driver.service" || true
/usr/bin/systemctl --system enable "falco@$chosen_driver.target" >/dev/null || true echo "[POST-INSTALL] Start 'falco-$chosen_driver.service':"
systemctl --system start "falco-$chosen_driver.service" || true
# start falco on installation
/usr/bin/systemctl --system start "falco@$chosen_driver.target" >/dev/null || true
fi fi
fi fi
# post upgrade mirrored from .deb # post upgrade mirrored from .deb
if [ $1 -gt 1 ]; then if [ $1 -gt 1 ]; then
if [ -d /run/systemd/system ]; then if [ -d /run/systemd/system ]; then
/usr/bin/systemctl --system daemon-reload >/dev/null || true echo "[POST-INSTALL] Trigger deamon-reload:"
systemctl --system daemon-reload || true
if [ -n "$chosen_driver" ]; then if [ -n "$chosen_driver" ]; then
echo "[POST-INSTALL] Trigger 'falco-$chosen_driver.service' condrestart:"
# restart falco on upgrade if service is already running # restart falco on upgrade if service is already running
/usr/bin/systemctl --system condrestart "falco@$chosen_driver.target" >/dev/null || true systemctl --system condrestart "falco-$chosen_driver.service" || true
fi fi
fi fi
fi fi

28
scripts/rpm/postuninstall.in
View File

@@ -17,24 +17,12 @@
set -e set -e
# post uninstall mirrored from .deb if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
if [ -d /run/systemd/system ] && [ "$1" = 0 ]; then echo "[POST-REMOVE] Disable all Falco services:"
/usr/bin/systemctl --system daemon-reload >/dev/null || true systemctl --system disable 'falco-kmod.service'|| true
/usr/bin/systemctl --system mask 'falco@.target' >/dev/null || true systemctl --system disable 'falco-bpf.service' || true
/usr/bin/systemctl --system mask 'falco-kmod.service' >/dev/null || true systemctl --system disable 'falco-modern-bpf.service' || true
/usr/bin/systemctl --system mask 'falco-bpf.service' >/dev/null || true systemctl --system disable 'falco-plugin.service' || true
/usr/bin/systemctl --system mask 'falco-modern-bpf.service' >/dev/null || true echo "[POST-REMOVE] Trigger deamon-reload:"
/usr/bin/systemctl --system mask 'falco-plugin.service' >/dev/null || true systemctl --system daemon-reload || true
fi fi
# validate rpm macros by `rpm -qp --scripts <rpm>`
# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
# https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
# systemd_postun_with_restart macro expands to
# if package upgrade, not uninstall:
# `systemd-update-helper mark-restart-system-units <service>`
%systemd_postun_with_restart 'falco@kmod.target'
%systemd_postun_with_restart 'falco@bpf.target'
%systemd_postun_with_restart 'falco@modern-bpf.target'
%systemd_postun_with_restart 'falco@plugin.target'

21
scripts/rpm/preuninstall.in
View File

@@ -19,14 +19,15 @@ set -e
# pre uninstall mirrored from .deb # pre uninstall mirrored from .deb
# Currently running falco service uses the driver, so stop it before driver cleanup # Currently running falco service uses the driver, so stop it before driver cleanup
if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then if [ -d /run/systemd/system ] && [ $1 -eq 0 ]; then
# stop falco service before uninstall echo "[POST-REMOVE] Stop all Falco services:"
/usr/bin/systemctl --system stop 'falco@kmod.target' >/dev/null || true systemctl --system stop 'falco-kmod.service' || true
/usr/bin/systemctl --system stop 'falco@bpf.target' >/dev/null || true systemctl --system stop 'falco-bpf.service' || true
/usr/bin/systemctl --system stop 'falco@modern-bpf.target' >/dev/null || true systemctl --system stop 'falco-modern-bpf.service' || true
/usr/bin/systemctl --system stop 'falco@plugin.target' >/dev/null || true systemctl --system stop 'falco-plugin.service' || true
fi fi
/usr/bin/falco-driver-loader --clean echo "[POST-REMOVE] Call 'falco-driver-loader --clean:'"
falco-driver-loader --clean
# validate rpm macros by `rpm -qp --scripts <rpm>` # validate rpm macros by `rpm -qp --scripts <rpm>`
# RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd # RPM scriptlets: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_systemd
@@ -35,7 +36,7 @@ fi
# systemd_preun macro expands to # systemd_preun macro expands to
# if preuninstall: # if preuninstall:
# `systemd-update-helper remove-system-units <service>` # `systemd-update-helper remove-system-units <service>`
%systemd_preun 'falco@kmod.target' %systemd_preun 'falco-kmod.service'
%systemd_preun 'falco@bpf.target' %systemd_preun 'falco-bpf.service'
%systemd_preun 'falco@modern-bpf.target' %systemd_preun 'falco-modern-bpf.service'
%systemd_preun 'falco@plugin.target' %systemd_preun 'falco-plugin.service'

4
scripts/systemd/falco-bpf.service
View File

@@ -1,7 +1,6 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security with ebpf Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
PartOf=falco@bpf.target
Conflicts=falco-kmod.service Conflicts=falco-kmod.service
Conflicts=falco-modern-bpf.service Conflicts=falco-modern-bpf.service
Conflicts=falco-plugin.service Conflicts=falco-plugin.service
@@ -23,3 +22,6 @@ ProtectKernelTunables=true
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET
StandardOutput=null StandardOutput=null
[Install]
WantedBy=multi-user.target

1
scripts/systemd/falco-kmod-inject.service
View File

@@ -1,7 +1,6 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security with kmod, inject. Description=Falco: Container Native Runtime Security with kmod, inject.
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
PartOf=falco@kmod.target
[Service] [Service]
Type=oneshot Type=oneshot

4
scripts/systemd/falco-kmod.service
View File

@@ -3,7 +3,6 @@ Description=Falco: Container Native Runtime Security with kmod
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
After=falco-kmod-inject.service After=falco-kmod-inject.service
Requires=falco-kmod-inject.service Requires=falco-kmod-inject.service
PartOf=falco@kmod.target
Conflicts=falco-bpf.service Conflicts=falco-bpf.service
Conflicts=falco-modern-bpf.service Conflicts=falco-modern-bpf.service
Conflicts=falco-plugin.service Conflicts=falco-plugin.service
@@ -25,3 +24,6 @@ ReadWritePaths=/sys/module/falco
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET
StandardOutput=null StandardOutput=null
[Install]
WantedBy=multi-user.target

6
scripts/systemd/falco-modern-bpf.service
View File

@@ -1,7 +1,6 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security with ebpf Description=Falco: Container Native Runtime Security with modern ebpf
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
PartOf=falco@modern-bpf.target
Conflicts=falco-kmod.service Conflicts=falco-kmod.service
Conflicts=falco-bpf.service Conflicts=falco-bpf.service
Conflicts=falco-plugin.service Conflicts=falco-plugin.service
@@ -22,3 +21,6 @@ ProtectKernelTunables=true
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET
StandardOutput=null StandardOutput=null
[Install]
WantedBy=multi-user.target

4
scripts/systemd/falco-plugin.service
View File

@@ -1,7 +1,6 @@
[Unit] [Unit]
Description=Falco: Container Native Runtime Security with plugin Description=Falco: Container Native Runtime Security with plugin
Documentation=https://falco.org/docs/ Documentation=https://falco.org/docs/
PartOf=falco@plugin.target
Conflicts=falco-kmod.service Conflicts=falco-kmod.service
Conflicts=falco-bpf.service Conflicts=falco-bpf.service
Conflicts=falco-modern-bpf.service Conflicts=falco-modern-bpf.service
@@ -22,3 +21,6 @@ ProtectKernelTunables=true
RestrictRealtime=true RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET RestrictAddressFamilies=~AF_PACKET
StandardOutput=null StandardOutput=null
[Install]
WantedBy=multi-user.target

7
scripts/systemd/falco@.target
View File

@@ -1,7 +0,0 @@
[Unit]
Description=Falco generic startup target [kmod,ebpf]
Requires=multi-user.target falco-%i.service
After=multi-user.target
[Install]
WantedBy=multi-user.target