#!/bin/sh # SPDX-License-Identifier: Apache-2.0 # # Copyright (C) 2023 The Falco Authors. # # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # chosen_driver= chosen_unit= CHOICE= # Every time we call this script we want to stat from a clean state. echo "[POST-INSTALL] Disable all possible 'falco' services:" systemctl --system stop 'falco-kmod.service' || true systemctl --system stop 'falco-bpf.service' || true systemctl --system stop 'falco-modern-bpf.service' || true systemctl --system stop 'falco-custom.service' || true systemctl --system stop 'falcoctl-artifact-follow.service' || true systemctl --system disable 'falco-kmod.service' || true systemctl --system disable 'falco-bpf.service' || true systemctl --system disable 'falco-modern-bpf.service' || true systemctl --system disable 'falco-custom.service' || true systemctl --system disable 'falcoctl-artifact-follow.service' || true # unmask falcoctl if it was masked systemctl --system unmask falcoctl-artifact-follow.service || true if [ "$1" = "configure" ]; then case $FALCO_DRIVER_CHOICE in kmod) CHOICE=2 ;; ebpf) CHOICE=3 ;; modern_ebpf) CHOICE=4 ;; esac if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then # If dialog is installed, create a dialog to let users choose the correct driver for them CHOICE=$(dialog --clear --title "Falco drivers" --menu "Choose your preferred driver:" 12 55 4 \ 1 "Manual configuration (no unit is started)" \ 2 "Kmod" \ 3 "eBPF" \ 4 "Modern eBPF" \ 2>&1 >/dev/tty) fi case $CHOICE in 2) chosen_driver="kmod" chosen_unit="kmod" ;; 3) chosen_driver="ebpf" chosen_unit="bpf" ;; 4) chosen_driver="modern_ebpf" chosen_unit="modern-bpf" ;; esac if [ -n "$CHOICE" ]; then echo "[POST-INSTALL] Configure falcoctl driver type:" falcoctl driver config --type $chosen_driver CHOICE= case $FALCOCTL_ENABLED in no) CHOICE=2 ;; esac if [ -z $CHOICE ] && [ -x /usr/bin/dialog ] && [ "${FALCO_FRONTEND}" != "noninteractive" ]; then CHOICE=$(dialog --clear --title "Falcoctl" --menu "Do you want to follow automatic ruleset updates?" 10 40 2 \ 1 "Yes" \ 2 "No" \ 2>&1 >/dev/tty) fi case $CHOICE in 2) # we don't want falcoctl enabled, we mask it systemctl --system mask falcoctl-artifact-follow.service || true ;; esac fi clear fi set -e echo "[POST-INSTALL] Trigger deamon-reload:" systemctl --system daemon-reload || true # If needed, try to load/compile the driver through falcoctl case "$chosen_driver" in "kmod") # Only compile for kmod, in this way we use dkms echo "[POST-INSTALL] Call 'falcoctl driver install for kmod:" falcoctl driver install --download=false ;; "ebpf") echo "[POST-INSTALL] Call 'falcoctl driver install for ebpf':" falcoctl driver install ;; esac if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -n "$chosen_unit" ]; then # we do this in 2 steps because `enable --now` is not always supported echo "[POST-INSTALL] Enable 'falco-$chosen_unit.service':" systemctl --system enable "falco-$chosen_unit.service" || true echo "[POST-INSTALL] Start 'falco-$chosen_unit.service':" systemctl --system start "falco-$chosen_unit.service" || true fi fi