new(scripts): add a falco.target that consists of falco-X.service units.

falcoctl will then run and bind to falco.target.

Signed-off-by: Federico Di Pierro <[email protected]>

cmake/cpack/CMakeCPackOptions.cmake

@@ -1,6 +1,7 @@
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 	list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
-	list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 	list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")

scripts/CMakeLists.txt

@@ -16,6 +16,8 @@
 #
 
 # Systemd
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco.target"
+		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
 		DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"

scripts/debian/prerm.in

@@ -24,11 +24,7 @@ set -e
 case "$1" in
     remove|upgrade|deconfigure)
       echo "[PRE-REMOVE] Stop all Falco services:"
-      systemctl --system stop 'falco-kmod.service' || true
-      systemctl --system stop 'falco-bpf.service' || true
-      systemctl --system stop 'falco-modern-bpf.service' || true
-      systemctl --system stop 'falco-plugin.service' || true
-      systemctl --system stop 'falcoctl.service' || true
+      systemctl --system stop 'falco.target' || true
 
       echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
       falco-driver-loader --clean

scripts/rpm/preuninstall.in

@@ -18,11 +18,7 @@ set -e
 
 # Currently running falco service uses the driver, so stop it before driver cleanup
 echo "[PRE-REMOVE] Stop all Falco services:"
-systemctl --system stop 'falco-kmod.service' || true
-systemctl --system stop 'falco-bpf.service' || true
-systemctl --system stop 'falco-modern-bpf.service' || true
-systemctl --system stop 'falco-plugin.service' || true
-systemctl --system stop 'falcoctl.service' || true
+systemctl --system stop 'falco.target' || true
 
 echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
 falco-driver-loader --clean

scripts/systemd/falco-bpf.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -21,7 +22,4 @@ ProtectSystem=full
 ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null

scripts/systemd/falco-kmod.service

@@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with kmod
 Documentation=https://falco.org/docs/
 After=falco-kmod-inject.service
 Requires=falco-kmod-inject.service
+PartOf=falco.target
 Conflicts=falco-bpf.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -23,7 +24,4 @@ ProtectKernelTunables=true
 ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null

scripts/systemd/falco-modern-bpf.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with modern ebpf
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-bpf.service
 Conflicts=falco-plugin.service
@@ -20,7 +21,4 @@ ProtectSystem=full
 ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null

scripts/systemd/falco-plugin.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with plugin
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-bpf.service
 Conflicts=falco-modern-bpf.service
@@ -21,6 +22,3 @@ ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target

scripts/systemd/falco.target

@@ -0,0 +1,7 @@
+[Unit]
+Description=Main Falco target
+Requires=multi-user.target
+After=multi-user.target
+
+[Install]
+WantedBy=multi-user.target

scripts/systemd/falcoctl.service

@@ -1,6 +1,8 @@
 [Unit]
 Description=Falco: Automatic rules update service
 Documentation=https://falco.org/docs/
+After=falco.target
+BindsTo=falco.target
 
 [Service]
 Type=simple
@@ -15,8 +17,7 @@ NoNewPrivileges=yes
 ProtectSystem=true
 ProtectKernelTunables=true
 RestrictRealtime=true
-#RestrictAddressFamilies=~AF_PACKET
-#StandardOutput=null
+StandardOutput=null
 
 [Install]
 WantedBy=multi-user.target