From a40589249d11d0042016b6c55a199e2b7d0f8563 Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Thu, 19 Jan 2023 16:02:02 +0100
Subject: [PATCH] new(scripts): add a falco.target that consists of falco-X.service units.

falcoctl will then run and bind to falco.target.

Signed-off-by: Federico Di Pierro
---
 cmake/cpack/CMakeCPackOptions.cmake | 3 ++-
 scripts/CMakeLists.txt | 2 ++
 scripts/debian/prerm.in | 6 +-----
 scripts/rpm/preuninstall.in | 6 +-----
 scripts/systemd/falco-bpf.service | 6 ++----
 scripts/systemd/falco-kmod.service | 6 ++----
 scripts/systemd/falco-modern-bpf.service | 6 ++----
 scripts/systemd/falco-plugin.service | 4 +---
 scripts/systemd/falco.target | 7 +++++++
 scripts/systemd/falcoctl.service | 5 +++--
 10 files changed, 23 insertions(+), 28 deletions(-)
 create mode 100644 scripts/systemd/falco.target

diff --git a/cmake/cpack/CMakeCPackOptions.cmake b/cmake/cpack/CMakeCPackOptions.cmake
index 967cf882d77..3dbcdbdb6e3 100644
--- a/cmake/cpack/CMakeCPackOptions.cmake
+++ b/cmake/cpack/CMakeCPackOptions.cmake
@@ -1,6 +1,7 @@
 if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
 list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
- list(APPEND CPACK_INSTALL_COMMANDS "cp -r scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco.target _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
+ list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod-inject.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-kmod.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
 list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/falco-modern-bpf.service _CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
diff --git a/scripts/CMakeLists.txt b/scripts/CMakeLists.txt
index de6b2aa23b2..b2598518ce7 100644
--- a/scripts/CMakeLists.txt
+++ b/scripts/CMakeLists.txt
@@ -16,6 +16,8 @@
 #
 
 # Systemd
+file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco.target"
+ DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod-inject.service"
 DESTINATION "${PROJECT_BINARY_DIR}/scripts/systemd")
 file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco-kmod.service"
diff --git a/scripts/debian/prerm.in b/scripts/debian/prerm.in
index 90cb88168d2..5bceda3744d 100755
--- a/scripts/debian/prerm.in
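Review bot: The list of systemd units to ship is spelled out once per `cp` line here and again as one `file(COPY)` per unit in scripts/CMakeLists.txt, so every new unit (falco.target in this commit) has to be added in two places, each time with the long `_CPack_Packages/…/usr/lib/systemd/system` destination repeated verbatim. Holding the destination in one variable and looping over the unit names keeps the list short and makes a missing unit obvious in review. The `if(CPACK_GENERATOR …)` block continues past the end of the hunk, so any further `cp` lines below it would join the same loop.
```cmake
if(CPACK_GENERATOR MATCHES "DEB" OR CPACK_GENERATOR MATCHES "RPM")
  set(FALCO_CPACK_SYSTEMD_DIR "_CPack_Packages/${CPACK_TOPLEVEL_TAG}/${CPACK_GENERATOR}/${CPACK_PACKAGE_FILE_NAME}/usr/lib/systemd/system")
  list(APPEND CPACK_INSTALL_COMMANDS "mkdir -p ${FALCO_CPACK_SYSTEMD_DIR}")
  # One entry per unit file under scripts/systemd/; add new units here only.
  foreach(unit falco.target falco-kmod-inject.service falco-kmod.service falco-bpf.service falco-modern-bpf.service)
    list(APPEND CPACK_INSTALL_COMMANDS "cp scripts/systemd/${unit} ${FALCO_CPACK_SYSTEMD_DIR}")
  endforeach()
  # … unchanged: rest of the if() block …
```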
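Review bot: `file(COPY "${PROJECT_SOURCE_DIR}/scripts/systemd/falco.target" …)` runs once at configure time and does not register falco.target as a configure dependency, so an edit to the unit after the first configure is not reflected in the build tree until cmake is re-run by hand; the existing `file(COPY)` lines for the .service units around it have the same property. `configure_file("${PROJECT_SOURCE_DIR}/scripts/systemd/falco.target" "${PROJECT_BINARY_DIR}/scripts/systemd/falco.target" COPYONLY)` copies the file unchanged and re-runs the configure step whenever the source changes. A comment above the block, e.g. `# Mirror the systemd units into the build tree (presumably consumed by the CPack install commands)`, would also tell a reader why these copies exist, since nothing here says so.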
+++ b/scripts/debian/prerm.in
@@ -24,11 +24,7 @@ set -e
 case "$1" in
 remove|upgrade|deconfigure)
 echo "[PRE-REMOVE] Stop all Falco services:"
- systemctl --system stop 'falco-kmod.service' || true
- systemctl --system stop 'falco-bpf.service' || true
- systemctl --system stop 'falco-modern-bpf.service' || true
- systemctl --system stop 'falco-plugin.service' || true
- systemctl --system stop 'falcoctl.service' || true
+ systemctl --system stop 'falco.target' || true
 echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
 falco-driver-loader --clean
diff --git a/scripts/rpm/preuninstall.in b/scripts/rpm/preuninstall.in
index dd7c0cf185f..18220f496b7 100755
--- a/scripts/rpm/preuninstall.in
+++ b/scripts/rpm/preuninstall.in
@@ -18,11 +18,7 @@ set -e
 # Currently running falco service uses the driver, so stop it before driver cleanup
 echo "[PRE-REMOVE] Stop all Falco services:"
-systemctl --system stop 'falco-kmod.service' || true
-systemctl --system stop 'falco-bpf.service' || true
-systemctl --system stop 'falco-modern-bpf.service' || true
-systemctl --system stop 'falco-plugin.service' || true
-systemctl --system stop 'falcoctl.service' || true
+systemctl --system stop 'falco.target' || true
 echo "[PRE-REMOVE] Call 'falco-driver-loader --clean:'"
 falco-driver-loader --clean
diff --git a/scripts/systemd/falco-bpf.service b/scripts/systemd/falco-bpf.service
index de8c57e6705..58127cd6eb3 100644
--- a/scripts/systemd/falco-bpf.service
+++ b/scripts/systemd/falco-bpf.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with ebpf
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -21,7 +22,4 @@ ProtectSystem=full
 ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null
\ No newline at end of file
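Review bot: The single `systemctl --system stop 'falco.target' || true` now relies on every Falco unit being reachable from the target through its own dependency lines (`PartOf=falco.target` in the falco-*.service files and `BindsTo=falco.target` in falcoctl.service, both added in this commit); a unit without such a line — falco-kmod-inject.service is not touched here — is left in whatever state it is in when `falco-driver-loader --clean` runs on the next line. That contract is worth stating above the call, e.g. `# falco-*.service are PartOf= and falcoctl.service BindsTo= falco.target, so stopping the target stops them all`. The same applies to the scripts/rpm/preuninstall.in hunk below. The enclosing `case` in prerm.in continues outside the hunk.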
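Review bot: Removing the `[Install]` section at the end of falco-bpf.service means `systemctl enable falco-bpf.service` now fails for lack of installation config, and since falco.target declares no `Wants=` of its own nothing starts this service when the target is started — `PartOf=` only propagates stop and restart from the target to the service, never start. If the intent is that the administrator picks one of the mutually conflicting driver services, keeping `[Install]` with `WantedBy=falco.target` instead of `multi-user.target` lets `enable` place it in falco.target.wants/ so the target pulls it in at boot while `PartOf=` still propagates stops. The same applies to the falco-kmod.service, falco-modern-bpf.service and falco-plugin.service hunks. The rewritten last line is also saved without a trailing newline (`\ No newline at end of file`); the falco-plugin.service hunk shows the same removal done without touching `StandardOutput=null`.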
diff --git a/scripts/systemd/falco-kmod.service b/scripts/systemd/falco-kmod.service
index f62516381ef..500bb93e793 100644
--- a/scripts/systemd/falco-kmod.service
+++ b/scripts/systemd/falco-kmod.service
@@ -3,6 +3,7 @@ Description=Falco: Container Native Runtime Security with kmod
 Documentation=https://falco.org/docs/
 After=falco-kmod-inject.service
 Requires=falco-kmod-inject.service
+PartOf=falco.target
 Conflicts=falco-bpf.service
 Conflicts=falco-modern-bpf.service
 Conflicts=falco-plugin.service
@@ -23,7 +24,4 @@ ProtectKernelTunables=true
 ReadWritePaths=/sys/module/falco
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null
\ No newline at end of file
diff --git a/scripts/systemd/falco-modern-bpf.service b/scripts/systemd/falco-modern-bpf.service
index 9b6825005c1..ef4bdc2e351 100644
--- a/scripts/systemd/falco-modern-bpf.service
+++ b/scripts/systemd/falco-modern-bpf.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with modern ebpf
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-bpf.service
 Conflicts=falco-plugin.service
@@ -20,7 +21,4 @@ ProtectSystem=full
 ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
-StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
+StandardOutput=null
\ No newline at end of file
diff --git a/scripts/systemd/falco-plugin.service b/scripts/systemd/falco-plugin.service
index 84befe716ec..dac0c1d0207 100644
--- a/scripts/systemd/falco-plugin.service
+++ b/scripts/systemd/falco-plugin.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Falco: Container Native Runtime Security with plugin
 Documentation=https://falco.org/docs/
+PartOf=falco.target
 Conflicts=falco-kmod.service
 Conflicts=falco-bpf.service
 Conflicts=falco-modern-bpf.service
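Review bot: falco-kmod.service is now `PartOf=falco.target` while it still `Requires=falco-kmod-inject.service`, and nothing in this commit puts falco-kmod-inject.service under the target; so `systemctl stop falco.target`, which prerm.in and preuninstall.in now run right before `falco-driver-loader --clean`, stops falco-kmod.service but leaves falco-kmod-inject.service in whatever state it reached. Whether that matters depends on the inject unit's type and what it holds, which is not visible here; if it keeps the module loaded or reports active, adding `PartOf=falco.target` to falco-kmod-inject.service as well keeps the whole kmod chain under the target. The falco-modern-bpf.service and falco-plugin.service hunks on this line otherwise mirror the falco-bpf.service change and share its `[Install]` removal.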
@@ -21,6 +22,3 @@ ProtectKernelTunables=true
 RestrictRealtime=true
 RestrictAddressFamilies=~AF_PACKET
 StandardOutput=null
-
-[Install]
-WantedBy=multi-user.target
diff --git a/scripts/systemd/falco.target b/scripts/systemd/falco.target
new file mode 100644
index 00000000000..df13a9e40fc
--- /dev/null
+++ b/scripts/systemd/falco.target
@@ -0,0 +1,7 @@
+[Unit]
+Description=Main Falco target
+Requires=multi-user.target
+After=multi-user.target
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/scripts/systemd/falcoctl.service b/scripts/systemd/falcoctl.service
index 1adefd2c726..bc12c6ed66e 100644
--- a/scripts/systemd/falcoctl.service
+++ b/scripts/systemd/falcoctl.service
@@ -1,6 +1,8 @@
 [Unit]
 Description=Falco: Automatic rules update service
 Documentation=https://falco.org/docs/
+After=falco.target
+BindsTo=falco.target
 
 [Service]
 Type=simple
@@ -15,8 +17,7 @@ NoNewPrivileges=yes
 ProtectSystem=true
 ProtectKernelTunables=true
 RestrictRealtime=true
-#RestrictAddressFamilies=~AF_PACKET
-#StandardOutput=null
+StandardOutput=null
 
 [Install]
 WantedBy=multi-user.target
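Review bot: falco.target lists no `Wants=` or `Requires=` on any falco-*.service, and with the `[Install]` sections removed from those units nothing can be enabled into falco.target.wants/ either, so the target reaches active with no Falco service running — `PartOf=` in the services only propagates stop/restart downward, never start. falcoctl.service's new `BindsTo=falco.target` therefore binds to a unit that is satisfied whenever it is reached rather than to a running Falco instance; if "bind to falco.target" in the commit message is meant to tie falcoctl to a running driver, this file does not achieve it. `Requires=multi-user.target` on a unit that is itself `WantedBy=multi-user.target` is also unusual: `After=multi-user.target` alone gives the ordering without stopping falco.target whenever multi-user.target is stopped. A one-line comment under `[Unit]`, e.g. `# Umbrella target: falco-*.service are PartOf= it and falcoctl.service BindsTo= it`, would document the intended relationship, and the file is written without a trailing newline.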
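Review bot: `StandardOutput=null` is now enabled in falcoctl.service where it was previously commented out, so whatever falcoctl writes to stdout (its rules-update activity, presumably) no longer reaches the journal, and a failed or unexpected rules fetch leaves no local trace for an operator to review. Dropping the line (stdout then defaults to the journal) or writing `StandardOutput=journal` keeps rule updates auditable. The commented-out `#RestrictAddressFamilies=~AF_PACKET` is removed rather than enabled; the `~AF_PACKET` deny form does not affect the TCP or Unix sockets a fetcher needs, so `RestrictAddressFamilies=~AF_PACKET` could have been kept as the same sandboxing line the falco-*.service units carry. The `[Service]` section starts outside this hunk.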