
new(scripts): improve systemd units for rpm and debian. #2242

Merged
poiana merged 28 commits into master from fix/systemd_units
Dec 15, 2022

Conversation

@FedeDP
Contributor

@FedeDP FedeDP commented Oct 11, 2022

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

What this PR does / why we need it:

Unify systemd units for debian and rpm; plus, rework them to support eBPF, plugins and modern eBPF too.
One will be able to enable falco with, e.g., bpf by running:

systemctl enable falco-bpf.service

Moreover, since the services conflict with each other, running

systemctl start falco-kmod.service

while falco-bpf.service is active will bring down the bpf one, in favor of the kmod one.

Example dialog: (screenshot of the driver selection dialog; image not reproduced)

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new(scripts): support multiple drivers in systemd units

@FedeDP
Contributor Author

FedeDP commented Oct 11, 2022

@happy-dude

if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
# This will only remove masks created by d-s-h on package removal.
deb-systemd-helper unmask 'falco.service' >/dev/null || true
deb-systemd-helper unmask 'falco@kmod.target' >/dev/null || true
Contributor Author

By default, enable falco on kmod, just like we did before.

Description=Falco: Container Native Runtime Security with ebpf
Documentation=https://falco.org/docs/
PartOf=falco@ebpf.target
Conflicts=falco-kmod.service
Contributor Author

If you enable falco@ebpf.target it will automatically disable falco@kmod.target.

Contributor Author

The same is true for the other way round.

@@ -0,0 +1,11 @@
[Unit]
Contributor Author

@FedeDP FedeDP Oct 11, 2022

Small service that manages kmod injection.

@FedeDP
Contributor Author

FedeDP commented Oct 11, 2022

/milestone 0.34.0

@poiana poiana added this to the 0.34.0 milestone Oct 11, 2022
@happy-dude
Contributor

happy-dude commented Oct 11, 2022

This is really cool!
This is my first time encountering the @ templating for systemd, so I'll do some extra reading on the side and learn a bit more about it.

EDIT: the below is not possible; see later comment: #2242 (comment)

With regards to taking advantage of the templating aspect of this change, can we move more options over to scripts/systemd/falco@.target ?

The following block of configuration options is shared between the two files:

Type=simple
User=root
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
UMask=0077
TimeoutSec=30
RestartSec=15s
Restart=on-failure
PrivateTmp=true
NoNewPrivileges=yes
ProtectHome=read-only
ProtectSystem=full
ProtectKernelTunables=true
ReadWritePaths=/sys/module/falco
RestrictRealtime=true
RestrictAddressFamilies=~AF_PACKET
StandardOutput=null

At the moment, the only option unique to falco-ebpf.service is Environment=FALCO_BPF_PROBE=.
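A small lint for the driver-specific units this thread describes, added here as an example (it is not code from the falco PR): it parses constructed unit texts, reports pairs of driver services that neither side guards with Conflicts=, and checks that sandboxing directives quoted in this thread are present in every unit. Unit names and directive names come from the thread; the unit contents themselves are constructed, and the third unit is deliberately left unguarded to show what the check catches.

```python
REQUIRED_HARDENING = {"NoNewPrivileges": "yes", "ProtectHome": "read-only"}
# Constructed units: kmod and bpf conflict with each other; the later-added modern-bpf
# unit was never wired in and also lacks ProtectHome.
UNITS = {
    "falco-kmod.service": """[Unit]
Conflicts=falco-bpf.service
[Service]
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
NoNewPrivileges=yes
ProtectHome=read-only""",
    "falco-bpf.service": """[Unit]
Conflicts=falco-kmod.service
[Service]
Environment=FALCO_BPF_PROBE=
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
NoNewPrivileges=yes
ProtectHome=read-only""",
    "falco-modern-bpf.service": """[Unit]
[Service]
ExecStart=/usr/bin/falco --pidfile=/var/run/falco.pid
NoNewPrivileges=yes""",
}

def parse_unit(text):
    """Minimal unit parser -> {section: {key: [values]}}; repeated keys accumulate."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        else:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def unguarded_pairs(units):
    """Pairs where neither side declares Conflicts= on the other. systemd applies
    Conflicts= both ways, so one declaration per pair suffices; none means both can run."""
    conflicts = {n: set(" ".join(parse_unit(t).get("Unit", {}).get("Conflicts", [])).split())
                 for n, t in units.items()}
    names = sorted(units)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if b not in conflicts[a] and a not in conflicts[b]]

def missing_hardening(units):
    """(unit, directive) where a sandbox directive is absent or differs (last assignment wins)."""
    return sorted((n, k) for n, t in units.items() for k, want in REQUIRED_HARDENING.items()
                  if parse_unit(t).get("Service", {}).get(k, [None])[-1] != want)
```

Running both checks over UNITS reports the two unguarded pairs involving falco-modern-bpf.service and its missing ProtectHome.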

@FedeDP
Contributor Author

FedeDP commented Oct 11, 2022

The following block of configuration options is shared between the two files:

Are they inherited? I didn't know that!
Great tip!

@happy-dude
Contributor

happy-dude commented Oct 11, 2022

Are they inherited? I didn't know that!

I'm actually not sure; let me read more into it and see if that's the case 👀

@happy-dude
Contributor

I've read a little more in https://www.freedesktop.org/software/systemd/man/systemd.unit.html and https://askubuntu.com/questions/659267/how-do-i-override-or-configure-systemd-services/659268#659268;

systemd unit template file options are not inherited.

Seems like the unit template serves for parameterizing the service and grabbing specifiers; in other words, templating for the service itself and not templating for writing other service unit definitions.

@FedeDP
Contributor Author

FedeDP commented Oct 11, 2022

systemd unit template file options are not inherited.

:( It could be a very nice cleanup!

@FedeDP FedeDP force-pushed the fix/systemd_units branch from 4884917 to 552872f (October 12, 2022 09:13)
@FedeDP
Contributor Author

FedeDP commented Oct 12, 2022

Rebased on top of master.
A couple of things to work out:

  • properly use falco-driver-loader to build the drivers instead of manually using dkms
  • add a configure step selection window to allow users to select the falco driver to use (i.e. { ebpf, kmod, dontstart })

@happy-dude
Contributor

An aside -- I mentioned somewhere that I loaded the BPF probe / started the Falco process differently:

ExecStart=/bin/bash -c 'FALCO_BPF_PROBE=/etc/falco-bpf/falco_debian_$(uname -r).o exec /usr/bin/falco --pidfile=/var/run/falco.pid'

This is due to my team and I creating falco-bpf probe packages alongside new kernel releases and having a naming format that's not the same as the Falco format. As far as I know, there wasn't a flexible way in a systemd unit to dynamically grab a variable value.

@poiana poiana added size/XL and removed size/L labels Oct 12, 2022
@FedeDP FedeDP force-pushed the fix/systemd_units branch 2 times, most recently from 238eaf7 to a1f0e5f (October 12, 2022 15:34)
@FedeDP
Contributor Author

FedeDP commented Oct 12, 2022

TODO:

  • test...
  • test...
  • test...

@FedeDP FedeDP force-pushed the fix/systemd_units branch from a0d40ba to 42986b4 (October 13, 2022 07:43)
@FedeDP
Contributor Author

FedeDP commented Oct 24, 2022

Renamed "Don't start" option to "Plugins" and rebased :)

@FedeDP FedeDP force-pushed the fix/systemd_units branch from f2af848 to 97fd0c3 (October 24, 2022 13:47)
FedeDP and others added 10 commits December 6, 2022 14:00
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
…d-inject with `PartOf`.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
…ical size to comprehend all of 5 options.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@poiana
Contributor

poiana commented Dec 6, 2022

New changes are detected. LGTM label has been removed.

@FedeDP
Contributor Author

FedeDP commented Dec 6, 2022

Rebased + added small fix.

@happy-dude
Contributor

Hey @FedeDP

I was able to pull down this branch today and play around with it.

Here is some output I was playing around with:

schan@debian:~/falco/build$ falco --version
Falco version: 0.32.1-344+2f21814
Libs version:  0.10.0-rc1
Plugin API:    2.0.0
Driver:
  API version:    3.0.0
  Schema version: 2.0.0
  Default driver: 4.0.0-rc1+driver

schan@debian:~/falco/build$ ls /lib/systemd/system/falco-*
/lib/systemd/system/falco-bpf.service          /lib/systemd/system/falco-kmod.service        /lib/systemd/system/falco-plugin.service
/lib/systemd/system/falco-kmod-inject.service  /lib/systemd/system/falco-modern-bpf.service

schan@debian:~/falco/build$ sudo systemctl enable falco-bpf.service
Created symlink /etc/systemd/system/multi-user.target.wants/falco-bpf.service → /lib/systemd/system/falco-bpf.service.

schan@debian:~/falco/build$ sudo systemctl start falco-bpf.service

schan@debian:~/falco/build$ sudo systemctl status falco-bpf.service
● falco-bpf.service - Falco: Container Native Runtime Security with ebpf
     Loaded: loaded (/lib/systemd/system/falco-bpf.service; enabled; preset: enabled)
     Active: active (running) since Wed 2022-12-14 12:52:06 CST; 6s ago
       Docs: https://falco.org/docs/
   Main PID: 88417 (falco)
      Tasks: 14 (limit: 9505)
     Memory: 22.2M
        CPU: 303ms
     CGroup: /system.slice/falco-bpf.service
             └─88417 /usr/bin/falco --pidfile=/var/run/falco.pid

Dec 14 12:52:06 debian systemd[1]: Started Falco: Container Native Runtime Security with ebpf.
Dec 14 12:52:07 debian falco[88417]: Falco version: 0.32.1-344+2f21814 (aarch64)
Dec 14 12:52:07 debian falco[88417]: Falco initialized with configuration file: /etc/falco/falco.yaml
Dec 14 12:52:07 debian falco[88417]: Loading rules from file /etc/falco/falco_rules.yaml
Dec 14 12:52:07 debian falco[88417]: Loading rules from file /etc/falco/falco_rules.local.yaml
Dec 14 12:52:07 debian falco[88417]: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Dec 14 12:52:07 debian falco[88417]: Starting health webserver with threadiness 6, listening on port 8765
Dec 14 12:52:07 debian falco[88417]: Enabled event sources: syscall
Dec 14 12:52:07 debian falco[88417]: Opening capture with BPF probe. BPF probe path: /root/.falco/falco-bpf.o

schan@debian:~/falco/build$ sudo systemctl disable falco-bpf
Removed "/etc/systemd/system/multi-user.target.wants/falco-bpf.service".
schan@debian:~/falco/build$ sudo systemctl stop falco-bpf
schan@debian:~/falco/build$ sudo systemctl status falco-bpf.service
○ falco-bpf.service - Falco: Container Native Runtime Security with ebpf
     Loaded: loaded (/lib/systemd/system/falco-bpf.service; disabled; preset: enabled)
     Active: inactive (dead)
       Docs: https://falco.org/docs/

Dec 14 12:52:07 debian falco[88417]: Loading rules from file /etc/falco/falco_rules.yaml
Dec 14 12:52:07 debian falco[88417]: Loading rules from file /etc/falco/falco_rules.local.yaml
Dec 14 12:52:07 debian falco[88417]: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Dec 14 12:52:07 debian falco[88417]: Starting health webserver with threadiness 6, listening on port 8765
Dec 14 12:52:07 debian falco[88417]: Enabled event sources: syscall
Dec 14 12:52:07 debian falco[88417]: Opening capture with BPF probe. BPF probe path: /root/.falco/falco-bpf.o
Dec 14 12:52:51 debian falco[88417]: SIGINT received, exiting...
Dec 14 12:52:51 debian systemd[1]: Stopping Falco: Container Native Runtime Security with ebpf...
Dec 14 12:52:51 debian systemd[1]: falco-bpf.service: Deactivated successfully.
Dec 14 12:52:51 debian systemd[1]: Stopped Falco: Container Native Runtime Security with ebpf.

However, I was unable to start/enable the service as described in the description with falco@bpf.target:

schan@debian:~/falco/build$ sudo systemctl start falco
Failed to start falco.service: Unit falco.service is masked.

schan@debian:~/falco/build$ sudo systemctl start falco@bpf
Failed to start falco@bpf.service: Unit falco@bpf.service not found.

schan@debian:~/falco/build$ sudo systemctl start falco@bpf.target
Failed to start falco@bpf.target: Unit falco@bpf.target not found.

schan@debian:~/falco/build$ sudo systemctl start falco@bpf.service
Failed to start falco@bpf.service: Unit falco@bpf.service not found.

schan@debian:~/falco/build$ sudo systemctl status falco
○ falco.service
     Loaded: masked (Reason: Unit falco.service is masked.)
     Active: inactive (dead)
schan@debian:~/falco/build$ ls /lib/systemd/system/falco-*
/lib/systemd/system/falco-bpf.service          /lib/systemd/system/falco-kmod.service        /lib/systemd/system/falco-plugin.service
/lib/systemd/system/falco-kmod-inject.service  /lib/systemd/system/falco-modern-bpf.service

Just wanted to double check and ask if this was working as expected?

@FedeDP
Contributor Author

FedeDP commented Dec 15, 2022

However, I was unable to start/enable the service as described in the description with falco@bpf.target

Yep, it is expected, since there is no longer a falco@bpf.target 😆

@FedeDP
Contributor Author

FedeDP commented Dec 15, 2022

@happy-dude I updated the OP!

Member

@leogr leogr left a comment

I believe this PR has finally reached a very great status and is ready to be tested in the real world.

🥳

Contributor

@jasondellaluce jasondellaluce left a comment

/approve

@poiana
Contributor

poiana commented Dec 15, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, jasondellaluce, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [FedeDP,jasondellaluce,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP
Contributor Author

FedeDP commented Dec 15, 2022

/unhold
