new: ship falcoctl bundled with Falco

[FedeDP]

What type of PR is this?

/kind feature

Any specific area of the project related to this PR?

/area build

What this PR does / why we need it:

This PR bundles falcoctl inside Falco; moreover, it adds a new systemd service for falcoctl that will be used during DEB/RPM installation; moreover, the user will be asked (through a dialog) to enable the automatic feed; by default (when dialog is missing or we are in a non interactive mode), falcoctl is not enabled.

Finally, if no driver is chosen at package installation time, falcoctl dialog won't be shown.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

new!: ship falcoctl inside Falco

[FedeDP]

RC version for now. To be bumped before release.

[FedeDP]

Install it under the FALCO_COMPONENT_NAME, just like we do for falco-driver-loader.

[FedeDP]

Disabled by default.

[FedeDP]

Small tweaks.

[jasondellaluce]

/milestone 0.34.0

[FedeDP]

CI timed out :/

[FedeDP]

@LucaGuerra @loresuso @alacuku
Let me know if this works for you, given you are the most active devs on falcoctl :D

Minor refinements might be needed on systemd service permissions; moreover, i am not getting who is supposed to ship:

• etc/falcoctl/config.yaml
• /etc/falcoctl/follow.yaml

[FedeDP]

Do we really need StandardOutput=null for all other services?
/cc @leogr

[leogr]

@FedeDP
I'm unsure, but we likely need to keep it. The reason is to avoid polluting /var/logs/messages. See this my old comment.

[FedeDP]

Ok thank you!

[FedeDP]

Side note: if we want falcoctl.service to start after falco service, we would need to create a falco.target so that falcoctl.service can have a After=falco.target line, and every falco-*.service will be PartOf falco target.

Do you think this is important?
@leogr @loresuso

[leogr]

Side note: if we want falcoctl.service to start after falco service, we would need to create a falco.target so that falcoctl.service can have a After=falco.target line, and every falco-*.service will be PartOf falco target.

Do you think this is important? @leogr @loresuso

@FedeDP
Yes, I think so. Although falcoctl should correctly handle the case falco is not yet ready, I believe we should also enforce that via systemd for consistency.

[FedeDP]

Ok, i will add support for it :)

[FedeDP]

Support added in latest commit; basically:

• all the falco-X units are PartOf falco.target
• falco.target declares how units are installed
• falcoctl.service runs after and binds to falco.target; this means that it is run after the falco target and if the falco target is stopped it gets stopped
• preuninstall deb/rpm scripts will then stop just the falco.target, that will then stop falcoctl and falco-X services

[FedeDP]

Enabled by default.

[FedeDP]

Choice is always requested for falcoctl, even when no driver was chosen.

[FedeDP]

Since all units are PartOf falco.target, and falcoctl service is bound to it, we can just stop falco.target.

[jasondellaluce]

Fantastic work! LGTM so far!

[Andreagit97]

/hold

[jasondellaluce]

/approve

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, jasondellaluce, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [FedeDP,jasondellaluce,leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Andreagit97]

/unhold