diff --git a/wallarm-deploy-ct.sh b/wallarm-deploy-ct.sh
index 37eb0b6..bc8b446 100644
--- a/wallarm-deploy-ct.sh
+++ b/wallarm-deploy-ct.sh
@@ -1,10 +1,11 @@
 #!/bin/bash
 # ==============================================================================
-# WALLARM NODE DEPLOYMENT SCRIPT - V1.6 (LXC & CENTOS COMPATIBILITY)
+# WALLARM NODE DEPLOYMENT SCRIPT - V1.7 (LXC KERNEL & SOCKET FIX)
 # ==============================================================================
 # Features:
-# - Added: LXC-specific Docker Daemon configuration (cgroupfs driver)
-# - Added: libseccomp and iptables dependency checks
+# - Added: Storage driver fallback (vfs) for LXC environments
+# - Added: Cgroup/Systemd bypass for nested container execution
+# - Added: socket readiness loop to prevent 'Cannot connect to daemon' errors
 # - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
 # - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
 # ==============================================================================
@@ -58,7 +59,6 @@ check_pre_flight() {
 fi
 # Core utilities and Docker runtime dependencies
- # iptables is often needed by dockerd even if we disable it in config
 for cmd_or_lib in tar gzip curl libseccomp iptables; do
 if ! rpm -q $cmd_or_lib >/dev/null 2>&1 && ! command -v $cmd_or_lib >/dev/null 2>&1; then
 log_message "WARNING" "Missing dependency: $cmd_or_lib. Attempting auto-fix..."
@@ -88,40 +88,51 @@ check_pre_flight() {
 setup_docker_engine() {
 log_message "INFO" "Deploying Docker Engine via Stealth Proxy..."
- if command -v docker >/dev/null 2>&1; then
- log_message "SUCCESS" "Docker engine already installed."
+ # Check if docker is actually working, not just installed
+ if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then
+ log_message "SUCCESS" "Docker engine is already installed and running."
 return 0
 fi
 local binary_file="docker-$DOCKER_VERSION.tgz"
 local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"
- log_message "INFO" "Fetching binaries from $download_url"
- curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Proxy."
+ if [[ ! -f "/usr/bin/dockerd" ]]; then
+ log_message "INFO" "Fetching binaries from $download_url"
+ curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Proxy."
- log_message "INFO" "Extracting binaries..."
- tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Extraction failed" "Check tar."
- sudo cp /tmp/docker/* /usr/bin/
- rm -rf /tmp/docker "/tmp/$binary_file"
+ log_message "INFO" "Extracting binaries..."
+ tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Extraction failed" "Check tar."
+ sudo cp /tmp/docker/* /usr/bin/
+ rm -rf /tmp/docker "/tmp/$binary_file"
+ fi
 # --- LXC SPECIFIC CONFIGURATION ---
- # We create a daemon.json to force cgroupfs which is more stable in LXC
 sudo mkdir -p /etc/docker
+
+ # Determine best storage driver for LXC
+ local storage_driver="vfs"
+ if grep -q "overlay" /proc/filesystems; then
+ storage_driver="overlay2"
+ fi
+
+ sudo tee /etc/docker/daemon.json > /dev/null < /dev/null < /dev/null 2>&1 sudo systemctl enable --now docker
- log_message "INFO" "Waiting for Docker daemon (LXC Optimized)..."
+ log_message "INFO" "Waiting for Docker socket (/var/run/docker.sock)..."
 local counter=0
- while ! docker info >/dev/null 2>&1; do
+ while [ ! -S /var/run/docker.sock ]; do
 if [ $counter -gt 20 ]; then
- log_message "ERROR" "Docker failed to start in LXC."
- echo -e "${YELLOW}Manual Debug:${NC} sudo /usr/bin/dockerd --debug"
- fail_with_remediation "Docker Timeout" "Check 'journalctl -u docker' for Cgroup errors."
+ log_message "ERROR" "Docker socket never appeared."
+ echo -e "${YELLOW}Debug Command:${NC} sudo /usr/bin/dockerd --debug"
+ fail_with_remediation "Socket Timeout" "Check 'journalctl -u docker' for kernel/cgroup errors."
 fi
 sleep 1
 ((counter++))
 done
+ # Final check
+ if ! sudo docker info >/dev/null 2>&1; then
+ fail_with_remediation "Daemon Error" "Socket exists but daemon is unresponsive. Check permissions."
+ fi
+
 log_message "SUCCESS" "Docker Engine is live in LXC."
 }
@@ -156,7 +173,7 @@ deploy_wallarm_node() {
 log_message "INFO" "Pulling $proxy_img..."
 if ! sudo docker pull "$proxy_img"; then
- fail_with_remediation "Image Pull Failed" "Verify hub.ct.sechpoint.app is reachable."
+ fail_with_remediation "Image Pull Failed" "Docker daemon is running but pull failed. Check Zoraxy registry logs."
 fi
 log_message "INFO" "Normalizing image tags..."
@@ -171,7 +188,7 @@ deploy_wallarm_node() {
 main() {
 clear
 echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
- echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM STEALTH DEPLOYER V1.6 ║${NC}"
+ echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM STEALTH DEPLOYER V1.7 ║${NC}"
 echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
 check_pre_flight
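Review bot: The new `if [[ ! -f "/usr/bin/dockerd" ]]` guard in setup_docker_engine skips the download whenever any dockerd binary exists, so a stale or broken binary — exactly the case the strengthened `sudo docker info` check at the top of the function now falls through on — is never refreshed to `$DOCKER_VERSION`; comparing `dockerd --version` against `$DOCKER_VERSION` before skipping would close that gap. Inside the same block the tarball fetched through the proxy is still extracted into the fixed shared path `/tmp/docker` and everything found there is copied to `/usr/bin` with no integrity check, so a `mktemp -d` work directory plus a pinned-digest verification before the `sudo cp` are worth adding; the sketch below uses a placeholder `DOCKER_SHA256` variable for the digest. The daemon.json heredoc did not survive this rendering, so whether `storage_driver` is actually written into it cannot be confirmed here, and `grep -q "overlay" /proc/filesystems` only shows the kernel knows the filesystem, not that overlay mounts are permitted inside this container — a comment such as `# overlay in /proc/filesystems does not guarantee it is mountable in an unprivileged LXC; vfs is the safe fallback` would help the next reader. The socket loop `while [ ! -S /var/run/docker.sock ]` is fine as written because the added final `sudo docker info` catches a daemon that created the socket but is unhealthy.
```shell
    # … unchanged: install-state check, binary_file and download_url …
    if [[ ! -f "/usr/bin/dockerd" ]] || ! /usr/bin/dockerd --version 2>/dev/null | grep -qF -- "$DOCKER_VERSION"; then
        local work_dir
        work_dir=$(mktemp -d) || fail_with_remediation "mktemp failed" "Check /tmp."
        log_message "INFO" "Fetching binaries from $download_url"
        curl -fL "$download_url" -o "$work_dir/$binary_file" || fail_with_remediation "Download failed" "Check Proxy."
        # DOCKER_SHA256 is a placeholder: pin the digest of the exact release tarball here
        printf '%s  %s\n' "$DOCKER_SHA256" "$work_dir/$binary_file" | sha256sum -c --quiet - \
            || fail_with_remediation "Checksum mismatch" "Tarball differs from the pinned digest; not installing it."
        log_message "INFO" "Extracting binaries..."
        tar xzf "$work_dir/$binary_file" -C "$work_dir" || fail_with_remediation "Extraction failed" "Check tar."
        sudo cp "$work_dir"/docker/* /usr/bin/
        rm -rf -- "$work_dir"
    fi
    # … unchanged: daemon.json, systemd start, socket wait, final check …
```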