chore: auto-commit 2026-03-18 20:59

2026-03-18 20:59:00 +00:00 · 2026-03-18 20:59:00 +00:00 · 2e349cf279
commit 2e349cf279
parent 66928424a4
1 changed files with 40 additions and 23 deletions
--- a/wallarm-deploy-ct.sh
+++ b/wallarm-deploy-ct.sh
@ -1,10 +1,11 @@
 #!/bin/bash
 # ==============================================================================
-# WALLARM NODE DEPLOYMENT SCRIPT - V1.6 (LXC & CENTOS COMPATIBILITY)
+# WALLARM NODE DEPLOYMENT SCRIPT - V1.7 (LXC KERNEL & SOCKET FIX)
 # ==============================================================================
 # Features:
-# - Added: LXC-specific Docker Daemon configuration (cgroupfs driver)
-# - Added: libseccomp and iptables dependency checks
+# - Added: Storage driver fallback (vfs) for LXC environments
+# - Added: Cgroup/Systemd bypass for nested container execution
+# - Added: socket readiness loop to prevent 'Cannot connect to daemon' errors
 # - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
 # - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
 # ==============================================================================
@ -58,7 +59,6 @@ check_pre_flight() {
    fi

    # Core utilities and Docker runtime dependencies
-    # iptables is often needed by dockerd even if we disable it in config
    for cmd_or_lib in tar gzip curl libseccomp iptables; do
        if ! rpm -q $cmd_or_lib >/dev/null 2>&1 && ! command -v $cmd_or_lib >/dev/null 2>&1; then
            log_message "WARNING" "Missing dependency: $cmd_or_lib. Attempting auto-fix..."
@ -88,14 +88,16 @@ check_pre_flight() {
 setup_docker_engine() {
    log_message "INFO" "Deploying Docker Engine via Stealth Proxy..."

-    if command -v docker >/dev/null 2>&1; then
-        log_message "SUCCESS" "Docker engine already installed."
+    # Check if docker is actually working, not just installed
+    if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then
+        log_message "SUCCESS" "Docker engine is already installed and running."
        return 0
    fi

    local binary_file="docker-$DOCKER_VERSION.tgz"
    local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"

+    if [[ ! -f "/usr/bin/dockerd" ]]; then
        log_message "INFO" "Fetching binaries from $download_url"
        curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Proxy."

@ -103,25 +105,34 @@ setup_docker_engine() {
        tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Extraction failed" "Check tar."
        sudo cp /tmp/docker/* /usr/bin/
        rm -rf /tmp/docker "/tmp/$binary_file"
+    fi

    # --- LXC SPECIFIC CONFIGURATION ---
-    # We create a daemon.json to force cgroupfs which is more stable in LXC
    sudo mkdir -p /etc/docker
+    
+    # Determine best storage driver for LXC
+    local storage_driver="vfs"
+    if grep -q "overlay" /proc/filesystems; then
+        storage_driver="overlay2"
+    fi
+
    sudo tee /etc/docker/daemon.json > /dev/null <<EOF
 {
  "exec-opts": ["native.cgroupdriver=cgroupfs"],
-  "storage-driver": "vfs",
+  "storage-driver": "$storage_driver",
  "iptables": false,
-  "bridge": "none"
+  "bridge": "none",
+  "data-root": "/var/lib/docker"
 }
 EOF

-    # Create systemd service
+    # Create systemd service with manual start to ensure clean socket
    sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
 [Unit]
 Description=Docker Engine
 After=network.target
 [Service]
+ExecStartPre=/usr/bin/rm -f /var/run/docker.pid /var/run/docker.sock
 ExecStart=/usr/bin/dockerd --group docker
 Restart=on-failure
 [Install]
@ -129,20 +140,26 @@ WantedBy=multi-user.target
 EOF

    sudo systemctl daemon-reload
+    sudo systemctl stop docker > /dev/null 2>&1
    sudo systemctl enable --now docker
    
-    log_message "INFO" "Waiting for Docker daemon (LXC Optimized)..."
+    log_message "INFO" "Waiting for Docker socket (/var/run/docker.sock)..."
    local counter=0
-    while ! docker info >/dev/null 2>&1; do
+    while [ ! -S /var/run/docker.sock ]; do
        if [ $counter -gt 20 ]; then
-            log_message "ERROR" "Docker failed to start in LXC."
-            echo -e "${YELLOW}Manual Debug:${NC} sudo /usr/bin/dockerd --debug"
-            fail_with_remediation "Docker Timeout" "Check 'journalctl -u docker' for Cgroup errors."
+            log_message "ERROR" "Docker socket never appeared."
+            echo -e "${YELLOW}Debug Command:${NC} sudo /usr/bin/dockerd --debug"
+            fail_with_remediation "Socket Timeout" "Check 'journalctl -u docker' for kernel/cgroup errors."
        fi
        sleep 1
        ((counter++))
    done

+    # Final check
+    if ! sudo docker info >/dev/null 2>&1; then
+        fail_with_remediation "Daemon Error" "Socket exists but daemon is unresponsive. Check permissions."
+    fi
+
    log_message "SUCCESS" "Docker Engine is live in LXC."
 }

@ -156,7 +173,7 @@ deploy_wallarm_node() {

    log_message "INFO" "Pulling $proxy_img..."
    if ! sudo docker pull "$proxy_img"; then
-        fail_with_remediation "Image Pull Failed" "Verify hub.ct.sechpoint.app is reachable."
+        fail_with_remediation "Image Pull Failed" "Docker daemon is running but pull failed. Check Zoraxy registry logs."
    fi

    log_message "INFO" "Normalizing image tags..."
@ -171,7 +188,7 @@ deploy_wallarm_node() {
 main() {
    clear
    echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
-    echo -e "${CYAN}${BOLD}║           SECHPOINT WALLARM STEALTH DEPLOYER V1.6          ║${NC}"
+    echo -e "${CYAN}${BOLD}║           SECHPOINT WALLARM STEALTH DEPLOYER V1.7          ║${NC}"
    echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"

    check_pre_flight