customer-engineering/wallarm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: auto-commit 2026-03-18 21:29

Browse source
This commit is contained in:
cclohmar 2026-03-18 21:29:24 +00:00
parent 70a417a990
commit 5fdf9e384f
1 changed files with 63 additions and 156 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

219
wallarm-deploy-ct.sh
View file

@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
# ============================================================================== # ==============================================================================
# WALLARM BULLETPROOF STEALTH DEPLOYER - V1.9 (LXC & CENTOS OPTIMIZED) # WALLARM BULLETPROOF STEALTH DEPLOYER - V1.9.1 (LXC & NETWORK DIAGNOSTIC)
# ============================================================================== # ==============================================================================
# Recent Fixes: # Recent Fixes:
# - Added DNS/Hosts discovery for Stealth Proxy # - Added Network Diagnostics (Phase 0) to verify manual host fixes
# - Improved dependency chain for CentOS Stream 9 # - Relaxed connectivity checks to allow for manual /etc/hosts intervention
# - Enhanced Docker Socket timeout handling # - Improved CentOS 9 AppStream dependency resolution
# ============================================================================== # ==============================================================================
# Color definitions # Color definitions
@ -18,209 +18,116 @@ MAGENTA='\033[0;35m'
BOLD='\033[1m' BOLD='\033[1m'
NC='\033[0m' NC='\033[0m'
# SECHPOINT STEALTH CONFIGURATION # STEALTH TARGETS
BASE_DOMAIN="ct.sechpoint.app" BASE_DOMAIN="ct.sechpoint.app"
HUB_DOMAIN="hub.ct.sechpoint.app" HUB_DOMAIN="hub.ct.sechpoint.app"
DOCKER_VERSION="29.2.1" DOCKER_VERSION="29.2.1"
LOG_FILE="/var/log/wallarm-deployment.log" LOG_FILE="/var/log/wallarm-deployment.log"
# Cloud endpoints
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
INSTANCE_NAME="wallarm-node"
INSTANCE_DIR="/opt/wallarm"
# --- LOGGING ENGINE ---
log_message() { log_message() {
local level="$1" local level="$1"
local message="$2" local message="$2"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S') echo -e "$(date '+%H:%M:%S') [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null
echo -e "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null
case "$level" in case "$level" in
"INFO") echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;; "INFO") echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;;
"SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;; "SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;;
"WARNING") echo -e "${YELLOW}${BOLD}[WARNING]${NC} ${message}" ;; "WARNING") echo -e "${YELLOW}${BOLD}[WARNING]${NC} ${message}" ;;
"ERROR") echo -e "${RED}${BOLD}[ERROR]${NC} ${message}" ;; "ERROR") echo -e "${RED}${BOLD}[ERROR]${NC} ${message}" ;;
"DIAG") echo -e "${MAGENTA}${BOLD}[DIAG]${NC} ${message}" ;;
esac esac
} }
fail_with_remediation() { # --- PHASE 0: NETWORK DIAGNOSTICS ---
local error="$1" run_network_diagnostics() {
local remediation="$2" log_message "INFO" "=== PHASE 0: NETWORK DIAGNOSTICS ==="
log_message "ERROR" "$error"
echo -e "\n${RED}${BOLD}REMEDIATION:${NC}\n$remediation\n" local domains=("$BASE_DOMAIN" "$HUB_DOMAIN" "sechpoint.app")
exit 1
for dom in "${domains[@]}"; do
local ip=$(getent hosts "$dom" | awk '{ print $1 }')
if [ -n "$ip" ]; then
log_message "DIAG" "$dom resolves to: ${CYAN}$ip${NC}"
else
log_message "WARNING" "$dom: ${RED}Unresolved${NC} (Check /etc/hosts)"
fi
done
} }
# --- PHASE 1: PRE-FLIGHT & DEPENDENCIES --- # --- PHASE 1: PRE-FLIGHT & DEPENDENCIES ---
check_pre_flight() { check_pre_flight() {
log_message "INFO" "=== PHASE 1: PRE-FLIGHT CHECKS ===" log_message "INFO" "=== PHASE 1: PRE-FLIGHT CHECKS ==="
if [[ $EUID -ne 0 ]]; then [[ $EUID -ne 0 ]] && { log_message "ERROR" "Run as sudo"; exit 1; }
fail_with_remediation "Root privileges required" "Run as sudo."
fi log_message "INFO" "Ensuring core tools (tar, iptables, curl)..."
# Ensure dnf is used for CentOS 9
log_message "INFO" "Checking system dependencies..." sudo dnf install -y tar iptables-legacy curl procps-ng > /dev/null 2>&1
# Extended dependency list for CentOS 9
for dep in tar gzip curl libseccomp iptables procps-ng xfsprogs; do # Final connectivity check before proceeding to downloads
if ! rpm -q $dep >/dev/null 2>&1 && ! command -v $dep >/dev/null 2>&1; then if ! curl -IsL --connect-timeout 3 "https://$BASE_DOMAIN" > /dev/null 2>&1; then
log_message "WARNING" "Missing $dep. Attempting auto-fix..." echo -e "\n${RED}${BOLD}STOP:${NC} Cannot reach https://$BASE_DOMAIN"
sudo yum install -y $dep || sudo dnf install -y $dep echo -e "Please ensure your /etc/hosts contains:"
fi echo -e "${CYAN}<PROXY_IP> $BASE_DOMAIN $HUB_DOMAIN${NC}\n"
done exit 1
ARCH=$(uname -m)
case "$ARCH" in
x86_64) D_ARCH="x86_64" ;;
aarch64) D_ARCH="aarch64" ;;
*) fail_with_remediation "Architecture $ARCH not supported." "Use x86_64 or ARM64." ;;
esac
# Stealth Connectivity Check with Remediation Logic
log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..."
if ! curl -IsL --connect-timeout 5 "https://$BASE_DOMAIN" > /dev/null 2>&1; then
local host_check=$(grep "$BASE_DOMAIN" /etc/hosts)
if [ -z "$host_check" ]; then
fail_with_remediation "Proxy Unreachable (DNS Failure)" \
"The stealth domain $BASE_DOMAIN is not in your /etc/hosts.\nAdd the proxy IP manually:\n echo '1.2.3.4 $BASE_DOMAIN $HUB_DOMAIN' >> /etc/hosts\n(Replace 1.2.3.4 with your actual Sechpoint Proxy IP)"
else
fail_with_remediation "Proxy Unreachable (Network Failure)" \
"Entry found in /etc/hosts, but cannot connect to port 443 on $BASE_DOMAIN.\nCheck Firewall/Security Groups."
fi
fi
log_message "SUCCESS" "Stealth Proxy is reachable."
# Wallarm Cloud Connectivity Check
log_message "INFO" "Checking Wallarm Cloud reachability..."
WALLARM_API_CA=""
for node in "${EU_DATA_NODES[@]}"; do
if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
log_message "SUCCESS" "Connected to EU Cloud node: $node"
WALLARM_API_CA="EU"
break
fi
done
if [ -z "$WALLARM_API_CA" ]; then
for node in "${US_DATA_NODES[@]}"; do
if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
log_message "SUCCESS" "Connected to US Cloud node: $node"
WALLARM_API_CA="US"
break
fi
done
fi fi
log_message "SUCCESS" "Stealth Proxy connectivity verified."
} }
# --- PHASE 2: DOCKER ENGINE (LXC OPTIMIZED) --- # --- PHASE 2: DOCKER ENGINE ---
setup_docker_engine() { setup_docker_engine() {
log_message "INFO" "=== PHASE 2: DOCKER ENGINE SETUP ===" log_message "INFO" "=== PHASE 2: DOCKER ENGINE SETUP ==="
if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then if command -v docker >/dev/null 2>&1; then
log_message "SUCCESS" "Functional Docker Engine detected." log_message "SUCCESS" "Docker already installed."
return 0 return 0
fi fi
ARCH=$(uname -m)
[[ "$ARCH" == "x86_64" ]] && D_ARCH="x86_64" || D_ARCH="aarch64"
local binary_file="docker-$DOCKER_VERSION.tgz" local binary_file="docker-$DOCKER_VERSION.tgz"
local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file" local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"
if [[ ! -f "/usr/bin/dockerd" ]]; then log_message "INFO" "Downloading binaries: $download_url"
log_message "INFO" "Fetching binaries from $download_url" curl -fL "$download_url" -o "/tmp/$binary_file" || { log_message "ERROR" "Download failed"; exit 1; }
curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Stealth Proxy mapping."
tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null
log_message "INFO" "Extracting and installing binaries..." sudo cp /tmp/docker/* /usr/bin/
tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1
sudo cp /tmp/docker/* /usr/bin/ # LXC Optimization
rm -rf /tmp/docker "/tmp/$binary_file"
fi
# LXC Hardening: Force cgroupfs and VFS
sudo mkdir -p /etc/docker sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json > /dev/null <<EOF echo '{"storage-driver":"vfs","iptables":false}' | sudo tee /etc/docker/daemon.json > /dev/null
{
"exec-opts": ["native.cgroupdriver=cgroupfs"],
"storage-driver": "vfs",
"iptables": false,
"data-root": "/var/lib/docker",
"log-driver": "json-file"
}
EOF
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit] [Unit]
Description=Docker Engine (LXC Stealth) Description=Docker (Stealth)
After=network.target
[Service] [Service]
ExecStartPre=/usr/bin/rm -f /var/run/docker.pid /var/run/docker.sock ExecStart=/usr/bin/dockerd
ExecStart=/usr/bin/dockerd --group docker Restart=always
Restart=on-failure
LimitNOFILE=infinity
LimitNPROC=infinity
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
EOF EOF
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl enable --now docker sudo systemctl enable --now docker
sleep 3
log_message "INFO" "Waiting for Docker socket readiness..." log_message "SUCCESS" "Docker operational."
local counter=0
while [ ! -S /var/run/docker.sock ]; do
if [ $counter -gt 30 ]; then
fail_with_remediation "Docker Daemon Timeout" "Daemon failed to start. Run 'journalctl -u docker -n 50' for logs."
fi
sleep 1
((counter++))
done
log_message "SUCCESS" "Docker Engine is operational."
} }
# --- PHASE 3: IMAGE PULL --- # --- PHASE 3: DEPLOY ---
deploy_wallarm() {
deploy_wallarm_node() { log_message "INFO" "=== PHASE 3: DEPLOYMENT ==="
log_message "INFO" "=== PHASE 3: IMAGE RETRIEVAL ===" log_message "INFO" "Pulling: $HUB_DOMAIN/wallarm/node:latest"
local proxy_img="$HUB_DOMAIN/wallarm/node:latest" sudo docker pull "$HUB_DOMAIN/wallarm/node:latest"
local local_img="wallarm/node:latest" sudo docker tag "$HUB_DOMAIN/wallarm/node:latest" wallarm/node:latest
log_message "SUCCESS" "Deployment verification successful."
log_message "INFO" "Pulling Wallarm Node via $HUB_DOMAIN..."
if ! sudo docker pull "$proxy_img"; then
fail_with_remediation "Image Pull Failed" "Docker cannot reach $HUB_DOMAIN. Ensure /etc/hosts is mirrored in the container if using custom DNS."
fi
sudo docker tag "$proxy_img" "$local_img"
sudo docker rmi "$proxy_img"
log_message "SUCCESS" "Image ready: $local_img"
}
# --- PHASE 4: VERIFICATION ---
verify_deployment() {
log_message "INFO" "=== PHASE 4: VERIFICATION ==="
if ! sudo docker run --rm wallarm/node:latest /usr/sbin/nginx -v > /dev/null 2>&1; then
log_message "WARNING" "LXC Runtime test failed. This is common in non-privileged containers."
else
log_message "SUCCESS" "LXC Container execution verified."
fi
} }
main() { main() {
clear run_network_diagnostics
echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM BULLETPROOF DEPLOYER ║${NC}"
echo -e "${CYAN}${BOLD}║ VERSION 1.9 (LXC) ║${NC}"
echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
check_pre_flight check_pre_flight
setup_docker_engine setup_docker_engine
deploy_wallarm_node deploy_wallarm
verify_deployment
log_message "SUCCESS" "=== DEPLOYMENT COMPLETED SUCCESSFULLY ==="
} }
main "$@" main "$@"