chore: auto-commit 2026-03-18 20:56

wallarm-deploy-ct.sh

@@ -1,10 +1,10 @@
 #!/bin/bash
 # ==============================================================================
-# WALLARM NODE DEPLOYMENT SCRIPT - V1.4 (CENTOS COMPATIBILITY)
+# WALLARM NODE DEPLOYMENT SCRIPT - V1.6 (LXC & CENTOS COMPATIBILITY)
 # ==============================================================================
 # Features:
-# - Added: Dependency check for 'tar' and 'gzip'
+# - Added: LXC-specific Docker Daemon configuration (cgroupfs driver)
-# - Fixed: Extraction failure handling (prevents false 'Live' status)
+# - Added: libseccomp and iptables dependency checks
 # - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
 # - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
 # ==============================================================================
@@ -57,16 +57,15 @@ check_pre_flight() {
         fail_with_remediation "Script must be run as root/sudo" "Try: sudo ./$(basename "$0")"
     fi
 
-    # Check for core utilities (tar/gzip)
+    # Core utilities and Docker runtime dependencies
-    for cmd in tar gzip curl; do
+    # iptables is often needed by dockerd even if we disable it in config
-        if ! command -v $cmd >/dev/null 2>&1; then
+    for cmd_or_lib in tar gzip curl libseccomp iptables; do
-            log_message "WARNING" "Missing core dependency: $cmd. Attempting auto-fix..."
+        if ! rpm -q $cmd_or_lib >/dev/null 2>&1 && ! command -v $cmd_or_lib >/dev/null 2>&1; then
+            log_message "WARNING" "Missing dependency: $cmd_or_lib. Attempting auto-fix..."
             if command -v yum >/dev/null 2>&1; then
-                sudo yum install -y $cmd
+                sudo yum install -y $cmd_or_lib
             elif command -v dnf >/dev/null 2>&1; then
-                sudo dnf install -y $cmd
+                sudo dnf install -y $cmd_or_lib
-            else
-                fail_with_remediation "Missing $cmd" "Install $cmd manually (yum install $cmd)"
             fi
         fi
     done
@@ -80,7 +79,7 @@ check_pre_flight() {
     
     log_message "INFO" "Verifying connectivity to Stealth Proxy ($BASE_DOMAIN)..."
     if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then
-        fail_with_remediation "Proxy Unreachable" "Check LXC resolver for $BASE_DOMAIN"
+        fail_with_remediation "Proxy Unreachable" "Check LXC resolver or host-level /etc/hosts for $BASE_DOMAIN"
     fi
 }
 
@@ -98,24 +97,26 @@ setup_docker_engine() {
     local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"
 
     log_message "INFO" "Fetching binaries from $download_url"
-    
+    curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Proxy."
-    curl -fL "$download_url" -o "/tmp/$binary_file"
-    if [[ $? -ne 0 ]]; then
-        fail_with_remediation "Binary download failed" "Verify Zoraxy mapping for /linux/"
-    fi
 
     log_message "INFO" "Extracting binaries..."
-    if ! tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1; then
+    tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Extraction failed" "Check tar."
-        fail_with_remediation "Extraction failed" "Tar command failed. Ensure 'tar' is installed and working."
-    fi
-
-    if [[ ! -d "/tmp/docker" ]]; then
-        fail_with_remediation "Binary folder missing" "Extraction did not produce /tmp/docker folder."
-    fi
-
     sudo cp /tmp/docker/* /usr/bin/
     rm -rf /tmp/docker "/tmp/$binary_file"
 
+    # --- LXC SPECIFIC CONFIGURATION ---
+    # We create a daemon.json to force cgroupfs which is more stable in LXC
+    sudo mkdir -p /etc/docker
+    sudo tee /etc/docker/daemon.json > /dev/null <<EOF
+{
+  "exec-opts": ["native.cgroupdriver=cgroupfs"],
+  "storage-driver": "vfs",
+  "iptables": false,
+  "bridge": "none"
+}
+EOF
+
+    # Create systemd service
     sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
 [Unit]
 Description=Docker Engine
@@ -130,17 +131,19 @@ EOF
     sudo systemctl daemon-reload
     sudo systemctl enable --now docker
     
-    # Wait for daemon to be ready
+    log_message "INFO" "Waiting for Docker daemon (LXC Optimized)..."
     local counter=0
     while ! docker info >/dev/null 2>&1; do
-        if [ $counter -gt 10 ]; then
+        if [ $counter -gt 20 ]; then
-            fail_with_remediation "Docker Timeout" "Daemon failed to start. Check 'journalctl -u docker'"
+            log_message "ERROR" "Docker failed to start in LXC."
+            echo -e "${YELLOW}Manual Debug:${NC} sudo /usr/bin/dockerd --debug"
+            fail_with_remediation "Docker Timeout" "Check 'journalctl -u docker' for Cgroup errors."
         fi
         sleep 1
         ((counter++))
     done
 
-    log_message "SUCCESS" "Docker Engine is live."
+    log_message "SUCCESS" "Docker Engine is live in LXC."
 }
 
 # --- WALLARM NODE DEPLOYMENT ---
@@ -168,7 +171,7 @@ deploy_wallarm_node() {
 main() {
     clear
     echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
-    echo -e "${CYAN}${BOLD}║           SECHPOINT WALLARM STEALTH DEPLOYER V1.4          ║${NC}"
+    echo -e "${CYAN}${BOLD}║           SECHPOINT WALLARM STEALTH DEPLOYER V1.6          ║${NC}"
     echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
 
     check_pre_flight