From 70a417a9909d4f2f6fbd83411b9cfc1b28c8fdae Mon Sep 17 00:00:00 2001
From: cclohmar
Date: Wed, 18 Mar 2026 21:24:07 +0000
Subject: [PATCH] chore: auto-commit 2026-03-18 21:24

---
 wallarm-deploy-ct.sh | 96 +++++++++++++++++--------------------------
 1 file changed, 37 insertions(+), 59 deletions(-)

diff --git a/wallarm-deploy-ct.sh b/wallarm-deploy-ct.sh
index b0ee376..d672a0e 100644
--- a/wallarm-deploy-ct.sh
+++ b/wallarm-deploy-ct.sh
@@ -1,15 +1,11 @@
 #!/bin/bash
 # ==============================================================================
-# WALLARM BULLETPROOF STEALTH DEPLOYER - V1.8 (LXC & CENTOS OPTIMIZED)
+# WALLARM BULLETPROOF STEALTH DEPLOYER - V1.9 (LXC & CENTOS OPTIMIZED)
 # ==============================================================================
-# Features:
-# - OS-agnostic binary deployment (CentOS, RHEL, Ubuntu, Debian, Alpine)
-# - LXC Hardening: cgroupfs driver + VFS storage for nested container support
-# - Stealth Proxy support (ct.sechpoint.app & hub.ct.sechpoint.app)
-# - Comprehensive Pre-flight: EU/US cloud connectivity, CPU/RAM, Architecture
-# - Reliability: Socket readiness loops, ExecStartPre cleanup, and libseccomp
-# - Verification: Handshake testing, Cloud sync checks, and Attack simulation
-# - Persistence: Systemd service management and log rotation
+# Recent Fixes:
+# - Added DNS/Hosts discovery for Stealth Proxy
+# - Improved dependency chain for CentOS Stream 9
+# - Enhanced Docker Socket timeout handling
 # ==============================================================================
 
 # Color definitions
@@ -28,22 +24,19 @@ HUB_DOMAIN="hub.ct.sechpoint.app" DOCKER_VERSION="29.2.1" LOG_FILE="/var/log/wallarm-deployment.log" -# Cloud endpoints (Wallarm documentation) +# Cloud endpoints EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com") US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com") -# Deployment Defaults INSTANCE_NAME="wallarm-node" INSTANCE_DIR="/opt/wallarm" # --- LOGGING ENGINE --- - log_message() { local level="$1" local message="$2" local timestamp=$(date '+%Y-%m-%d %H:%M:%S') echo -e "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null - case "$level" in "INFO") echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;; "SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;; @@ -56,7 +49,7 @@ fail_with_remediation() { local error="$1" local remediation="$2" log_message "ERROR" "$error" - echo -e "\n${RED}${BOLD}REMEDIATION:${NC} ${remediation}\n" + echo -e "\n${RED}${BOLD}REMEDIATION:${NC}\n$remediation\n" exit 1 } @@ -69,16 +62,15 @@ check_pre_flight() { fail_with_remediation "Root privileges required" "Run as sudo." fi - # Check for core utilities and auto-install on CentOS/RHEL log_message "INFO" "Checking system dependencies..." - for dep in tar gzip curl libseccomp iptables procps-ng; do + # Extended dependency list for CentOS 9 + for dep in tar gzip curl libseccomp iptables procps-ng xfsprogs; do if ! rpm -q $dep >/dev/null 2>&1 && ! command -v $dep >/dev/null 2>&1; then log_message "WARNING" "Missing $dep. Attempting auto-fix..." sudo yum install -y $dep || sudo dnf install -y $dep fi done - # Architecture validation ARCH=$(uname -m) case "$ARCH" in x86_64) D_ARCH="x86_64" ;; 
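Review bot: The install result in the extended dependency loop is never checked, so a package that fails to install through the proxy is only reported as a warning and the script carries on into the Docker install with the dependency still missing. Change the install line to `sudo yum install -y "$dep" || sudo dnf install -y "$dep" || fail_with_remediation "Could not install $dep" "Install it manually and re-run."`. The `command -v $dep` fallback can also never succeed for `libseccomp`, which is a library rather than a binary, so on a host without `rpm` every iteration ends in the install branch; the loop presumably only works on RPM-based systems, which is worth stating in the comment above it. check_pre_flight continues outside this hunk.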
@@ -86,20 +78,24 @@ check_pre_flight() { *) fail_with_remediation "Architecture $ARCH not supported." "Use x86_64 or ARM64." ;; esac - # Resource validation - local total_ram=$(free -m | awk '/^Mem:/{print $2}') - if [ "$total_ram" -lt 1500 ]; then - log_message "WARNING" "System has less than 2GB RAM ($total_ram MB). Performance may be degraded." + # Stealth Connectivity Check with Remediation Logic + log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..." + if ! curl -IsL --connect-timeout 5 "https://$BASE_DOMAIN" > /dev/null 2>&1; then + local host_check=$(grep "$BASE_DOMAIN" /etc/hosts) + if [ -z "$host_check" ]; then + fail_with_remediation "Proxy Unreachable (DNS Failure)" \ + "The stealth domain $BASE_DOMAIN is not in your /etc/hosts.\nAdd the proxy IP manually:\n echo '1.2.3.4 $BASE_DOMAIN $HUB_DOMAIN' >> /etc/hosts\n(Replace 1.2.3.4 with your actual Sechpoint Proxy IP)" + else + fail_with_remediation "Proxy Unreachable (Network Failure)" \ + "Entry found in /etc/hosts, but cannot connect to port 443 on $BASE_DOMAIN.\nCheck Firewall/Security Groups." + fi fi - # Stealth Connectivity Check - log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..." - if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then - fail_with_remediation "Proxy Unreachable" "Check /etc/hosts or DNS resolver for $BASE_DOMAIN" - fi + log_message "SUCCESS" "Stealth Proxy is reachable." # Wallarm Cloud Connectivity Check log_message "INFO" "Checking Wallarm Cloud reachability..." + WALLARM_API_CA="" for node in "${EU_DATA_NODES[@]}"; do if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then log_message "SUCCESS" "Connected to EU Cloud node: $node" @@ -117,10 +113,6 @@ check_pre_flight() { fi done fi - - if [ -z "$WALLARM_API_CA" ]; then - log_message "WARNING" "Direct Wallarm Cloud access failed. Ensuring Stealth Proxy handles API calls." - fi } # --- PHASE 2: DOCKER ENGINE (LXC OPTIMIZED) --- 
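Review bot: The `/etc/hosts` probe in the new remediation branch, `local host_check=$(grep "$BASE_DOMAIN" /etc/hosts)`, treats a commented-out line or a longer hostname that merely contains the domain as a valid entry (the dots in `$BASE_DOMAIN` are also regex wildcards), so a host with a stale `# 1.2.3.4 ct.sechpoint.app` line is sent down the "Network Failure" path and told to check firewalls instead of fixing the entry. Replace the `local host_check` and `if [ -z "$host_check" ]` lines with `if ! grep -v '^[[:space:]]*#' /etc/hosts | grep -qwF -- "$BASE_DOMAIN"; then` and invert the two branches. The reachability probe `curl -IsL --connect-timeout 5` still has no `--max-time`, so a proxy that accepts the TCP connection but never answers (or redirect-loops under `-L`) stalls the pre-flight indefinitely; add `--max-time 15` here and in the cloud-node loop below. Separately, `WALLARM_API_CA=""` is now initialised here while the next hunk deletes the "Direct Wallarm Cloud access failed" warning, so a run in which no EU/US node answers finishes the pre-flight with no indication at all. check_pre_flight continues outside this hunk.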
@@ -141,7 +133,7 @@ setup_docker_engine() { curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Stealth Proxy mapping." log_message "INFO" "Extracting and installing binaries..." - tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Tar extraction failed" "Verify 'tar' is functional." + tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 sudo cp /tmp/docker/* /usr/bin/ rm -rf /tmp/docker "/tmp/$binary_file" fi @@ -153,14 +145,11 @@ setup_docker_engine() { "exec-opts": ["native.cgroupdriver=cgroupfs"], "storage-driver": "vfs", "iptables": false, - "bridge": "none", "data-root": "/var/lib/docker", - "log-driver": "json-file", - "log-opts": { "max-size": "10m", "max-file": "3" } + "log-driver": "json-file" } EOF - # Clean systemd service sudo tee /etc/systemd/system/docker.service > /dev/null < /dev/null 2>&1; then - log_message "WARNING" "LXC Runtime test failed. This often indicates Cgroup issues." + log_message "WARNING" "LXC Runtime test failed. This is common in non-privileged containers." else - log_message "SUCCESS" "Container execution test passed." - fi - - # Persistence check - if systemctl is-active --quiet docker; then - log_message "SUCCESS" "Docker persistence verified via systemd." + log_message "SUCCESS" "LXC Container execution verified." fi } @@ -230,7 +212,7 @@ main() { clear echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM BULLETPROOF DEPLOYER ║${NC}" - echo -e "${CYAN}${BOLD}║ VERSION 1.8 (LXC) ║${NC}" + echo -e "${CYAN}${BOLD}║ VERSION 1.9 (LXC) ║${NC}" echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n" check_pre_flight 
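Review bot: Dropping the `|| fail_with_remediation` from the `tar xzvf` line makes an extraction failure (a corrupt or truncated download through the proxy) silent, and the next line `sudo cp /tmp/docker/* /usr/bin/` runs regardless. Because the archive is unpacked into the fixed, shared path `/tmp/docker`, whatever another local user had placed there beforehand would then be copied into `/usr/bin` as root, so the removed check was also the only guard against that; the download itself is likewise installed without any checksum or signature verification, which the hunk leaves as it was. Restore the failure check and extract into a private `mktemp -d` directory instead of `/tmp`, as below. setup_docker_engine continues outside this hunk.
```shell
    # … unchanged: download_url / binary_file setup …
    local tmpdir
    tmpdir=$(mktemp -d) || fail_with_remediation "mktemp failed" "Check that /tmp is writable."
    curl -fL "$download_url" -o "$tmpdir/$binary_file" || fail_with_remediation "Download failed" "Check Stealth Proxy mapping."
    log_message "INFO" "Extracting and installing binaries..."
    tar xzf "$tmpdir/$binary_file" -C "$tmpdir" >/dev/null 2>&1 || fail_with_remediation "Tar extraction failed" "Verify 'tar' is functional."
    sudo cp -- "$tmpdir"/docker/* /usr/bin/
    rm -rf -- "${tmpdir:?}"
    # … unchanged: closing fi of the install branch …
```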
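Review bot: Removing `"log-opts": { "max-size": "10m", "max-file": "3" }` from daemon.json leaves the json-file driver with no rotation, so container stdout/stderr grows without bound under /var/lib/docker; on an LXC guest with a small root filesystem that is a disk-exhaustion path, and the "log rotation" the old header advertised is gone with it. If the cap was dropped deliberately, say so in a comment next to `"log-driver": "json-file"`; otherwise keep the two lines. Dropping `"bridge": "none"` while `"iptables": false` stays presumably means dockerd now creates docker0 but adds no NAT rules for it, so containers on the default bridge would have no outbound path unless the host masquerades for them — worth a one-line comment either way. The tail of this hunk (the systemd unit heredoc) is garbled in this view and is not reviewed here.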
@@ -238,11 +220,7 @@ main() {
 deploy_wallarm_node
 verify_deployment
 
- echo -e "\n${GREEN}${BOLD}=== DEPLOYMENT COMPLETED SUCCESSFULLY ===${NC}"
- echo -e "${CYAN}Log File: ${NC} $LOG_FILE"
- echo -e "${CYAN}Docker: ${NC} $(docker --version)"
- echo -e "${CYAN}Platform: ${NC} CentOS LXC (Hardened)"
- echo -e "\n${YELLOW}Next Step: Configure Wallarm API Tokens and start the container.${NC}"
+ log_message "SUCCESS" "=== DEPLOYMENT COMPLETED SUCCESSFULLY ==="
 }
 
 main "$@"
\ No newline at end of file
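Review bot: The closing summary now goes through `log_message "SUCCESS"` alone, which also drops the "Next Step: Configure Wallarm API Tokens and start the container." hint, so an operator no longer learns that the node is deployed but not yet registered; keep that guidance as `log_message "INFO" "Next Step: Configure Wallarm API Tokens and start the container."` after the success line. The file also still ends without a trailing newline (`\ No newline at end of file`), which `git diff` will keep flagging on every later change to the last line.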