chore: auto-commit 2026-03-18 21:24

This commit is contained in:
cclohmar 2026-03-18 21:24:07 +00:00
parent 9441ee4fb3
commit 70a417a990


@ -1,15 +1,11 @@
#!/bin/bash #!/bin/bash
# ============================================================================== # ==============================================================================
# WALLARM BULLETPROOF STEALTH DEPLOYER - V1.8 (LXC & CENTOS OPTIMIZED) # WALLARM BULLETPROOF STEALTH DEPLOYER - V1.9 (LXC & CENTOS OPTIMIZED)
# ============================================================================== # ==============================================================================
# Features: # Recent Fixes:
# - OS-agnostic binary deployment (CentOS, RHEL, Ubuntu, Debian, Alpine) # - Added DNS/Hosts discovery for Stealth Proxy
# - LXC Hardening: cgroupfs driver + VFS storage for nested container support # - Improved dependency chain for CentOS Stream 9
# - Stealth Proxy support (ct.sechpoint.app & hub.ct.sechpoint.app) # - Enhanced Docker Socket timeout handling
# - Comprehensive Pre-flight: EU/US cloud connectivity, CPU/RAM, Architecture
# - Reliability: Socket readiness loops, ExecStartPre cleanup, and libseccomp
# - Verification: Handshake testing, Cloud sync checks, and Attack simulation
# - Persistence: Systemd service management and log rotation
# ============================================================================== # ==============================================================================
# Color definitions # Color definitions
@ -28,22 +24,19 @@ HUB_DOMAIN="hub.ct.sechpoint.app"
DOCKER_VERSION="29.2.1" DOCKER_VERSION="29.2.1"
LOG_FILE="/var/log/wallarm-deployment.log" LOG_FILE="/var/log/wallarm-deployment.log"
# Cloud endpoints (Wallarm documentation) # Cloud endpoints
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com") EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com") US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
# Deployment Defaults
INSTANCE_NAME="wallarm-node" INSTANCE_NAME="wallarm-node"
INSTANCE_DIR="/opt/wallarm" INSTANCE_DIR="/opt/wallarm"
# --- LOGGING ENGINE --- # --- LOGGING ENGINE ---
log_message() { log_message() {
local level="$1" local level="$1"
local message="$2" local message="$2"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S') local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo -e "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null echo -e "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null
case "$level" in case "$level" in
"INFO") echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;; "INFO") echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;;
"SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;; "SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;;
@ -56,7 +49,7 @@ fail_with_remediation() {
local error="$1" local error="$1"
local remediation="$2" local remediation="$2"
log_message "ERROR" "$error" log_message "ERROR" "$error"
echo -e "\n${RED}${BOLD}REMEDIATION:${NC} ${remediation}\n" echo -e "\n${RED}${BOLD}REMEDIATION:${NC}\n$remediation\n"
exit 1 exit 1
} }
@ -69,16 +62,15 @@ check_pre_flight() {
fail_with_remediation "Root privileges required" "Run as sudo." fail_with_remediation "Root privileges required" "Run as sudo."
fi fi
# Check for core utilities and auto-install on CentOS/RHEL
log_message "INFO" "Checking system dependencies..." log_message "INFO" "Checking system dependencies..."
for dep in tar gzip curl libseccomp iptables procps-ng; do # Extended dependency list for CentOS 9
for dep in tar gzip curl libseccomp iptables procps-ng xfsprogs; do
if ! rpm -q $dep >/dev/null 2>&1 && ! command -v $dep >/dev/null 2>&1; then if ! rpm -q $dep >/dev/null 2>&1 && ! command -v $dep >/dev/null 2>&1; then
log_message "WARNING" "Missing $dep. Attempting auto-fix..." log_message "WARNING" "Missing $dep. Attempting auto-fix..."
sudo yum install -y $dep || sudo dnf install -y $dep sudo yum install -y $dep || sudo dnf install -y $dep
fi fi
done done
# Architecture validation
ARCH=$(uname -m) ARCH=$(uname -m)
case "$ARCH" in case "$ARCH" in
x86_64) D_ARCH="x86_64" ;; x86_64) D_ARCH="x86_64" ;;
@ -86,20 +78,24 @@ check_pre_flight() {
*) fail_with_remediation "Architecture $ARCH not supported." "Use x86_64 or ARM64." ;; *) fail_with_remediation "Architecture $ARCH not supported." "Use x86_64 or ARM64." ;;
esac esac
# Resource validation # Stealth Connectivity Check with Remediation Logic
local total_ram=$(free -m | awk '/^Mem:/{print $2}') log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..."
if [ "$total_ram" -lt 1500 ]; then if ! curl -IsL --connect-timeout 5 "https://$BASE_DOMAIN" > /dev/null 2>&1; then
log_message "WARNING" "System has less than 2GB RAM ($total_ram MB). Performance may be degraded." local host_check=$(grep "$BASE_DOMAIN" /etc/hosts)
if [ -z "$host_check" ]; then
fail_with_remediation "Proxy Unreachable (DNS Failure)" \
"The stealth domain $BASE_DOMAIN is not in your /etc/hosts.\nAdd the proxy IP manually:\n echo '1.2.3.4 $BASE_DOMAIN $HUB_DOMAIN' >> /etc/hosts\n(Replace 1.2.3.4 with your actual Sechpoint Proxy IP)"
else
fail_with_remediation "Proxy Unreachable (Network Failure)" \
"Entry found in /etc/hosts, but cannot connect to port 443 on $BASE_DOMAIN.\nCheck Firewall/Security Groups."
fi
fi fi
# Stealth Connectivity Check log_message "SUCCESS" "Stealth Proxy is reachable."
log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..."
if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then
fail_with_remediation "Proxy Unreachable" "Check /etc/hosts or DNS resolver for $BASE_DOMAIN"
fi
# Wallarm Cloud Connectivity Check # Wallarm Cloud Connectivity Check
log_message "INFO" "Checking Wallarm Cloud reachability..." log_message "INFO" "Checking Wallarm Cloud reachability..."
WALLARM_API_CA=""
for node in "${EU_DATA_NODES[@]}"; do for node in "${EU_DATA_NODES[@]}"; do
if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
log_message "SUCCESS" "Connected to EU Cloud node: $node" log_message "SUCCESS" "Connected to EU Cloud node: $node"
@ -117,10 +113,6 @@ check_pre_flight() {
fi fi
done done
fi fi
if [ -z "$WALLARM_API_CA" ]; then
log_message "WARNING" "Direct Wallarm Cloud access failed. Ensuring Stealth Proxy handles API calls."
fi
} }
# --- PHASE 2: DOCKER ENGINE (LXC OPTIMIZED) --- # --- PHASE 2: DOCKER ENGINE (LXC OPTIMIZED) ---
@ -141,7 +133,7 @@ setup_docker_engine() {
curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Stealth Proxy mapping." curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Stealth Proxy mapping."
log_message "INFO" "Extracting and installing binaries..." log_message "INFO" "Extracting and installing binaries..."
tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Tar extraction failed" "Verify 'tar' is functional." tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1
sudo cp /tmp/docker/* /usr/bin/ sudo cp /tmp/docker/* /usr/bin/
rm -rf /tmp/docker "/tmp/$binary_file" rm -rf /tmp/docker "/tmp/$binary_file"
fi fi
@ -153,14 +145,11 @@ setup_docker_engine() {
"exec-opts": ["native.cgroupdriver=cgroupfs"], "exec-opts": ["native.cgroupdriver=cgroupfs"],
"storage-driver": "vfs", "storage-driver": "vfs",
"iptables": false, "iptables": false,
"bridge": "none",
"data-root": "/var/lib/docker", "data-root": "/var/lib/docker",
"log-driver": "json-file", "log-driver": "json-file"
"log-opts": { "max-size": "10m", "max-file": "3" }
} }
EOF EOF
# Clean systemd service
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit] [Unit]
Description=Docker Engine (LXC Stealth) Description=Docker Engine (LXC Stealth)
@ -169,6 +158,8 @@ After=network.target
ExecStartPre=/usr/bin/rm -f /var/run/docker.pid /var/run/docker.sock ExecStartPre=/usr/bin/rm -f /var/run/docker.pid /var/run/docker.sock
ExecStart=/usr/bin/dockerd --group docker ExecStart=/usr/bin/dockerd --group docker
Restart=on-failure Restart=on-failure
LimitNOFILE=infinity
LimitNPROC=infinity
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
EOF EOF
@ -179,8 +170,8 @@ EOF
log_message "INFO" "Waiting for Docker socket readiness..." log_message "INFO" "Waiting for Docker socket readiness..."
local counter=0 local counter=0
while [ ! -S /var/run/docker.sock ]; do while [ ! -S /var/run/docker.sock ]; do
if [ $counter -gt 25 ]; then if [ $counter -gt 30 ]; then
fail_with_remediation "Docker Daemon Timeout" "Daemon failed to start in LXC. Check 'journalctl -u docker'" fail_with_remediation "Docker Daemon Timeout" "Daemon failed to start. Run 'journalctl -u docker -n 50' for logs."
fi fi
sleep 1 sleep 1
((counter++)) ((counter++))
@ -189,40 +180,31 @@ EOF
log_message "SUCCESS" "Docker Engine is operational." log_message "SUCCESS" "Docker Engine is operational."
} }
# --- PHASE 3: IMAGE PULL & NORMALIZATION --- # --- PHASE 3: IMAGE PULL ---
deploy_wallarm_node() { deploy_wallarm_node() {
log_message "INFO" "=== PHASE 3: IMAGE RETRIEVAL ===" log_message "INFO" "=== PHASE 3: IMAGE RETRIEVAL ==="
local proxy_img="$HUB_DOMAIN/wallarm/node:latest" local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
local local_img="wallarm/node:latest" local local_img="wallarm/node:latest"
log_message "INFO" "Pulling Wallarm Node via Stealth Registry..." log_message "INFO" "Pulling Wallarm Node via $HUB_DOMAIN..."
if ! sudo docker pull "$proxy_img"; then if ! sudo docker pull "$proxy_img"; then
fail_with_remediation "Image Pull Failed" "Registry $HUB_DOMAIN unreachable from inside Docker." fail_with_remediation "Image Pull Failed" "Docker cannot reach $HUB_DOMAIN. Ensure /etc/hosts is mirrored in the container if using custom DNS."
fi fi
sudo docker tag "$proxy_img" "$local_img" sudo docker tag "$proxy_img" "$local_img"
sudo docker rmi "$proxy_img" sudo docker rmi "$proxy_img"
log_message "SUCCESS" "Image pulled and tagged: $local_img" log_message "SUCCESS" "Image ready: $local_img"
} }
# --- PHASE 4: VERIFICATION & POST-DEPLOY --- # --- PHASE 4: VERIFICATION ---
verify_deployment() { verify_deployment() {
log_message "INFO" "=== PHASE 4: VERIFICATION ===" log_message "INFO" "=== PHASE 4: VERIFICATION ==="
# Check if we can run a basic container (LXC Kernel test)
log_message "INFO" "Testing LXC container execution capability..."
if ! sudo docker run --rm wallarm/node:latest /usr/sbin/nginx -v > /dev/null 2>&1; then if ! sudo docker run --rm wallarm/node:latest /usr/sbin/nginx -v > /dev/null 2>&1; then
log_message "WARNING" "LXC Runtime test failed. This often indicates Cgroup issues." log_message "WARNING" "LXC Runtime test failed. This is common in non-privileged containers."
else else
log_message "SUCCESS" "Container execution test passed." log_message "SUCCESS" "LXC Container execution verified."
fi
# Persistence check
if systemctl is-active --quiet docker; then
log_message "SUCCESS" "Docker persistence verified via systemd."
fi fi
} }
@ -230,7 +212,7 @@ main() {
clear clear
echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM BULLETPROOF DEPLOYER ║${NC}" echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM BULLETPROOF DEPLOYER ║${NC}"
echo -e "${CYAN}${BOLD}║ VERSION 1.8 (LXC) ║${NC}" echo -e "${CYAN}${BOLD}║ VERSION 1.9 (LXC) ║${NC}"
echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n" echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
check_pre_flight check_pre_flight
@ -238,11 +220,7 @@ main() {
deploy_wallarm_node deploy_wallarm_node
verify_deployment verify_deployment
echo -e "\n${GREEN}${BOLD}=== DEPLOYMENT COMPLETED SUCCESSFULLY ===${NC}" log_message "SUCCESS" "=== DEPLOYMENT COMPLETED SUCCESSFULLY ==="
echo -e "${CYAN}Log File: ${NC} $LOG_FILE"
echo -e "${CYAN}Docker: ${NC} $(docker --version)"
echo -e "${CYAN}Platform: ${NC} CentOS LXC (Hardened)"
echo -e "\n${YELLOW}Next Step: Configure Wallarm API Tokens and start the container.${NC}"
} }
main "$@" main "$@"
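Review bot: The new side of the hunk at `@ -141,7 +133,7 @@ setup_docker_engine()` drops the `|| fail_with_remediation "Tar extraction failed" ...` guard from the tar line, so a corrupt or truncated download no longer stops the script and the following `sudo cp /tmp/docker/* /usr/bin/` runs against whatever `/tmp/docker` happens to contain; restore the guard: `tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Tar extraction failed" "Verify 'tar' is functional."`. The same cp makes the fixed paths `/tmp/$binary_file` and `/tmp/docker` worth revisiting, since `/tmp` is shared and world-writable and a pre-existing `/tmp/docker` left by another local user would be copied into `/usr/bin` as root — downloading and extracting inside a `mktemp -d` directory removed by an EXIT trap avoids that. The archive is also still installed without any integrity check against a known digest for `DOCKER_VERSION`; that predates this commit but is the larger supply-chain gap in this function. setup_docker_engine begins before and ends after this hunk.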