chore: auto-commit 2026-03-18 20:54
This commit is contained in:
parent
0d56c63c3c
commit
9005d8c79e
1 changed files with 46 additions and 32 deletions
@ -1,16 +1,15 @@
#!/bin/bash
#!/bin/bash
# ==============================================================================
# ==============================================================================
# WALLARM NODE DEPLOYMENT SCRIPT - V1.1 (STEALTH PROXY EDITION)
# WALLARM NODE DEPLOYMENT SCRIPT - V1.4 (CENTOS COMPATIBILITY)
# ==============================================================================
# ==============================================================================
# Features:
# Features:
# - Added: Dependency check for 'tar' and 'gzip'
# - Fixed: Extraction failure handling (prevents false 'Live' status)
# - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
# - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
# - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
# - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
# - Automatic Architecture Detection & Path Mapping
# - Image Normalization (Re-tagging for internal compatibility)
# - OS-agnostic deployment (Ubuntu, Debian, CentOS, RHEL, Alpine, etc.)
# ==============================================================================
# ==============================================================================
# Color definitions for better UX
# Color definitions
RED='\033[0;31m'
RED='\033[0;31m'
GREEN='\033[0;32m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
YELLOW='\033[1;33m'
@ -22,12 +21,7 @@ NC='\033[0m'
# SECHPOINT STEALTH CONFIGURATION
# SECHPOINT STEALTH CONFIGURATION
BASE_DOMAIN="ct.sechpoint.app"
BASE_DOMAIN="ct.sechpoint.app"
HUB_DOMAIN="hub.ct.sechpoint.app"
HUB_DOMAIN="hub.ct.sechpoint.app"
DOCKER_VERSION="29.2.1" # Verified stable via Proxy
DOCKER_VERSION="29.2.1"
# Cloud endpoints (from Wallarm documentation)
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data.us1.wallarm.com")
LOG_FILE="/var/log/wallarm-deployment.log"
LOG_FILE="/var/log/wallarm-deployment.log"
# --- HELPER FUNCTIONS ---
# --- HELPER FUNCTIONS ---
@ -59,23 +53,34 @@ fail_with_remediation() {
check_pre_flight() {
check_pre_flight() {
log_message "INFO" "Starting pre-flight checks..."
log_message "INFO" "Starting pre-flight checks..."
# Root check
if [[ $EUID -ne 0 ]]; then
if [[ $EUID -ne 0 ]]; then
fail_with_remediation "Script must be run as root/sudo" "Try: sudo ./$(basename "$0")"
fail_with_remediation "Script must be run as root/sudo" "Try: sudo ./$(basename "$0")"
fi
fi
# Architecture check & mapping
# Check for core utilities (tar/gzip)
for cmd in tar gzip curl; do
if ! command -v $cmd >/dev/null 2>&1; then
log_message "WARNING" "Missing core dependency: $cmd. Attempting auto-fix..."
if command -v yum >/dev/null 2>&1; then
sudo yum install -y $cmd
elif command -v dnf >/dev/null 2>&1; then
sudo dnf install -y $cmd
else
fail_with_remediation "Missing $cmd" "Install $cmd manually (yum install $cmd)"
fi
fi
done
ARCH=$(uname -m)
ARCH=$(uname -m)
case "$ARCH" in
case "$ARCH" in
x86_64) D_ARCH="x86_64" ;;
x86_64) D_ARCH="x86_64" ;;
aarch64) D_ARCH="aarch64" ;;
aarch64) D_ARCH="aarch64" ;;
*) fail_with_remediation "Unsupported architecture: $ARCH" "Contact Sechpoint Support for custom binaries." ;;
*) fail_with_remediation "Unsupported architecture: $ARCH" "Contact Sechpoint Support." ;;
esac
esac
# Internet / Proxy check
log_message "INFO" "Verifying connectivity to Stealth Proxy ($BASE_DOMAIN)..."
log_message "INFO" "Checking connectivity to Stealth Proxy ($BASE_DOMAIN)..."
if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then
if ! curl -Is --connect-timeout 5 "https://$BASE_DOMAIN" > /dev/null; then
fail_with_remediation "Proxy Unreachable" "Check LXC resolver for $BASE_DOMAIN"
fail_with_remediation "Proxy Unreachable" "Check firewall rules for outbound HTTPS to $BASE_DOMAIN"
fi
fi
}
}
@ -90,21 +95,27 @@ setup_docker_engine() {
fi
fi
local binary_file="docker-$DOCKER_VERSION.tgz"
local binary_file="docker-$DOCKER_VERSION.tgz"
# Target Path on Zoraxy maps /linux/ to download.docker.com/linux/
local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"
local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"
log_message "INFO" "Fetching binaries from $download_url"
log_message "INFO" "Fetching binaries from $download_url"
curl -fL "$download_url" -o "/tmp/$binary_file"
curl -fL "$download_url" -o "/tmp/$binary_file"
if [[ $? -ne 0 ]]; then
if [[ $? -ne 0 ]]; then
fail_with_remediation "Binary download failed" "Verify Zoraxy mapping for /linux/ to download.docker.com"
fail_with_remediation "Binary download failed" "Verify Zoraxy mapping for /linux/"
fi
log_message "INFO" "Extracting binaries..."
if ! tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1; then
fail_with_remediation "Extraction failed" "Tar command failed. Ensure 'tar' is installed and working."
fi
if [[ ! -d "/tmp/docker" ]]; then
fail_with_remediation "Binary folder missing" "Extraction did not produce /tmp/docker folder."
fi
fi
tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null
sudo cp /tmp/docker/* /usr/bin/
sudo cp /tmp/docker/* /usr/bin/
rm -rf /tmp/docker "/tmp/$binary_file"
rm -rf /tmp/docker "/tmp/$binary_file"
# Create stealth systemd service
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit]
[Unit]
Description=Docker Engine
Description=Docker Engine
@ -118,6 +129,17 @@ EOF
sudo systemctl daemon-reload
sudo systemctl daemon-reload
sudo systemctl enable --now docker
sudo systemctl enable --now docker
# Wait for daemon to be ready
local counter=0
while ! docker info >/dev/null 2>&1; do
if [ $counter -gt 10 ]; then
fail_with_remediation "Docker Timeout" "Daemon failed to start. Check 'journalctl -u docker'"
fi
sleep 1
((counter++))
done
log_message "SUCCESS" "Docker Engine is live."
log_message "SUCCESS" "Docker Engine is live."
}
}
@ -126,17 +148,14 @@ EOF
deploy_wallarm_node() {
deploy_wallarm_node() {
log_message "INFO" "Fetching Wallarm Filtering Node via Stealth Registry..."
log_message "INFO" "Fetching Wallarm Filtering Node via Stealth Registry..."
# Source through our proxy subdomain
local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
# Destination name expected by standard configs
local local_img="wallarm/node:latest"
local local_img="wallarm/node:latest"
log_message "INFO" "Pulling $proxy_img..."
log_message "INFO" "Pulling $proxy_img..."
if ! sudo docker pull "$proxy_img"; then
if ! sudo docker pull "$proxy_img"; then
fail_with_remediation "Image Pull Failed" "Verify hub.ct.sechpoint.app points to registry-1.docker.io"
fail_with_remediation "Image Pull Failed" "Verify hub.ct.sechpoint.app is reachable."
fi
fi
# Normalize Image Tag
log_message "INFO" "Normalizing image tags..."
log_message "INFO" "Normalizing image tags..."
sudo docker tag "$proxy_img" "$local_img"
sudo docker tag "$proxy_img" "$local_img"
sudo docker rmi "$proxy_img"
sudo docker rmi "$proxy_img"
@ -149,18 +168,13 @@ deploy_wallarm_node() {
main() {
main() {
clear
clear
echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM STEALTH DEPLOYER V1.1 ║${NC}"
echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM STEALTH DEPLOYER V1.4 ║${NC}"
echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
check_pre_flight
check_pre_flight
setup_docker_engine
setup_docker_engine
deploy_wallarm_node
deploy_wallarm_node
log_message "INFO" "Deployment complete. Finalizing environment..."
# Create the persistent start script (Optional logic based on your previous file)
# Ensure it uses the normalized 'wallarm/node:latest' name
echo -e "\n${GREEN}${BOLD}STEALTH DEPLOYMENT SUCCESSFUL${NC}"
echo -e "\n${GREEN}${BOLD}STEALTH DEPLOYMENT SUCCESSFUL${NC}"
echo -e "Docker: $(docker --version)"
echo -e "Docker: $(docker --version)"
echo -e "Image: $(docker images wallarm/node --format '{{.Repository}}:{{.Tag}}')"
echo -e "Image: $(docker images wallarm/node --format '{{.Repository}}:{{.Tag}}')"
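Review bot: The new extraction guard in setup_docker_engine (`if [[ ! -d "/tmp/docker" ]]`) followed by the unchanged `sudo cp /tmp/docker/* /usr/bin/` cannot distinguish a fresh extraction from whatever already sits in the fixed, world-shared path `/tmp/docker`, so stale or foreign files there pass the check and are installed into `/usr/bin`; extract into a private `mktemp -d` directory and remove that instead. The archive is also installed with no integrity check beyond TLS to the proxy host, and since DOCKER_VERSION is pinned the expected SHA256 of `docker-$DOCKER_VERSION.tgz` can be pinned next to it and verified with `sha256sum -c` before `tar` runs. The `sudo` prefixes are redundant given the EUID check in check_pre_flight, and because fail_with_remediation presumably exits (its body is outside the hunk), the cleanup in the sketch below covers only the success path unless an EXIT trap is added. In the check_pre_flight hunk the status of `sudo yum install -y $cmd` / `sudo dnf install -y $cmd` is never checked, so a failed auto-fix only surfaces later as a less specific curl or tar error; append `|| fail_with_remediation "Could not install $cmd" "Install $cmd manually and re-run"` to each. setup_docker_engine starts before this hunk.
```shell
    local work_dir
    work_dir=$(mktemp -d) || fail_with_remediation "Temp dir creation failed" "Check that /tmp is writable"

    curl -fL "$download_url" -o "$work_dir/$binary_file"
    # … unchanged: download failure handling (path is now "$work_dir/$binary_file") …

    # Placeholder: fill in the SHA256 for the pinned DOCKER_VERSION from a trusted source
    local expected_sha256="REPLACE_WITH_PINNED_SHA256"
    if ! printf '%s  %s\n' "$expected_sha256" "$work_dir/$binary_file" | sha256sum -c - >/dev/null 2>&1; then
        fail_with_remediation "Checksum mismatch" "Archive does not match the pinned SHA256 for Docker $DOCKER_VERSION"
    fi

    log_message "INFO" "Extracting binaries..."
    if ! tar xzf "$work_dir/$binary_file" -C "$work_dir" > /dev/null 2>&1; then
        fail_with_remediation "Extraction failed" "Tar command failed. Ensure 'tar' is installed and working."
    fi
    if [[ ! -d "$work_dir/docker" ]]; then
        fail_with_remediation "Binary folder missing" "Extraction did not produce a docker folder."
    fi

    cp "$work_dir"/docker/* /usr/bin/
    rm -rf -- "$work_dir"
    # … unchanged: systemd unit, daemon-reload, enable --now …
```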