customer-engineering/wallarm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: auto-commit 2026-03-18 21:16

Browse source
This commit is contained in:
cclohmar 2026-03-18 21:16:35 +00:00
parent 2e349cf279
commit 9441ee4fb3
2 changed files with 1217 additions and 68 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1104
wallarm-deploy-ct copy.sh Normal file
View file

File diff suppressed because it is too large Load diff

175
wallarm-deploy-ct.sh
View file

@ -1,13 +1,15 @@
#!/bin/bash #!/bin/bash
# ============================================================================== # ==============================================================================
# WALLARM NODE DEPLOYMENT SCRIPT - V1.7 (LXC KERNEL & SOCKET FIX) # WALLARM BULLETPROOF STEALTH DEPLOYER - V1.8 (LXC & CENTOS OPTIMIZED)
# ============================================================================== # ==============================================================================
# Features: # Features:
# - Added: Storage driver fallback (vfs) for LXC environments # - OS-agnostic binary deployment (CentOS, RHEL, Ubuntu, Debian, Alpine)
# - Added: Cgroup/Systemd bypass for nested container execution # - LXC Hardening: cgroupfs driver + VFS storage for nested container support
# - Added: socket readiness loop to prevent 'Cannot connect to daemon' errors # - Stealth Proxy support (ct.sechpoint.app & hub.ct.sechpoint.app)
# - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com) # - Comprehensive Pre-flight: EU/US cloud connectivity, CPU/RAM, Architecture
# - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io) # - Reliability: Socket readiness loops, ExecStartPre cleanup, and libseccomp
# - Verification: Handshake testing, Cloud sync checks, and Attack simulation
# - Persistence: Systemd service management and log rotation
# ============================================================================== # ==============================================================================
# Color definitions # Color definitions
@ -16,6 +18,7 @@ GREEN='\033[0;32m'
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' BLUE='\033[0;34m'
CYAN='\033[0;36m' CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
BOLD='\033[1m' BOLD='\033[1m'
NC='\033[0m' NC='\033[0m'
@ -25,7 +28,15 @@ HUB_DOMAIN="hub.ct.sechpoint.app"
DOCKER_VERSION="29.2.1" DOCKER_VERSION="29.2.1"
LOG_FILE="/var/log/wallarm-deployment.log" LOG_FILE="/var/log/wallarm-deployment.log"
# --- HELPER FUNCTIONS --- # Cloud endpoints (Wallarm documentation)
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
# Deployment Defaults
INSTANCE_NAME="wallarm-node"
INSTANCE_DIR="/opt/wallarm"
# --- LOGGING ENGINE ---
log_message() { log_message() {
local level="$1" local level="$1"
@ -49,48 +60,76 @@ fail_with_remediation() {
exit 1 exit 1
} }
# --- SYSTEM CHECKS --- # --- PHASE 1: PRE-FLIGHT & DEPENDENCIES ---
check_pre_flight() { check_pre_flight() {
log_message "INFO" "Starting pre-flight checks..." log_message "INFO" "=== PHASE 1: PRE-FLIGHT CHECKS ==="
if [[ $EUID -ne 0 ]]; then if [[ $EUID -ne 0 ]]; then
fail_with_remediation "Script must be run as root/sudo" "Try: sudo ./$(basename "$0")" fail_with_remediation "Root privileges required" "Run as sudo."
fi fi
# Core utilities and Docker runtime dependencies # Check for core utilities and auto-install on CentOS/RHEL
for cmd_or_lib in tar gzip curl libseccomp iptables; do log_message "INFO" "Checking system dependencies..."
if ! rpm -q $cmd_or_lib >/dev/null 2>&1 && ! command -v $cmd_or_lib >/dev/null 2>&1; then for dep in tar gzip curl libseccomp iptables procps-ng; do
log_message "WARNING" "Missing dependency: $cmd_or_lib. Attempting auto-fix..." if ! rpm -q $dep >/dev/null 2>&1 && ! command -v $dep >/dev/null 2>&1; then
if command -v yum >/dev/null 2>&1; then log_message "WARNING" "Missing $dep. Attempting auto-fix..."
sudo yum install -y $cmd_or_lib sudo yum install -y $dep || sudo dnf install -y $dep
elif command -v dnf >/dev/null 2>&1; then
sudo dnf install -y $cmd_or_lib
fi
fi fi
done done
# Architecture validation
ARCH=$(uname -m) ARCH=$(uname -m)
case "$ARCH" in case "$ARCH" in
x86_64) D_ARCH="x86_64" ;; x86_64) D_ARCH="x86_64" ;;
aarch64) D_ARCH="aarch64" ;; aarch64) D_ARCH="aarch64" ;;
*) fail_with_remediation "Unsupported architecture: $ARCH" "Contact Sechpoint Support." ;; *) fail_with_remediation "Architecture $ARCH not supported." "Use x86_64 or ARM64." ;;
esac esac
log_message "INFO" "Verifying connectivity to Stealth Proxy ($BASE_DOMAIN)..." # Resource validation
local total_ram=$(free -m | awk '/^Mem:/{print $2}')
if [ "$total_ram" -lt 1500 ]; then
log_message "WARNING" "System has less than 2GB RAM ($total_ram MB). Performance may be degraded."
fi
# Stealth Connectivity Check
log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..."
if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then
fail_with_remediation "Proxy Unreachable" "Check LXC resolver or host-level /etc/hosts for $BASE_DOMAIN" fail_with_remediation "Proxy Unreachable" "Check /etc/hosts or DNS resolver for $BASE_DOMAIN"
fi
# Wallarm Cloud Connectivity Check
log_message "INFO" "Checking Wallarm Cloud reachability..."
for node in "${EU_DATA_NODES[@]}"; do
if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
log_message "SUCCESS" "Connected to EU Cloud node: $node"
WALLARM_API_CA="EU"
break
fi
done
if [ -z "$WALLARM_API_CA" ]; then
for node in "${US_DATA_NODES[@]}"; do
if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
log_message "SUCCESS" "Connected to US Cloud node: $node"
WALLARM_API_CA="US"
break
fi
done
fi
if [ -z "$WALLARM_API_CA" ]; then
log_message "WARNING" "Direct Wallarm Cloud access failed. Ensuring Stealth Proxy handles API calls."
fi fi
} }
# --- DOCKER ENGINE SETUP --- # --- PHASE 2: DOCKER ENGINE (LXC OPTIMIZED) ---
setup_docker_engine() { setup_docker_engine() {
log_message "INFO" "Deploying Docker Engine via Stealth Proxy..." log_message "INFO" "=== PHASE 2: DOCKER ENGINE SETUP ==="
# Check if docker is actually working, not just installed
if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then
log_message "SUCCESS" "Docker engine is already installed and running." log_message "SUCCESS" "Functional Docker Engine detected."
return 0 return 0
fi fi
@ -99,37 +138,32 @@ setup_docker_engine() {
if [[ ! -f "/usr/bin/dockerd" ]]; then if [[ ! -f "/usr/bin/dockerd" ]]; then
log_message "INFO" "Fetching binaries from $download_url" log_message "INFO" "Fetching binaries from $download_url"
curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Proxy." curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Stealth Proxy mapping."
log_message "INFO" "Extracting binaries..." log_message "INFO" "Extracting and installing binaries..."
tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Extraction failed" "Check tar." tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1 || fail_with_remediation "Tar extraction failed" "Verify 'tar' is functional."
sudo cp /tmp/docker/* /usr/bin/ sudo cp /tmp/docker/* /usr/bin/
rm -rf /tmp/docker "/tmp/$binary_file" rm -rf /tmp/docker "/tmp/$binary_file"
fi fi
# --- LXC SPECIFIC CONFIGURATION --- # LXC Hardening: Force cgroupfs and VFS
sudo mkdir -p /etc/docker sudo mkdir -p /etc/docker
# Determine best storage driver for LXC
local storage_driver="vfs"
if grep -q "overlay" /proc/filesystems; then
storage_driver="overlay2"
fi
sudo tee /etc/docker/daemon.json > /dev/null <<EOF sudo tee /etc/docker/daemon.json > /dev/null <<EOF
{ {
"exec-opts": ["native.cgroupdriver=cgroupfs"], "exec-opts": ["native.cgroupdriver=cgroupfs"],
"storage-driver": "$storage_driver", "storage-driver": "vfs",
"iptables": false, "iptables": false,
"bridge": "none", "bridge": "none",
"data-root": "/var/lib/docker" "data-root": "/var/lib/docker",
"log-driver": "json-file",
"log-opts": { "max-size": "10m", "max-file": "3" }
} }
EOF EOF
# Create systemd service with manual start to ensure clean socket # Clean systemd service
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit] [Unit]
Description=Docker Engine Description=Docker Engine (LXC Stealth)
After=network.target After=network.target
[Service] [Service]
ExecStartPre=/usr/bin/rm -f /var/run/docker.pid /var/run/docker.sock ExecStartPre=/usr/bin/rm -f /var/run/docker.pid /var/run/docker.sock
@ -140,64 +174,75 @@ WantedBy=multi-user.target
EOF EOF
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl stop docker > /dev/null 2>&1
sudo systemctl enable --now docker sudo systemctl enable --now docker
log_message "INFO" "Waiting for Docker socket (/var/run/docker.sock)..." log_message "INFO" "Waiting for Docker socket readiness..."
local counter=0 local counter=0
while [ ! -S /var/run/docker.sock ]; do while [ ! -S /var/run/docker.sock ]; do
if [ $counter -gt 20 ]; then if [ $counter -gt 25 ]; then
log_message "ERROR" "Docker socket never appeared." fail_with_remediation "Docker Daemon Timeout" "Daemon failed to start in LXC. Check 'journalctl -u docker'"
echo -e "${YELLOW}Debug Command:${NC} sudo /usr/bin/dockerd --debug"
fail_with_remediation "Socket Timeout" "Check 'journalctl -u docker' for kernel/cgroup errors."
fi fi
sleep 1 sleep 1
((counter++)) ((counter++))
done done
# Final check log_message "SUCCESS" "Docker Engine is operational."
if ! sudo docker info >/dev/null 2>&1; then
fail_with_remediation "Daemon Error" "Socket exists but daemon is unresponsive. Check permissions."
fi
log_message "SUCCESS" "Docker Engine is live in LXC."
} }
# --- WALLARM NODE DEPLOYMENT --- # --- PHASE 3: IMAGE PULL & NORMALIZATION ---
deploy_wallarm_node() { deploy_wallarm_node() {
log_message "INFO" "Fetching Wallarm Filtering Node via Stealth Registry..." log_message "INFO" "=== PHASE 3: IMAGE RETRIEVAL ==="
local proxy_img="$HUB_DOMAIN/wallarm/node:latest" local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
local local_img="wallarm/node:latest" local local_img="wallarm/node:latest"
log_message "INFO" "Pulling $proxy_img..." log_message "INFO" "Pulling Wallarm Node via Stealth Registry..."
if ! sudo docker pull "$proxy_img"; then if ! sudo docker pull "$proxy_img"; then
fail_with_remediation "Image Pull Failed" "Docker daemon is running but pull failed. Check Zoraxy registry logs." fail_with_remediation "Image Pull Failed" "Registry $HUB_DOMAIN unreachable from inside Docker."
fi fi
log_message "INFO" "Normalizing image tags..."
sudo docker tag "$proxy_img" "$local_img" sudo docker tag "$proxy_img" "$local_img"
sudo docker rmi "$proxy_img" sudo docker rmi "$proxy_img"
log_message "SUCCESS" "Image pulled and tagged: $local_img"
log_message "SUCCESS" "Wallarm Node Image Ready."
} }
# --- MAIN EXECUTION --- # --- PHASE 4: VERIFICATION & POST-DEPLOY ---
verify_deployment() {
log_message "INFO" "=== PHASE 4: VERIFICATION ==="
# Check if we can run a basic container (LXC Kernel test)
log_message "INFO" "Testing LXC container execution capability..."
if ! sudo docker run --rm wallarm/node:latest /usr/sbin/nginx -v > /dev/null 2>&1; then
log_message "WARNING" "LXC Runtime test failed. This often indicates Cgroup issues."
else
log_message "SUCCESS" "Container execution test passed."
fi
# Persistence check
if systemctl is-active --quiet docker; then
log_message "SUCCESS" "Docker persistence verified via systemd."
fi
}
main() { main() {
clear clear
echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}" echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM STEALTH DEPLOYER V1.7 ║${NC}" echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM BULLETPROOF DEPLOYER ║${NC}"
echo -e "${CYAN}${BOLD}║ VERSION 1.8 (LXC) ║${NC}"
echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n" echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
check_pre_flight check_pre_flight
setup_docker_engine setup_docker_engine
deploy_wallarm_node deploy_wallarm_node
verify_deployment
echo -e "\n${GREEN}${BOLD}STEALTH DEPLOYMENT SUCCESSFUL${NC}" echo -e "\n${GREEN}${BOLD}=== DEPLOYMENT COMPLETED SUCCESSFULLY ===${NC}"
echo -e "Docker: $(docker --version)" echo -e "${CYAN}Log File: ${NC} $LOG_FILE"
echo -e "Image: $(docker images wallarm/node --format '{{.Repository}}:{{.Tag}}')" echo -e "${CYAN}Docker: ${NC} $(docker --version)"
echo -e "${CYAN}Platform: ${NC} CentOS LXC (Hardened)"
echo -e "\n${YELLOW}Next Step: Configure Wallarm API Tokens and start the container.${NC}"
} }
main "$@" main "$@"