chore: auto-commit 2026-03-24 14:16

This commit is contained in:
cclohmar 2026-03-24 14:16:47 +00:00
parent b48777d0b4
commit abdaea3e76
11 changed files with 2245 additions and 25 deletions


@ -1,13 +1 @@
# 🛡️ Wallarm Deployment Toolkit test
This repository contains automated scripts to deploy the Wallarm Filtering Node in various environments. Whether you are using a virtual machine (NGINX Dynamic Module) or a containerized environment (Docker/Podman), these scripts ensure a "Bank-Grade" configuration.
**Repository:** `https://git.sechpoint.app/customer-engineering/wallarm`
## Download and run the Deployment Script
### for Container (Docker) deployments:
```bash
curl -sL "https://git.sechpoint.app/customer-engineering/wallarm/-/raw/main/wallarm-deploy-ct.sh" > wallarm-deploy-ct.sh
chmod +x wallarm-deploy-ct.sh
./wallarm-deploy-ct.sh
```

16
binaries/README.md Normal file

@ -0,0 +1,16 @@
# Docker Static Binaries
This directory contains Docker static binaries for offline installation.
- `docker-29.2.1.tgz`: Docker 29.2.1 static binary for x86_64
- `docker-29.2.1.tgz.sha256`: SHA256 checksum for verification
## Usage
```bash
# Verify integrity
sha256sum -c docker-29.2.1.tgz.sha256
# Extract and install
tar xzvf docker-29.2.1.tgz
sudo cp docker/* /usr/bin/
```

BIN
binaries/docker-29.2.1.tgz Normal file

Binary file not shown.


@ -0,0 +1 @@
995b1d0b51e96d551a3b49c552c0170bc6ce9f8b9e0866b8c15bbc67d1cf93a3 binaries/docker-29.2.1.tgz
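Review bot: The checksum line names its target as `binaries/docker-29.2.1.tgz`, so `sha256sum -c` only resolves that path when run from the repository root, while the README added alongside it runs `sha256sum -c docker-29.2.1.tgz.sha256` from inside the directory, where the check fails with a missing-file error instead of verifying anything; either write the bare filename into the `.sha256` file or have the README run the check from the root. The same mismatch appears in the `images/` checksum file, which names `images/wallarm-node-6.11.0-rc1.tar.gz`. A checksum committed next to the artifact it covers detects corruption but not substitution, since whoever can replace the tarball can regenerate the hash in the same commit; the README should tell the reader to compare the value against the checksum published by the upstream distributor, or the file should be signed.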

15
images/README.md Normal file

@ -0,0 +1,15 @@
# Wallarm Docker Images
This directory contains Wallarm node Docker images for offline deployment.
- `wallarm-node-6.11.0-rc1.tar.gz`: Wallarm node version 6.11.0-rc1
- `wallarm-node-6.11.0-rc1.tar.gz.sha256`: SHA256 checksum for verification
## Usage
```bash
# Verify integrity
sha256sum -c wallarm-node-6.11.0-rc1.tar.gz.sha256
# Load into Docker
gunzip -c wallarm-node-6.11.0-rc1.tar.gz | docker load
```

Binary file not shown.


@ -0,0 +1 @@
ab4d9c6d2fdde6a855a0a1dc2db8cce6168926a39a45d715dc3dcf2ff0de85c5 images/wallarm-node-6.11.0-rc1.tar.gz


@ -54,7 +54,7 @@ else
CURL_INSECURE_FLAG="" CURL_INSECURE_FLAG=""
fi fi
# Internal registry endpoints (from stealth deployment) new # Internal registry endpoints (from stealth deployment)
INTERNAL_DOCKER_REGISTRY="https://deployment:elqXBsyT4BGXPYPeD07or8hT0Lb9Lpf@hub.ct.sechpoint.app" INTERNAL_DOCKER_REGISTRY="https://deployment:elqXBsyT4BGXPYPeD07or8hT0Lb9Lpf@hub.ct.sechpoint.app"
INTERNAL_DOCKER_DOWNLOAD="https://deployment:elqXBsyT4BGXPYPeD07or8hT0Lb9Lpf@ct.sechpoint.app" INTERNAL_DOCKER_DOWNLOAD="https://deployment:elqXBsyT4BGXPYPeD07or8hT0Lb9Lpf@ct.sechpoint.app"
# Extracted hostnames (without credentials) for logging and error messages # Extracted hostnames (without credentials) for logging and error messages
@ -187,6 +187,7 @@ validate_required_commands() {
"getent" # Required for checking group existence "getent" # Required for checking group existence
"groupadd" # Required for creating docker group (sudo) "groupadd" # Required for creating docker group (sudo)
"usermod" # Required for adding user to docker group (sudo) "usermod" # Required for adding user to docker group (sudo)
"iptables" # Required for Docker network bridge creation (Docker static binaries v1.4+)
) )
# Helper function to check if a command exists (including system directories) # Helper function to check if a command exists (including system directories)
@ -257,6 +258,32 @@ validate_required_commands() {
return 1 return 1
fi fi
# Special check: iptables version must be 1.4 or higher for Docker static binaries
log_message "INFO" "Checking iptables version (requires 1.4+ for Docker)..."
if command_exists iptables; then
local iptables_version
iptables_version=$(iptables --version 2>/dev/null | head -1 | grep -o '[0-9]\+\.[0-9]\+' | head -1)
if [ -n "$iptables_version" ]; then
log_message "INFO" "Found iptables version $iptables_version"
# Compare version numbers (basic check for 1.4 or higher)
local major_version minor_version
major_version=$(echo "$iptables_version" | cut -d. -f1)
minor_version=$(echo "$iptables_version" | cut -d. -f2)
if [ "$major_version" -lt 1 ] || ([ "$major_version" -eq 1 ] && [ "$minor_version" -lt 4 ]); then
add_error "iptables version $iptables_version is too old. Docker requires iptables 1.4 or higher."
log_message "ERROR" "Please upgrade iptables to version 1.4 or higher."
return 1
fi
else
log_message "WARNING" "Could not determine iptables version, continuing anyway"
fi
else
# Should not happen since iptables is in required commands, but just in case
add_error "iptables command not found (required for Docker network bridge)"
return 1
fi
log_message "SUCCESS" "All required system commands are available" log_message "SUCCESS" "All required system commands are available"
return 0 return 0
} }
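Review bot: The `INTERNAL_DOCKER_REGISTRY` and `INTERNAL_DOCKER_DOWNLOAD` assignments in the first hunk embed a deployment password inside the URLs, and the hunk edits the comment directly above them without addressing it; the later hostname extraction keeps the secret out of log lines but not out of the committed file and its history, so the credential should be supplied at runtime (for example `: "${INTERNAL_REGISTRY_AUTH:?must be set}"` read from the environment or a mode-0600 file) and the exposed value rotated. In the iptables hunk, `([ "$major_version" -eq 1 ] && [ "$minor_version" -lt 4 ])` forks a subshell purely for grouping; `{ ...; }` or a single `(( major_version < 1 || (major_version == 1 && minor_version < 4) ))` is the idiom, and `${iptables_version%%.*}` / `${iptables_version#*.}` would replace the two `echo | cut` pipelines. The enclosing `validate_required_commands` function starts outside these hunks.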


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# ============================================================================== # ==============================================================================
# WALLARM DEPLOYMENT SCRIPT - V1.1 # WALLARM DEPLOYMENT SCRIPT - V1.2
# ============================================================================== # ==============================================================================
# Purpose: Deploy Wallarm filtering node after preflight check # Purpose: Deploy Wallarm filtering node after preflight check
# Features: # Features:
@ -688,8 +688,132 @@ Check disk space and permissions, then try manual extraction:
sudo cp docker/* /usr/bin/" sudo cp docker/* /usr/bin/"
} }
# Ensure binaries are executable
log_message "INFO" "Setting executable permissions on Docker binaries..."
sudo chmod +x /usr/bin/dockerd /usr/bin/docker 2>/dev/null || {
log_message "WARNING" "Could not set executable permissions on Docker binaries"
}
# Verify Docker binaries work
log_message "INFO" "Verifying Docker binaries..."
if ! sudo /usr/bin/dockerd --version 2>/dev/null; then
fail_with_remediation "Docker binary verification failed" \
"Docker binary (/usr/bin/dockerd) appears to be corrupted or incompatible.
The binary was extracted from $binary_path but doesn't run.
Check the binary:
sudo file /usr/bin/dockerd
sudo ls -la /usr/bin/dockerd
sudo /usr/bin/dockerd --version
The Docker static binary might be for wrong architecture or corrupted.
Try downloading manually:
curl -L '$DOCKER_STATIC_BASE_URL/$ARCHITECTURE/docker-$DOCKER_VERSION.tgz' -o docker.tgz
tar xzvf docker.tgz
sudo cp docker/* /usr/bin/"
else
local docker_version
docker_version=$(sudo /usr/bin/dockerd --version 2>&1 | head -1)
log_message "SUCCESS" "Docker binary verified: $docker_version"
fi
# Cleanup extracted directory # Cleanup extracted directory
log_message "INFO" "Cleaning up extracted Docker binaries directory..."
rm -rf docker rm -rf docker
log_message "INFO" "Cleanup completed"
# DEBUG: Mark start of docker group section
log_message "INFO" "=== Starting docker group creation ==="
# Create docker group (required for systemd socket configuration and dockerd --group)
log_message "INFO" "Creating docker group for Docker socket access..."
# Check if group already exists
log_message "INFO" "Checking if docker group exists..."
local getent_output
if getent_output=$(getent group docker 2>&1); then
getent_exit=0
else
getent_exit=$?
fi
log_message "INFO" "getent group docker result: exit=$getent_exit, output='$getent_output'"
if [ $getent_exit -eq 0 ]; then
log_message "SUCCESS" "Docker group already exists: $getent_output"
else
# Attempt to create docker group with error capture
log_message "INFO" "Attempting to create docker group with sudo groupadd docker..."
local groupadd_output
if groupadd_output=$(sudo groupadd docker 2>&1); then
groupadd_exit=0
else
groupadd_exit=$?
fi
if [ $groupadd_exit -eq 0 ]; then
log_message "SUCCESS" "Created docker group"
else
log_message "ERROR" "Failed to create docker group (exit code: $groupadd_exit)"
log_message "INFO" "groupadd command output: $groupadd_output"
# Check if group was somehow created despite error
log_message "INFO" "Checking if docker group was created despite groupadd failure..."
local check_getent_output
if check_getent_output=$(getent group docker 2>&1); then
check_getent_exit=0
else
check_getent_exit=$?
fi
log_message "INFO" "Post-failure check: exit=$check_getent_exit, output='$check_getent_output'"
if [ $check_getent_exit -eq 0 ]; then
log_message "WARNING" "Docker group exists despite groupadd failure, continuing..."
else
fail_with_remediation "Cannot create docker group" \
"The docker group is required for Docker socket access. Please create it manually:
1. Check if groupadd command is available: which groupadd
2. Check permissions: sudo -v
3. Manual group creation: sudo groupadd docker
4. Verify: getent group docker
If groupadd fails, you may need to:
- Check system user/group database
- Use alternative: sudo addgroup docker (Debian/Ubuntu)
- Edit /etc/group manually (advanced users only)"
fi
fi
fi
# Final verification that docker group exists
log_message "INFO" "Final verification of docker group existence..."
local final_getent_output
if final_getent_output=$(getent group docker 2>&1); then
final_getent_exit=0
else
final_getent_exit=$?
fi
log_message "INFO" "Final getent result: exit=$final_getent_exit, output='$final_getent_output'"
if [ $final_getent_exit -ne 0 ]; then
fail_with_remediation "Docker group verification failed" \
"The docker group does not exist after creation attempts. This will cause Docker startup to fail.
Please create the docker group manually and re-run the script:
1. sudo groupadd docker
2. Verify: getent group docker | grep docker
3. Re-run this script"
fi
# Log group details for debugging
local docker_gid
docker_gid=$(echo "$final_getent_output" | cut -d: -f3)
log_message "INFO" "Docker group details: GID=$docker_gid"
log_message "SUCCESS" "Docker group verified and ready (GID: $docker_gid)"
# DEBUG: Mark end of docker group section
log_message "INFO" "=== Finished docker group creation ==="
# Configure Docker daemon for LXC (VFS storage driver, cgroupfs) # Configure Docker daemon for LXC (VFS storage driver, cgroupfs)
log_message "INFO" "Configuring Docker daemon for LXC (VFS storage driver, cgroupfs)..." log_message "INFO" "Configuring Docker daemon for LXC (VFS storage driver, cgroupfs)..."
@ -715,6 +839,9 @@ EOF
case "$INIT_SYSTEM" in case "$INIT_SYSTEM" in
"systemd") "systemd")
# DEBUG: Mark start of systemd configuration
log_message "INFO" "=== Starting systemd configuration ==="
# Create systemd service files # Create systemd service files
sudo tee /etc/systemd/system/docker.service > /dev/null <<'EOF' sudo tee /etc/systemd/system/docker.service > /dev/null <<'EOF'
[Unit] [Unit]
@ -758,8 +885,82 @@ WantedBy=sockets.target
EOF EOF
sudo systemctl daemon-reload sudo systemctl daemon-reload
sudo systemctl enable docker
sudo systemctl start docker log_message "INFO" "Enabling Docker service to start on boot..."
if ! sudo systemctl enable docker; then
log_message "ERROR" "systemctl enable docker failed with exit code: $?"
fail_with_remediation "Failed to enable Docker service" \
"Docker service could not be enabled to start on boot. Common causes:
1. Docker socket unit (docker.socket) has configuration errors
2. The docker group may not exist
3. Systemd unit file has syntax errors
Check docker.socket status:
sudo systemctl status docker.socket --no-pager
Verify docker group exists:
getent group docker
Check systemd unit files:
sudo systemctl cat docker.socket
sudo systemctl cat docker.service"
fi
log_message "INFO" "Starting Docker service (systemd)..."
# Start the service and capture exit code
if sudo systemctl start docker; then
start_exit=0
else
start_exit=$?
fi
# Give Docker a moment to start or fail
sleep 2
# Check if service is actually active
if ! sudo systemctl is-active docker --quiet; then
log_message "ERROR" "Docker service failed to start (systemctl start exit: $start_exit)"
log_message "INFO" "Checking docker.socket status..."
sudo systemctl status docker.socket --no-pager 2>&1 | head -20 || true
log_message "INFO" "Checking docker.service status..."
sudo systemctl status docker.service --no-pager 2>&1 | head -30 || true
log_message "INFO" "Checking Docker daemon logs..."
sudo journalctl -u docker --no-pager -n 30 2>&1 | head -50 || true
log_message "INFO" "Checking Docker socket logs..."
sudo journalctl -u docker.socket --no-pager -n 20 2>&1 | head -30 || true
fail_with_remediation "Failed to start Docker service" \
"Docker service failed to start. Common causes:
1. Missing iptables (Docker static binaries require iptables v1.4+ for network bridge)
2. Docker daemon configuration error (check /etc/docker/daemon.json)
3. Storage driver issues (VFS may not be compatible)
4. Cgroup configuration problems
5. Port conflicts or resource limits
Latest Docker daemon logs:
$(sudo journalctl -u docker --no-pager -n 30 2>&1 | tail -20)
Check Docker configuration:
sudo cat /etc/docker/daemon.json
Verify iptables is installed:
which iptables || echo 'iptables not found'
iptables --version 2>/dev/null || echo 'Cannot check version'
Install iptables if missing:
# Debian/Ubuntu: sudo apt-get update && sudo apt-get install -y iptables
# RHEL/CentOS: sudo yum install -y iptables
# Alpine: sudo apk add iptables
Verify docker group exists:
getent group docker
Manual start attempt for debugging:
sudo dockerd --group docker --debug"
fi
;; ;;
"openrc") "openrc")
@ -780,7 +981,36 @@ EOF
sudo chmod +x /etc/init.d/docker sudo chmod +x /etc/init.d/docker
sudo rc-update add docker default sudo rc-update add docker default
sudo rc-service docker start
log_message "INFO" "Starting Docker service (OpenRC)..."
if ! sudo rc-service docker start; then
log_message "ERROR" "rc-service docker start failed with exit code: $?"
fail_with_remediation "Failed to start Docker service (OpenRC)" \
"Docker service failed to start under OpenRC. Common causes:
1. Missing iptables (Docker static binaries require iptables v1.4+ for network bridge)
2. Docker socket or port conflicts
3. Missing dependencies
4. Docker configuration errors
Check OpenRC logs:
sudo rc-service docker status
sudo cat /var/log/docker.log 2>/dev/null || echo "No docker.log found"
Verify iptables is installed:
which iptables || echo 'iptables not found'
iptables --version 2>/dev/null || echo 'Cannot check version'
Install iptables if missing:
# Alpine: sudo apk add iptables
# Debian/Ubuntu: sudo apt-get update && sudo apt-get install -y iptables
# RHEL/CentOS: sudo yum install -y iptables
Verify docker group exists:
getent group docker
Manual start attempt:
sudo dockerd --group docker --debug"
fi
;; ;;
"sysvinit") "sysvinit")
@ -838,7 +1068,35 @@ EOF
sudo chmod +x /etc/init.d/docker sudo chmod +x /etc/init.d/docker
sudo update-rc.d docker defaults sudo update-rc.d docker defaults
sudo service docker start
log_message "INFO" "Starting Docker service (SysV init)..."
if ! sudo service docker start; then
log_message "ERROR" "service docker start failed with exit code: $?"
fail_with_remediation "Failed to start Docker service (SysV init)" \
"Docker service failed to start under SysV init. Common causes:
1. Missing iptables (Docker static binaries require iptables v1.4+ for network bridge)
2. Docker socket or port conflicts
3. Missing dependencies or configuration errors
4. The docker group may not exist or be accessible
Check service status:
sudo service docker status
Verify iptables is installed:
which iptables || echo 'iptables not found'
iptables --version 2>/dev/null || echo 'Cannot check version'
Install iptables if missing:
# Debian/Ubuntu: sudo apt-get update && sudo apt-get install -y iptables
# RHEL/CentOS: sudo yum install -y iptables
# Alpine: sudo apk add iptables
Verify docker group exists:
getent group docker
Check for Docker logs:
sudo dockerd --group docker --debug 2>&1 | head -50"
fi
;; ;;
*) *)
@ -861,8 +1119,15 @@ EOF
fail_with_remediation "Docker failed to start" \ fail_with_remediation "Docker failed to start" \
"Docker installation completed but service failed to start: "Docker installation completed but service failed to start:
1. Check Docker logs: journalctl -u docker (systemd) or /var/log/docker.log 1. Check Docker logs: journalctl -u docker (systemd) or /var/log/docker.log
2. Verify configuration: sudo dockerd --debug 2. Verify iptables is installed (Docker static binaries require iptables v1.4+):
3. Manual start: sudo dockerd --group docker &" which iptables || echo 'iptables not found'
iptables --version 2>/dev/null || echo 'Cannot check version'
3. Install iptables if missing:
# Debian/Ubuntu: sudo apt-get update && sudo apt-get install -y iptables
# RHEL/CentOS: sudo yum install -y iptables
# Alpine: sudo apk add iptables
4. Verify configuration: sudo dockerd --debug
5. Manual start: sudo dockerd --group docker &"
fi fi
# Verify Docker is using VFS storage driver # Verify Docker is using VFS storage driver
@ -886,9 +1151,6 @@ EOF
read -r -p "$(echo -e "${YELLOW}Add $(whoami) to docker group? (Y/n): ${NC}")" -n 1 read -r -p "$(echo -e "${YELLOW}Add $(whoami) to docker group? (Y/n): ${NC}")" -n 1
echo echo
if [[ ! $REPLY =~ ^[Nn]$ ]]; then if [[ ! $REPLY =~ ^[Nn]$ ]]; then
if ! getent group docker >/dev/null; then
sudo groupadd docker 2>/dev/null || log_message "WARNING" "Failed to create docker group (may already exist)"
fi
sudo usermod -aG docker "$(whoami)" 2>/dev/null && \ sudo usermod -aG docker "$(whoami)" 2>/dev/null && \
log_message "SUCCESS" "Added $(whoami) to docker group (log out and back in for changes)" log_message "SUCCESS" "Added $(whoami) to docker group (log out and back in for changes)"
else else
@ -1277,7 +1539,7 @@ main() {
clear clear
echo -e "${BLUE}${BOLD}" echo -e "${BLUE}${BOLD}"
echo "╔══════════════════════════════════════════════════════════════╗" echo "╔══════════════════════════════════════════════════════════════╗"
echo "║ WALLARM DEPLOYMENT SCRIPT - V1.1 ║" echo "║ WALLARM DEPLOYMENT SCRIPT - V1.2 ║"
echo "║ LXC-Optimized Filtering Node Deployment ║" echo "║ LXC-Optimized Filtering Node Deployment ║"
echo "╚══════════════════════════════════════════════════════════════╝${NC}" echo "╚══════════════════════════════════════════════════════════════╝${NC}"
echo -e "\n${YELLOW}Starting deployment at: $(date)${NC}" echo -e "\n${YELLOW}Starting deployment at: $(date)${NC}"
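Review bot: In the three new failure branches `if ! sudo systemctl enable docker; then`, `if ! sudo rc-service docker start; then` and `if ! sudo service docker start; then`, the following `log_message "ERROR" "... failed with exit code: $?"` always reports 0, because `$?` inside the branch is the status of the negated condition rather than of the command. Capture it the way the systemd start path already does with `start_exit`: `enable_exit=0; sudo systemctl enable docker || enable_exit=$?` followed by `if [ "$enable_exit" -ne 0 ]; then` and logging `$enable_exit`. The status variables `getent_exit`, `groupadd_exit`, `check_getent_exit`, `final_getent_exit` and `start_exit` are assigned without `local`, so they leak into the global scope even though the neighbouring `*_output` variables are declared `local`. The verification test `if ! sudo /usr/bin/dockerd --version 2>/dev/null` silences only stderr, so the version line is printed to the terminal once by the test and again through the log; `>/dev/null 2>&1` on the test avoids the duplicate. The enclosing function starts and ends outside these hunks.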

1373
wallarm-ct-deploy.sh.backup Executable file

File diff suppressed because it is too large Load diff

537
wallarm-ct-uninstall.sh Normal file

@ -0,0 +1,537 @@
#!/bin/bash
# ==============================================================================
# WALLARM UNINSTALL SCRIPT - V1.0
# ==============================================================================
# Purpose: Safely remove Wallarm filtering node and cleanup Docker installation
# Features:
# - Interactive confirmation with safety checks
# - Stops and removes Wallarm container and image
# - Removes Docker service files created by deployment script
# - Optional cleanup of Docker binaries (if no other containers exist)
# - Preserves user data and logs (with option to remove)
# - DAU-friendly warnings and confirmations
# ==============================================================================
# Color definitions for better UX
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[1;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
BOLD='\033[1m'
NC='\033[0m' # No Color
# Strict error handling
set -euo pipefail
# Simple error handler for early failures (before log_message is defined)
early_error_handler() {
echo -e "${RED}${BOLD}[ERROR]${NC} Script failed at line $LINENO. Command: $BASH_COMMAND" >&2
exit 1
}
trap early_error_handler ERR
# Logging function
log_message() {
local level="$1"
local message="$2"
local timestamp
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
case "$level" in
"INFO") color="${BLUE}" ;;
"SUCCESS") color="${GREEN}" ;;
"WARNING") color="${YELLOW}" ;;
"ERROR") color="${RED}" ;;
"DEBUG") color="${CYAN}" ;;
*) color="${NC}" ;;
esac
echo -e "${color}[${timestamp}] ${level}: ${message}${NC}" >&2
}
# Ask for confirmation
confirm() {
local prompt="$1"
local default="${2:-n}"
local options="[y/N]"
if [ "$default" = "y" ]; then
options="[Y/n]"
fi
echo -e -n "${YELLOW}${prompt} ${options}${NC} "
read -r response
case "$response" in
[yY][eE][sS]|[yY])
return 0
;;
[nN][oO]|[nN])
return 1
;;
"")
# Use default
if [ "$default" = "y" ]; then
return 0
else
return 1
fi
;;
*)
# Invalid input, treat as no
return 1
;;
esac
}
# Check if running as root or with sudo
check_sudo() {
if [ "$EUID" -ne 0 ]; then
log_message "INFO" "This script requires sudo privileges"
if ! sudo -n true 2>/dev/null; then
log_message "INFO" "Please enter your sudo password when prompted"
sudo -v
fi
fi
}
# Detect init system
detect_init_system() {
if command -v systemctl >/dev/null 2>&1 && systemctl --version >/dev/null 2>&1; then
echo "systemd"
elif [ -d /run/openrc ]; then
echo "openrc"
elif [ -f /etc/init.d/docker ]; then
echo "sysvinit"
else
echo "unknown"
fi
}
# Check if Docker is installed and running
check_docker() {
if ! command -v docker >/dev/null 2>&1; then
log_message "WARNING" "Docker command not found"
return 1
fi
if ! sudo docker info >/dev/null 2>&1; then
log_message "WARNING" "Docker is not running"
return 1
fi
return 0
}
# Check for other Docker containers (besides Wallarm)
check_other_containers() {
local wallarm_container="wallarm-node"
local all_containers
all_containers=$(sudo docker ps -a -q 2>/dev/null | wc -l)
local wallarm_containers
wallarm_containers=$(sudo docker ps -a --filter "name=${wallarm_container}" -q 2>/dev/null | wc -l)
if [ "$all_containers" -gt "$wallarm_containers" ]; then
log_message "WARNING" "Found other Docker containers besides Wallarm"
sudo docker ps -a --format "table {{.Names}}\t{{.Image}}\t{{.Status}}" | grep -v "$wallarm_container" || true
return 0 # Other containers exist
fi
return 1 # Only Wallarm containers or no containers
}
# Stop and remove Wallarm container
remove_wallarm_container() {
local container_name="wallarm-node"
log_message "INFO" "Looking for Wallarm container..."
if sudo docker ps -a --filter "name=${container_name}" --format "{{.Names}}" | grep -q "${container_name}"; then
log_message "INFO" "Found Wallarm container: ${container_name}"
# Stop container if running
if sudo docker ps --filter "name=${container_name}" --filter "status=running" --format "{{.Names}}" | grep -q "${container_name}"; then
log_message "INFO" "Stopping Wallarm container..."
sudo docker stop "${container_name}" || {
log_message "WARNING" "Failed to stop container, attempting force stop"
sudo docker kill "${container_name}" 2>/dev/null || true
}
fi
# Remove container
log_message "INFO" "Removing Wallarm container..."
sudo docker rm -f "${container_name}" 2>/dev/null || {
log_message "WARNING" "Failed to remove container, it may already be removed"
}
log_message "SUCCESS" "Wallarm container removed"
else
log_message "INFO" "No Wallarm container found"
fi
}
# Remove Wallarm image
remove_wallarm_image() {
local image_name="wallarm/node"
log_message "INFO" "Looking for Wallarm image..."
if sudo docker images --format "{{.Repository}}" | grep -q "^${image_name}"; then
log_message "INFO" "Found Wallarm image: ${image_name}"
# Check if image is used by any containers
local used_by
used_by=$(sudo docker ps -a --filter "ancestor=${image_name}" -q 2>/dev/null | wc -l)
if [ "$used_by" -gt 0 ]; then
log_message "WARNING" "Image ${image_name} is still in use by containers, skipping removal"
return
fi
# Remove image
log_message "INFO" "Removing Wallarm image..."
sudo docker rmi "${image_name}:latest" 2>/dev/null || {
log_message "WARNING" "Failed to remove image, it may be in use or already removed"
}
# Also try to remove by ID if tag removal failed
local image_id
image_id=$(sudo docker images --filter "reference=${image_name}" --format "{{.ID}}" 2>/dev/null | head -1)
if [ -n "$image_id" ]; then
sudo docker rmi -f "$image_id" 2>/dev/null || true
fi
log_message "SUCCESS" "Wallarm image removed"
else
log_message "INFO" "No Wallarm image found"
fi
}
# Remove Docker service files (created by deployment script)
remove_docker_service_files() {
local init_system
init_system=$(detect_init_system)
log_message "INFO" "Removing Docker service files for init system: ${init_system}"
case "$init_system" in
"systemd")
# Stop and disable Docker service
if sudo systemctl is-active docker --quiet 2>/dev/null; then
log_message "INFO" "Stopping Docker service..."
sudo systemctl stop docker 2>/dev/null || true
fi
if sudo systemctl is-enabled docker --quiet 2>/dev/null; then
log_message "INFO" "Disabling Docker service..."
sudo systemctl disable docker 2>/dev/null || true
fi
# Remove systemd unit files (if they exist and were created by our script)
local systemd_files=(
"/etc/systemd/system/docker.socket"
"/etc/systemd/system/docker.service"
"/usr/lib/systemd/system/docker.socket"
"/usr/lib/systemd/system/docker.service"
)
for file in "${systemd_files[@]}"; do
if [ -f "$file" ]; then
log_message "INFO" "Removing systemd file: $file"
sudo rm -f "$file"
fi
done
sudo systemctl daemon-reload 2>/dev/null || true
;;
"openrc")
# Stop and remove from runlevels
if sudo rc-service docker status 2>/dev/null | grep -q "started"; then
log_message "INFO" "Stopping Docker service (OpenRC)..."
sudo rc-service docker stop 2>/dev/null || true
fi
if [ -f /etc/init.d/docker ]; then
log_message "INFO" "Removing OpenRC init script..."
sudo rc-update del docker default 2>/dev/null || true
sudo rm -f /etc/init.d/docker
fi
;;
"sysvinit")
# Stop service
if [ -f /etc/init.d/docker ]; then
log_message "INFO" "Stopping Docker service (SysV init)..."
sudo service docker stop 2>/dev/null || true
# Remove from startup
if command -v update-rc.d >/dev/null 2>&1; then
sudo update-rc.d -f docker remove 2>/dev/null || true
elif command -v chkconfig >/dev/null 2>&1; then
sudo chkconfig --del docker 2>/dev/null || true
fi
log_message "INFO" "Removing SysV init script..."
sudo rm -f /etc/init.d/docker
fi
;;
*)
log_message "WARNING" "Unknown init system, skipping service file cleanup"
;;
esac
log_message "SUCCESS" "Docker service files removed"
}
# Remove Docker binaries (optional, only if no other containers exist)
remove_docker_binaries() {
local docker_binaries=(
"/usr/bin/docker"
"/usr/bin/dockerd"
"/usr/bin/docker-init"
"/usr/bin/docker-proxy"
"/usr/bin/containerd"
"/usr/bin/containerd-shim"
"/usr/bin/containerd-shim-runc-v1"
"/usr/bin/containerd-shim-runc-v2"
"/usr/bin/runc"
)
log_message "INFO" "Checking Docker binaries..."
local binaries_found=0
for binary in "${docker_binaries[@]}"; do
if [ -f "$binary" ]; then
binaries_found=$((binaries_found + 1))
fi
done
if [ "$binaries_found" -eq 0 ]; then
log_message "INFO" "No Docker binaries found in /usr/bin/"
return
fi
if confirm "Remove Docker binaries from /usr/bin/? (Only do this if Docker was installed by wallarm-ct-deploy.sh)" "n"; then
log_message "WARNING" "Removing Docker binaries..."
for binary in "${docker_binaries[@]}"; do
if [ -f "$binary" ]; then
log_message "INFO" "Removing $binary"
sudo rm -f "$binary"
fi
done
# Also remove CNI plugins if they exist
if [ -d "/opt/cni/bin" ]; then
log_message "INFO" "Removing CNI plugins from /opt/cni/bin/"
sudo rm -rf /opt/cni/bin/*
fi
log_message "SUCCESS" "Docker binaries removed"
else
log_message "INFO" "Skipping Docker binary removal"
fi
}
# Remove Docker configuration files
remove_docker_config() {
local config_files=(
"/etc/docker/daemon.json"
"/etc/containerd/config.toml"
"/var/lib/docker" # Warning: This removes all Docker data!
)
log_message "INFO" "Checking Docker configuration files..."
# Only remove daemon.json if it was created by our script
if [ -f "/etc/docker/daemon.json" ]; then
log_message "INFO" "Found /etc/docker/daemon.json"
if grep -q "storage-driver.*vfs" "/etc/docker/daemon.json" 2>/dev/null; then
log_message "INFO" "This appears to be the VFS configuration from wallarm-ct-deploy.sh"
if confirm "Remove /etc/docker/daemon.json?" "n"; then
sudo rm -f "/etc/docker/daemon.json"
log_message "SUCCESS" "Docker configuration removed"
fi
else
log_message "WARNING" "/etc/docker/daemon.json doesn't appear to be from wallarm-ct-deploy.sh, skipping"
fi
fi
# Warn about Docker data directory
if [ -d "/var/lib/docker" ]; then
log_message "WARNING" "/var/lib/docker contains Docker data (images, containers, volumes)"
log_message "WARNING" "Removing this directory will delete ALL Docker data on the system"
if confirm "Remove /var/lib/docker? (WARNING: Deletes ALL Docker data)" "n"; then
log_message "WARNING" "Removing /var/lib/docker - this may take a while..."
sudo rm -rf /var/lib/docker
log_message "SUCCESS" "Docker data directory removed"
fi
fi
}
# Remove docker group (if empty)
remove_docker_group() {
log_message "INFO" "Checking docker group..."
if getent group docker >/dev/null; then
local group_users
group_users=$(getent group docker | cut -d: -f4)
if [ -z "$group_users" ]; then
log_message "INFO" "Docker group exists and has no users"
if confirm "Remove docker group?" "n"; then
sudo groupdel docker 2>/dev/null || {
log_message "WARNING" "Failed to remove docker group (may be system group)"
}
log_message "SUCCESS" "Docker group removed"
fi
else
log_message "WARNING" "Docker group has users: $group_users"
log_message "INFO" "Skipping docker group removal (users still present)"
fi
else
log_message "INFO" "Docker group not found"
fi
}
# Remove Wallarm-specific files and logs
remove_wallarm_files() {
local wallarm_files=(
"$HOME/wallarm-start.sh"
"$HOME/wallarm-stop.sh"
"$HOME/wallarm-status.sh"
"/usr/local/bin/wallarm-start"
"/usr/local/bin/wallarm-stop"
"/usr/local/bin/wallarm-status"
)
log_message "INFO" "Removing Wallarm scripts and logs..."
# Remove scripts
for file in "${wallarm_files[@]}"; do
if [ -f "$file" ]; then
log_message "INFO" "Removing $file"
sudo rm -f "$file"
fi
done
# Remove log directory (if empty)
local log_dir="$HOME/logs"
if [ -d "$log_dir" ]; then
log_message "INFO" "Found log directory: $log_dir"
if [ -z "$(ls -A "$log_dir" 2>/dev/null)" ]; then
log_message "INFO" "Log directory is empty, removing..."
sudo rmdir "$log_dir" 2>/dev/null || true
else
log_message "INFO" "Log directory contains files, preserving..."
fi
fi
# Remove .env file if it exists
if [ -f ".env" ]; then
log_message "INFO" "Removing .env file..."
rm -f ".env"
fi
log_message "SUCCESS" "Wallarm files cleaned up"
}
# Main uninstall function
main() {
echo -e "${CYAN}${BOLD}"
echo "╔══════════════════════════════════════════════════════════════╗"
echo "║ WALLARM UNINSTALLATION ║"
echo "╚══════════════════════════════════════════════════════════════╝"
echo -e "${NC}"
echo -e "${YELLOW}This script will remove Wallarm filtering node and cleanup Docker installation.${NC}"
echo -e "${YELLOW}You will be asked for confirmation before each destructive operation.${NC}"
echo ""
if ! confirm "Do you want to continue with the uninstallation?" "n"; then
log_message "INFO" "Uninstallation cancelled by user"
exit 0
fi
# Check sudo
check_sudo
# Check Docker
if check_docker; then
log_message "INFO" "Docker is installed and running"
# Check for other containers
if check_other_containers; then
log_message "WARNING" "Other Docker containers exist on this system"
echo -e "${YELLOW}Warning: Removing Docker may affect other containers.${NC}"
echo -e "${YELLOW}Consider leaving Docker installed if you need it for other purposes.${NC}"
echo ""
fi
else
log_message "WARNING" "Docker is not running or not installed"
fi
# Step 1: Remove Wallarm container and image
echo ""
echo -e "${CYAN}${BOLD}Step 1: Remove Wallarm container and image${NC}"
if confirm "Stop and remove Wallarm container and image?" "y"; then
remove_wallarm_container
remove_wallarm_image
else
log_message "INFO" "Skipping Wallarm container/image removal"
fi
# Step 2: Remove Docker service files
echo ""
echo -e "${CYAN}${BOLD}Step 2: Remove Docker service files${NC}"
if confirm "Remove Docker service files (systemd/OpenRC/SysV init scripts)?" "y"; then
remove_docker_service_files
else
log_message "INFO" "Skipping Docker service file removal"
fi
# Step 3: Optional Docker binary removal
echo ""
echo -e "${CYAN}${BOLD}Step 3: Docker binaries and configuration${NC}"
remove_docker_binaries
remove_docker_config
# Step 4: Remove docker group
echo ""
echo -e "${CYAN}${BOLD}Step 4: System cleanup${NC}"
remove_docker_group
# Step 5: Remove Wallarm files
echo ""
echo -e "${CYAN}${BOLD}Step 5: Wallarm files and logs${NC}"
if confirm "Remove Wallarm scripts and log files?" "y"; then
remove_wallarm_files
else
log_message "INFO" "Skipping Wallarm file cleanup"
fi
# Final message
echo ""
echo -e "${GREEN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
echo -e "${GREEN}${BOLD}║ UNINSTALLATION COMPLETE ║${NC}"
echo -e "${GREEN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}"
echo ""
echo -e "${GREEN}Wallarm filtering node has been removed.${NC}"
echo ""
echo -e "${YELLOW}Note:${NC}"
echo -e " • Docker may still be installed on your system"
echo -e " • Docker data in /var/lib/docker may still exist"
echo -e " • User may still be in docker group (check with 'groups')"
echo ""
echo -e "To completely remove Docker, you may need to:"
echo -e " 1. Remove Docker package using your system's package manager"
echo -e " 2. Remove /var/lib/docker directory (contains all Docker data)"
echo -e " 3. Remove user from docker group: sudo gpasswd -d \$USER docker"
echo ""
}
# Run main function
main "$@"
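Review bot: `remove_docker_service_files` deletes `/usr/lib/systemd/system/docker.socket` and `/usr/lib/systemd/system/docker.service`, which are the paths a distribution package owns, whereas the deploy script hunk in this same commit writes its unit under `/etc/systemd/system/`; on a host that also has packaged Docker this removes units the toolkit never created, contradicting the comment above the array, so drop the two `/usr/lib` entries or gate them behind a `confirm` like the binary removal. `remove_wallarm_files` runs `rm -f ".env"` against whatever `.env` sits in the caller's current directory rather than a path tied to the deployment; anchor it to the directory the deploy script actually writes to (not visible here — confirm) or prompt before removing it. The `ERR` trap installed at the top is not inherited by shell functions unless `set -E` accompanies `set -euo pipefail`, so with every action inside a function it rarely fires, and `$LINENO` evaluated inside `early_error_handler` reports the handler's own line rather than the failing one; use `trap 'early_error_handler $LINENO' ERR` and print `$1` in the handler.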