chore: auto-commit 2026-03-18 13:06

cclohmar 2026-03-18 13:06:00 +00:00
parent 61b5694d06
commit c2a49724c9


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# ============================================================================== # ==============================================================================
# Sechpoint Wallarm Smart Deployer - Banking POC Edition (Legacy Support) # Wallarm Bulletproof Deployer - Banking Hardened Edition
# ============================================================================== # ==============================================================================
YELLOW='\033[1;33m' YELLOW='\033[1;33m'
@ -8,148 +8,103 @@ GREEN='\033[0;32m'
RED='\033[0;31m' RED='\033[0;31m'
NC='\033[0m' NC='\033[0m'
LOG_FILE="/var/log/wallarm-deploy.log" # --- 1. PRE-FLIGHT: CONNECTIVITY & ENGINE ---
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com" "node-data1.us1.wallarm.com")
sudo touch "$LOG_FILE" && sudo chmod 644 "$LOG_FILE" check_connectivity() {
exec > >(tee -a "$LOG_FILE") 2>&1 echo -e "\n${YELLOW}[1/5] Checking Connectivity & Registry...${NC}"
clear # Cloud Selection
echo -e "${YELLOW}====================================================${NC}" read -p "Wallarm Cloud (US/EU) [US]: " CLOUD; CLOUD=${CLOUD^^}; CLOUD=${CLOUD:-US}
echo -e "${YELLOW} Wallarm Automated Container Deployer ${NC}" API_HOST=$([[ "$CLOUD" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
echo -e "${YELLOW}====================================================${NC}"
# --- 1. DETECTION --- # Test Wallarm API
curl -skI --connect-timeout 5 "https://$API_HOST" > /dev/null 2>&1 || \
{ echo -e "${RED}[WARN]${NC} Wallarm Cloud unreachable. Ensure proxy is set."; }
detect_environment() { # Test Docker Hub
echo -e "\n${YELLOW}[1/5] Detecting System Environment...${NC}" REGISTRY_REACHABLE=true
if command -v dnf &> /dev/null; then curl -skI --connect-timeout 5 "https://registry-1.docker.io/v2/" > /dev/null 2>&1 || REGISTRY_REACHABLE=false
PKG_MANAGER="dnf"
elif command -v yum &> /dev/null; then
PKG_MANAGER="yum"
elif command -v apt-get &> /dev/null; then
PKG_MANAGER="apt"
else
echo -e "${RED}[FAIL]${NC} No package manager found."; exit 1
fi
echo -e "${GREEN}[PASS]${NC} Using $PKG_MANAGER"
}
check_sudo() { if [ "$REGISTRY_REACHABLE" = false ]; then
sudo -v || { echo -e "${RED}[FAIL]${NC} Sudo denied."; exit 1; } echo -e "${RED}[ALERT]${NC} Docker Hub is CLOSED."
} if ls *.tar >/dev/null 2>&1; then
echo -e "${GREEN}[INFO]${NC} Local .tar found. Will attempt 'docker load'."
check_wallarm_cloud() {
echo -e "\n${YELLOW}[2/5] Testing Wallarm Cloud (Port 443)...${NC}"
read -p "Wallarm Cloud (US/EU) [US]: " CLOUD_SEL
CLOUD_SEL=${CLOUD_SEL^^}
CLOUD_SEL=${CLOUD_SEL:-US}
local nodes_to_test=("${US_DATA_NODES[@]}")
[[ "$CLOUD_SEL" == "EU" ]] && nodes_to_test=("${EU_DATA_NODES[@]}")
for node in "${nodes_to_test[@]}"; do
curl -skI --connect-timeout 5 "https://$node" > /dev/null 2>&1 || { echo -e "${RED}[FAIL]${NC} $node unreachable"; exit 1; }
echo -e "${GREEN}[PASS]${NC} Reached $node"
done
API_HOST=$([[ "$CLOUD_SEL" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
}
# --- 2. CONFIG ---
get_user_input() {
echo -e "\n${YELLOW}[3/5] Configuration...${NC}"
read -p "Enter Instance Number: " INSTANCE_NUM
NODE_NAME="wallarm-node-$INSTANCE_NUM"
INSTANCE_DIR="/opt/wallarm/$INSTANCE_NUM"
TRAFFIC_PORT=$((8000 + INSTANCE_NUM))
MONITOR_PORT=$((9000 + INSTANCE_NUM))
read -p "Enter Upstream IP [127.0.0.1]: " UPSTREAM_IP
UPSTREAM_IP=${UPSTREAM_IP:-127.0.0.1}
read -p "Enter Upstream Port [80]: " UPSTREAM_PORT
UPSTREAM_PORT=${UPSTREAM_PORT:-80}
read -p "Paste Wallarm Token: " TOKEN
}
# --- 3. ENGINE SETUP (The Fix) ---
setup_engine() {
echo -e "\n${YELLOW}[4/5] 🛠️ Setting up Container Engine...${NC}"
if [[ "$PKG_MANAGER" == "dnf" || "$PKG_MANAGER" == "yum" ]]; then
# Try Podman first, fallback to Docker if Podman isn't in repos
sudo $PKG_MANAGER install -y podman podman-compose &>/dev/null
if command -v podman &> /dev/null; then
ENGINE="podman"
sudo systemctl enable --now podman.socket &>/dev/null
else else
echo -e "${YELLOW}Podman not found. Trying Docker...${NC}" echo -e "${RED}[ERROR]${NC} No internet and no local .tar image found. Cannot proceed."; exit 1
sudo $PKG_MANAGER install -y docker docker-compose &>/dev/null
ENGINE="docker"
sudo systemctl enable --now docker &>/dev/null
fi fi
else
sudo apt-get update && sudo apt-get install -y docker.io docker-compose &>/dev/null
ENGINE="docker"
sudo systemctl enable --now docker &>/dev/null
fi fi
echo -e "${GREEN}[INFO]${NC} Using Engine: $ENGINE"
} }
# --- 4. DEPLOY --- setup_service() {
echo -e "\n${YELLOW}[2/5] Hardening Docker Service...${NC}"
# Ensure the systemd unit exists for the manual binaries
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit]
Description=Docker Application Container Engine
After=network-online.target
Wants=network-online.target
execute_deployment() { [Service]
echo -e "\n${YELLOW}[5/5] 🚀 Deploying...${NC}" Type=notify
sudo mkdir -p "$INSTANCE_DIR" && cd "$INSTANCE_DIR" ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP \$MAINPID
TimeoutStartSec=0
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
sudo tee "nginx.conf" > /dev/null <<EOF [Install]
WantedBy=multi-user.target
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now docker
sudo docker info > /dev/null 2>&1 || { echo -e "${RED}[FAIL]${NC} Docker Engine failed."; exit 1; }
}
# --- 2. CONFIGURATION ---
get_params() {
echo -e "\n${YELLOW}[3/5] Instance Setup...${NC}"
read -p "Wallarm Token: " TOKEN
read -p "Instance ID [1]: " ID; ID=${ID:-1}
read -p "App IP [127.0.0.1]: " APP_IP; APP_IP=${APP_IP:-127.0.0.1}
read -p "App Port [80]: " APP_PORT; APP_PORT=${APP_PORT:-80}
INSTANCE_DIR="/opt/wallarm/$ID"
sudo mkdir -p "$INSTANCE_DIR"
}
# --- 3. ARTIFACTS & REBOOT SURVIVAL ---
generate_artifacts() {
echo -e "\n${YELLOW}[4/5] Building Persistence Layers...${NC}"
# Nginx Conf
sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null <<EOF
server { server {
listen 80; listen 80;
wallarm_mode monitoring; wallarm_mode monitoring;
location / { location / {
proxy_pass http://$UPSTREAM_IP:$UPSTREAM_PORT; proxy_pass http://$APP_IP:$APP_PORT;
proxy_set_header Host \$host; proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
} }
} }
server { listen 90; location /wallarm-status { wallarm_status on; } } server { listen 90; location /wallarm-status { wallarm_status on; } }
EOF EOF
sudo tee "compose.yml" > /dev/null <<EOF # The "Always-Up" Start Script
version: '3' sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
services: #!/bin/bash
node: # Force cleanup of zombie containers
image: docker.io/wallarm/node:latest sudo docker rm -f wallarm-node-$ID 2>/dev/null
container_name: $NODE_NAME
ports: ["$TRAFFIC_PORT:80", "$MONITOR_PORT:90"]
environment:
- WALLARM_API_TOKEN=$TOKEN
- WALLARM_API_HOST=$API_HOST
volumes: ["./nginx.conf:/etc/nginx/http.d/default.conf:ro,Z"]
EOF
sudo $ENGINE rm -f "$NODE_NAME" &>/dev/null # Start with 'always' restart policy for reboot survival
sudo docker run -d \\
if command -v $ENGINE-compose &> /dev/null; then --name wallarm-node-$ID \\
sudo $ENGINE-compose up -d --restart always \\
else -p 80:80 -p 90
# Direct run fallback if compose is missing
sudo $ENGINE run -d --name "$NODE_NAME" -p "$TRAFFIC_PORT:80" -p "$MONITOR_PORT:90" \
-e WALLARM_API_TOKEN="$TOKEN" -e WALLARM_API_HOST="$API_HOST" \
-v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro,Z" docker.io/wallarm/node:latest
fi
}
verify_health() {
echo -e "\n${YELLOW}Checking status...${NC}"
sleep 15
curl -s "http://localhost:$MONITOR_PORT/wallarm-status" | grep -q "requests" && echo -e "${GREEN}SUCCESS${NC}" || echo -e "${RED}FAILED${NC}"
}
detect_environment
check_sudo
check_wallarm_cloud
get_user_input
setup_engine
execute_deployment
verify_health
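Review bot: In the new `get_params`, `ID` is accepted unvalidated and then spliced into the filesystem path `INSTANCE_DIR="/opt/wallarm/$ID"` (and into the container name in `start.sh`), so a value such as `../etc` escapes `/opt/wallarm` and the subsequent `sudo mkdir -p` and `sudo tee` operate outside it; the old code at least forced `INSTANCE_NUM` through arithmetic, which the rewrite drops. Add a check right after the prompt, `[[ "$ID" =~ ^[0-9]+$ ]] || { echo -e "${RED}[FAIL]${NC} Instance ID must be numeric."; exit 1; }`, and read the secret without echoing it, `read -rsp "Wallarm Token: " TOKEN; echo`, since `read -p` leaves the token visible in the terminal. The `start.sh` heredoc is unquoted and the `sudo docker run` inside it continues past the visible end of the hunk; if that command embeds `$TOKEN` as an `-e` argument, the token lands in a file created with default permissions, so follow the tee with `sudo chmod 600 "$INSTANCE_DIR/start.sh"`. The connectivity probes in `check_connectivity` also keep `curl -k`, which makes the check pass through any TLS-intercepting middlebox; for a hardened edition consider dropping `-k` so a broken trust path surfaces here rather than later in the node.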