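#!/bin/bash
# ==============================================================================
# WALLARM NODE DEPLOYMENT SCRIPT - V1.7 (LXC KERNEL & SOCKET FIX)
# ==============================================================================
# Features:
#   - Added: Storage driver fallback (vfs) for LXC environments
#   - Added: Cgroup/Systemd bypass for nested container execution
#   - Added: socket readiness loop to prevent 'Cannot connect to daemon' errors
#   - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
#   - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
#
# Usage:   sudo ./<this script>
# Env:     DOCKER_SHA256 (optional) - expected SHA-256 of docker-$DOCKER_VERSION.tgz.
#          When set, the archive fetched through the proxy is verified before any
#          file is copied into /usr/bin. When unset, the download is installed
#          unverified and a WARNING is logged.
# Log:     every message is also appended to $LOG_FILE.
# ==============================================================================

# -u: unset variables are bugs here; pipefail: tee/curl failures in pipelines
# are not masked. -e is deliberately not used: every critical step is checked
# explicitly via fail_with_remediation.
set -uo pipefail

# Color definitions
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
BOLD='\033[1m'
NC='\033[0m'

# SECHPOINT STEALTH CONFIGURATION
BASE_DOMAIN="ct.sechpoint.app"
HUB_DOMAIN="hub.ct.sechpoint.app"
DOCKER_VERSION="29.2.1"
LOG_FILE="/var/log/wallarm-deployment.log"
# Optional integrity pin for the static Docker archive (see header). Empty means
# "not pinned"; the value must come from the operator, never from the proxy.
DOCKER_SHA256="${DOCKER_SHA256:-}"

# --- HELPER FUNCTIONS ---

#######################################
# Append a timestamped line to LOG_FILE and print a colored copy to stdout.
# Globals:   LOG_FILE, color constants (read)
# Arguments: $1 - level: INFO | SUCCESS | WARNING | ERROR
#            $2 - message text
# Outputs:   colored line on stdout; plain line appended to LOG_FILE via sudo tee
#######################################
log_message() {
  local level="$1"
  local message="$2"
  local timestamp
  timestamp=$(date '+%Y-%m-%d %H:%M:%S')

  # printf '%s' so a message containing backslashes (paths, arch strings,
  # dependency names) is logged verbatim instead of being escape-interpreted.
  printf '%s [%s] %s\n' "$timestamp" "$level" "$message" \
    | sudo tee -a "$LOG_FILE" > /dev/null

  case "$level" in
    INFO)    echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;;
    SUCCESS) echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;;
    WARNING) echo -e "${YELLOW}${BOLD}[WARNING]${NC} ${message}" ;;
    ERROR)   echo -e "${RED}${BOLD}[ERROR]${NC} ${message}" ;;
  esac
}

#######################################
# Log an ERROR, print the remediation hint and terminate the script.
# Arguments: $1 - error description
#            $2 - remediation hint shown to the operator
# Returns:   never returns; exits 1
#######################################
fail_with_remediation() {
  local error="$1"
  local remediation="$2"
  log_message "ERROR" "$error"
  echo -e "\n${RED}${BOLD}REMEDIATION:${NC} ${remediation}\n"
  exit 1
}

# --- SYSTEM CHECKS ---

#######################################
# Verify root, runtime dependencies, CPU architecture and proxy reachability.
# Globals:   BASE_DOMAIN (read); ARCH, D_ARCH (written, read by setup_docker_engine)
# Returns:   0 when all checks pass; exits via fail_with_remediation otherwise
#######################################
check_pre_flight() {
  log_message "INFO" "Starting pre-flight checks..."

  if [[ $EUID -ne 0 ]]; then
    fail_with_remediation "Script must be run as root/sudo" "Try: sudo ./$(basename "$0")"
  fi

  # Core utilities and Docker runtime dependencies.
  # NOTE: libseccomp is a library, not a command, so only the rpm -q probe can
  # find it; on non-RPM hosts it always reports missing and no package manager
  # below applies (the warning is then informational only).
  local cmd_or_lib
  for cmd_or_lib in tar gzip curl libseccomp iptables; do
    if ! rpm -q "$cmd_or_lib" >/dev/null 2>&1 && ! command -v "$cmd_or_lib" >/dev/null 2>&1; then
      log_message "WARNING" "Missing dependency: $cmd_or_lib. Attempting auto-fix..."
      if command -v yum >/dev/null 2>&1; then
        sudo yum install -y "$cmd_or_lib"
      elif command -v dnf >/dev/null 2>&1; then
        sudo dnf install -y "$cmd_or_lib"
      fi
    fi
  done

  # D_ARCH is the directory name used by the static-binary download path.
  ARCH=$(uname -m)
  case "$ARCH" in
    x86_64)  D_ARCH="x86_64" ;;
    aarch64) D_ARCH="aarch64" ;;
    *) fail_with_remediation "Unsupported architecture: $ARCH" "Contact Sechpoint Support." ;;
  esac

  log_message "INFO" "Verifying connectivity to Stealth Proxy ($BASE_DOMAIN)..."
  if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then
    fail_with_remediation "Proxy Unreachable" "Check LXC resolver or host-level /etc/hosts for $BASE_DOMAIN"
  fi
}

# --- DOCKER ENGINE SETUP ---

#######################################
# Install the static Docker binaries (if dockerd is absent), write daemon.json
# tuned for LXC and wait until the daemon socket answers.
# Globals:   BASE_DOMAIN, DOCKER_VERSION, DOCKER_SHA256, D_ARCH (read)
# Outputs:   /usr/bin/docker*, /etc/docker/daemon.json
# Returns:   0 when the daemon responds; exits via fail_with_remediation otherwise
#######################################
setup_docker_engine() {
  log_message "INFO" "Deploying Docker Engine via Stealth Proxy..."

  # Check if docker is actually working, not just installed
  if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then
    log_message "SUCCESS" "Docker engine is already installed and running."
    return 0
  fi

  local binary_file="docker-$DOCKER_VERSION.tgz"
  local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"

  if [[ ! -f "/usr/bin/dockerd" ]]; then
    # Private scratch directory instead of fixed /tmp paths: the archive and the
    # extracted binaries are copied into /usr/bin as root, so they must not be
    # pre-creatable or swappable by another local user.
    local tmpdir
    tmpdir=$(mktemp -d) || fail_with_remediation "mktemp failed" "Check that /tmp is writable."
    # shellcheck disable=SC2064 -- expand now; tmpdir is local to this function
    trap "rm -rf -- '${tmpdir:?}'" EXIT
    local archive="$tmpdir/$binary_file"

    log_message "INFO" "Fetching binaries from $download_url"
    # --proto '=https' keeps the -L redirect chain on HTTPS.
    curl -fL --proto '=https' "$download_url" -o "$archive" \
      || fail_with_remediation "Download failed" "Check Proxy."

    # Integrity gate: the proxy is an intermediary, so verify the archive
    # against an operator-supplied pin before anything lands in /usr/bin.
    if [[ -n "$DOCKER_SHA256" ]]; then
      if ! printf '%s  %s\n' "$DOCKER_SHA256" "$archive" | sha256sum -c --status -; then
        fail_with_remediation "Checksum mismatch for $binary_file" \
          "Archive served by $BASE_DOMAIN does not match DOCKER_SHA256. Do not install it; compare with the upstream checksum for $DOCKER_VERSION."
      fi
      log_message "INFO" "Archive checksum verified."
    else
      log_message "WARNING" "DOCKER_SHA256 not set: installing $binary_file without integrity verification."
    fi

    log_message "INFO" "Extracting binaries..."
    tar xzf "$archive" -C "$tmpdir" > /dev/null 2>&1 \
      || fail_with_remediation "Extraction failed" "Check tar."
    # The static archive unpacks into a top-level docker/ directory.
    [[ -d "$tmpdir/docker" ]] \
      || fail_with_remediation "Extraction failed" "Archive did not contain a docker/ directory."

    sudo cp "$tmpdir"/docker/* /usr/bin/ \
      || fail_with_remediation "Install failed" "Could not copy binaries into /usr/bin."
    rm -rf -- "${tmpdir:?}"
    trap - EXIT
  fi

  # --- LXC SPECIFIC CONFIGURATION ---
  sudo mkdir -p /etc/docker

  # Determine best storage driver for LXC: overlay2 when the kernel exposes it,
  # otherwise the slow-but-universal vfs driver.
  local storage_driver="vfs"
  if grep -q "overlay" /proc/filesystems; then
    storage_driver="overlay2"
  fi

  # NOTE(review): the heredoc body the original script fed to tee was lost in
  # extraction; only the storage-driver key is recoverable from the variable
  # above. Any further settings the original wrote here (e.g. the cgroup/systemd
  # bypass listed in the header) must be restored from the original source.
  sudo tee /etc/docker/daemon.json > /dev/null <<EOF
{
  "storage-driver": "${storage_driver}"
}
EOF

  # NOTE(review): a command redirected to /dev/null preceded the enable in the
  # garbled source; daemon-reload is the harmless reconstruction. The static
  # tarball ships no docker.service unit, so enable fails unless a unit already
  # exists — the socket loop below then reports the timeout.
  sudo systemctl daemon-reload > /dev/null 2>&1
  sudo systemctl enable --now docker \
    || log_message "WARNING" "systemctl enable --now docker failed; waiting for the socket anyway."

  log_message "INFO" "Waiting for Docker socket (/var/run/docker.sock)..."
  local counter=0
  while [[ ! -S /var/run/docker.sock ]]; do
    if (( counter > 20 )); then
      log_message "ERROR" "Docker socket never appeared."
      echo -e "${YELLOW}Debug Command:${NC} sudo /usr/bin/dockerd --debug"
      fail_with_remediation "Socket Timeout" "Check 'journalctl -u docker' for kernel/cgroup errors."
    fi
    sleep 1
    counter=$((counter + 1))
  done

  # Final check: a socket file alone does not prove the daemon answers.
  if ! sudo docker info >/dev/null 2>&1; then
    fail_with_remediation "Daemon Error" "Socket exists but daemon is unresponsive. Check permissions."
  fi
  log_message "SUCCESS" "Docker Engine is live in LXC."
}

# --- WALLARM NODE DEPLOYMENT ---

#######################################
# Pull the Wallarm node image through the registry proxy and retag it under
# the canonical wallarm/node:latest name.
# Globals:   HUB_DOMAIN (read)
# Returns:   0 on success; exits via fail_with_remediation otherwise
#######################################
deploy_wallarm_node() {
  log_message "INFO" "Fetching Wallarm Filtering Node via Stealth Registry..."

  local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
  local local_img="wallarm/node:latest"

  log_message "INFO" "Pulling $proxy_img..."
  if ! sudo docker pull "$proxy_img"; then
    fail_with_remediation "Image Pull Failed" "Docker daemon is running but pull failed. Check Zoraxy registry logs."
  fi

  # Retag first, then drop the proxy tag; the rmi only removes the extra tag
  # because the same image ID is still referenced by local_img.
  log_message "INFO" "Normalizing image tags..."
  sudo docker tag "$proxy_img" "$local_img" \
    || fail_with_remediation "Image Tag Failed" "Could not tag $proxy_img as $local_img."
  sudo docker rmi "$proxy_img" \
    || log_message "WARNING" "Could not remove proxy tag $proxy_img; image is still usable as $local_img."

  log_message "SUCCESS" "Wallarm Node Image Ready."
}

# --- MAIN EXECUTION ---

#######################################
# Entry point: banner, pre-flight, engine setup, image deployment, summary.
# Arguments: ignored
#######################################
main() {
  clear
  echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
  echo -e "${CYAN}${BOLD}║          SECHPOINT WALLARM STEALTH DEPLOYER V1.7             ║${NC}"
  echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"

  check_pre_flight
  setup_docker_engine
  deploy_wallarm_node

  echo -e "\n${GREEN}${BOLD}STEALTH DEPLOYMENT SUCCESSFUL${NC}"
  echo -e "Docker: $(docker --version)"
  echo -e "Image:  $(docker images wallarm/node --format '{{.Repository}}:{{.Tag}}')"
}

main "$@"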