153 lines
No EOL
4.5 KiB
Bash
153 lines
No EOL
4.5 KiB
Bash
#!/bin/bash
|
|
# ==============================================================================
|
|
# Wallarm Bulletproof Deployer - Banking Hardened (Manual Binary Support)
|
|
# ==============================================================================
|
|
|
|
YELLOW='\033[1;33m'
|
|
GREEN='\033[0;32m'
|
|
RED='\033[0;31m'
|
|
NC='\033[0m'
|
|
|
|
# --- 1. PRE-FLIGHT: CONNECTIVITY & ENGINE ---
|
|
|
|
check_connectivity() {
|
|
echo -e "\n${YELLOW}[1/5] Checking Connectivity & Registry...${NC}"
|
|
|
|
# Cloud Selection
|
|
read -p "Wallarm Cloud (US/EU) [US]: " CLOUD; CLOUD=${CLOUD^^}; CLOUD=${CLOUD:-US}
|
|
API_HOST=$([[ "$CLOUD" == "EU" ]] && echo "api.wallarm.com" || echo "us1.api.wallarm.com")
|
|
|
|
# Test Docker Hub Reachability
|
|
REGISTRY_REACHABLE=true
|
|
curl -skI --connect-timeout 5 "https://registry-1.docker.io/v2/" > /dev/null 2>&1 || REGISTRY_REACHABLE=false
|
|
|
|
if [ "$REGISTRY_REACHABLE" = false ]; then
|
|
echo -e "${RED}[ALERT]${NC} Docker Hub is CLOSED."
|
|
if ls *.tar >/dev/null 2>&1; then
|
|
echo -e "${GREEN}[INFO]${NC} Local .tar found. Will attempt 'docker load'."
|
|
else
|
|
echo -e "${RED}[ERROR]${NC} No internet and no local .tar image found. Please upload the wallarm-node image."; exit 1
|
|
fi
|
|
else
|
|
echo -e "${GREEN}[PASS]${NC} Docker Hub is reachable."
|
|
fi
|
|
}
|
|
|
|
setup_engine() {
|
|
echo -e "\n${YELLOW}[2/5] Hardening Container Engine...${NC}"
|
|
|
|
# Check if Docker or Podman is already running
|
|
if sudo docker info > /dev/null 2>&1; then
|
|
ENGINE="docker"
|
|
echo -e "${GREEN}[INFO]${NC} Existing Docker Engine detected."
|
|
elif sudo podman info > /dev/null 2>&1; then
|
|
ENGINE="podman"
|
|
echo -e "${GREEN}[INFO]${NC} Existing Podman Engine detected."
|
|
else
|
|
# No engine found, configure the manual Docker binaries
|
|
echo "No engine active. Setting up manual Docker Service..."
|
|
if [ ! -f "/usr/bin/dockerd" ]; then
|
|
echo -e "${RED}[FAIL]${NC} /usr/bin/dockerd not found. Ensure binaries were moved."; exit 1
|
|
fi
|
|
|
|
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
|
|
[Unit]
|
|
Description=Docker Engine
|
|
After=network-online.target
|
|
[Service]
|
|
Type=notify
|
|
ExecStart=/usr/bin/dockerd
|
|
Restart=on-failure
|
|
StartLimitBurst=3
|
|
StartLimitInterval=60s
|
|
LimitNOFILE=infinity
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
sudo systemctl daemon-reload
|
|
sudo systemctl enable --now docker
|
|
ENGINE="docker"
|
|
fi
|
|
}
|
|
|
|
# --- 2. CONFIGURATION ---
|
|
|
|
get_params() {
|
|
echo -e "\n${YELLOW}[3/5] Instance Configuration...${NC}"
|
|
read -p "Wallarm Token: " TOKEN
|
|
read -p "Instance ID [1]: " ID; ID=${ID:-1}
|
|
read -p "App IP [127.0.0.1]: " APP_IP; APP_IP=${APP_IP:-127.0.0.1}
|
|
read -p "App Port [80]: " APP_PORT; APP_PORT=${APP_PORT:-80}
|
|
|
|
INSTANCE_DIR="/opt/wallarm/$ID"
|
|
sudo mkdir -p "$INSTANCE_DIR"
|
|
}
|
|
|
|
# --- 3. PERSISTENCE ARTIFACTS ---
|
|
|
|
generate_artifacts() {
|
|
echo -e "\n${YELLOW}[4/5] Building Persistence Layers...${NC}"
|
|
|
|
# Nginx Conf
|
|
sudo tee "$INSTANCE_DIR/nginx.conf" > /dev/null <<EOF
|
|
server {
|
|
listen 80;
|
|
wallarm_mode monitoring;
|
|
location / {
|
|
proxy_pass http://$APP_IP:$APP_PORT;
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
}
|
|
}
|
|
server { listen 90; location /wallarm-status { wallarm_status on; } }
|
|
EOF
|
|
|
|
# Shell Start Script (The Persistence Logic)
|
|
sudo tee "$INSTANCE_DIR/start.sh" > /dev/null <<EOF
|
|
#!/bin/bash
|
|
echo "Cleaning old containers..."
|
|
sudo $ENGINE rm -f wallarm-node-$ID 2>/dev/null
|
|
|
|
echo "Launching Wallarm Node..."
|
|
sudo $ENGINE run -d \\
|
|
--name wallarm-node-$ID \\
|
|
--restart always \\
|
|
-p 80:80 -p 90:90 \\
|
|
-e WALLARM_API_TOKEN=$TOKEN \\
|
|
-e WALLARM_API_HOST=$API_HOST \\
|
|
-v "$INSTANCE_DIR/nginx.conf:/etc/nginx/http.d/default.conf:ro" \\
|
|
wallarm/node:latest
|
|
EOF
|
|
sudo chmod +x "$INSTANCE_DIR/start.sh"
|
|
}
|
|
|
|
# --- 4. EXECUTION ---
|
|
|
|
run_poc() {
|
|
echo -e "\n${YELLOW}[5/5] Executing Deployment...${NC}"
|
|
|
|
if [ "$REGISTRY_REACHABLE" = true ]; then
|
|
echo "Pulling latest image..."
|
|
sudo $ENGINE pull wallarm/node:latest
|
|
else
|
|
echo "Loading image from local storage..."
|
|
sudo $ENGINE load < *.tar
|
|
fi
|
|
|
|
sudo "$INSTANCE_DIR/start.sh"
|
|
|
|
sleep 15
|
|
echo -n "Verifying Node Status... "
|
|
if curl -s http://localhost:90/wallarm-status | grep -q "requests"; then
|
|
echo -e "${GREEN}✅ POC ACTIVE${NC}"
|
|
else
|
|
echo -e "${RED}❌ FAILED${NC}. Check logs: sudo $ENGINE logs wallarm-node-$ID"
|
|
fi
|
|
}
|
|
|
|
# --- RUN ---
|
|
check_connectivity
|
|
setup_engine
|
|
get_params
|
|
generate_artifacts
|
|
run_poc |