
#!/bin/bash
# ==============================================================================
# WALLARM NODE DEPLOYMENT SCRIPT - V1.6 (LXC & CENTOS COMPATIBILITY)
# ==============================================================================
# Features:
# - Added: LXC-specific Docker Daemon configuration (cgroupfs driver)
# - Added: libseccomp and iptables dependency checks
# - Stealth Binary Pull via ct.sechpoint.app (Proxy to download.docker.com)
# - Stealth Image Pull via hub.ct.sechpoint.app (Proxy to registry-1.docker.io)
#   NOTE: both pulls go through a third-party intermediary rather than the vendor,
#   and the binaries are copied into /usr/bin as root. Verify the tarball's SHA-256
#   and the image digest against values obtained out-of-band before trusting a run.
# ==============================================================================
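# Color definitions. These are literal backslash sequences (single-quoted); they are
# only turned into terminal escapes by `echo -e` / `printf %b` at print time.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly CYAN='\033[0;36m'
readonly BOLD='\033[1m'
readonly NC='\033[0m'
# SECHPOINT STEALTH CONFIGURATION
# Both hosts are intermediaries in front of the vendor endpoints, not the vendor
# itself: everything this script installs is only as trustworthy as they are.
readonly BASE_DOMAIN="ct.sechpoint.app"
readonly HUB_DOMAIN="hub.ct.sechpoint.app"
# Static-bundle version fetched as docker-$DOCKER_VERSION.tgz.
readonly DOCKER_VERSION="29.2.1"
# Root-owned; every log_message line is appended here via sudo tee.
readonly LOG_FILE="/var/log/wallarm-deployment.log"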
# --- HELPER FUNCTIONS ---
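# Append "<timestamp> [LEVEL] message" to LOG_FILE and echo a colourised copy to stdout.
# Arguments: $1 - level (INFO|SUCCESS|WARNING|ERROR; anything else is printed bold),
#            $2 - message text (backslash sequences are expanded, as with echo -e)
# Note: check_pre_flight calls this once before it enforces root, so the sudo below
# is the only privilege boundary that first line crosses.
log_message() {
  local level="$1"
  local message="$2"
  local timestamp
  # Separate declaration from assignment so date's exit status is not masked by local.
  timestamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%b\n' "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null
  case "$level" in
    INFO)    printf '%b%b[INFO]%b %b\n'    "$BLUE"   "$BOLD" "$NC" "$message" ;;
    SUCCESS) printf '%b%b[SUCCESS]%b %b\n' "$GREEN"  "$BOLD" "$NC" "$message" ;;
    WARNING) printf '%b%b[WARNING]%b %b\n' "$YELLOW" "$BOLD" "$NC" "$message" ;;
    ERROR)   printf '%b%b[ERROR]%b %b\n'   "$RED"    "$BOLD" "$NC" "$message" ;;
    # Unknown levels used to be logged to the file but silently dropped from the console.
    *)       printf '%b[%s]%b %b\n' "$BOLD" "$level" "$NC" "$message" ;;
  esac
}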
# Log an ERROR line, print a highlighted remediation hint, and abort the script.
# Arguments: $1 - error text (goes through log_message), $2 - remediation advice
# Never returns: exits the whole script with status 1.
fail_with_remediation() {
  local error_text="$1"
  local advice="$2"
  log_message "ERROR" "$error_text"
  # Blank line, red/bold label, the advice, blank line (same bytes as the echo -e form).
  printf '\n%b%bREMEDIATION:%b %b\n\n' "$RED" "$BOLD" "$NC" "$advice"
  exit 1
}
# --- SYSTEM CHECKS ---
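# Pre-flight: require root, best-effort install of runtime dependencies, pick the
# download architecture, and confirm the proxy answers over TLS.
# Globals written: ARCH (uname -m), D_ARCH (consumed by setup_docker_engine's URL).
# Exits via fail_with_remediation on a hard failure.
check_pre_flight() {
  log_message "INFO" "Starting pre-flight checks..."
  # Everything after this writes /usr/bin, /etc/docker and systemd units.
  if [[ $EUID -ne 0 ]]; then
    fail_with_remediation "Script must be run as root/sudo" "Try: sudo ./$(basename "$0")"
  fi
  # Core utilities and Docker runtime dependencies. libseccomp is a library, so only
  # the rpm query can see it; iptables is kept because dockerd may still want it
  # even though the daemon.json written later sets "iptables": false.
  local dep
  for dep in tar gzip curl libseccomp iptables; do
    if rpm -q "$dep" >/dev/null 2>&1 || command -v "$dep" >/dev/null 2>&1; then
      continue
    fi
    log_message "WARNING" "Missing dependency: $dep. Attempting auto-fix..."
    # Install failures used to pass silently; surface them (still non-fatal, as before).
    if command -v yum >/dev/null 2>&1; then
      sudo yum install -y "$dep" || log_message "WARNING" "Auto-fix failed for $dep; dockerd may not start."
    elif command -v dnf >/dev/null 2>&1; then
      sudo dnf install -y "$dep" || log_message "WARNING" "Auto-fix failed for $dep; dockerd may not start."
    else
      log_message "WARNING" "Neither yum nor dnf found; install $dep manually."
    fi
  done
  # D_ARCH is deliberately global: setup_docker_engine builds the tarball URL from it.
  ARCH=$(uname -m)
  case "$ARCH" in
    x86_64)  D_ARCH="x86_64" ;;
    aarch64) D_ARCH="aarch64" ;;
    *) fail_with_remediation "Unsupported architecture: $ARCH" "Contact Sechpoint Support." ;;
  esac
  # Reachability only. TLS verification stays on (no -k), but any HTTP status passes
  # and nothing here establishes the integrity of what the proxy will serve.
  log_message "INFO" "Verifying connectivity to Stealth Proxy ($BASE_DOMAIN)..."
  if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then
    fail_with_remediation "Proxy Unreachable" "Check LXC resolver or host-level /etc/hosts for $BASE_DOMAIN"
  fi
}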
# --- DOCKER ENGINE SETUP ---
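# Install the static Docker bundle from the proxy, write an LXC-friendly daemon.json
# and a minimal systemd unit, then wait for the daemon to answer.
# Globals read: BASE_DOMAIN, DOCKER_VERSION, D_ARCH (set by check_pre_flight),
#               DOCKER_SHA256 (optional, from the environment: hex SHA-256 of the tarball).
# Exits via fail_with_remediation on download, checksum, extraction or start-up failure.
setup_docker_engine() {
  log_message "INFO" "Deploying Docker Engine via Stealth Proxy..."
  if command -v docker >/dev/null 2>&1; then
    # An existing engine is trusted as-is: neither daemon.json nor the unit below is
    # written, so the LXC-specific settings only apply to fresh installs.
    log_message "SUCCESS" "Docker engine already installed."
    return 0
  fi
  local binary_file="docker-$DOCKER_VERSION.tgz"
  local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"
  # Stage in a private, unpredictable directory. The former fixed /tmp/docker path was
  # followed by `cp /tmp/docker/* /usr/bin/` as root, so any extra file an unprivileged
  # local user had planted in that world-writable location would have been installed too.
  local work_dir
  work_dir=$(mktemp -d) || fail_with_remediation "Could not create staging directory" "Check that /tmp is writable."
  # shellcheck disable=SC2064 -- expand now on purpose; work_dir is fixed for the rest of the run
  trap "rm -rf -- '$work_dir'" EXIT
  log_message "INFO" "Fetching binaries from $download_url"
  # Keep the transfer and any redirect (-L) on HTTPS only; TLS verification stays on.
  # The proxy, not the vendor, is the trust anchor for these binaries.
  curl -fL --proto '=https' --proto-redir '=https' "$download_url" -o "$work_dir/$binary_file" \
    || fail_with_remediation "Download failed" "Check Proxy."
  # Integrity: DOCKER_SHA256 pins the tarball to a hash obtained out-of-band. Without it
  # nothing in this script can detect a tampered or substituted archive.
  if [[ -n "${DOCKER_SHA256:-}" ]]; then
    printf '%s  %s\n' "$DOCKER_SHA256" "$work_dir/$binary_file" | sha256sum -c --quiet - \
      || fail_with_remediation "Checksum mismatch for $binary_file" "Re-download, or correct DOCKER_SHA256 against the vendor's published value."
    log_message "SUCCESS" "Tarball SHA-256 verified."
  else
    log_message "WARNING" "DOCKER_SHA256 not set: installing binaries from $BASE_DOMAIN without integrity verification."
  fi
  log_message "INFO" "Extracting binaries..."
  tar xzf "$work_dir/$binary_file" -C "$work_dir" >/dev/null 2>&1 || fail_with_remediation "Extraction failed" "Check tar."
  # The bundle is expected to unpack to docker/; refuse anything else rather than copy blindly.
  [[ -x "$work_dir/docker/dockerd" ]] || fail_with_remediation "Unexpected archive layout" "Expected docker/dockerd inside $binary_file."
  sudo cp "$work_dir"/docker/* /usr/bin/
  rm -rf -- "$work_dir/docker" "$work_dir/$binary_file"
  # --- LXC SPECIFIC CONFIGURATION ---
  # cgroupfs + vfs sidestep the cgroup/overlay problems seen inside an LXC guest.
  # "iptables": false and "bridge": "none" mean dockerd touches no host firewall rules
  # and creates no default bridge network; container networking must be set up explicitly.
  sudo mkdir -p /etc/docker
  sudo tee /etc/docker/daemon.json > /dev/null <<EOF
{
"exec-opts": ["native.cgroupdriver=cgroupfs"],
"storage-driver": "vfs",
"iptables": false,
"bridge": "none"
}
EOF
  # Minimal unit. --group docker makes the API socket group-accessible; anyone in that
  # group can drive the daemon, which is root-equivalent on the host, so keep it small.
  sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
[Unit]
Description=Docker Engine
After=network.target
[Service]
ExecStart=/usr/bin/dockerd --group docker
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
  sudo systemctl daemon-reload
  sudo systemctl enable --now docker
  log_message "INFO" "Waiting for Docker daemon (LXC Optimized)..."
  # Poll `docker info` once a second, giving up after the 21st failed attempt.
  local waited=0
  until docker info >/dev/null 2>&1; do
    if (( waited > 20 )); then
      log_message "ERROR" "Docker failed to start in LXC."
      echo -e "${YELLOW}Manual Debug:${NC} sudo /usr/bin/dockerd --debug"
      fail_with_remediation "Docker Timeout" "Check 'journalctl -u docker' for Cgroup errors."
    fi
    sleep 1
    waited=$((waited + 1))
  done
  log_message "SUCCESS" "Docker Engine is live in LXC."
}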
# --- WALLARM NODE DEPLOYMENT ---
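# Pull the Wallarm node image through the proxy registry and re-tag it as wallarm/node:latest.
# Globals read: HUB_DOMAIN; WALLARM_NODE_DIGEST (optional, from the environment,
#               "sha256:<hex>") pins the pull to an exact image instead of the floating tag.
# Exits via fail_with_remediation if the pull fails.
deploy_wallarm_node() {
  log_message "INFO" "Fetching Wallarm Filtering Node via Stealth Registry..."
  local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
  if [[ -n "${WALLARM_NODE_DIGEST:-}" ]]; then
    # Pull-by-digest makes the registry prove the content matches what was reviewed;
    # :latest from a third-party mirror can change under you at any time.
    proxy_img="$HUB_DOMAIN/wallarm/node@$WALLARM_NODE_DIGEST"
  fi
  local local_img="wallarm/node:latest"
  log_message "INFO" "Pulling $proxy_img..."
  if ! sudo docker pull "$proxy_img"; then
    fail_with_remediation "Image Pull Failed" "Verify hub.ct.sechpoint.app is reachable."
  fi
  # Record provenance before the proxy reference disappears: after the re-tag below,
  # `docker images` shows only wallarm/node:latest and the registry of origin is gone,
  # so this log line is the only record of what was actually deployed.
  local digest
  digest=$(sudo docker inspect --format '{{join .RepoDigests " "}}' "$proxy_img" 2>/dev/null)
  log_message "INFO" "Pulled image digest(s): ${digest:-unknown}"
  log_message "INFO" "Normalizing image tags..."
  sudo docker tag "$proxy_img" "$local_img"
  # rmi on the proxy reference only drops that tag; the layers remain under local_img.
  sudo docker rmi "$proxy_img"
  log_message "SUCCESS" "Wallarm Node Image Ready."
}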
# --- MAIN EXECUTION ---
# Entry point: banner, then the three phases in order (each aborts the script itself
# via fail_with_remediation), then a summary of the installed engine and image.
main() {
  clear
  printf '%b%b%s%b\n' "$CYAN" "$BOLD" '╔══════════════════════════════════════════════════════════════╗' "$NC"
  printf '%b%b%s%b\n' "$CYAN" "$BOLD" '║ SECHPOINT WALLARM STEALTH DEPLOYER V1.6 ║' "$NC"
  printf '%b%b%s%b\n\n' "$CYAN" "$BOLD" '╚══════════════════════════════════════════════════════════════╝' "$NC"
  check_pre_flight
  setup_docker_engine
  deploy_wallarm_node
  printf '\n%b%bSTEALTH DEPLOYMENT SUCCESSFUL%b\n' "$GREEN" "$BOLD" "$NC"
  printf 'Docker: %b\n' "$(docker --version)"
  printf 'Image: %b\n' "$(docker images wallarm/node --format '{{.Repository}}:{{.Tag}}')"
}
main "$@"