226 lines
No EOL
8 KiB
Bash
226 lines
No EOL
8 KiB
Bash
#!/bin/bash
|
|
# ==============================================================================
|
|
# WALLARM BULLETPROOF STEALTH DEPLOYER - V1.9 (LXC & CENTOS OPTIMIZED)
|
|
# ==============================================================================
|
|
# Recent Fixes:
|
|
# - Added DNS/Hosts discovery for Stealth Proxy
|
|
# - Improved dependency chain for CentOS Stream 9
|
|
# - Enhanced Docker Socket timeout handling
|
|
# ==============================================================================
|
|
|
|
# Color definitions
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
CYAN='\033[0;36m'
|
|
MAGENTA='\033[0;35m'
|
|
BOLD='\033[1m'
|
|
NC='\033[0m'
|
|
|
|
# SECHPOINT STEALTH CONFIGURATION
|
|
BASE_DOMAIN="ct.sechpoint.app"
|
|
HUB_DOMAIN="hub.ct.sechpoint.app"
|
|
DOCKER_VERSION="29.2.1"
|
|
LOG_FILE="/var/log/wallarm-deployment.log"
|
|
|
|
# Cloud endpoints
|
|
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com")
|
|
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")
|
|
|
|
INSTANCE_NAME="wallarm-node"
|
|
INSTANCE_DIR="/opt/wallarm"
|
|
|
|
# --- LOGGING ENGINE ---
|
|
log_message() {
|
|
local level="$1"
|
|
local message="$2"
|
|
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
|
|
echo -e "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null
|
|
case "$level" in
|
|
"INFO") echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;;
|
|
"SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;;
|
|
"WARNING") echo -e "${YELLOW}${BOLD}[WARNING]${NC} ${message}" ;;
|
|
"ERROR") echo -e "${RED}${BOLD}[ERROR]${NC} ${message}" ;;
|
|
esac
|
|
}
|
|
|
|
fail_with_remediation() {
|
|
local error="$1"
|
|
local remediation="$2"
|
|
log_message "ERROR" "$error"
|
|
echo -e "\n${RED}${BOLD}REMEDIATION:${NC}\n$remediation\n"
|
|
exit 1
|
|
}
|
|
|
|
# --- PHASE 1: PRE-FLIGHT & DEPENDENCIES ---
|
|
|
|
check_pre_flight() {
|
|
log_message "INFO" "=== PHASE 1: PRE-FLIGHT CHECKS ==="
|
|
|
|
if [[ $EUID -ne 0 ]]; then
|
|
fail_with_remediation "Root privileges required" "Run as sudo."
|
|
fi
|
|
|
|
log_message "INFO" "Checking system dependencies..."
|
|
# Extended dependency list for CentOS 9
|
|
for dep in tar gzip curl libseccomp iptables procps-ng xfsprogs; do
|
|
if ! rpm -q $dep >/dev/null 2>&1 && ! command -v $dep >/dev/null 2>&1; then
|
|
log_message "WARNING" "Missing $dep. Attempting auto-fix..."
|
|
sudo yum install -y $dep || sudo dnf install -y $dep
|
|
fi
|
|
done
|
|
|
|
ARCH=$(uname -m)
|
|
case "$ARCH" in
|
|
x86_64) D_ARCH="x86_64" ;;
|
|
aarch64) D_ARCH="aarch64" ;;
|
|
*) fail_with_remediation "Architecture $ARCH not supported." "Use x86_64 or ARM64." ;;
|
|
esac
|
|
|
|
# Stealth Connectivity Check with Remediation Logic
|
|
log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..."
|
|
if ! curl -IsL --connect-timeout 5 "https://$BASE_DOMAIN" > /dev/null 2>&1; then
|
|
local host_check=$(grep "$BASE_DOMAIN" /etc/hosts)
|
|
if [ -z "$host_check" ]; then
|
|
fail_with_remediation "Proxy Unreachable (DNS Failure)" \
|
|
"The stealth domain $BASE_DOMAIN is not in your /etc/hosts.\nAdd the proxy IP manually:\n echo '1.2.3.4 $BASE_DOMAIN $HUB_DOMAIN' >> /etc/hosts\n(Replace 1.2.3.4 with your actual Sechpoint Proxy IP)"
|
|
else
|
|
fail_with_remediation "Proxy Unreachable (Network Failure)" \
|
|
"Entry found in /etc/hosts, but cannot connect to port 443 on $BASE_DOMAIN.\nCheck Firewall/Security Groups."
|
|
fi
|
|
fi
|
|
|
|
log_message "SUCCESS" "Stealth Proxy is reachable."
|
|
|
|
# Wallarm Cloud Connectivity Check
|
|
log_message "INFO" "Checking Wallarm Cloud reachability..."
|
|
WALLARM_API_CA=""
|
|
for node in "${EU_DATA_NODES[@]}"; do
|
|
if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
|
|
log_message "SUCCESS" "Connected to EU Cloud node: $node"
|
|
WALLARM_API_CA="EU"
|
|
break
|
|
fi
|
|
done
|
|
|
|
if [ -z "$WALLARM_API_CA" ]; then
|
|
for node in "${US_DATA_NODES[@]}"; do
|
|
if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
|
|
log_message "SUCCESS" "Connected to US Cloud node: $node"
|
|
WALLARM_API_CA="US"
|
|
break
|
|
fi
|
|
done
|
|
fi
|
|
}
|
|
|
|
# --- PHASE 2: DOCKER ENGINE (LXC OPTIMIZED) ---
|
|
|
|
setup_docker_engine() {
|
|
log_message "INFO" "=== PHASE 2: DOCKER ENGINE SETUP ==="
|
|
|
|
if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then
|
|
log_message "SUCCESS" "Functional Docker Engine detected."
|
|
return 0
|
|
fi
|
|
|
|
local binary_file="docker-$DOCKER_VERSION.tgz"
|
|
local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"
|
|
|
|
if [[ ! -f "/usr/bin/dockerd" ]]; then
|
|
log_message "INFO" "Fetching binaries from $download_url"
|
|
curl -fL "$download_url" -o "/tmp/$binary_file" || fail_with_remediation "Download failed" "Check Stealth Proxy mapping."
|
|
|
|
log_message "INFO" "Extracting and installing binaries..."
|
|
tar xzvf "/tmp/$binary_file" -C /tmp/ > /dev/null 2>&1
|
|
sudo cp /tmp/docker/* /usr/bin/
|
|
rm -rf /tmp/docker "/tmp/$binary_file"
|
|
fi
|
|
|
|
# LXC Hardening: Force cgroupfs and VFS
|
|
sudo mkdir -p /etc/docker
|
|
sudo tee /etc/docker/daemon.json > /dev/null <<EOF
|
|
{
|
|
"exec-opts": ["native.cgroupdriver=cgroupfs"],
|
|
"storage-driver": "vfs",
|
|
"iptables": false,
|
|
"data-root": "/var/lib/docker",
|
|
"log-driver": "json-file"
|
|
}
|
|
EOF
|
|
|
|
sudo tee /etc/systemd/system/docker.service > /dev/null <<EOF
|
|
[Unit]
|
|
Description=Docker Engine (LXC Stealth)
|
|
After=network.target
|
|
[Service]
|
|
ExecStartPre=/usr/bin/rm -f /var/run/docker.pid /var/run/docker.sock
|
|
ExecStart=/usr/bin/dockerd --group docker
|
|
Restart=on-failure
|
|
LimitNOFILE=infinity
|
|
LimitNPROC=infinity
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
EOF
|
|
|
|
sudo systemctl daemon-reload
|
|
sudo systemctl enable --now docker
|
|
|
|
log_message "INFO" "Waiting for Docker socket readiness..."
|
|
local counter=0
|
|
while [ ! -S /var/run/docker.sock ]; do
|
|
if [ $counter -gt 30 ]; then
|
|
fail_with_remediation "Docker Daemon Timeout" "Daemon failed to start. Run 'journalctl -u docker -n 50' for logs."
|
|
fi
|
|
sleep 1
|
|
((counter++))
|
|
done
|
|
|
|
log_message "SUCCESS" "Docker Engine is operational."
|
|
}
|
|
|
|
# --- PHASE 3: IMAGE PULL ---
|
|
|
|
deploy_wallarm_node() {
|
|
log_message "INFO" "=== PHASE 3: IMAGE RETRIEVAL ==="
|
|
local proxy_img="$HUB_DOMAIN/wallarm/node:latest"
|
|
local local_img="wallarm/node:latest"
|
|
|
|
log_message "INFO" "Pulling Wallarm Node via $HUB_DOMAIN..."
|
|
if ! sudo docker pull "$proxy_img"; then
|
|
fail_with_remediation "Image Pull Failed" "Docker cannot reach $HUB_DOMAIN. Ensure /etc/hosts is mirrored in the container if using custom DNS."
|
|
fi
|
|
|
|
sudo docker tag "$proxy_img" "$local_img"
|
|
sudo docker rmi "$proxy_img"
|
|
log_message "SUCCESS" "Image ready: $local_img"
|
|
}
|
|
|
|
# --- PHASE 4: VERIFICATION ---
|
|
|
|
verify_deployment() {
|
|
log_message "INFO" "=== PHASE 4: VERIFICATION ==="
|
|
if ! sudo docker run --rm wallarm/node:latest /usr/sbin/nginx -v > /dev/null 2>&1; then
|
|
log_message "WARNING" "LXC Runtime test failed. This is common in non-privileged containers."
|
|
else
|
|
log_message "SUCCESS" "LXC Container execution verified."
|
|
fi
|
|
}
|
|
|
|
main() {
|
|
clear
|
|
echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
|
|
echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM BULLETPROOF DEPLOYER ║${NC}"
|
|
echo -e "${CYAN}${BOLD}║ VERSION 1.9 (LXC) ║${NC}"
|
|
echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"
|
|
|
|
check_pre_flight
|
|
setup_docker_engine
|
|
deploy_wallarm_node
|
|
verify_deployment
|
|
|
|
log_message "SUCCESS" "=== DEPLOYMENT COMPLETED SUCCESSFULLY ==="
|
|
}
|
|
|
|
main "$@" |