From 41a9162c9c72e8877344a3f9f2010444e821f044 Mon Sep 17 00:00:00 2001
From: Shane Peters
Date: Sat, 12 Jan 2019 15:50:03 -0500
Subject: [PATCH] switch to lxd snap instead of ppa
---
 containers/elasticsearch | 0
 containers/fouroneone | 0
 containers/fsf | 0
 containers/ids | 0
 containers/kafka | 0
 containers/kibana | 0
 containers/logstash | 0
 containers/prometheus | 4 +--
 containers/rita | 0
 deploy | 68 ++++++++++++++++++----------------------
 destroy | 16 +++-------
 limits | 38 ++++++++++------------
 12 files changed, 53 insertions(+), 73 deletions(-)
 mode change 100644 => 100755 containers/elasticsearch
 mode change 100644 => 100755 containers/fouroneone
 mode change 100644 => 100755 containers/fsf
 mode change 100644 => 100755 containers/ids
 mode change 100644 => 100755 containers/kafka
 mode change 100644 => 100755 containers/kibana
 mode change 100644 => 100755 containers/logstash
 mode change 100644 => 100755 containers/prometheus
 mode change 100644 => 100755 containers/rita
diff --git a/containers/elasticsearch b/containers/elasticsearch
old mode 100644
new mode 100755
diff --git a/containers/fouroneone b/containers/fouroneone
old mode 100644
new mode 100755
diff --git a/containers/fsf b/containers/fsf
old mode 100644
new mode 100755
diff --git a/containers/ids b/containers/ids
old mode 100644
new mode 100755
diff --git a/containers/kafka b/containers/kafka
old mode 100644
new mode 100755
diff --git a/containers/kibana b/containers/kibana
old mode 100644
new mode 100755
diff --git a/containers/logstash b/containers/logstash
old mode 100644
new mode 100755
diff --git a/containers/prometheus b/containers/prometheus
old mode 100644
new mode 100755
index 28d96ec..4723120
--- a/containers/prometheus
+++ b/containers/prometheus
@@ -31,7 +31,7 @@ global:
 scrape_configs:
 - job_name: odin
 target_groups:
- - targets: ['MGMT:9100']
+ - targets: ['10.0.2.15:9100']
 - targets: ['localhost:9100']
 - targets: ['bro:9100']
 - targets: ['kafka:9100']
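Review bot: The management-host scrape target is now the literal `10.0.2.15:9100`, so the `MGMT` placeholder that `deploy` still rewrites with `sed -i "s/MGMT/${MGMT_IP}/g" containers/prometheus` no longer matches and that sed becomes a no-op. Every deployment will then scrape the same fixed address (it looks like a VirtualBox NAT default, so it is only right on that one VM), and on a real sensor that may be a host you never intended to reach. Keep `- targets: ['MGMT:9100']` here and let `deploy` substitute it, or replace both the placeholder and the sed with one explicit variable. This target list sits inside a heredoc whose start is outside the hunk.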
@@ -39,8 +39,6 @@ scrape_configs:
 - targets: ['logstash:9100']
 - targets: ['kibana:9100']
 - targets: ['fsf:9100']
- #- targets: ['icap:9100']
- #- targets: ['squid:9100']
 - targets: ['rita:9100']
 - targets: ['fouroneone:9100']
 EOF
diff --git a/containers/rita b/containers/rita
old mode 100644
new mode 100755
diff --git a/deploy b/deploy
index f5f75c5..c5d6a41 100755
--- a/deploy
+++ b/deploy
@@ -9,37 +9,31 @@ log() {
 }
 if [ "$#" -lt 2 ]; then
- log "If you want deploy SSL-inspection proxy, provide ICAP_INTERFACE."
- log "Make sure your switch is configured to mirror traffic from this port "
- log "to the TAP_INTERFACE so Bro can see and utilize it's icap analyzer."
- log " ** MUST USE SUDO ** "
- log "usage: sudo ${0} ZFS_DATASET TAP_INTERFACE MGMT_INTERFACE [ICAP_INTERFACE]"
+ log "usage: sudo ${0} ZFS_DATASET TAP_INTERFACE MGMT_INTERFACE"
 exit 1
 fi
 export ZPOOL=${1}
 export TAP=${2}
 export MGMT=${3}
-export ICAP=${4}
 export MGMT_IP=$(ip -o -4 a show ${MGMT} | awk '{print $4}' |cut -d '/' -f 1)
-
+export LXC='/snap/bin/lxc'
 source limits
-zfs get all ${ZPOOL} >/dev/null || need_zfs ${ZPOOL}
 need_zfs() {
 log "ZFS dataset \"${1}\" wasn't found. I suggest you create it and restart the deploy."
 log "Here are the available disks. *** DON'T OVERWRITE YOUR OS! *** :"
- ls -l /dev/disk/by-path/ |egrep -v "total|ata|part" |awk '{print $9, " ===> ", $11}'
+ ls -l /dev/disk/by-path/ |egrep -v "total|part" |awk '{print $9, " ===> ", $11}'
 exit 1
 }
 setup_packages() {
- apt-get remove -y snapd
- apt-add-repository -y ppa:ubuntu-lxc/stable
+ apt-get --purge remove -y lxd lxc-common lxcfs lxd-client
 apt-get update
- apt-get upgrade -y
- apt-get install -y lxd zfsutils-linux htop unzip vim jq httpie prometheus-node-exporter
+ apt-get install -y zfsutils-linux htop unzip vim jq httpie prometheus-node-exporter
+ apt-get clean
+ snap install lxd
 }
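Review bot: The guard still reads `if [ "$#" -lt 2 ]; then` although the new usage line and `export MGMT=${3}` make three arguments mandatory, so `sudo ./deploy tank/lxd eth1` passes the check with an empty `MGMT`, `MGMT_IP` comes back empty, and the `-i ${MGMT}` DNAT rules in `setup_firewall` are built against a missing interface; change it to `if [[ "$#" -lt 3 ]]; then`. The `** MUST USE SUDO **` line is dropped without adding a real check, yet `apt-get --purge remove`, `snap install lxd`, iptables and the later `chown -R ${SUDO_USER}` all need root, so add `[[ ${EUID} -eq 0 && -n ${SUDO_USER} ]] || { log "run this script via sudo"; exit 1; }` next to the guard. `apt-get upgrade -y` is also gone, which means the sensor host no longer picks up pending security updates during deploy; if that is deliberate it deserves a comment, since a box that sees mirrored traffic should not default to unpatched. Finally, removing `ata` from the `egrep -v` filter in `need_zfs` makes the "DON'T OVERWRITE YOUR OS" listing include the SATA disks the OS most likely lives on — worth confirming that is intended.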
@@ -47,10 +41,11 @@ setup_limits_on_profile() {
 cCPU=CPU_${1}
 cMEM=MEM_${1}
 cDISK=DISK_${1}
-
- lxc profile set ${1} limits.cpu ${!cCPU}
- lxc profile set ${1} limits.memory ${!cMEM}
- lxc profile device set ${1} root size ${!cDISK}
+ set -x
+ ${LXC} profile set ${1} limits.cpu ${!cCPU}
+ ${LXC} profile set ${1} limits.memory ${!cMEM}
+ ${LXC} profile device set ${1} root size ${!cDISK}
+ set +x
 return
 }
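Review bot: The `set -x` / `set +x` pair around the three `${LXC} profile` calls is debug tracing left in the deploy path, and the unconditional `set +x` also switches tracing off for a caller that ran `bash -x deploy`. If the intent is to show which limits are applied, log them instead, `log "${1}: cpu=${!cCPU} mem=${!cMEM} disk=${!cDISK}"`, and drop both `set` lines. The indirect expansions are still unquoted, so a container name with no `CPU_*`/`MEM_*`/`DISK_*` triple in `limits` runs `profile set ${1} limits.cpu` with a missing value and the script carries on (no `set -e` is in view); a guard such as `: "${!cCPU:?no CPU limit for ${1} in limits}"` before the calls turns that into an explicit failure.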
@@ -58,37 +53,34 @@ setup_limits_on_profile() {
 setup_lxd() {
 ZPOOL=${1}
 log "Deploying lxd on ${ZPOOL}."
- sed -i 's/Restart=on-failure/Restart=on-failure\nLimitMEMLOCK=infinity/g' /lib/systemd/system/lxd.service
- systemctl daemon-reload
- systemctl restart lxd.service
- lxd init --auto --storage-backend=zfs --storage-pool="${ZPOOL}"
- lxc network create odinbr0 dns.domain="odin" ipv4.address="10.13.37.1/24" ipv4.nat=true ipv6.address=none
- lxc network attach-profile odinbr0 default eth0
+ ${LXC} network create odinbr0 dns.domain="odin" ipv4.address="10.13.37.1/24" ipv4.nat=true ipv6.address=none
+ ${LXC} network attach-profile odinbr0 default eth0
 chown -R ${SUDO_USER}:${SUDO_USER} ${HOME}/.config/lxc
 }
 setup_containers() {
 export BROFACE=${1}
- export ICAPFACE=${2}
 # Order is important - start the pipeline (kafka) first, fsf is before bro because it bro submits files to it, etc...
- export CONTAINERS="kafka elasticsearch logstash fsf ids rita prometheus fouroneone"
+ export CONTAINERS="kafka elasticsearch logstash kibana fsf ids rita prometheus fouroneone"
 for CON in ${CONTAINERS}; do
- lxc profile copy default ${CON}
+ ${LXC} profile copy default ${CON}
 if [[ "${CON}" == "ids" ]]; then
- lxc profile device add ${CON} eth1 nic nictype=physical parent=${BROFACE}
- lxc profile set ${CON} security.privileged true
+ echo "ids here"
+ ${LXC} profile device add ${CON} eth1 nic nictype=physical parent=${BROFACE}
+ ${LXC} profile set ${CON} security.privileged true
 elif [[ "${CON}" == "rita" ]]; then
+ echo "rita here"
 mkdir -p /var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs
- lxc profile device add ${CON} brologs disk source=/var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs path=/opt/bro/logs
+ ${LXC} profile device add ${CON} brologs disk source=/var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs path=/opt/bro/logs
 fi
 setup_limits_on_profile ${CON}
- lxc launch ubuntu:xenial ${CON} -p ${CON}
- lxc file push 
containers/${CON} ${CON}/
+ ${LXC} launch ubuntu:xenial ${CON} -p ${CON}
+ ${LXC} file push containers/${CON} ${CON}/
 done
@@ -96,16 +88,17 @@ setup_containers() {
 for CON in ${CONTAINERS}; do
 log "Installing ${CON}"
- lxc exec ${CON} -- /${CON}
+ ${LXC} exec ${CON} -- /${CON}
 done
- lxc list -c 4n |egrep -v "NAME|\+" | awk '{print $2, $5}' |tr ' ' '\t' >> /etc/hosts
+ ${LXC} list -c 4n |egrep -v "NAME|\+" | awk '{print $2, $5}' |tr ' ' '\t' >> /etc/hosts
 }
 setup_firewall() {
- kibana_ip=$(lxc list -c n4 |awk '/kibana/{print $4}')
- fouroneone_ip=$(lxc list -c n4 |awk '/fouroneone/{print $4}')
- prometheus_ip=$(lxc list -c n4 |awk '/prometheus/{print $4}')
+ kibana_ip=$(${LXC} list -c n4 |awk '/kibana/{print $4}')
+ fouroneone_ip=$(${LXC} list -c n4 |awk '/fouroneone/{print $4}')
+ prometheus_ip=$(${LXC} list -c n4 |awk '/prometheus/{print $4}')
+ echo $kibana_ip
 iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip}
 iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip}
@@ -150,6 +143,7 @@ EOF
 sed -i "s/MGMT/${MGMT_IP}/g" containers/prometheus
 setup_system
 setup_packages
+zfs get all ${ZPOOL} >/dev/null || need_zfs ${ZPOOL}
 setup_lxd ${ZPOOL}
-setup_containers ${TAP} ${ICAP}
+setup_containers ${TAP}
 setup_firewall
diff --git a/destroy b/destroy
index cfb5653..58543d8 100755
--- a/destroy
+++ b/destroy
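Review bot: With the move to the snap, `setup_lxd` no longer initialises LXD at all: the `lxd init --auto --storage-backend=zfs --storage-pool="${ZPOOL}"` line is removed and nothing replaces it, so `${ZPOOL}` is only logged and the containers are launched on whatever storage a fresh snap offers instead of the ZFS dataset the script validates. Add `/snap/bin/lxd init --auto --storage-backend=zfs --storage-pool="${ZPOOL}"` before the `${LXC} network create` line. In the same hunk the rita bind mount still points at `/var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs`, which is the deb package's tree; the snap keeps its state under `/var/snap/lxd/common/lxd/` (verify on the target host), so `mkdir -p` silently creates an empty host directory and rita never sees the IDS logs — a plain host directory mounted into both `ids` and `rita` would avoid reaching into another container's rootfs altogether. The `echo "ids here"` / `echo "rita here"` lines look like leftover debugging. `setup_containers` continues past this hunk.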
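Review bot: `echo $kibana_ip` in `setup_firewall` is leftover debugging and should go, but the bigger issue is that the three `*_ip` values are fed straight into `--to-destination` with no check that `${LXC} list` actually returned an address. If a container has not obtained a lease yet, the 443/9090/5601 DNAT rules are created with an empty destination or iptables fails and the script (with no `set -e` in view) continues, leaving the management-side exposure silently wrong; guard each value, e.g. `: "${kibana_ip:?kibana has no IPv4 address yet}"`. `awk '/kibana/'` also matches any row containing that substring rather than the exact container name, so an exact query such as `${LXC} list kibana -c 4 --format csv` (if your LXD supports it) is safer. The `>> /etc/hosts` append in the same hunk grows the file on every run, so a re-run leaves stale entries ahead of the new ones. `setup_firewall` continues past this hunk.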
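Review bot: Moving `zfs get all ${ZPOOL} >/dev/null || need_zfs ${ZPOOL}` after `setup_packages` is the right place for `zfsutils-linux` to be present, but it means `apt-get --purge remove -y lxd lxc-common lxcfs lxd-client` and `snap install lxd` have already rewritten the host before a mistyped dataset name aborts the run. Either install only `zfsutils-linux` first, run the check, and then do the purge/snap steps, or have `need_zfs` state that the package changes already happened. The `sed -i "s/MGMT/${MGMT_IP}/g" containers/prometheus` line just above is now a no-op because the tracked file no longer contains the `MGMT` placeholder.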
@@ -19,13 +19,13 @@ kibana_ip=$(lxc list -c n4 |awk '/kibana/{print $4}')
 fouroneone_ip=$(lxc list -c n4 |awk '/fouroneone/{print $4}')
 prometheus_ip=$(lxc list -c n4 |awk '/prometheus/{print $4}')
-iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip}
-iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip}
-iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 3000 -j DNAT --to-destination ${prometheus_ip}
-iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 5601 -j DNAT --to-destination ${kibana_ip}
+iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip}
+iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip}
+iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 3000 -j DNAT --to-destination ${prometheus_ip}
+iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 5601 -j DNAT --to-destination ${kibana_ip}
 iptables-save > /etc/network/iptables.up.rules
-export CONTAINERS=" bro kafka elasticsearch logstash kibana fouroneone icap squid rita fsf prometheus"
+export CONTAINERS=" bro kafka elasticsearch logstash kibana fouroneone rita fsf prometheus"
 for CONT in ${CONTAINERS}; do
 echo "Destroying ${CONT}"
 lxc stop ${CONT} 2>/dev/null
@@ -34,13 +34,7 @@ done
 sudo kill -9 `ps ax |awk '/odinbr0/{print $1}' | head -1`
 ip link del dev odinbr0
-systemctl stop lxd.socket
-systemctl stop lxd.service
 zfs destroy -r tank/lxd
-rm -rf /var/lib/lxd
-
-sed -i 's/LimitMEMLOCK=infinity//g' /lib/systemd/system/lxd.service
-systemctl daemon-reload
 echo -e "\e[0m"
diff --git a/limits b/limits
index 8d18d15..d3c0661 100644
--- a/limits
+++ b/limits
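Review bot: `CONTAINERS` here still starts with `bro`, but `deploy` in this same patch launches the IDS as `ids` (the one container that is `security.privileged true` and owns the physical capture NIC), so `destroy` never stops or deletes it; use `export CONTAINERS="ids kafka elasticsearch logstash kibana fouroneone rita fsf prometheus"`. The management interface is now hard-coded as `enp0s3` while `deploy` takes it as `${3}`; a rule deleted against the wrong interface name leaves the 443/9090/3000/5601 DNAT exposures in place after the containers are gone, so take the interface as an argument (or read it back from the saved rules) rather than baking in a name that looks VM-specific. `destroy` also keeps calling the bare `lxc`, which after the switch to the snap is `/snap/bin/lxc` and may not be on root's `PATH` under `sudo`.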
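Review bot: The `systemctl stop lxd.*` lines are removed but nothing stops the snap's daemon, so `zfs destroy -r tank/lxd` now rips the dataset out from under a running LXD that still records its storage pool in its database, and the next `deploy` will find the snap already installed with pool metadata pointing at a dataset that no longer exists. Tear LXD down through its own interface — `lxc storage delete default` once the containers are gone, then `snap remove lxd` (with `--purge` if your snapd supports it) — and drop the raw `zfs destroy`, or at minimum `snap stop lxd` before it. `tank/lxd` is also a hard-coded dataset while `deploy` takes `ZFS_DATASET` as `${1}`, so the two scripts can disagree about what gets wiped; a destructive command like this should use the same parameter, guarded as `zfs destroy -r "${ZPOOL:?}"`. The pre-existing `sudo kill -9` of whatever process mentions `odinbr0` (presumably LXD's dnsmasq) becomes unnecessary if the network is removed with `lxc network delete odinbr0` instead of `ip link del`.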
@@ -1,36 +1,30 @@
-export CPU_bro="6"
+export CPU_ids="2"
 export CPU_kafka="2"
-export CPU_elasticsearch="4"
-export CPU_logstash="1"
+export CPU_elasticsearch="2"
+export CPU_logstash="2"
 export CPU_kibana="2"
 export CPU_fouroneone="2"
-export CPU_icap="2"
-export CPU_squid="2"
-export CPU_rita="4"
-export CPU_fsf="4"
+export CPU_rita="2"
+export CPU_fsf="2"
 export CPU_prometheus="2"
-export MEM_bro="8192MB"
+export MEM_ids="1024MB"
 export MEM_kafka="1024MB"
-export MEM_elasticsearch="16384MB"
+export MEM_elasticsearch="4192MB"
 export MEM_logstash="1024MB"
 export MEM_kibana="1024MB"
 export MEM_fouroneone="2048MB"
-export MEM_icap="512MB"
-export MEM_squid="4096MB"
-export MEM_rita="8192MB"
-export MEM_fsf="4096MB"
-export MEM_prometheus="2048MB"
+export MEM_rita="2048MB"
+export MEM_fsf="1024MB"
+export MEM_prometheus="1024MB"
-export DISK_bro="20GB"
-export DISK_kafka="20GB"
-export DISK_elasticsearch="250GB"
+export DISK_ids="10GB"
+export DISK_kafka="10GB"
+export DISK_elasticsearch="20GB"
 export DISK_logstash="10GB"
 export DISK_kibana="10GB"
 export DISK_fouroneone="10GB"
-export DISK_icap="10GB"
-export DISK_squid="20GB"
-export DISK_rita="120GB"
-export DISK_fsf="80GB"
-export DISK_prometheus="60GB"
+export DISK_rita="10GB"
+export DISK_fsf="10GB"
+export DISK_prometheus="10GB"
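Review bot: `export MEM_elasticsearch="4192MB"` looks like a typo for `4096MB` — every other value in the file is a 1024-multiple. Renaming the `bro` triple to `ids` matches `deploy`'s `CONTAINERS` list, but `destroy` in this same patch still iterates over `bro`, so that script will not tear the IDS container down until its list is updated too. Because `deploy` sources this file and expands `CPU_${1}` / `MEM_${1}` / `DISK_${1}` indirectly, any container added to `CONTAINERS` without a matching triple here gets `lxc profile set ... limits.cpu` with a missing value and, absent `set -e`, is launched anyway; a one-line header comment, `# one CPU_/MEM_/DISK_ triple per name in deploy's CONTAINERS list`, would make that contract visible.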