shane/odin
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

switch to lxd snap instead of ppa

Browse Source
This commit is contained in:
Shane Peters
2019-01-12 15:50:03 -05:00
parent 1b48e3fed0
commit 41a9162c9c
12 changed files with 53 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
containers/elasticsearch Normal file → Executable file
View File

0
containers/fouroneone Normal file → Executable file
View File

0
containers/fsf Normal file → Executable file
View File

0
containers/ids Normal file → Executable file
View File

0
containers/kafka Normal file → Executable file
View File

0
containers/kibana Normal file → Executable file
View File

0
containers/logstash Normal file → Executable file
View File

4
containers/prometheus Normal file → Executable file
View File

@@ -31,7 +31,7 @@ global:
scrape_configs: scrape_configs:
- job_name: odin - job_name: odin
target_groups: target_groups:
- targets: ['MGMT:9100'] - targets: ['10.0.2.15:9100']
- targets: ['localhost:9100'] - targets: ['localhost:9100']
- targets: ['bro:9100'] - targets: ['bro:9100']
- targets: ['kafka:9100'] - targets: ['kafka:9100']
@@ -39,8 +39,6 @@ scrape_configs:
- targets: ['logstash:9100'] - targets: ['logstash:9100']
- targets: ['kibana:9100'] - targets: ['kibana:9100']
- targets: ['fsf:9100'] - targets: ['fsf:9100']
#- targets: ['icap:9100']
#- targets: ['squid:9100']
- targets: ['rita:9100'] - targets: ['rita:9100']
- targets: ['fouroneone:9100'] - targets: ['fouroneone:9100']
EOF EOF

0
containers/rita Normal file → Executable file
View File

68
deploy
View File

@@ -9,37 +9,31 @@ log() {
} }
if [ "$#" -lt 2 ]; then if [ "$#" -lt 2 ]; then
log "If you want deploy SSL-inspection proxy, provide ICAP_INTERFACE." log "usage: sudo ${0} ZFS_DATASET TAP_INTERFACE MGMT_INTERFACE"
log "Make sure your switch is configured to mirror traffic from this port "
log "to the TAP_INTERFACE so Bro can see and utilize it's icap analyzer."
log " ** MUST USE SUDO ** "
log "usage: sudo ${0} ZFS_DATASET TAP_INTERFACE MGMT_INTERFACE [ICAP_INTERFACE]"
exit 1 exit 1
fi fi
export ZPOOL=${1} export ZPOOL=${1}
export TAP=${2} export TAP=${2}
export MGMT=${3} export MGMT=${3}
export ICAP=${4}
export MGMT_IP=$(ip -o -4 a show ${MGMT} | awk '{print $4}' |cut -d '/' -f 1) export MGMT_IP=$(ip -o -4 a show ${MGMT} | awk '{print $4}' |cut -d '/' -f 1)
export LXC='/snap/bin/lxc'
source limits source limits
zfs get all ${ZPOOL} >/dev/null || need_zfs ${ZPOOL}
need_zfs() { need_zfs() {
log "ZFS dataset \"${1}\" wasn't found. I suggest you create it and restart the deploy." log "ZFS dataset \"${1}\" wasn't found. I suggest you create it and restart the deploy."
log "Here are the available disks. *** DON'T OVERWRITE YOUR OS! *** :" log "Here are the available disks. *** DON'T OVERWRITE YOUR OS! *** :"
ls -l /dev/disk/by-path/ |egrep -v "total|ata|part" |awk '{print $9, " ===> ", $11}' ls -l /dev/disk/by-path/ |egrep -v "total|part" |awk '{print $9, " ===> ", $11}'
exit 1 exit 1
} }
setup_packages() { setup_packages() {
apt-get remove -y snapd apt-get --purge remove -y lxd lxc-common lxcfs lxd-client
apt-add-repository -y ppa:ubuntu-lxc/stable
apt-get update apt-get update
apt-get upgrade -y apt-get install -y zfsutils-linux htop unzip vim jq httpie prometheus-node-exporter
apt-get install -y lxd zfsutils-linux htop unzip vim jq httpie prometheus-node-exporter apt-get clean
snap install lxd
} }
@@ -47,10 +41,11 @@ setup_limits_on_profile() {
cCPU=CPU_${1} cCPU=CPU_${1}
cMEM=MEM_${1} cMEM=MEM_${1}
cDISK=DISK_${1} cDISK=DISK_${1}
set -x
lxc profile set ${1} limits.cpu ${!cCPU} ${LXC} profile set ${1} limits.cpu ${!cCPU}
lxc profile set ${1} limits.memory ${!cMEM} ${LXC} profile set ${1} limits.memory ${!cMEM}
lxc profile device set ${1} root size ${!cDISK} ${LXC} profile device set ${1} root size ${!cDISK}
set +x
return return
} }
@@ -58,37 +53,34 @@ setup_limits_on_profile() {
setup_lxd() { setup_lxd() {
ZPOOL=${1} ZPOOL=${1}
log "Deploying lxd on ${ZPOOL}." log "Deploying lxd on ${ZPOOL}."
sed -i 's/Restart=on-failure/Restart=on-failure\nLimitMEMLOCK=infinity/g' /lib/systemd/system/lxd.service
systemctl daemon-reload
systemctl restart lxd.service
lxd init --auto --storage-backend=zfs --storage-pool="${ZPOOL}" lxd init --auto --storage-backend=zfs --storage-pool="${ZPOOL}"
lxc network create odinbr0 dns.domain="odin" ipv4.address="10.13.37.1/24" ipv4.nat=true ipv6.address=none ${LXC} network create odinbr0 dns.domain="odin" ipv4.address="10.13.37.1/24" ipv4.nat=true ipv6.address=none
lxc network attach-profile odinbr0 default eth0 ${LXC} network attach-profile odinbr0 default eth0
chown -R ${SUDO_USER}:${SUDO_USER} ${HOME}/.config/lxc chown -R ${SUDO_USER}:${SUDO_USER} ${HOME}/.config/lxc
} }
setup_containers() { setup_containers() {
export BROFACE=${1} export BROFACE=${1}
export ICAPFACE=${2}
# Order is important - start the pipeline (kafka) first, fsf is before bro because it bro submits files to it, etc... # Order is important - start the pipeline (kafka) first, fsf is before bro because it bro submits files to it, etc...
export CONTAINERS="kafka elasticsearch logstash fsf ids rita prometheus fouroneone" export CONTAINERS="kafka elasticsearch logstash kibana fsf ids rita prometheus fouroneone"
for CON in ${CONTAINERS}; do for CON in ${CONTAINERS}; do
lxc profile copy default ${CON} ${LXC} profile copy default ${CON}
if [[ "${CON}" == "ids" ]]; then if [[ "${CON}" == "ids" ]]; then
lxc profile device add ${CON} eth1 nic nictype=physical parent=${BROFACE} echo "ids here"
lxc profile set ${CON} security.privileged true ${LXC} profile device add ${CON} eth1 nic nictype=physical parent=${BROFACE}
${LXC} profile set ${CON} security.privileged true
elif [[ "${CON}" == "rita" ]]; then elif [[ "${CON}" == "rita" ]]; then
echo "rita here"
mkdir -p /var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs mkdir -p /var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs
lxc profile device add ${CON} brologs disk source=/var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs path=/opt/bro/logs ${LXC} profile device add ${CON} brologs disk source=/var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs path=/opt/bro/logs
fi fi
setup_limits_on_profile ${CON} setup_limits_on_profile ${CON}
lxc launch ubuntu:xenial ${CON} -p ${CON} ${LXC} launch ubuntu:xenial ${CON} -p ${CON}
lxc file push containers/${CON} ${CON}/ ${LXC} file push containers/${CON} ${CON}/
done done
@@ -96,16 +88,17 @@ setup_containers() {
for CON in ${CONTAINERS}; do for CON in ${CONTAINERS}; do
log "Installing ${CON}" log "Installing ${CON}"
lxc exec ${CON} -- /${CON} ${LXC} exec ${CON} -- /${CON}
done done
lxc list -c 4n |egrep -v "NAME|\+" | awk '{print $2, $5}' |tr ' ' '\t' >> /etc/hosts ${LXC} list -c 4n |egrep -v "NAME|\+" | awk '{print $2, $5}' |tr ' ' '\t' >> /etc/hosts
} }
setup_firewall() { setup_firewall() {
kibana_ip=$(lxc list -c n4 |awk '/kibana/{print $4}') kibana_ip=$(${LXC} list -c n4 |awk '/kibana/{print $4}')
fouroneone_ip=$(lxc list -c n4 |awk '/fouroneone/{print $4}') fouroneone_ip=$(${LXC} list -c n4 |awk '/fouroneone/{print $4}')
prometheus_ip=$(lxc list -c n4 |awk '/prometheus/{print $4}') prometheus_ip=$(${LXC} list -c n4 |awk '/prometheus/{print $4}')
echo $kibana_ip
iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip} iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip}
iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip} iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip}
@@ -150,6 +143,7 @@ EOF
sed -i "s/MGMT/${MGMT_IP}/g" containers/prometheus sed -i "s/MGMT/${MGMT_IP}/g" containers/prometheus
setup_system setup_system
setup_packages setup_packages
zfs get all ${ZPOOL} >/dev/null || need_zfs ${ZPOOL}
setup_lxd ${ZPOOL} setup_lxd ${ZPOOL}
setup_containers ${TAP} ${ICAP} setup_containers ${TAP}
setup_firewall setup_firewall

16
destroy
View File

@@ -19,13 +19,13 @@ kibana_ip=$(lxc list -c n4 |awk '/kibana/{print $4}')
fouroneone_ip=$(lxc list -c n4 |awk '/fouroneone/{print $4}') fouroneone_ip=$(lxc list -c n4 |awk '/fouroneone/{print $4}')
prometheus_ip=$(lxc list -c n4 |awk '/prometheus/{print $4}') prometheus_ip=$(lxc list -c n4 |awk '/prometheus/{print $4}')
iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip} iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip}
iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip} iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip}
iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 3000 -j DNAT --to-destination ${prometheus_ip} iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 3000 -j DNAT --to-destination ${prometheus_ip}
iptables -t nat -D PREROUTING -i MGMT -p tcp -m tcp --dport 5601 -j DNAT --to-destination ${kibana_ip} iptables -t nat -D PREROUTING -i enp0s3 -p tcp -m tcp --dport 5601 -j DNAT --to-destination ${kibana_ip}
iptables-save > /etc/network/iptables.up.rules iptables-save > /etc/network/iptables.up.rules
export CONTAINERS=" bro kafka elasticsearch logstash kibana fouroneone icap squid rita fsf prometheus" export CONTAINERS=" bro kafka elasticsearch logstash kibana fouroneone rita fsf prometheus"
for CONT in ${CONTAINERS}; do for CONT in ${CONTAINERS}; do
echo "Destroying ${CONT}" echo "Destroying ${CONT}"
lxc stop ${CONT} 2>/dev/null lxc stop ${CONT} 2>/dev/null
@@ -34,13 +34,7 @@ done
sudo kill -9 `ps ax |awk '/odinbr0/{print $1}' | head -1` sudo kill -9 `ps ax |awk '/odinbr0/{print $1}' | head -1`
ip link del dev odinbr0 ip link del dev odinbr0
systemctl stop lxd.socket
systemctl stop lxd.service
zfs destroy -r tank/lxd zfs destroy -r tank/lxd
rm -rf /var/lib/lxd
sed -i 's/LimitMEMLOCK=infinity//g' /lib/systemd/system/lxd.service
systemctl daemon-reload
echo -e "\e[0m" echo -e "\e[0m"

38
limits
View File

@@ -1,36 +1,30 @@
export CPU_bro="6" export CPU_ids="2"
export CPU_kafka="2" export CPU_kafka="2"
export CPU_elasticsearch="4" export CPU_elasticsearch="2"
export CPU_logstash="1" export CPU_logstash="2"
export CPU_kibana="2" export CPU_kibana="2"
export CPU_fouroneone="2" export CPU_fouroneone="2"
export CPU_icap="2" export CPU_rita="2"
export CPU_squid="2" export CPU_fsf="2"
export CPU_rita="4"
export CPU_fsf="4"
export CPU_prometheus="2" export CPU_prometheus="2"
export MEM_bro="8192MB" export MEM_ids="1024MB"
export MEM_kafka="1024MB" export MEM_kafka="1024MB"
export MEM_elasticsearch="16384MB" export MEM_elasticsearch="4192MB"
export MEM_logstash="1024MB" export MEM_logstash="1024MB"
export MEM_kibana="1024MB" export MEM_kibana="1024MB"
export MEM_fouroneone="2048MB" export MEM_fouroneone="2048MB"
export MEM_icap="512MB" export MEM_rita="2048MB"
export MEM_squid="4096MB" export MEM_fsf="1024MB"
export MEM_rita="8192MB" export MEM_prometheus="1024MB"
export MEM_fsf="4096MB"
export MEM_prometheus="2048MB"
export DISK_bro="20GB" export DISK_ids="10GB"
export DISK_kafka="20GB" export DISK_kafka="10GB"
export DISK_elasticsearch="250GB" export DISK_elasticsearch="20GB"
export DISK_logstash="10GB" export DISK_logstash="10GB"
export DISK_kibana="10GB" export DISK_kibana="10GB"
export DISK_fouroneone="10GB" export DISK_fouroneone="10GB"
export DISK_icap="10GB" export DISK_rita="10GB"
export DISK_squid="20GB" export DISK_fsf="10GB"
export DISK_rita="120GB" export DISK_prometheus="10GB"
export DISK_fsf="80GB"
export DISK_prometheus="60GB"