155 lines
4.5 KiB
Bash
Executable File
155 lines
4.5 KiB
Bash
Executable File
#!/bin/bash
|
|
# Odin install script.
|
|
# From bare metal to complete monitoring.
|
|
|
|
exec > >(tee -i odin_log.txt)
|
|
|
|
log() {
|
|
echo -en "\t\e[96m[*] ${1}\e[0m\n"
|
|
}
|
|
|
|
if [ "$#" -lt 2 ]; then
|
|
log "usage: sudo ${0} <zfs_dataset> <tap_interface> <mgmt_interface> <prod|dev>"
|
|
exit 1
|
|
fi
|
|
|
|
set -x
|
|
|
|
export ZPOOL=${1}
|
|
export TAP=${2}
|
|
export MGMT=${3}
|
|
export PROD=${4}
|
|
export MGMT_IP=$(ip -o -4 a show ${MGMT} | awk '{print $4}' |cut -d '/' -f 1)
|
|
export LXC='/snap/bin/lxc'
|
|
if [ ! -z $PROD ]; then
|
|
source limits.prod
|
|
else
|
|
source limits.dev
|
|
fi
|
|
|
|
need_zfs() {
|
|
log "ZFS dataset \"${1}\" wasn't found. I suggest you create it and restart the deploy."
|
|
log "Here are the available disks. *** DON'T OVERWRITE YOUR OS! *** :"
|
|
ls -l /dev/disk/by-path/ |egrep -v "total|part" |awk '{print $9, " ===> ", $11}'
|
|
exit 1
|
|
}
|
|
|
|
|
|
setup_packages() {
|
|
apt-get --purge remove -y lxd lxc-common lxcfs lxd-client
|
|
apt-get update
|
|
apt-get install -y zfsutils-linux htop unzip vim jq httpie prometheus-node-exporter
|
|
apt-get clean
|
|
snap install lxd
|
|
}
|
|
|
|
|
|
setup_limits_on_profile() {
|
|
cCPU=CPU_${1}
|
|
cMEM=MEM_${1}
|
|
cDISK=DISK_${1}
|
|
set -x
|
|
${LXC} profile set ${1} limits.cpu ${!cCPU}
|
|
${LXC} profile set ${1} limits.memory ${!cMEM}
|
|
${LXC} profile device set ${1} root size ${!cDISK}
|
|
set +x
|
|
return
|
|
}
|
|
|
|
|
|
setup_lxd() {
|
|
ZPOOL=${1}
|
|
log "Deploying lxd on ${ZPOOL}."
|
|
lxd init --auto --storage-backend=zfs --storage-pool="${ZPOOL}"
|
|
chown -R ${SUDO_USER}:${SUDO_USER} ${HOME}/.config/lxc
|
|
}
|
|
|
|
|
|
setup_containers() {
|
|
export BROFACE=${1}
|
|
# Order is important - start the pipeline (kafka) first, fsf is before ids because it bro submits files to it, etc...
|
|
export CONTAINERS="kafka elasticsearch logstash kibana fsf ids rita prometheus fouroneone"
|
|
|
|
for CON in ${CONTAINERS}; do
|
|
${LXC} profile copy default ${CON}
|
|
|
|
if [[ "${CON}" == "ids" ]]; then
|
|
echo "ids here"
|
|
${LXC} profile device add ${CON} eth1 nic nictype=physical parent=${BROFACE}
|
|
${LXC} profile set ${CON} security.privileged true
|
|
elif [[ "${CON}" == "rita" ]]; then
|
|
echo "rita here"
|
|
mkdir -p /var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs
|
|
${LXC} profile device add ${CON} brologs disk source=/var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs path=/opt/bro/logs
|
|
fi
|
|
|
|
setup_limits_on_profile ${CON}
|
|
${LXC} launch ubuntu:xenial ${CON} -p ${CON}
|
|
${LXC} file push containers/${CON} ${CON}/
|
|
|
|
done
|
|
|
|
sleep 10 #startup and DHCP
|
|
|
|
for CON in ${CONTAINERS}; do
|
|
log "Installing ${CON}"
|
|
${LXC} exec ${CON} -- /${CON}
|
|
done
|
|
|
|
${LXC} list -c 4n |egrep -v "NAME|\+" | awk '{print $2, $5}' |tr ' ' '\t' >> /etc/hosts
|
|
}
|
|
|
|
setup_firewall() {
|
|
kibana_ip=$(${LXC} list -c n4 |awk '/kibana/{print $4}')
|
|
fouroneone_ip=$(${LXC} list -c n4 |awk '/fouroneone/{print $4}')
|
|
prometheus_ip=$(${LXC} list -c n4 |awk '/prometheus/{print $4}')
|
|
echo $kibana_ip
|
|
|
|
iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 443 -j DNAT --to-destination ${fouroneone_ip}
|
|
iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip}
|
|
iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 3000 -j DNAT --to-destination ${prometheus_ip}
|
|
iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 5601 -j DNAT --to-destination ${kibana_ip}
|
|
iptables -t nat -A INPUT -i ${MGMT} -p tcp -m tcp --dport 22 -j ACCEPT
|
|
iptables-save > /etc/network/iptables.up.rules
|
|
cat > /etc/network/if-pre-up.d/iptablesload <<EOF
|
|
#!/bin/sh
|
|
iptables-apply
|
|
exit 0
|
|
EOF
|
|
chmod +x /etc/network/if-pre-up.d/iptablesload
|
|
sed -i "s/MGMT/${MGMT}/g" destroy
|
|
}
|
|
|
|
|
|
setup_system() {
|
|
cat >> /etc/sysctl.conf <<EOF
|
|
net.ipv4.ip_forward=1
|
|
net.ipv4.tcp_mem=182757 243679 365514
|
|
net.core.netdev_max_backlog=182757
|
|
fs.inotify.max_queued_events=1048576
|
|
fs.inotify.max_user_instances=1048576
|
|
fs.inotify.max_user_watches=1048576
|
|
vm.max_map_count=262144
|
|
kernel.dmesg_restrict=1
|
|
EOF
|
|
sysctl -p
|
|
cat >> /etc/security/limits.conf <<EOF
|
|
# LXD
|
|
* soft nofile 1048576
|
|
* hard nofile 1048576
|
|
root soft nofile 1048576
|
|
root hard nofile 1048576
|
|
* soft memlock unlimited
|
|
* hard memlock unlimited
|
|
EOF
|
|
|
|
}
|
|
|
|
sed -i "s/MGMT/${MGMT_IP}/g" containers/prometheus
|
|
setup_system
|
|
setup_packages
|
|
zfs get all ${ZPOOL} >/dev/null || need_zfs ${ZPOOL}
|
|
setup_lxd ${ZPOOL}
|
|
setup_containers ${TAP}
|
|
setup_firewall
|