odin/deploy

#!/bin/bash
# Odin install script.
# From bare metal to complete monitoring.

exec > >(tee -i odin_log.txt)

log() {
    echo -en "\t\e[96m[*] ${1}\e[0m\n"
}

if [ "$#" -lt 2 ]; then
    log "If you want deploy SSL-inspection proxy, provide ICAP_INTERFACE."
    log "Make sure your switch is configured to mirror traffic from this port "
    log "to the TAP_INTERFACE so Bro can see and utilize it's icap analyzer."
    log " ** MUST USE SUDO ** "
    log "usage: sudo ${0} ZFS_DATASET TAP_INTERFACE MGMT_INTERFACE [ICAP_INTERFACE]"
    exit 1
fi

export ZPOOL=${1}
export TAP=${2}
export MGMT=${3}
export ICAP=${4}
export MGMT_IP=$(ip -o -4 a show ${MGMT} | awk '{print $4}' |cut -d '/' -f 1)

source limits
zfs get all ${ZPOOL} >/dev/null || need_zfs ${ZPOOL}

need_zfs() {
    log "ZFS dataset \"${1}\" wasn't found. I suggest you create it and restart the deploy."
    log "Here are the available disks. *** DON'T OVERWRITE YOUR OS! *** :"
    ls -l /dev/disk/by-path/ |egrep -v "total|ata|part" |awk '{print $9, "  ===>  ", $11}'
    exit 1
}


setup_packages() {
    apt-get remove -y snapd
    apt-add-repository -y ppa:ubuntu-lxc/stable
    apt-get update
    apt-get upgrade -y
    apt-get install -y lxd zfsutils-linux htop unzip vim jq httpie prometheus-node-exporter
}


setup_limits_on_profile() {
    cCPU=CPU_${1}
    cMEM=MEM_${1}
    cDISK=DISK_${1}

    lxc profile set ${1} limits.cpu ${!cCPU}
    lxc profile set ${1} limits.memory ${!cMEM}
    lxc profile device set ${1} root size ${!cDISK}
    return
}


setup_lxd() {
    ZPOOL=${1}
    log "Deploying lxd on ${ZPOOL}."
    sed -i 's/Restart=on-failure/Restart=on-failure\nLimitMEMLOCK=infinity/g' /lib/systemd/system/lxd.service
    systemctl daemon-reload
    systemctl restart lxd.service

    lxd init --auto --storage-backend=zfs --storage-pool="${ZPOOL}"
    lxc network create odinbr0 dns.domain="odin" ipv4.address="10.13.37.1/24" ipv4.nat=true ipv6.address=none
    lxc network attach-profile odinbr0 default eth0
    chown -R ${SUDO_USER}:${SUDO_USER} ${HOME}/.config/lxc
}


setup_containers() {
    export BROFACE=${1}
    export ICAPFACE=${2}
    # Order is important - start the pipeline (kafka) first, fsf is before bro because it bro submits files to it, etc...
    export CONTAINERS="kafka elasticsearch graylog fsf ids rita prometheus fouroneone"

    for CON in ${CONTAINERS}; do
        lxc profile copy default ${CON}

        if [[ "${CON}" == "ids" ]]; then
            lxc profile device add ${CON} eth1 nic nictype=physical parent=${BROFACE}
            lxc profile set ${CON} security.privileged true
        elif [[ "${CON}" == "rita" ]]; then
            mkdir -p /var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs
            lxc profile device add ${CON} brologs disk source=/var/lib/lxd/storage-pools/default/containers/ids/rootfs/opt/bro/logs path=/opt/bro/logs
        fi

        setup_limits_on_profile ${CON}
        lxc launch ubuntu:xenial ${CON} -p ${CON}
        lxc file push containers/${CON} ${CON}/

    done

    sleep 10 #startup and DHCP

    for CON in ${CONTAINERS}; do
        log "Installing ${CON}"
        lxc exec ${CON} -- /${CON}
    done

    lxc list -c 4n |egrep -v "NAME|\+" | awk '{print $2, $5}' |tr ' ' '\t' >> /etc/hosts
}

setup_firewall() {
    kibana_ip=$(lxc list -c n4 |awk '/kibana/{print $4}')
    fouroneone_ip=$(lxc list -c n4 |awk '/fouroneone/{print $4}')
    prometheus_ip=$(lxc list -c n4 |awk '/prometheus/{print $4}')

    iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 443  -j DNAT --to-destination ${fouroneone_ip}
    iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 9090 -j DNAT --to-destination ${prometheus_ip}
    iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 3000 -j DNAT --to-destination ${prometheus_ip}
    iptables -t nat -A PREROUTING -i ${MGMT} -p tcp -m tcp --dport 5601 -j DNAT --to-destination ${kibana_ip}
    iptables -t nat -A INPUT      -i ${MGMT} -p tcp -m tcp --dport 22   -j ACCEPT
    iptables-save > /etc/network/iptables.up.rules
    cat > /etc/network/if-pre-up.d/iptablesload <<EOF
#!/bin/sh
iptables-apply
exit 0
EOF
    chmod +x /etc/network/if-pre-up.d/iptablesload
    sed -i "s/MGMT/${MGMT}/g" destroy
}


setup_system() {
    cat >> /etc/sysctl.conf <<EOF
net.ipv4.ip_forward=1
net.ipv4.tcp_mem=182757 243679 365514
net.core.netdev_max_backlog=182757
fs.inotify.max_queued_events=1048576
fs.inotify.max_user_instances=1048576
fs.inotify.max_user_watches=1048576
vm.max_map_count=262144
kernel.dmesg_restrict=1
EOF
    sysctl -p
    cat >> /etc/security/limits.conf <<EOF
# LXD
*           soft 	nofile 	1048576
*           hard 	nofile 	1048576
root        soft 	nofile 	1048576
root        hard 	nofile 	1048576
*           soft 	memlock unlimited
*           hard 	memlock unlimited
EOF

}

sed -i "s/MGMT/${MGMT_IP}/g" containers/prometheus
setup_system
setup_packages
setup_lxd ${ZPOOL}
setup_containers ${TAP} ${ICAP}
setup_firewall