github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
openappsec/nodes/orchestration/package/orchestration_package.sh
avigailo a9e186b824 Add prometheus support
2025-05-27 17:45:05 +03:00

1347 lines
54 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# Copyright Check Point Software Technologies LTD
FILESYSTEM_PATH="/etc/cp"
LOG_FILE_PATH="/var/log"
SMB_LOG_FILE_PATH="/storage"
USR_LIB_PATH="/usr/lib"
USR_SBIN_PATH="/usr/sbin"
INIT_D_PATH="/etc/init.d"
NANO_AGENT_SERVICE_NAME="nano_agent"
NANO_AGENT_SERVICE_FILE="${NANO_AGENT_SERVICE_NAME}.service"
CONF_PATH="conf"
CERTS_PATH="certs"
DATA_PATH="data"
LOG_PATH="nano_agent"
SCRIPTS_PATH="scripts"
WATCHDOG_PATH="watchdog"
SERVICE_PATH="orchestration"
DBG_FILE_PATH="${LOG_PATH}/cp-nano-orchestration.dbg"
ENV_DETAILS_FILE="${CONF_PATH}/environment-details.cfg"
TMP_FOLDER="/tmp"
WATCHDOG_MAX_ROTATIONS=10
WATCHDOG_MAX_FILE_SIZE=4096
FORCE_CLEAN_FLAG='^(--force-clean|-f)$'
VS_ID=""
VS_LIB_SUB_FOLDER=
is_wlp_orchestration="false"
ORCHESTRATION_EXE_SOURCE_PATH="./bin/orchestration_comp"
NGINX_METADAT_EXTRACTOR_PATH="./scripts/cp-nano-makefile-generator.sh"
NGINX_FRESH_METADATA_EXTRACTOR_PATH="./scripts/cp-nano-makefile-generator-fresh.sh"
ORCHESTRATION_FILE_NAME="cp-nano-orchestration"
NGINX_METADDATA_EXTRACTOR_NAME="cp-nano-makefile-generator.sh"
NGINX_FRESH_METADATA_EXTRACTOR_NAME="cp-nano-makefile-generator-fresh.sh"
GET_CLOUD_METADATA_PATH="get-cloud-metadata.sh"
AGENT_UNINSTALL="cp-agent-uninstall.sh"
ORCHESTRATION_NAME="orchestration"
CP_AGENT_INFO_NAME="cp-agent-info"
CP_PACKAGE_LIST_NAME="cp-nano-package-list"
BIN_PATH="bin"
INSTALLATION_LOG_FILE="cp-nano-agent-install.log"
DEBUG_FLAG='^(--debug|-d)$'
FORCE_STDOUT=true
CP_NANO_DEBUG="cpnano_debug"
CP_NANO_BASE64="cpnano_base64"
EGG_MODE=
ORCHESTRATION_CONF_FILE="${CONF_PATH}/cp-nano-orchestration-conf.json"
ORCHESTRATION_DEBUG_CONF_FILE="${CONF_PATH}/cp-nano-orchestration-debug-conf.json"
DEFAULT_SETTINGS_PATH="${CONF_PATH}/settings.json"
var_default_gem_fog_address="https://inext-agents.cloud.ngen.checkpoint.com"
var_default_us_fog_address="https://inext-agents-us.cloud.ngen.checkpoint.com"
var_default_au_fog_address="https://inext-agents-aus1.cloud.ngen.checkpoint.com"
var_default_in_fog_address="https://inext-agents-ind1.cloud.ngen.checkpoint.com"
var_fog_address=
var_certs_dir=
var_public_key=
var_sleep_interval=30
var_error_sleep_interval=30
var_upgrade_mode=
var_token=
var_email=
var_server=
var_installation_debug_mode=false
var_startup_service=
var_arch_flag=
var_arch="x86"
var_offline_mode=false
var_hybrid_mode=false
var_orchestration_mode="online_mode"
var_container_mode=false
var_no_otp=false
var_additional_flags=
var_proxy=
var_compact_mode=false
var_skip_registration=false
var_is_alpine=false
var_gaia_release=1
var_mds_release=1
var_alpine_release=1
var_which_cmd_exists=0
var_cloud_storage=
if [ -f /.dockerenv ]; then
var_container_mode=true
fi
IS_K8S_ENV=false
K8S_TOKEN_PATH="/var/run/secrets/kubernetes.io/serviceaccount/token"
if [ -f $K8S_TOKEN_PATH ]; then
IS_K8S_ENV=true
fi
# Prerequisites for installation
cur_uid=$(id -u)
if [ "${cur_uid}" != "0" ]; then
cp_print "Error, cp-nano-agent service installation requires root permissions, please re-run as root" ${FORCE_STDOUT}
exit 1
fi
ls -l /etc/ | grep release > /dev/null 2>&1
retval=$?
if [ $retval -eq 0 ]; then
cat /etc/*release | grep -q "Gaia"
var_gaia_release=$?
cat /etc/*release | grep -q "Multi-Domain Security Management"
var_mds_release=$?
cat /etc/*release | grep -q alpine
var_alpine_release=$?
fi
if [ $var_gaia_release -eq 0 ] || [ $var_mds_release -eq 0 ]; then
arch=$(uname -a | awk '{print $(NF -1) }')
if test "${arch}" == "aarch64"; then
var_arch="gaia_arm"
var_arch_flag="--gaia_arm"
else
var_arch="gaia"
var_arch_flag="--gaia"
fi
elif [ $var_alpine_release -eq 0 ]; then
var_is_alpine=true
else
var_arch=$(uname -a | awk '{print $(NF -1) }')
if [ -z "${var_arch}" ]; then
var_arch="x86"
fi
if [ -n "$(echo "${var_arch}" | grep -i arm)" ]; then
var_arch="arm"
fi
fi
is_smb=0
if [ -f /pfrm2.0/bin/cposd ]; then
is_smb=1
if [ "$is_smb" = "1" ]; then
if [ `fw_printenv -n sub_hw_ver` = "THX2" ]; then
export LD_LIBRARY_PATH="/lib64:/pfrm2.0/lib64:${LD_LIBRARY_PATH}"
fi
fi
var_arch="smb"
fi
usage()
{
echo "Usage:"
echo "--install : Install Nano Agent"
echo "--uninstall : Remove Nano Agent"
echo "--token <token> : Registration token"
echo "--fog <fog URL> : Fog Address"
echo "--email <email address> : Contact Information"
echo "--certs-dir <Trusted CA directory> : Path to the trusted CA directory"
echo "--public-key <Public key file path> : Path to the SSL certificate's public key file (PEM format)"
echo "--ignore <ignore packages list> : List of ignored packages"
exit 1
}
starts_with() # Initials - sw
{
sw_str=$1
sw_prefix=$2
if [ -z "$(echo "$sw_str" | sed 's|^'"$sw_prefix"'.*||')" ]; then
echo true
else
echo false
fi
}
verify_proxy_config()
{
if [ "$var_proxy" = 'none' ]; then
return
fi
if [ -n "$var_proxy" ]; then
# Check if it is authenticated proxy
without_http="$(echo "$var_proxy" | cut -d'/' -f 3)"
user_pass="$(echo "$without_http" | cut -d'@' -f 1)"
ip_port="$(echo "$without_http" | cut -d'@' -f 2)"
# Authenticated proxy
if [ "$var_proxy" = 'http://'"$user_pass"'@'"$ip_port" ] && [ -n "$user_pass" ] && [ -n "$ip_port" ]; then
user="$(echo "$user_pass" | cut -d':' -f 1)"
pass="$(echo "$user_pass" | cut -d':' -f 2)"
if [ "$user_pass" != "$user"':'"$pass" ] || [ -z "$user" ] || [ -z "$pass" ]; then
echo "Installation Error: Bad proxy syntax. Syntax must be http://[user:pass@]domain[:port]"
exit 1
fi
elif [ "$(starts_with "$var_proxy" 'http://'"$ip_port")" = "false" ]; then
echo "Installation Error: Bad proxy syntax. Syntax must be http://[user:pass@]domain[:port]"
exit 1
fi
fi
}
save_local_policy_config()
{
custom_policy_conf_file=${FILESYSTEM_PATH}/${CONF_PATH}/custom_policy.cfg
var_policy_file=${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
echo "var_policy_file=${var_policy_file}" > ${custom_policy_conf_file}
echo "last_local_policy_modification_time=$(stat -c %Y ${var_policy_file})" >> ${custom_policy_conf_file}
}
[ -f /etc/environment ] && . "/etc/environment"
if [ -n "${CP_ENV_FILESYSTEM}" ] ; then
export FILESYSTEM_PATH=$CP_ENV_FILESYSTEM
fi
if [ -n "${CP_ENV_LOG_FILE}" ] ; then
LOG_FILE_PATH=$CP_ENV_LOG_FILE
fi
if [ -n "${CP_USR_LIB_PATH}" ]; then
USR_LIB_PATH=$CP_USR_LIB_PATH
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CP_USR_LIB_PATH/cpnano
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$CP_USR_LIB_PATH
fi
if [ -n "${CP_INIT_D_PATH}" ]; then
INIT_D_PATH=$CP_INIT_D_PATH
mkdir -p $CP_INIT_D_PATH
fi
if [ -n "${CP_USR_SBIN_PATH}" ]; then
USR_SBIN_PATH=$CP_USR_SBIN_PATH
mkdir -p $CP_USR_SBIN_PATH
export PATH=$PATH:$CP_USR_SBIN_PATH
fi
while true; do
if [ "$1" = "--arm32_openwrt" ]; then
var_arch="arm"
var_arch_flag="--arm32_openwrt"
elif [ "$1" = "--wlpOrchestration" ]; then
is_wlp_orchestration="true"
ORCHESTRATION_EXE_SOURCE_PATH="./bin/wlpStandalone"
elif [ "$1" = "--arm32_rpi" ]; then
var_arch="arm"
var_arch_flag="--arm32_rpi"
elif [ "$1" = "--install" ]; then
RUN_MODE="install"
elif [ "$1" = "--egg-install" ]; then
EGG_MODE=true
elif [ "$1" = "--uninstall" ]; then
RUN_MODE="uninstall"
elif [ "$1" = "--pre_install_test" ]; then
RUN_MODE="pre_install_test"
elif [ "$1" = "--post_install_test" ]; then
RUN_MODE="post_install_test"
elif [ "$1" = "--token" ]; then
shift
OTP_TOKEN=$1
elif [ "$1" = "--email" ]; then
shift
var_email=$1
elif [ "$1" = "--server" ]; then
shift
var_server=$1
elif [ "$1" = "--offline_mode" ]; then
var_offline_mode=true
var_orchestration_mode="offline_mode"
elif [ "$1" = "--hybrid_mode" ]; then
var_hybrid_mode=true
var_orchestration_mode="hybrid_mode"
elif [ "$1" = "--container_mode" ]; then
var_container_mode=true
elif [ "$1" = "--no_otp" ]; then
var_no_otp=true
elif [ "$1" = "--fog" ]; then
shift
var_fog_address=$1
elif [ "$1" = "--max-log-size-kb" ]; then
shift
WATCHDOG_MAX_FILE_SIZE=$(($1 * 1024))
elif [ "$1" = "--max-log-rotation" ]; then
shift
WATCHDOG_MAX_ROTATIONS=$1
elif [ "$1" = "--certs-dir" ]; then
shift
var_certs_dir=$1
elif [ "$1" = "--public-key" ]; then
shift
var_public_key=$1
elif [ "$1" = "--ignore" ]; then
shift
ignore_packages=$1
elif [ "$1" = "--support_practices" ]; then
shift
support_practices=$1
elif [ "$1" = "-ia" ]; then
ignore_access=accessControl
elif [ "$1" = "--additional_flags" ]; then
shift
var_additional_flags=$1
elif [ "$1" = "--proxy" ]; then
shift
var_proxy=$1
verify_proxy_config
elif [ "$1" = "--compact_mode" ]; then
var_compact_mode=true
elif [ "$1" = "--filesystem_path" ]; then
shift
var=$1
last_char=${var##${var%%?}}
echo $var
if [ "$last_char" = "/" ]; then
export FILESYSTEM_PATH=${var%?}
else
export FILESYSTEM_PATH=$1
fi
echo "Filesystem paths: ${FILESYSTEM_PATH}"
elif [ "$1" = "--vs_id" ]; then
shift
if [ "$1" != "0" ]; then
VS_ID=$1
export FILESYSTEM_PATH="/etc/cp/vs${VS_ID}"
NANO_AGENT_SERVICE_NAME="nano_agent_${VS_ID}"
NANO_AGENT_SERVICE_FILE="${NANO_AGENT_SERVICE_NAME}.service"
VS_LIB_SUB_FOLDER="/vs${VS_ID}"
LOG_FILE_PATH="${LOG_FILE_PATH}/vs${VS_ID}"
TMP_FOLDER="${TMP_FOLDER}/vs${VS_ID}"
fi
elif [ "$1" = "--log_files_path" ]; then
shift
var=$1
last_char=${var##${var%%?}}
echo $var
if [ "$last_char" = "/" ]; then
LOG_FILE_PATH=${var%?}
else
LOG_FILE_PATH=$1
fi
echo "Log files path: ${LOG_FILE_PATH}"
elif [ "$1" = "--arm64_trustbox" ] || [ "$1" = "--arm64_linaro" ] || [ "$1" = "--arm32_rpi" ] || [ "$1" = "--gaia" ] || [ "$1" = "--gaia_arm" ] || [ "$1" = "--smb_mrv_v1" ] || [ "$1" = "--smb_sve_v2" ] || [ "$1" = "--smb_thx_v3" ] || [ "$1" = "--x86" ] || [ "$1" = "./orchestration_package.sh" ]; then
shift
continue
elif [ "$1" = "--skip_registration" ]; then
var_skip_registration=true
elif [ "$1" = "--cloud-storage" ]; then
shift
var_cloud_storage=$1
elif [ "$1" = "--only_unpack_lib64_path" ]; then
shift
USR_LIB_PATH=$1
var_only_unpack_lib64="set"
elif echo "$1" | grep -q ${FORCE_CLEAN_FLAG}; then
var_upgrade_mode=
elif echo "$1" | grep -q ${DEBUG_FLAG}; then
var_installation_debug_mode=true
elif [ -z "$1" ]; then
break
elif [ "$1" = "--debug_on" ] || [ "$1" = "--debug-on" ]; then
echo "Ignoring deprecated installation flag '$1'"
else
echo "Warning: unsupported option '$1'"
fi
shift
done
# VS ID argument is available only on install, for other actions, extract it from the package location
if [ -z "$VS_ID" ]; then
parent_pid=$PPID
parent_cmdline=$(cat /proc/"$parent_pid"/cmdline | tr '\0' ' ')
parent_dir=$(dirname "$parent_cmdline")
packages_folder=$(dirname "$parent_dir")
vs_folder=$(dirname "$packages_folder")
VS_ID=`echo ${vs_folder} | grep -oE '/etc/cp/vs[0-9]+$' | grep -oE '[0-9]+$'`
if [ -n "$VS_ID" ]; then
export FILESYSTEM_PATH="/etc/cp/vs${VS_ID}"
NANO_AGENT_SERVICE_NAME="nano_agent_${VS_ID}"
NANO_AGENT_SERVICE_FILE="${NANO_AGENT_SERVICE_NAME}.service"
VS_LIB_SUB_FOLDER="/vs${VS_ID}"
LOG_FILE_PATH="${LOG_FILE_PATH}/vs${VS_ID}"
TMP_FOLDER="${TMP_FOLDER}/vs${VS_ID}"
fi
fi
if [ -n "${VS_ID}" ]; then
if [ "$VS_ID" != "$INSTANCE_VSID" ]; then
echo "Error: Incorrect context, switch to VS${VS_ID} context first."
exit 1
fi
elif [ -n "$INSTANCE_VSID" ] && [ "$INSTANCE_VSID" != "0" ]; then
echo "Error: Incorrect context, exit vs${INSTANCE_VSID} first."
exit 1
fi
if [ "$RUN_MODE" = "install" ] && [ $var_offline_mode = false ]; then
if [ -n "$OTP_TOKEN" ] && [ -z "$var_token" ] && [ "$var_no_otp" = "false" ]; then
var_token=$OTP_TOKEN
if [ -z "$var_fog_address" ]; then
gem_prefix="cp-"
gem_prefix_uppercase="CP-"
us_prefix="cp-us-"
us_prefix_uppercase="CP-US-"
au_prefix="cp-au-"
au_prefix_uppercase="CP-AU-"
in_prefix="cp-in-"
in_prefix_uppercase="CP-IN-"
if [ "${var_token#"$us_prefix"}" != "${var_token}" ] || [ "${var_token#"$us_prefix_uppercase"}" != "${var_token}" ]; then
var_fog_address="$var_default_us_fog_address"
elif [ "${var_token#$au_prefix}" != "${var_token}" ] || [ "${var_token#"$au_prefix_uppercase"}" != "${var_token}" ]; then
var_fog_address="$var_default_au_fog_address"
elif [ "${var_token#$in_prefix}" != "${var_token}" ] || [ "${var_token#"$in_prefix_uppercase"}" != "${var_token}" ]; then
var_fog_address="$var_default_in_fog_address"
elif [ "${var_token#"$gem_prefix"}" != "${var_token}" ] || [ "${var_token#"$gem_prefix_uppercase"}" != "${var_token}" ]; then
var_fog_address="$var_default_gem_fog_address"
else
echo "Failed to get fog address from token: ${var_token} - check if token is legal"
fi
fi
fi
if [ $var_hybrid_mode = true ] && [ -z "$var_fog_address" ]; then
var_fog_address="$var_default_gem_fog_address"
fi
if [ -n "$var_proxy" ]; then
if [ "$var_proxy" = 'none' ]; then
echo "Ignoring system proxy"
else
echo "Proxy='$var_proxy'"
fi
fi
echo "Fog address='${var_fog_address}'"
fi
if command -v which &>/dev/null; then
var_which_cmd_exists=1
fi
if [ $var_arch != "gaia" ] && [ $var_arch != "gaia_arm" ] && [ $var_which_cmd_exists -eq 1 ]; then
if [ -n "$(which systemctl)" ]; then
var_startup_service="systemd"
else
var_startup_service="upstart"
fi
fi
cp_print()
{
if [ "$var_installation_debug_mode" = "true" ] || { [ -n "$2" ] && [ "$2" = "true" ]; }; then
printf "%b\n" "$1"
fi
if [ "$is_smb" != "1" ]; then
printf "[%s] %b\n" "$(date +%Y-%m-%dT%H:%M:%S)" "$1" >> ${LOG_FILE_PATH}/${LOG_PATH}/${INSTALLATION_LOG_FILE}
else
printf "[%s] %b\n" "$(date +%Y-%m-%dT%H:%M:%S)" "$1" >> ${SMB_LOG_FILE_PATH}/${LOG_PATH}/${INSTALLATION_LOG_FILE}
fi
}
cp_exec()
{
var_cmd=$1
var_std_out=$2
# Send exec output to RES
RES=$($var_cmd 2>&1)
if [ -n "$RES" ]; then
cp_print "$RES" "$var_std_out"
fi
}
export INSTALL_COMMAND
is_install="$(command -v install)"
if [ -z ${is_install} ]; then
INSTALL_COMMAND="cp -f"
cp_print "[WARNING]: install command not found - using cp instead" ${FORCE_STDOUT}
else
INSTALL_COMMAND=install
fi
cp_copy() # Initials - cc
{
SRC="$1"
DEST="$2"
var_std_out="$3"
status=
SRC_MD5=
DEST_MD5=
DEST_AFTER_COPY=
SRC_MD5=$(find "$SRC" -maxdepth 1 -type f -exec md5sum {} \; 2>&1)
status=$?
if ! [ $status -eq 0 ]; then SRC_MD5="source '${SRC}' does not exist."; fi
DEST_MD5=$(find "$DEST" -maxdepth 1 -type f -exec md5sum {} \; 2>&1)
status=$?
if ! [ $status -eq 0 ]; then DEST_MD5="destination '${DEST}' does not exist."; fi
cp_print "Copy source md5:\n$SRC_MD5\nCopy destination md5:\n$DEST_MD5"
COPY_RETURN_VAL=$($INSTALL_COMMAND "$SRC" "$DEST" 2>&1)
status=$?
if ! [ $status -eq 0 ]; then
cp_print "Error copying: $COPY_RETURN_VAL" "$var_std_out"
exit 1
fi
DEST_AFTER_COPY=$(find "$DEST" -maxdepth 1 -type f -exec md5sum {} \; 2>&1)
status=$?
if ! [ $status -eq 0 ]; then DEST_AFTER_COPY="destination '${DEST}' does not exist."; fi
cp_print "Destination md5, after the copy:\n$DEST_AFTER_COPY"
}
update_openappsec_manifest()
{
if [ -z ${OPENAPPSEC_NANO_AGENT} ] && { [ -z ${CLOUDGUARD_APPSEC_STANDALONE} ] || [ -z ${DOCKER_RPM_ENABLED} ]; }; then
return
fi
selected_openappsec_manifest_path="${TMP_FOLDER}/openappsec_manifest.json"
if [ "${DOCKER_RPM_ENABLED}" = "false" ] || [ "${OPENAPPSEC_NANO_AGENT}" = "TRUE" ]; then
selected_openappsec_manifest_path="${TMP_FOLDER}/self_managed_openappsec_manifest.json"
fi
if [ ! -f "$selected_openappsec_manifest_path" ]; then
return
fi
openappsec_manifest_path="${selected_openappsec_manifest_path}.used"
mv "$selected_openappsec_manifest_path" "$openappsec_manifest_path"
fog_host=$(echo "$var_fog_address" | sed 's/https\?:\/\///')
fog_host=${fog_host%/}
sed "s/namespace/${fog_host}/g" ${openappsec_manifest_path} > "${FILESYSTEM_PATH}/${CONF_PATH}/manifest.json"
}
set_cloud_storage()
{
CP_NANO_CLOUD_STORAGE_CONFIG_PATH="${TMP_FOLDER}/cp-nano-cloud-storage.conf"
if [ ! -f "${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}" ] && [ -z "${var_cloud_storage}" ]; then
sed -i '/CLOUD_STORAGE_ENABLED/d' ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
return
fi
touch ${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}
if [ -n "${var_token}" ]; then
if ! command -v "openssl" 1> /dev/null 2> /dev/null && command -v "cpopenssl" 1> /dev/null 2> /dev/null; then
ln -s "$(command -v cpopenssl)" "$(dirname $(command -v cpopenssl))/openssl"
fi
HASHED_TOKEN=$(openssl passwd -6 -salt cp-cloud-key ${var_token})
if grep -q "HASHED_TOKEN" "${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}"; then
sed -i "/HASHED_TOKEN/c\HASHED_TOKEN='${HASHED_TOKEN}'" "${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}"
else
echo "HASHED_TOKEN='${HASHED_TOKEN}'" >> ${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}
fi
fi
if [ -n "${var_cloud_storage}" ]; then
if grep -q "CLOUD_STORAGE" "${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}"; then
sed -i "/CLOUD_STORAGE/c\CLOUD_STORAGE=${var_cloud_storage}" "${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}"
else
echo "CLOUD_STORAGE=${var_cloud_storage}" >> "${CP_NANO_CLOUD_STORAGE_CONFIG_PATH}"
fi
fi
if grep -q "CLOUD_STORAGE_ENABLED" "${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}"; then
sed -i "/CLOUD_STORAGE_ENABLED/c\export CLOUD_STORAGE_ENABLED=true" "${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}"
else
echo "export CLOUD_STORAGE_ENABLED=true" >> "${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}"
fi
}
install_watchdog_gaia()
{
watchdog_pm_name="cp-nano-watchdog"
if [ -n "$VS_ID" ]; then
watchdog_pm_name="cp-nano-watchdog-vs${VS_ID}"
cp_exec "ln -s ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/${watchdog_pm_name}"
fi
# verify that DB is clean from cp-nano-watchdog
tellpm ${watchdog_pm_name}
dbset process:${watchdog_pm_name}
dbset process:${watchdog_pm_name}:path
dbset process:${watchdog_pm_name}:arg:1
dbset process:${watchdog_pm_name}:runlevel
# Add cp-nano-watchdog to DB
dbset process:${watchdog_pm_name} t
dbset process:${watchdog_pm_name}:path ${FILESYSTEM_PATH}/${WATCHDOG_PATH}
dbset process:${watchdog_pm_name}:arg:1 ${var_arch_flag}
dbset process:${watchdog_pm_name}:runlevel 1
dbset :save
tellpm ${watchdog_pm_name} t
}
install_watchdog()
{
is_upgrade=$1
# Check if watchdog is updated/new
old_cp_nano_watchdog_md5=""
new_cp_nano_watchdog_md5=$(md5sum watchdog/watchdog | awk '{print$1}')
if [ -f ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog ]; then
old_cp_nano_watchdog_md5=$(md5sum ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog | awk '{print$1}')
fi
if [ "$old_cp_nano_watchdog_md5" = "$new_cp_nano_watchdog_md5" ]; then
# Watchdog did not changed
cp_print "There is no update in watchdog. Everything is up to date. Reregistering services to be on the same side."
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --register $is_upgrade ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag"
if [ "$IS_K8S_ENV" = "true" ]; then
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --register ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh"
fi
return
fi
cp_print "Installing the watchdog" ${FORCE_STDOUT}
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${WATCHDOG_PATH}"
cp_copy watchdog/watchdog ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog
cp_copy watchdog/wait-for-networking-inspection-modules.sh ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wait-for-networking-inspection-modules.sh
cp_copy watchdog/revert_orchestrator_version.sh ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/revert_orchestrator_version.sh
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog"
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wait-for-networking-inspection-modules.sh"
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/revert_orchestrator_version.sh"
cp_exec "touch ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wd.services"
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --register $is_upgrade ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag"
if [ "$IS_K8S_ENV" = "true" ]; then
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --register ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh"
fi
cp_print "Install cp-nano-agent service file"
if [ $var_arch = "arm" ]; then
cp_print "Install for init.d"
cp_copy service/arm32_openwrt/nano_agent.init $INIT_D_PATH/nano_agent.init
cp_exec "chmod +x $INIT_D_PATH/nano_agent.init"
cp_exec "ln -s $INIT_D_PATH/nano_agent.init /etc/rc.d/S99nano_agent"
elif [ "$is_smb" = "1" ]; then
mkdir -p /storage/nano_agent/etc
cp_copy service/smb/nano_agent.init /storage/nano_agent/etc/nano_agent.init
chmod +rx /storage/nano_agent/etc/nano_agent.init
elif [ $var_container_mode = false ]; then
if [ $var_arch = "gaia" ] || [ $var_arch = "gaia_arm" ]; then
cp_exec "ln -s ${FWDIR}/bin/curl_cli ${FWDIR}/bin/curl"
cp_exec "ln -s ${CPDIR}/bin/cpopenssl ${CPDIR}/bin/openssl"
cp_copy watchdog/access_pre_init $INIT_D_PATH/access_pre_init
chkconfig --add $INIT_D_PATH/access_pre_init
install_watchdog_gaia
elif [ "$is_smb" = "1" ]; then
cp_exec "ln -s ${FWDIR}/bin/curl_cli ${FWDIR}/bin/curl"
cp_exec "ln -s ${CPDIR}/bin/cpopenssl ${CPDIR}/bin/openssl"
elif [ $var_startup_service = "systemd" ]; then
cp_print "Install for systemd"
cp_copy service/x86/ubuntu16/nano_agent.service /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
if [ -z "$VS_ID" ]; then
echo "ExecStart=${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
echo "ExecStartPost=${FILESYSTEM_PATH}/${WATCHDOG_PATH}/wait-for-networking-inspection-modules.sh" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
else
echo "ExecStart=ip netns exec CTX0000${VS_ID} ${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi
echo "Environment=\"FILESYSTEM_PATH=${FILESYSTEM_PATH}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
if [ -n "${PROMETHEUS}" ] ; then
echo "Environment=\"PROMETHEUS=${PROMETHEUS}\"" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
fi
cp_exec "systemctl daemon-reload"
cp_exec "systemctl enable nano_agent"
else
cp_print "Install for init.d"
cp_copy service/x86/ubuntu14/nano_agent.conf /etc/init/nano_agent.conf
cp_copy service/x86/ubuntu14/nano_agent.init $INIT_D_PATH/nano_agent
cp_exec "chmod +x $INIT_D_PATH/nano_agent"
cp_exec "update-rc.d nano_agent defaults"
cp_exec "update-rc.d nano_agent enable"
fi
fi
if [ -n "${var_upgrade_mode}" ]; then
touch ${FILESYSTEM_PATH}/${SERVICE_PATH}/restart_watchdog
cp_print "Restart cp-nano-agent service" ${FORCE_STDOUT}
else
cp_print "Start cp-nano-agent service" ${FORCE_STDOUT}
if [ $var_arch = "arm" ]; then
cp_exec "$INIT_D_PATH/nano_agent.init start"
elif [ "$is_smb" = "1" ]; then
cp_exec "/storage/nano_agent/etc/nano_agent.init start"
elif [ $var_arch = "gaia" ] || [ $var_arch = "gaia_arm" ]; then
install_watchdog_gaia
else
cp_exec "service $NANO_AGENT_SERVICE_NAME start"
fi
fi
}
if [ -f ${FILESYSTEM_PATH}/${CONF_PATH}/${ORCHESTRATION_NAME}/${ORCHESTRATION_NAME}.policy ]; then
var_upgrade_mode=true
fi
upgrade_orchestration_policy()
{
# This function help with upgrading the new orchestration policy syntax
# Updating sleep-interval to pulling-interval
sed -i "s/sleep/pulling/g" ${FILESYSTEM_PATH}/${CONF_PATH}/${ORCHESTRATION_NAME}/${ORCHESTRATION_NAME}.policy
sed -i "s/sleep/pulling/g" ${FILESYSTEM_PATH}/${CONF_PATH}/${ORCHESTRATION_NAME}/${ORCHESTRATION_NAME}.policy
}
add_uninstall_script()
{
cp_exec "cp -f $AGENT_UNINSTALL ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$AGENT_UNINSTALL"
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$AGENT_UNINSTALL"
}
install_cp_nano_ctl()
{
CP_NANO_AGENT_CTL="cp-nano-agent-ctl.sh"
CP_NANO_CTL_DEPRECATED="cp-ctl"
CP_NANO_AGENT_CTL_DEPRECATED="cp-nano-agent-ctl-deprecated.sh"
CP_NANO_CLI="cp-nano-cli.sh"
CP_NANO_JSON="cpnano_json"
CP_NANO_CTL="cpnano"
OPEN_APPSEC_CTL="open-appsec-ctl"
CP_NANO_YQ_LOCATION="./scripts/yq"
CP_NANO_YQ="yq"
if [ -f $USR_SBIN_PATH/${CP_NANO_CTL_DEPRECATED} ]; then
cp_exec "rm -rf $USR_SBIN_PATH/${CP_NANO_CTL_DEPRECATED}"
fi
# Removing old CP-CTL
if [ -f ${FILESYSTEM_PATH}/${CONF_PATH}/$CP_NANO_AGENT_CTL ]; then
cp_exec "rm -rf ${FILESYSTEM_PATH}/${CONF_PATH}/$CP_NANO_AGENT_CTL"
fi
if [ -f ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_AGENT_CTL_DEPRECATED} ]; then
cp_exec "rm -f ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_AGENT_CTL_DEPRECATED} $USR_SBIN_PATH/${CP_NANO_CTL_DEPRECATED}"
fi
cp_exec "cp -f $CP_NANO_CLI ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL"
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL"
if [ -n "$VS_ID" ]; then
CP_NANO_CTL="${CP_NANO_CTL}-vs${VS_ID}"
fi
cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/$CP_NANO_AGENT_CTL $USR_SBIN_PATH/${CP_NANO_CTL}"
cp_exec "ln -s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${OPEN_APPSEC_CTL}.sh $USR_SBIN_PATH/${OPEN_APPSEC_CTL}"
cp_exec "cp -f ${CP_NANO_DEBUG} ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_DEBUG}"
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_DEBUG}"
cp_exec "cp -f ./cpnano_json ${FILESYSTEM_PATH}/${BIN_PATH}/$CP_NANO_JSON" ${FORCE_STDOUT}
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${BIN_PATH}/$CP_NANO_JSON"
cp_exec "cp -f ${CP_NANO_BASE64} ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_BASE64}" ${FORCE_STDOUT}
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_BASE64}"
cp_exec "cp -f ${CP_NANO_YQ_LOCATION} ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_YQ}" ${FORCE_STDOUT}
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_YQ}"
}
set_conf_temp_location()
{
if [ -n "${CP_ENV_FILESYSTEM}" ]; then
prefix_filesystem=$(echo $CP_ENV_FILESYSTEM | sed 's|\(.*\)/.*|\1|')
temp_location=$prefix_filesystem/temp/orchestration_download
escaped_temp_location=$(echo $temp_location | sed -e 's/\//\\\//g')
mkdir -p $temp_location
if ! cat ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE} | grep -q "\"orchestration\":"; then
sed -i -e "1 s/{/{\n\"orchestration\": {\"Default file download path\": [{\"value\":\""${escaped_temp_location}"\"}]},/" ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
else
sed -i -e "/\"orchestration\"/ s/\"orchestration\".*:.*{/\"orchestration\":{\"Default file download path\": [{\"value\":\""${escaped_temp_location}"\"}],/" ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
fi
fi
}
set_conf_additional_flags()
{
if [ -z "$var_additional_flags" ] || cat ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE} | grep -q '\"additional flags\"'; then
return
fi
var_additional_flags="\"$(echo "$var_additional_flags" | sed 's/,/\",\"/g')\""
if ! cat ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE} | grep -q "\"orchestration\":"; then
sed -i -e "0,/{/ s/{/{\"orchestration\": {\n\"additional flags\": [{\"flags\": [${var_additional_flags}]}]},/" ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
else
sed -i -e "0,/\"orchestration\"/ s/\"orchestration\".*:.*{/\"orchestration\": {\n\"additional flags\": [{\"flags\": [${var_additional_flags}]}],/" ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
fi
}
upgrade_conf_if_needed()
{
if [ -f ${FILESYSTEM_PATH}/${ORCHESTRATION_DEBUG_CONF_FILE} ]; then
sed -i "s|STDOUT|${LOG_FILE_PATH}/${DBG_FILE_PATH}|g" ${FILESYSTEM_PATH}/${ORCHESTRATION_DEBUG_CONF_FILE}
else
if [ -f ${FILESYSTEM_PATH}/${CONF_PATH}/orchestration_conf.json ]; then
cp_exec "mv ${FILESYSTEM_PATH}/${CONF_PATH}/orchestration_conf.json ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}"
cp_exec "chmod 600 ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}"
fi
cp_copy configuration/cp-nano-orchestration-debug-conf.json ${FILESYSTEM_PATH}/${ORCHESTRATION_DEBUG_CONF_FILE}
cp_exec "chmod 600 ${FILESYSTEM_PATH}/${ORCHESTRATION_DEBUG_CONF_FILE}"
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && \
previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
if ! [ -z "$previous_mode" ]; then
var_orchestration_mode=${previous_mode}
fi
if [ ${var_orchestration_mode} = "hybrid_mode" ]; then
save_local_policy_config
fi
cp_exec "cp -f configuration/orchestration.cfg ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
execution_flags="execution_flags=\"--orchestration-mode=${var_orchestration_mode}\""
echo $execution_flags >> ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
if [ $var_arch = "gaia" -o $var_arch = "gaia_arm" -o "$is_smb" = "1" ]; then
if [ -z "${gaia_ld_path}" ]; then
gaia_ld_path="${LD_LIBRARY_PATH}"
fi
sed -i '1i gaia_ld_path='"$gaia_ld_path"'' ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
fi
fi
CP_ENV_FILESYSTEM=${FILESYSTEM_PATH} CP_ENV_LOG_FILE=${LOG_FILE_PATH} cp_exec "${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_DEBUG} --default --service orchestration"
if [ ! -f "${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}" ]; then
cp_print "Creating env details file" ${FORCE_STDOUT}
if [ $var_container_mode = true ]; then
echo 'IS_CONTAINER_ENV=true' >> "${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}"
fi
fi
if cat ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE} | grep -q '"/agents/log'; then
sed -i 's|"/agents/log|"/api/v1/agents/events|' ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
fi
set_conf_additional_flags
}
copy_orchestration_executable()
{
cp_print "Copying cp-nano-agent binary file to folder: ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}" $FORCE_STDOUT
cp_copy "$ORCHESTRATION_EXE_SOURCE_PATH" ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}"
cp_copy open-appsec-cloud-mgmt ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-cloud-mgmt
cp_copy open-appsec-cloud-mgmt-k8s ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-cloud-mgmt-k8s
cp_copy open-appsec-ctl.sh ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/open-appsec-ctl.sh
if [ -f /ext/appsec/local_policy.yaml ]; then
cp_exec "ln -s /ext/appsec/local_policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml"
else
if [ ! -f ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml ]; then
cp_copy local-default-policy.yaml ${FILESYSTEM_PATH}/${CONF_PATH}/local_policy.yaml
fi
fi
}
copy_k8s_executable()
{
if [ "$IS_K8S_ENV" = "true" ]; then
cp -f k8s-check-update-listener.sh ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh
chmod +x ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh
cp -f k8s-check-update-trigger.sh ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-trigger.sh
chmod +x ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-trigger.sh
fi
}
copy_nginx_metadata_script()
{
cp_copy "$NGINX_METADAT_EXTRACTOR_PATH" ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_METADDATA_EXTRACTOR_NAME}
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_METADDATA_EXTRACTOR_NAME}"
cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_METADDATA_EXTRACTOR_NAME}"
}
copy_nginx_fresh_metadata_script()
{
cp_copy "$NGINX_FRESH_METADATA_EXTRACTOR_PATH" ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_FRESH_METADATA_EXTRACTOR_NAME}
cp_exec "chmod 700 ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_FRESH_METADATA_EXTRACTOR_NAME}"
cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${NGINX_FRESH_METADATA_EXTRACTOR_NAME}"
}
copy_and_run_cloud_metadata_script()
{
cp_copy "${SCRIPTS_PATH}/$GET_CLOUD_METADATA_PATH" ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${GET_CLOUD_METADATA_PATH}
cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${GET_CLOUD_METADATA_PATH}"
cp_exec "${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${GET_CLOUD_METADATA_PATH}"
}
install_public_key()
{
return
if [ -f ${FILESYSTEM_PATH}/${CERTS_PATH}/public-key.pem ]; then
# Public key is already installed
return
fi
fog_address=${var_fog_address}
if [ -n "${var_upgrade_mode}" ]; then
# Upgrade - look in policy.json
fog_address=$(cat ${FILESYSTEM_PATH}/${CONF_PATH}/${SERVICE_PATH}/orchestration.policy)
fi
if [ -z ${var_fog_address} ] || echo "${fog_address}" | grep -q "\"fog-address\":\"\""; then
# Offline mode - exit from function
return
fi
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${CERTS_PATH}"
cp_copy certificate/cloud-ngen.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/cloud-ngen.pem
cp_copy certificate/dev-i2.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/dev-i2.pem
cp_copy certificate/i2.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/i2.pem
cp_copy certificate/stg-i2.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/stg-i2.pem
if [ -n "${var_public_key}" ]; then
if [ -f "${var_public_key}" ]; then
# Use private public key (in case of SSL inspection)
ln -sf "${var_public_key}" ${FILESYSTEM_PATH}/${CERTS_PATH}/public-key.pem
return
else
cp_print "Ignoring non existing public key file '${var_public_key}'" ${FORCE_STDOUT}
fi
fi
if echo "$fog_address" | grep -q "cloud.ngen.checkpoint.com"; then
ln -sf ${FILESYSTEM_PATH}/${CERTS_PATH}/cloud-ngen.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/public-key.pem
elif echo "$fog_address" | grep -q "dev.i2.checkpoint.com"; then
ln -sf ${FILESYSTEM_PATH}/${CERTS_PATH}/dev-i2.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/public-key.pem
elif echo "$fog_address" | grep -q "stg.i2.checkpoint.com"; then
ln -sf ${FILESYSTEM_PATH}/${CERTS_PATH}/stg-i2.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/public-key.pem
elif echo "$fog_address" | grep -q "i2.checkpoint.com"; then
ln -sf ${FILESYSTEM_PATH}/${CERTS_PATH}/i2.pem ${FILESYSTEM_PATH}/${CERTS_PATH}/public-key.pem
else
cp_print "Cannot find certificate for $fog_address" ${FORCE_STDOUT}
exit 1
fi
}
uninstall_messaging_proxy_if_needed()
{
messaging_exec_path="${FILESYSTEM_PATH}/packages/messagingProxy/messagingProxy"
if [ -f ${messaging_exec_path} ]; then
chmod +x ${messaging_exec_path}
${messaging_exec_path} --uninstall
rm -rf ${FILESYSTEM_PATH}/packages/messagingProxy
fi
}
get_status_content()
{
gsc_temp_old_status=$(sed -e 's/{\|}\|,\|"//g' -e '/^\s*$/d' -e 's/^ //' ${FILESYSTEM_PATH}/conf/orchestration_status.json 2>1)
echo ${gsc_temp_old_status}
}
install_orchestration()
{
INSTALLATION_TIME=$(date)
if [ "$var_only_unpack_lib64" = "set" ]; then
cp_exec "mkdir ${USR_LIB_PATH}"
if [ ! -d "$USR_LIB_PATH" ]; then
cp_print "No valid path: ${USR_LIB_PATH}. please do --only_unpack_lib64_path <Path>" ${FORCE_STDOUT}
exit 1
fi
${INSTALL_COMMAND} lib/*.so* ${USR_LIB_PATH}/
${INSTALL_COMMAND} lib/boost/*.so* ${USR_LIB_PATH}/
cp_print "Done successfully doing only unpacking lib64 to Path: ${USR_LIB_PATH}" ${FORCE_STDOUT}
exit 0
fi
if [ "$is_smb" != "1" ]; then
cp_exec "mkdir -p ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}"
else
cp_exec "mkdir -p /storage/nano_agent${USR_LIB_PATH}/cpnano"
cp_exec "ln -sf /storage/nano_agent${USR_LIB_PATH}/cpnano ${USR_LIB_PATH}/cpnano"
cp_exec "mkdir -p /storage/nano_agent/${FILESYSTEM_PATH}"
cp_exec "ln -sf /storage/nano_agent/${FILESYSTEM_PATH} ${FILESYSTEM_PATH}"
cp_copy smb_egg/nano-egg-internal /opt/fw1/bin/nano-egg-internal
chmod +x /opt/fw1/bin/nano-egg-internal
fi
${INSTALL_COMMAND} lib/*.so* ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}/
${INSTALL_COMMAND} lib/boost/*.so* ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}/
if [ $var_compact_mode = true ]; then
[ -f /etc/environment ] && . "/etc/environment"
if [ -z "${CP_ENV_FILESYSTEM}" ] ; then
echo "CP_ENV_FILESYSTEM=$FILESYSTEM_PATH" >> "/etc/environment"
fi
if [ -z "${CP_ENV_LOG_FILE}"] ; then
echo "CP_ENV_LOG_FILE=$LOG_FILE_PATH" >> "/etc/environment"
fi
fi
if [ -f "$FILESYSTEM_PATH/$CONF_PATH/custom_policy.cfg" ]; then
cp_exec "rm -f $FILESYSTEM_PATH/$CONF_PATH/custom_policy.cfg"
fi
if command -v ldconfig &>/dev/null; then
cp_exec "ldconfig" ${FORCE_STDOUT}
fi
cp_print "Copy cp-agent-info tool"
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${SCRIPTS_PATH}"
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${BIN_PATH}"
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${SERVICE_PATH}"
cp_exec "cp ./cp-agent-info.sh ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_AGENT_INFO_NAME}"
cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_AGENT_INFO_NAME}"
cp_print "Copy ${CP_PACKAGE_LIST_NAME}"
cp_exec "cp ${CP_PACKAGE_LIST_NAME} ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_PACKAGE_LIST_NAME}"
cp_exec "chmod +x ${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_PACKAGE_LIST_NAME}"
cp_exec "cp -f EULA.txt ${FILESYSTEM_PATH}/EULA.txt"
cp_exec "cp -f Licenses-for-Third-Party-Components.txt ${FILESYSTEM_PATH}/Licenses-for-Third-Party-Components.txt"
install_public_key
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${CERTS_PATH}"
if [ -n "$var_upgrade_mode" ]; then
upgrade_orchestration_policy
cp_print "\nStarting upgrading of open-appsec Nano Agent [$INSTALLATION_TIME]" ${FORCE_STDOUT}
install_cp_nano_ctl
add_uninstall_script
cp_exec "cp -f certificate/ngen.body.crt ${FILESYSTEM_PATH}/${CERTS_PATH}/fog.pem"
if [ -n "${OTP_TOKEN}" ]; then
cp_print "Saving authentication token to file"
printf '{\n "registration type": "token",\n "registration data": "%b"\n}' "$OTP_TOKEN" | ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_BASE64} -e > ${FILESYSTEM_PATH}/${CONF_PATH}/registration-data.json
previous_mode=$(awk -F\" '/Orchestration mode/{print $4}' /etc/cp/conf/agent_details.json)
if [ "$previous_mode" = "hybrid_mode" ]; then
rm ${FILESYSTEM_PATH}/${CONF_PATH}/agent_details.json
rm ${FILESYSTEM_PATH}/${CONF_PATH}/orchestration_status.json
echo '{}'>${FILESYSTEM_PATH}/${CONF_PATH}/policy.json
if [ -f ${FILESYSTEM_PATH}/data/data5.a ]; then
rm ${FILESYSTEM_PATH}/data/data5.a
fi
fi
fi
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && . "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
[ -f "${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg" ] && \
previous_mode=$(cat ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg | grep "orchestration-mode" | cut -d = -f 3 | sed 's/"//')
if ! [ -z "$previous_mode" ]; then
var_orchestration_mode=${previous_mode}
fi
if [ ${var_orchestration_mode} = "hybrid_mode" ]; then
save_local_policy_config
fi
cp_exec "cp -f configuration/orchestration.cfg ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
execution_flags="execution_flags=\"--orchestration-mode=${var_orchestration_mode}\""
echo $execution_flags >> ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
if [ $var_arch = "gaia" -o $var_arch = "gaia_arm" -o "$is_smb" = "1" ]; then
if [ -z "${gaia_ld_path}" ]; then
gaia_ld_path="${LD_LIBRARY_PATH}"
fi
sed -i '1i gaia_ld_path='"$gaia_ld_path"'' ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
fi
if [ -f "${FILESYSTEM_PATH}/${CONF_PATH}/default_orchestration_flags" ]; then
rm -f "${FILESYSTEM_PATH}/${CONF_PATH}/default_orchestration_flags"
fi
update_openappsec_manifest
upgrade_conf_if_needed
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --un-register ${FILESYSTEM_PATH}/${SERVICE_PATH}/cp-nano-orchestration $var_arch_flag"
if [ "$IS_K8S_ENV" = "true" ]; then
cp_exec "${FILESYSTEM_PATH}/${WATCHDOG_PATH}/cp-nano-watchdog --un-register ${FILESYSTEM_PATH}/${SERVICE_PATH}/k8s-check-update-listener.sh"
fi
set_cloud_storage
cp_print "Upgrade to latest"
uninstall_messaging_proxy_if_needed
if [ ! -f ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH} ]; then
echo "{\"agentSettings\": []}" > ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH}
fi
copy_orchestration_executable
copy_k8s_executable
copy_nginx_metadata_script
copy_nginx_fresh_metadata_script
copy_and_run_cloud_metadata_script
install_watchdog "--upgrade"
cp_print "Upgrade completed successfully" ${FORCE_STDOUT}
if [ -f /etc/systemd/system/${NANO_AGENT_SERVICE_FILE} ]; then
cat "/etc/systemd/system/${NANO_AGENT_SERVICE_FILE}" | grep -q "EnvironmentFile=/etc/environment"
result=$?
if [ $var_container_mode = false ] && [ $result -eq 0 ]; then
sed -i "$ d" /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
echo "EnvironmentFile=/etc/environment" >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
echo >> /etc/systemd/system/${NANO_AGENT_SERVICE_FILE}
cp_exec "systemctl daemon-reload"
cp_exec "systemctl restart nano_agent"
fi
fi
exit 0
fi
cp_print "\nStarting installation of open-appsec Nano Agent [$INSTALLATION_TIME]" ${FORCE_STDOUT}
cp_exec "rm -rf ${FILESYSTEM_PATH}/${SERVICE_PATH}"
cp_exec "rm -rf ${FILESYSTEM_PATH}/${WATCHDOG_PATH}"
if [ -z ${EGG_MODE} ]; then
cp_exec "rm -rf ${FILESYSTEM_PATH}/${CONF_PATH}"
cp_exec "rm -rf ${FILESYSTEM_PATH}/${DATA_PATH}"
fi
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${SERVICE_PATH}"
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${CONF_PATH}"
cp_exec "mkdir -p ${LOG_FILE_PATH}/${LOG_PATH}"
cp_exec "mkdir -p ${FILESYSTEM_PATH}/${DATA_PATH}"
update_openappsec_manifest
if [ ! -f ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH} ]; then
echo "{\"agentSettings\": []}" > ${FILESYSTEM_PATH}/${DEFAULT_SETTINGS_PATH}
fi
if [ ! -f ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE} ]; then
cp_print "Creating env details file" ${FORCE_STDOUT}
if [ $var_container_mode = true ]; then
echo 'IS_CONTAINER_ENV=true' >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
fi
echo "MAX_FILE_SIZE=${WATCHDOG_MAX_FILE_SIZE}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
echo "MAX_ROTATION=${WATCHDOG_MAX_ROTATIONS}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
if [ -n "${FILESYSTEM_PATH}" ]; then
echo "CP_ENV_FILESYSTEM=${FILESYSTEM_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
fi
if [ -n "${VS_ID}" ]; then
echo "CP_VS_ID=${VS_ID}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
fi
if [ -n "${LOG_FILE_PATH}" ]; then
echo "CP_ENV_LOG_FILE=${LOG_FILE_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
fi
if [ -n "${USR_LIB_PATH}" ]; then
echo "CP_USR_LIB_PATH=${USR_LIB_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
fi
if [ -n "${INIT_D_PATH}" ]; then
echo "CP_INIT_D_PATH=${INIT_D_PATH}" >> ${FILESYSTEM_PATH}/${ENV_DETAILS_FILE}
fi
fi
if [ -z "${var_token}" ] && [ ${var_hybrid_mode} = false ] && [ ${var_offline_mode} = false ] && [ -z ${EGG_MODE} ] && [ ${var_no_otp} = false ]; then
cp_print "Please enter OTP token []:" ${FORCE_STDOUT}
read -r var_token
attempts=0
max_attempts=3
while [ -z "$var_token" ]; do
attempts=$((attempts + 1))
if [ "$attempts" -gt "$max_attempts" ]; then
cp_print "Maximum attempts exceeded. open-appsec Nano Agent registration failed. Failed to get token" ${FORCE_STDOUT}
exit 1
fi
cp_print "You must enter OTP token[]:" ${FORCE_STDOUT}
read -r var_token
done
fi
if [ ! -f ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json ] ; then
cp_print "Building the default policy json"
echo '{"'$ORCHESTRATION_NAME'": { "fog-address":"'$var_fog_address'", ' > ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json
echo '"pulling-interval":'$var_sleep_interval', ' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json
echo '"error-pulling-interval":'$var_error_sleep_interval'},' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json
echo '"registration-data": { "email-address": "'$var_email'", "registered-server": "'$var_server'"}}' >> ${FILESYSTEM_PATH}/${CONF_PATH}/policy.json
fi
set_cloud_storage
copy_orchestration_executable
copy_k8s_executable
copy_nginx_metadata_script
copy_nginx_fresh_metadata_script
copy_and_run_cloud_metadata_script
install_cp_nano_ctl
if [ ${var_no_otp} = false ]; then
cp_print "Saving authentication token to file"
printf '{\n "registration type": "token",\n "registration data": "%b"\n}' "$var_token" | ${FILESYSTEM_PATH}/${BIN_PATH}/${CP_NANO_BASE64} -e > ${FILESYSTEM_PATH}/${CONF_PATH}/registration-data.json
fi
add_uninstall_script
if [ $var_offline_mode = true ]; then
cp_print "Run Orchestration nano service in offline mode" ${FORCE_STDOUT}
elif [ $var_hybrid_mode = true ]; then
cp_print "Run Orchestration nano service in hybrid mode" ${FORCE_STDOUT}
cp_copy certificate/ngen.body.crt ${FILESYSTEM_PATH}/${CERTS_PATH}/fog.pem
save_local_policy_config
else
cp_copy certificate/ngen.body.crt ${FILESYSTEM_PATH}/${CERTS_PATH}/fog.pem
fi
cp_exec "chmod 600 ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}"
cp_copy configuration/cp-nano-orchestration-conf.json ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
cp_copy configuration/cp-nano-orchestration-debug-conf.json ${FILESYSTEM_PATH}/${ORCHESTRATION_DEBUG_CONF_FILE}
cp_exec "chmod 600 ${FILESYSTEM_PATH}/${ORCHESTRATION_DEBUG_CONF_FILE}"
CP_ENV_FILESYSTEM=${FILESYSTEM_PATH} CP_ENV_LOG_FILE=${LOG_FILE_PATH} cp_exec "${FILESYSTEM_PATH}/${SCRIPTS_PATH}/${CP_NANO_DEBUG} --default --service orchestration"
set_conf_additional_flags
if [ -n "${var_certs_dir}" ]; then
if [ -d "${var_certs_dir}" ]; then
if ! cat ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE} | grep -q "\"message\""; then
sed -i -e "0,/{/ s|{|{\"message\": {\"Trusted CA directory\": [{\"value\": \"${var_certs_dir}\"}]},|" ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
else
sed -i -e "0,/\"message\"/ s|\"message\".*:.*{|\"message\": {\"Trusted CA directory\": [{\"value\": \"${var_certs_dir}\"}],|" ${FILESYSTEM_PATH}/${ORCHESTRATION_CONF_FILE}
fi
else
cp_print "Ignoring non existing certs directory '${var_certs_dir}'" ${FORCE_STDOUT}
fi
fi
set_conf_temp_location
if [ -n "${var_proxy}" ]; then
{
echo '{'
echo ' "Fog domain": "",'
echo ' "Agent ID": "",'
echo ' "Fog port": 0,'
echo ' "Tenant ID": "",'
echo ' "Profile ID": "",'
echo ' "Encrypted connection": false,'
echo ' "OpenSSL certificates directory": "",'
echo ' "Proxy": "'"${var_proxy}"'"'
echo '}'
} >> "${FILESYSTEM_PATH}/${CONF_PATH}/agent_details.json"
fi
if [ -n "$ignore_access" ]; then
if [ -n "$ignore_packages" ]; then
ignore_packages=${ignore_packages},${ignore_access}
else
ignore_packages=${ignore_access}
fi
fi
if [ -n "$support_practices" ]; then
echo "$support_practices" | tr ',' '\n' >> ${FILESYSTEM_PATH}/${CONF_PATH}/support-practices.txt
fi
if [ -n "$ignore_packages" ]; then
cp_print "The following packages will be ignored: $ignore_packages" ${FORCE_STDOUT}
echo "$ignore_packages" | tr ',' '\n' >> ${FILESYSTEM_PATH}/${CONF_PATH}/ignore-packages.txt
fi
cp_exec "cp -f configuration/orchestration.cfg ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg"
execution_flags="execution_flags=\"--orchestration-mode=${var_orchestration_mode}\""
echo $execution_flags >> ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
if [ $var_arch = "gaia" -o $var_arch = "gaia_arm" -o "$is_smb" = "1" ]; then
sed -i '1i gaia_ld_path='"$LD_LIBRARY_PATH"'' ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME}.cfg
fi
install_watchdog
cp_print "Note: in order for the agent to remain active and effective it must connect to the Fog/Cloud at least every 45 days" ${FORCE_STDOUT}
cp_print "open-appsec Orchestration Nano Service installation completed successfully" ${FORCE_STDOUT}
if [ $var_hybrid_mode = false ] && [ $var_offline_mode = false ] && [ $var_no_otp = false ] && [ $var_skip_registration = false ]; then
time_sleep=2
time_out=60
cp_print "Registering open-appsec Nano Agent to Fog.." ${FORCE_STDOUT}
until get_status_content | grep -q "Registration status: Succeeded"; do
time_out=$(( time_out - time_sleep ))
if [ $time_out -le 0 ]; then
cp_print "open-appsec Nano Agent registration failed. Failed to register to Fog: $var_fog_address" ${FORCE_STDOUT}
exit 1
fi
sleep ${time_sleep}
done
cp_print "open-appsec Nano Agent is registered to $var_fog_address" ${FORCE_STDOUT}
fi
}
run_pre_install_test()
{
cp_print "Pre installation tests completed successfully" ${FORCE_STDOUT}
}
run_post_install_test()
{
if [ $var_is_alpine = false ]; then
if [ ! -f ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}/libboost_chrono.so* ]; then
cp_print "Error, libboost_chrono .so file is missing" ${FORCE_STDOUT}
exit 1
fi
if [ ! -f ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}/libboost_context.so* ]; then
cp_print "Error, libboost_context .so file is missing" ${FORCE_STDOUT}
exit 1
fi
if [ ! -f ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}/libboost_system.so* ]; then
cp_print "Error, libboost_system .so file is missing" ${FORCE_STDOUT}
exit 1
fi
if [ ! -f ${USR_LIB_PATH}/cpnano${VS_LIB_SUB_FOLDER}/libboost_thread.so* ]; then
cp_print "Error, libboost_thread .so file is missing" ${FORCE_STDOUT}
exit 1
fi
fi
if [ ! -f ${FILESYSTEM_PATH}/${SERVICE_PATH}/${ORCHESTRATION_FILE_NAME} ]; then
cp_print "Error, cp-nano-agent service file is missing" ${FORCE_STDOUT}
exit 1
fi
cp_print "Post installation tests completed successfully" ${FORCE_STDOUT}
}
uninstall_orchestration()
{
uninstall_script="${FILESYSTEM_PATH}/$SCRIPTS_PATH/$AGENT_UNINSTALL"
if [ ! -f "$uninstall_script" ]; then
cp_dir="${FILESYSTEM_PATH}"
if [ ! -d "$cp_dir" ]; then
echo "open-appsec Nano Agent is not installed"
exit 1
fi
echo "Failed to uninstall Orchestration Nano Service, uninstall script was not found in: $uninstall_script "
exit 1
fi
cp_exec "${uninstall_script}"
if test "$?" = "0"; then
cp_print "open-appsec Nano Agent successfully uninstalled" ${FORCE_STDOUT}
else
cp_print "open-appsec Nano Agent failed to uninstall" ${FORCE_STDOUT}
exit 1
fi
}
cp_exec "mkdir -p ${LOG_FILE_PATH}/${LOG_PATH}/default_debugs_output"
cp_exec "mkdir -p ${LOG_FILE_PATH}/${LOG_PATH}/trace_export_files"
cp_exec "touch ${LOG_FILE_PATH}/${LOG_PATH}/${INSTALLATION_LOG_FILE}"
if [ "$RUN_MODE" = "install" ]; then
install_orchestration
elif [ "$RUN_MODE" = "uninstall" ]; then
uninstall_orchestration
elif [ "$RUN_MODE" = "pre_install_test" ]; then
run_pre_install_test
elif [ "$RUN_MODE" = "post_install_test" ]; then
run_post_install_test
else
usage
exit 1
fi
exit 0
Reference in New Issue View Git Blame Copy Permalink