phg
f6785b69ac
- Introduced `crowdsec-configuration.sh` to enable write-ahead logging in SQLite for improved performance. - Added `crowdsec-repo-setup.sh` for automated installation of Crowdsec repositories, handling various Linux distributions and package managers. - Included `tailscale.sh` for detecting the OS and installing Tailscale according to its conventions, supporting multiple package management systems.
370 lines
14 KiB
Bash
370 lines
14 KiB
Bash
#!/bin/sh
|
|
#
|
|
# Inspired from packagecloud installation scripts
|
|
#
|
|
# #MIT License
|
|
#
|
|
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
# of this software and associated documentation files (the "Software"), to deal
|
|
# in the Software without restriction, including without limitation the rights
|
|
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
# copies of the Software, and to permit persons to whom the Software is
|
|
# furnished to do so, subject to the following conditions:
|
|
|
|
# The above copyright notice and this permission notice shall be included in all
|
|
# copies or substantial portions of the Software.
|
|
|
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
# SOFTWARE.
|
|
#
|
|
# Crowdsec repositories installation script
|
|
#
|
|
# This script:
|
|
# - Requires `root` or `sudo` privileges to run
|
|
# - Attempts to detect your Linux distribution and version and configure your
|
|
# package management system for you.
|
|
# - Installs dependencies and recommendations without asking for confirmation.
|
|
# - Is POSIX compliant and can be run using bash or any POSIX-compliant shell
|
|
|
|
|
|
unknown_os() {
|
|
echo "Unfortunately, your operating system distribution and version are not supported by this script."
|
|
echo
|
|
echo "You can override the OS detection by setting os= and dist= prior to running this script."
|
|
echo "You can find a list of supported OSes and distributions on our website: https://packagecloud.io/docs#os_distro_version"
|
|
echo
|
|
echo "For example, to force Ubuntu Trusty: os=ubuntu dist=trusty ./script.sh"
|
|
echo
|
|
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec"
|
|
exit 1
|
|
}
|
|
|
|
detect_os() {
|
|
if [ -z "$os" ] && [ -z "$dist" ]; then
|
|
if [ -e /etc/os-release ]; then
|
|
. /etc/os-release
|
|
os=$ID
|
|
if [ "$os" = "poky" ]; then
|
|
dist="$VERSION_ID"
|
|
elif [ "$os" = "sles" ]; then
|
|
dist="$VERSION_ID"
|
|
os=opensuse
|
|
elif [ "$os" = "opensuse" ]; then
|
|
dist="$VERSION_ID"
|
|
elif [ "$os" = "opensuse-leap" ]; then
|
|
os=opensuse
|
|
dist="$VERSION_ID"
|
|
elif [ "$os" = "amzn" ]; then
|
|
dist="$VERSION_ID"
|
|
else
|
|
dist=$(echo "$VERSION_ID" | awk -F '.' '{ print $1 }')
|
|
fi
|
|
|
|
elif command -v lsb_release >/dev/null; then
|
|
# get major version (e.g. '5' or '6')
|
|
dist=$(lsb_release -r | cut -f2 | awk -F '.' '{ print $1 }')
|
|
|
|
# get os (e.g. 'centos', 'redhatenterpriseserver', etc)
|
|
os=$(lsb_release -i | cut -f2 | awk '{ print tolower($1) }')
|
|
|
|
elif [ -e /etc/oracle-release ]; then
|
|
dist=$(cut -f5 --delimiter=' ' /etc/oracle-release | awk -F '.' '{ print $1 }')
|
|
os='ol'
|
|
|
|
elif [ -e /etc/fedora-release ]; then
|
|
dist=$(cut -f3 --delimiter=' ' /etc/fedora-release)
|
|
os='fedora'
|
|
|
|
elif [ -e /etc/redhat-release ]; then
|
|
os_hint=$(awk '{ print tolower($1) }' /etc/redhat-release)
|
|
if [ "$os_hint" = "centos" ]; then
|
|
dist=$(awk '{ print $3 }' /etc/redhat-release | awk -F '.' '{ print $1 }')
|
|
os='centos'
|
|
elif [ "$os_hint" = "scientific" ]; then
|
|
dist=$(awk '{ print $4 }' /etc/redhat-release | awk -F '.' '{ print $1 }')
|
|
os='scientific'
|
|
else
|
|
dist=$(awk '{ print tolower($7) }' /etc/redhat-release | cut -f1 --delimiter='.')
|
|
os='redhatenterpriseserver'
|
|
fi
|
|
|
|
elif grep -q Amazon /etc/issue; then
|
|
dist='6'
|
|
os='aws'
|
|
else
|
|
unknown_os
|
|
fi
|
|
fi
|
|
|
|
# remove whitespace from OS and dist name and transform to lowercase
|
|
os=$(echo "$os" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
|
|
dist=$(echo "$dist" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
|
|
|
|
if [ -z "$dist" ]; then
|
|
echo "Detected operating system as $os."
|
|
else
|
|
echo "Detected operating system as $os/$dist."
|
|
fi
|
|
|
|
if [ "$os" = "ol" ] || [ "$os" = "el" ] && [ "$dist" -gt 7 ]; then
|
|
_skip_pygpgme=1
|
|
else
|
|
_skip_pygpgme=0
|
|
fi
|
|
|
|
}
|
|
|
|
gpg_check_deb() {
|
|
echo "Checking for gpg..."
|
|
if command -v gpg >/dev/null; then
|
|
echo "Detected gpg..."
|
|
else
|
|
echo "Installing gnupg for GPG verification..."
|
|
if ! apt-get install -y gnupg; then
|
|
echo "Unable to install GPG! Your base system has a problem; please check your default OS's package repositories because GPG should work."
|
|
echo "Repository installation aborted."
|
|
echo
|
|
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec"
|
|
exit 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
curl_check_deb() {
|
|
echo "Checking for curl..."
|
|
if command -v curl >/dev/null; then
|
|
echo "Detected curl..."
|
|
else
|
|
echo "Installing curl..."
|
|
|
|
if apt-get install -q -y curl; then
|
|
echo "Unable to install curl! Your base system has a problem; please check your default OS's package repositories because curl should work."
|
|
echo "Repository installation aborted."
|
|
echo
|
|
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec"
|
|
exit 1
|
|
fi
|
|
fi
|
|
}
|
|
|
|
curl_check_rpm() {
|
|
echo "Checking for curl..."
|
|
if command -v curl >/dev/null; then
|
|
echo "Detected curl..."
|
|
else
|
|
echo "Installing curl..."
|
|
yum install -d0 -e0 -y curl
|
|
fi
|
|
}
|
|
|
|
curl_check_zypper() {
|
|
echo "Checking for curl..."
|
|
if command -v curl >/dev/null; then
|
|
echo "Detected curl..."
|
|
else
|
|
echo "Installing curl..."
|
|
zypper install curl
|
|
fi
|
|
}
|
|
|
|
finalize_yum_repo() {
|
|
if [ "$_skip_pygpgme" = 0 ]; then
|
|
echo "Installing pygpgme to verify GPG signatures..."
|
|
yum install -y pygpgme --disablerepo="crowdsec_${repo}"
|
|
if ! rpm -qa | grep -qw pygpgme; then
|
|
echo
|
|
echo "WARNING: "
|
|
echo "The pygpgme package could not be installed. This means GPG verification is not possible for any RPM installed on your system. "
|
|
echo "To fix this, add a repository with pygpgme. Usually, the EPEL repository for your system will have this. "
|
|
echo "More information: https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F"
|
|
echo
|
|
|
|
# set the repo_gpgcheck option to 0
|
|
sed -i'' 's/repo_gpgcheck=1/repo_gpgcheck=0/' "/etc/yum.repos.d/crowdsec_${repo}.repo"
|
|
fi
|
|
fi
|
|
|
|
echo "Installing yum-utils..."
|
|
yum install -y yum-utils --disablerepo="crowdsec_${repo}"
|
|
if ! rpm -qa | grep -qw yum-utils; then
|
|
echo
|
|
echo "WARNING: "
|
|
echo "The yum-utils package could not be installed. This means you may not be able to install source RPMs or use other yum features."
|
|
echo
|
|
fi
|
|
|
|
echo "Generating yum cache for crowdsec..."
|
|
yum -q makecache -y --disablerepo='*' --enablerepo="crowdsec_${repo}"
|
|
}
|
|
|
|
install_debian_keyring() {
|
|
if [ "$os" = "debian" ]; then
|
|
echo "Installing debian-archive-keyring which is needed for installing "
|
|
echo "apt-transport-https on many Debian systems."
|
|
apt-get install -y debian-archive-keyring >/dev/null 2>&1
|
|
fi
|
|
}
|
|
|
|
detect_apt_version() {
|
|
apt_version_full=$(apt-get -v | head -1 | awk '{ print $2 }')
|
|
apt_version_major=$(echo "$apt_version_full" | cut -d. -f1)
|
|
apt_version_minor=$(echo "$apt_version_full" | cut -d. -f2)
|
|
apt_version_modified="${apt_version_major}${apt_version_minor}0"
|
|
|
|
echo "Detected apt version as $apt_version_full"
|
|
}
|
|
|
|
main() {
|
|
if [ -z "$repo" ]; then
|
|
repo="crowdsec"
|
|
fi
|
|
|
|
detect_os
|
|
case $os in
|
|
ubuntu | debian | raspbian | linuxmint)
|
|
detect_apt_version
|
|
gpg_check_deb
|
|
curl_check_deb
|
|
apt_source_path="/etc/apt/sources.list.d/crowdsec_${repo}.list"
|
|
pre_reqs="apt-transport-https ca-certificates curl"
|
|
if [ -f "$apt_source_path" ]; then
|
|
echo
|
|
echo "The file $apt_source_path already exists: overwriting it."
|
|
echo
|
|
fi
|
|
# needed dependencies
|
|
apt-get update -qq >/dev/null
|
|
#shellcheck disable=SC2086
|
|
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq $pre_reqs >/dev/null
|
|
# gpg keys
|
|
gpg_key_url="https://packagecloud.io/crowdsec/${repo}/gpgkey"
|
|
apt_keyrings_dir="/etc/apt/keyrings"
|
|
gpg_keyring_path="$apt_keyrings_dir/crowdsec_${repo}-archive-keyring.gpg"
|
|
gpg_key_path_old="/etc/apt/trusted.gpg.d/crowdsec_${repo}.gpg"
|
|
echo
|
|
echo "Importing packagecloud gpg key... "
|
|
echo
|
|
|
|
# move gpg key to old path if apt version is older than 1.1
|
|
if [ "$apt_version_modified" -lt 110 ]; then
|
|
curl -fsSL "$gpg_key_url" | gpg --dearmor >"$gpg_key_path_old"
|
|
# grant 644 permisions to gpg key path old
|
|
chmod 0644 "$gpg_key_path_old"
|
|
|
|
# deletes the keyrings directory if it is empty
|
|
echo "Packagecloud gpg key imported to $gpg_key_path_old"
|
|
else
|
|
if [ ! -d "$apt_keyrings_dir" ]; then
|
|
install -d -m 0755 "$apt_keyrings_dir"
|
|
fi
|
|
# import the gpg key
|
|
curl -fsSL "$gpg_key_url" | gpg --dearmor >"$gpg_keyring_path"
|
|
# grant 644 permisions to gpg keyring path
|
|
chmod 0644 "$gpg_keyring_path"
|
|
|
|
echo "Packagecloud gpg key imported to $gpg_keyring_path"
|
|
fi
|
|
echo
|
|
echo "Installing ${apt_source_path}..."
|
|
echo
|
|
echo "deb [signed-by=/etc/apt/keyrings/crowdsec_${repo}-archive-keyring.gpg] https://packagecloud.io/crowdsec/${repo}/any/ any main" >"$apt_source_path"
|
|
echo "deb-src [signed-by=/etc/apt/keyrings/crowdsec_${repo}-archive-keyring.gpg] https://packagecloud.io/crowdsec/${repo}/any/ any main" >>"$apt_source_path"
|
|
apt-get update -qq >/dev/null
|
|
|
|
;;
|
|
centos | rhel | fedora | redhatentrepriseserver | amzn | cloudlinux | almalinux | rocky | opensuse | ol)
|
|
if [ "$os" = "ol" ] && [ "$dist" = "7" ] || [ "$os" = "amzn" ] && [ "$dist" = "2" ]; then
|
|
rpm_repo_config_url="https://packagecloud.io/install/repositories/crowdsec/${repo}/config_file.repo?os=${os}&dist=${dist}&source=script"
|
|
else
|
|
rpm_repo_config_url="https://packagecloud.io/install/repositories/crowdsec/${repo}/config_file.repo?os=rpm_any&dist=rpm_any&source=script"
|
|
fi
|
|
if [ "$os" = "opensuse" ]; then
|
|
curl_check_zypper
|
|
rpm_repo_path=/etc/zypp/repos.d/crowdsec_${repo}.repo
|
|
else
|
|
curl_check_rpm
|
|
rpm_repo_path=/etc/yum.repos.d/crowdsec_${repo}.repo
|
|
fi
|
|
|
|
echo "Downloading repository file: $rpm_repo_config_url"
|
|
|
|
curl -sSf "$rpm_repo_config_url" >"$rpm_repo_path"
|
|
curl_exit_code=$?
|
|
if [ "$curl_exit_code" = "22" ]; then
|
|
echo
|
|
echo
|
|
echo "Unable to download repo config from: "
|
|
echo "$rpm_repo_config_url"
|
|
echo
|
|
echo "This usually happens if your operating system is not supported by "
|
|
echo "packagecloud.io, or this script's OS detection failed."
|
|
echo
|
|
echo "You can override the OS detection by setting os= and dist= prior to running this script."
|
|
echo "You can find a list of supported OSes and distributions on our website: https://packagecloud.io/docs#os_distro_version"
|
|
echo
|
|
echo "For example, to force CentOS 6: os=el dist=6 ./script.sh"
|
|
echo
|
|
echo "If you are running a supported OS, please file an issue at https://github.com/crowdsecurity/crowdsec."
|
|
[ -e "$rpm_repo_path" ] && rm "$rpm_repo_path"
|
|
exit 1
|
|
elif [ "$curl_exit_code" = "35" ] || [ "$curl_exit_code" = "60" ]; then
|
|
echo
|
|
echo "curl is unable to connect to packagecloud.io over TLS when running: "
|
|
echo " curl $rpm_repo_config_url"
|
|
echo
|
|
echo "This is usually due to one of two things:"
|
|
echo
|
|
echo " 1.) Missing CA root certificates (make sure the ca-certificates package is installed)"
|
|
echo " 2.) An old version of libssl. Try upgrading libssl on your system to a more recent version"
|
|
echo
|
|
echo "Contact support@crowdsec.net with information about your system for help."
|
|
[ -e "$rpm_repo_path" ] && rm "$rpm_repo_path"
|
|
exit 1
|
|
elif [ "$curl_exit_code" -gt "0" ]; then
|
|
echo
|
|
echo "Unable to run: "
|
|
echo " curl $rpm_repo_config_url"
|
|
echo
|
|
echo "Double check your curl installation and try again."
|
|
echo
|
|
echo "Please file an issue at https://github.com/crowdsecurity/crowdsec if you think the behavior is not intended"
|
|
[ -e "$rpm_repo_path" ] && rm "$rpm_repo_path"
|
|
exit 1
|
|
else
|
|
echo "done."
|
|
fi
|
|
if [ "$os" = "opensuse" ]; then
|
|
zypper --gpg-auto-import-keys refresh "crowdsec_${repo}"
|
|
zypper --gpg-auto-import-keys refresh "crowdsec_${repo}-source"
|
|
else
|
|
echo "$os"
|
|
finalize_yum_repo
|
|
fi
|
|
;;
|
|
*)
|
|
echo "Error This system is not supported (yet) by this script."
|
|
echo "Please have a look at documentation https://docs.crowdsec.net/ or"
|
|
echo "file an issue at https://github.com/crowdsecurity/crowdsec if you think"
|
|
echo "the behavior is not intended"
|
|
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
echo
|
|
}
|
|
|
|
if [ "$(id -u)" -ne 0 ]; then
|
|
echo "This script must be run as root"
|
|
echo
|
|
echo "file an issue at https://github.com/crowdsecurity/crowdsec if you think"
|
|
echo "the behavior is not intended"
|
|
exit 1
|
|
fi
|
|
|
|
main
|