Last active
January 29, 2018 21:49
-
-
Save kwilson7770/6fcb58cd94f01b851ceac310ebdf15c0 to your computer and use it in GitHub Desktop.
Install and Setup Docket on CentOS 7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [[ $EUID -ne 0 ]]; then | |
| echo "This code must be run as root" | |
| else | |
| ### UPDATE THIS SECTION ### | |
| # Configure your sensor interface for stenographer (will be configured for this role) | |
| sensor_if=ens160 | |
| ### UPDATE THIS SECTION ### | |
| # Don't copy and paste more than 75-100 lines at a time when using ssh/putty. This will cause data to get corrupted and it will not install properly | |
| # you should just wget https://gist.githubusercontent.com/kwilson7770/6fcb58cd94f01b851ceac310ebdf15c0/raw/install_docket.sh and edit the interface name to be on the safe side | |
| ### Software and Updates ### | |
| # installing updates and software | |
| yum update -y -q | |
| yum install git epel-release wget -y -q | |
| # Downloading repo for docket software | |
| wget --directory-prefix=/tmp https://copr.fedorainfracloud.org/coprs/g/rocknsm/rocknsm-2.1/repo/epel-7/group_rocknsm-rocknsm-2.1-epel-7.repo | |
| /usr/bin/mv /tmp/group_rocknsm-rocknsm-2.1-epel-7.repo /etc/yum.repos.d/ | |
| # Installing remaining software | |
| yum install nginx docket stenographer -y -q | |
| ### Configuring Sensor Interface ### | |
| # Creating/overwriting interface configuration files for sensor interface | |
| cat << EOF > /etc/sysconfig/network-scripts/ifcfg-$sensor_if | |
| TYPE="Ethernet" | |
| BOOTPROTO="static" | |
| NAME="$sensor_if" | |
| DEVICE="$sensor_if" | |
| ONBOOT="yes" | |
| EOF | |
| # Reloading sensor interface configuration | |
| ifdown $sensor_if && ifup $sensor_if | |
| # Disabling IPv6 for sensor interface | |
| if ! grep -q "net.ipv6.conf.$sensor_if.disable_ipv6 = 1" /etc/sysctl.conf; then | |
| echo "net.ipv6.conf.$sensor_if.disable_ipv6 = 1" >> /etc/sysctl.conf | |
| fi | |
| sysctl -p | |
| # Turning on promiscuous mode for the sensor interface | |
| ip link set dev $sensor_if promisc on | |
| # Making this change persistent | |
| if ! grep -Fxq "ip link set dev $sensor_if promisc on" /etc/rc.local; then | |
| echo "ip link set dev $sensor_if promisc on" >> /etc/rc.local | |
| fi | |
| # Displaying current settings | |
| ip addr show dev $sensor_if | |
| ### Configuring/Starting Stenographer ### | |
| # Updating stenographer configuration file | |
| sed -i 's|"PacketsDirectory": "/path/to/thread0/packets/directory"|"PacketsDirectory": "/data/stenographer/thread0/packets"|g' /etc/stenographer/config | |
| sed -i 's|"IndexDirectory": "/path/to/thread0/index/directory"|"IndexDirectory": "/data/stenographer/thread0/index"|g' /etc/stenographer/config | |
| sed -i "s/\"Interface\": \"em1\"/\"Interface\": \"$sensor_if\"/g" /etc/stenographer/config | |
| # Generating stenographer keys | |
| /usr/bin/stenokeys.sh stenographer stenographer | |
| # Creating and changing permissions on stenographer directory | |
| if [ ! -d /data ]; then | |
| mkdir /data | |
| fi | |
| if [ ! -d /data/stenographer ]; then | |
| mkdir /data/stenographer | |
| fi | |
| chown stenographer:stenographer /data/stenographer | |
| # Starting and enabling stenographer | |
| systemctl enable stenographer | |
| systemctl start stenographer | |
| ### Generating packets for stenographer to capture ### | |
| # Making some noise for stenographer to capture | |
| sleep 5 | |
| ping -b 255.255.255.255 -I ens34 -c 10 | |
| # Displaying output from stenoread | |
| sleep 5 | |
| stenoread icmp -n | |
| ### Setting up JeffKwasha's docket-concurrency ### | |
| # cloning code from Github | |
| cd /tmp | |
| rm -rf /tmp/docket-concurrency | |
| git clone -b concurrency https://github.com/JeffKwasha/docket /tmp/docket-concurrency | |
| # Setting up services in /usr/lib/systemd/system/ | |
| /usr/bin/cp /tmp/docket-concurrency/systemd/docket-celery-io.service /usr/lib/systemd/system/ | |
| /usr/bin/cp /tmp/docket-concurrency/systemd/docket-celery-query.service /usr/lib/systemd/system/ | |
| /usr/bin/cp /tmp/docket-concurrency/systemd/docket.service /usr/lib/systemd/system/ | |
| /usr/bin/cp /tmp/docket-concurrency/systemd/docket.socket /usr/lib/systemd/system/ | |
| # Setting up docket environment | |
| /usr/bin/cp /tmp/docket-concurrency/systemd/docket.sysconfig /etc/sysconfig/docket | |
| # Remove service from other install | |
| systemctl stop docket-celery.service | |
| rm -f /usr/lib/systemd/system/docket-celery.service | |
| # Setting up uwsg | |
| /usr/bin/cp /tmp/docket-concurrency/systemd/docket-uwsgi.ini /etc/docket/ | |
| # Setting up systemd tmpfiles | |
| /usr/bin/cp /tmp/docket-concurrency/systemd/docket-tmpfiles.conf /etc/tmpfiles.d/docket.conf | |
| # Setting up docket config | |
| /usr/bin/cp /tmp/docket-concurrency/conf/prod.yaml /etc/docket/docket.yaml | |
| # Setting up web server | |
| /usr/bin/cp /tmp/docket-concurrency/contrib/nginx-example.conf /etc/nginx/conf.d/docket.conf | |
| # Making sure the spool directory exists | |
| if [ ! -d /var/spool/docket ]; then | |
| mkdir /var/spool/docket | |
| fi | |
| chown docket:docket /var/spool/docket | |
| # Making sure socket directory exists | |
| if [ ! -d /run/docket ]; then | |
| mkdir /run/docket | |
| fi | |
| chown docket:docket /run/docket | |
| # Updating socket permissions | |
| chown docket:docket /run/docket/docket.socket | |
| # Adding nginx user to docket group | |
| gpasswd --add nginx docket | |
| # Making /etc/rc.local executable | |
| chmod +x /etc/rc.local | |
| # Granted read rights to all to stenographer private key (at least until I can find a better way to give the celery process access to it) | |
| chmod +r /etc/stenographer/certs/client_127.0.0.1_client_key.pem | |
| # Updating the firewall to allow 8080 | |
| firewall-cmd --add-port 8080/tcp --permanent # this is for persistence | |
| firewall-cmd --add-port 8080/tcp # this is so it take effect immediately | |
| # Creating /tmp/docket/pcap directory with the correct permissions | |
| if [ ! -d /tmp/docket ]; then | |
| mkdir /tmp/docket | |
| fi | |
| if [ ! -d /tmp/docket/pcap ]; then | |
| mkdir /tmp/docket/pcap | |
| fi | |
| chown -R docket:docket /tmp/docket | |
| # Reloading the systemctl daemon due to service file modifications | |
| systemctl daemon-reload | |
| # Stopping all services | |
| systemctl stop nginx docket.socket docket.service | |
| # Starting and enable all services | |
| systemctl enable nginx docket.socket docket.service | |
| systemctl start nginx docket.socket docket.service | |
| ### Testing and log time ### | |
| # Testing docket | |
| curl -s localhost:8080/uri/after/5m | |
| curl -s -XPOST localhost:8080/api/ -d 'proto-name=icmp' -v | tcpdump -nr - | |
| # Checking spool and logs | |
| ls /var/spool/docket | |
| # Checking messages | |
| tail /var/log/messages | |
| echo "Try running curl -s -XPOST localhost:8080/api/ -d 'proto-name=icmp' -v | tcpdump -nr - in 30-45 seconds and see if stenographer stored captured packets to disk" | |
| echo "You might need to generate some more pings for stenographer in case stenographer wasn't ready when the script did some pings" | |
| echo "Run this: ping -b 255.255.255.255 -I ens34 -c 10" | |
| fi |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment