@nickfox-taterli
Created October 3, 2025 05:53
一键配置GOBGP.
#!/usr/bin/env bash
# One-shot install & deployment of GoBGP (Debian family)
# - Automatically fetches the latest GitHub release (unless GOBGP_VERSION is set manually)
# - Installs gobgpd/gobgp into /usr/local/bin
# - Creates the /etc/gobgp directory and example files
# - Creates a least-privilege systemd service (enabled but not started, so the config can be edited first)
# - Provides a small helper, /usr/local/libexec/gobgp-origin.sh, that injects IPv6 prefixes from a file
# Usage:
# GOBGP_VERSION=3.37.0 /root/setup-gobgp.sh # pin a version (with or without the leading v)
# /root/setup-gobgp.sh # automatically use the latest
#
# NOTE(review): this runs as root and installs binaries downloaded from GitHub
# Releases into /usr/local/bin. Pin GOBGP_VERSION and check the archive digest
# out of band when the install has to be reproducible.
#
# Strict mode: abort on a failing command, on an unset variable, and on a
# failure in any stage of a pipeline.
set -euo pipefail
#######################################
# Refuse to continue unless the effective UID is 0.
# Globals:   EUID (read)
# Outputs:   an error message on stderr when not root
# Returns:   0 when root; exits the shell with status 1 otherwise
#######################################
need_root() {
  (( EUID == 0 )) && return 0
  echo "请以 root 运行." >&2
  exit 1
}
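# Coloured status helpers. Each joins its arguments with spaces and prints
# them on one line wrapped in an ANSI colour sequence.
#
# log  - progress messages, on stdout.
# warn - warnings, on stderr.
# err  - errors, on stderr.
#
# warn and err write to stderr because this script calls them from inside
# command substitutions ($(latest_version), $(detect_arch)). On stdout their
# text would be captured into the version/architecture value instead of being
# shown to the operator.
log() { printf '\033[1;32m[+] %s\033[0m\n' "$*"; }
warn() { printf '\033[1;33m[!] %s\033[0m\n' "$*" >&2; }
err() { printf '\033[1;31m[×] %s\033[0m\n' "$*" >&2; }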
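#######################################
# Map the Debian architecture name to the architecture suffix used in the
# GoBGP release file names.
# Outputs:   the release architecture on stdout; an error on stderr for an
#            architecture that has no mapping
# Returns:   0 on success; exits with status 1 for an unmapped architecture
#######################################
detect_arch() {
  local deb_arch
  deb_arch="$(dpkg --print-architecture)"
  case "$deb_arch" in
    amd64) echo "amd64" ;;
    arm64) echo "arm64" ;;
    armhf | armel) echo "armv6" ;; # upstream ships one generic armv6 build
    i386) echo "386" ;;
    *)
      # The caller captures stdout, so the diagnostic is forced to stderr;
      # otherwise it would be swallowed and the script would die silently.
      err "未支持的架构: $deb_arch" >&2
      exit 1
      ;;
  esac
}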
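#######################################
# Print the newest GoBGP release version, without the leading "v".
# Queries the GitHub releases API; if the lookup fails or yields no tag, falls
# back to the hard-coded version 3.37.0.
# Outputs:   the version on stdout; a warning on stderr when falling back
# Returns:   0
#######################################
latest_version() {
  local tag
  # --proto '=https' keeps curl from following a redirect to a non-HTTPS URL.
  # `|| true` keeps a failed lookup from aborting the script under
  # `set -e -o pipefail`; the fallback below handles it.
  tag="$(curl -fsSL --proto '=https' --tlsv1.2 \
    https://api.github.com/repos/osrg/gobgp/releases/latest \
    | grep -oP '"tag_name":\s*"\Kv[0-9.]+' \
    | head -n 1 || true)"
  if [[ -n "${tag:-}" ]]; then
    echo "${tag#v}"
  else
    # NOTE(review): a failed lookup installs the pinned fallback rather than
    # stopping, so a blocked or rate-limited API call yields an older release.
    # The warning is forced to stderr: the caller captures stdout as the
    # version string, and the warning text must not end up inside it.
    warn "获取最新版本失败,回退到 3.37.0" >&2
    echo "3.37.0"
  fi
}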
#######################################
# Install the packages this installer relies on, without prompting.
# Globals:   DEBIAN_FRONTEND (exported as "noninteractive")
# Outputs:   a progress line via log, plus apt-get output
# Returns:   the status of the last apt-get command
#######################################
install_deps() {
  local -a packages=(curl ca-certificates libcap2-bin tar)
  export DEBIAN_FRONTEND=noninteractive
  log "安装依赖(curl ca-certificates libcap2-bin tar)"
  apt-get update -y
  apt-get install -y --no-install-recommends "${packages[@]}"
}
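#######################################
# Download one GoBGP release archive and install gobgpd and gobgp into
# /usr/local/bin.
# Globals:   tmpdir (written; deliberately global, see below)
#            GOBGP_SHA256 (read, optional): expected SHA-256 of the archive.
#            When set, the download is rejected unless the digest matches.
# Arguments: $1 - version without the leading "v"
#            $2 - release architecture suffix (amd64, arm64, armv6, 386)
# Outputs:   progress via log; errors on stderr
# Returns:   0 on success; exits with status 1 on a rejected argument,
#            a digest mismatch, or a missing binary in the archive
#######################################
download_and_install() {
  local ver="$1" goarch="$2"
  local ver_re='^[0-9A-Za-z][0-9A-Za-z._-]*$'
  local arch_re='^[0-9a-z]+$'

  # Both values are spliced into a URL and a file name, so reject anything
  # that is not a plain version / architecture token (no "/", no "..").
  if [[ ! "$ver" =~ $ver_re || ! "$goarch" =~ $arch_re ]]; then
    err "非法的版本或架构: ${ver} / ${goarch}" >&2
    exit 1
  fi

  local base="gobgp_${ver}_linux_${goarch}"
  local url="https://github.com/osrg/gobgp/releases/download/v${ver}/${base}.tar.gz"
  local archive expected actual bin

  log "下载 GoBGP v${ver} (${goarch})"
  # tmpdir stays global on purpose: the EXIT trap is evaluated when the script
  # ends, after this function's locals are gone.
  tmpdir="$(mktemp -d)"
  trap 'rm -rf -- "${tmpdir:?}"' EXIT
  archive="${tmpdir}/${base}.tar.gz"
  # --proto '=https' also applies to redirects followed by -L.
  curl -fL --proto '=https' --tlsv1.2 "$url" -o "$archive"

  # TLS only authenticates the server. The archive is about to be installed as
  # root-owned executables, so let the operator pin its digest.
  expected="${GOBGP_SHA256:-}"
  if [[ -n "$expected" ]]; then
    actual="$(sha256sum -- "$archive")"
    actual="${actual%% *}"
    if [[ "${actual,,}" != "${expected,,}" ]]; then
      err "SHA-256 校验失败: 期望 ${expected}, 实际 ${actual}" >&2
      exit 1
    fi
  fi

  log "解压并安装到 /usr/local/bin"
  # As root, tar would otherwise restore the ownership recorded in the archive.
  tar -xzf "$archive" -C "$tmpdir" --no-same-owner
  for bin in gobgpd gobgp; do
    # Install only regular files; a symlink in the archive could point
    # `install` at an arbitrary file on the host.
    if [[ ! -f "${tmpdir}/${bin}" || -L "${tmpdir}/${bin}" ]]; then
      err "压缩包中缺少 ${bin}" >&2
      exit 1
    fi
    install -Dm755 "${tmpdir}/${bin}" "/usr/local/bin/${bin}"
  done

  # Convenience for running gobgpd by hand on port 179. Best effort: the
  # systemd unit grants the capability through AmbientCapabilities instead.
  # NOTE(review): the binary is mode 755, so this file capability lets any
  # local user who runs it bind privileged ports; drop it if gobgpd only ever
  # runs under systemd.
  if command -v setcap >/dev/null 2>&1; then
    setcap 'cap_net_bind_service=+ep' /usr/local/bin/gobgpd || true
  fi
}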
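#######################################
# Create /etc/gobgp with an empty main config, a sample IPv6 origin list and a
# commented TOML skeleton, and install the prefix-injection helper
# /usr/local/libexec/gobgp-origin.sh.
#
# gobgpd.toml and origin-v6.txt are operator-edited files, so they are only
# created when absent; re-running the installer (for example to upgrade) must
# not blank a working BGP configuration. The .example file and the helper
# script are always rewritten.
# Outputs:   progress via log; a warning on stderr for each file kept as-is
# Returns:   0 on success
#######################################
make_layout_and_examples() {
  log "创建配置与示例"
  install -d /etc/gobgp

  # Main config: start empty, the operator fills it in.
  if [[ -e /etc/gobgp/gobgpd.toml ]]; then
    warn "已存在 /etc/gobgp/gobgpd.toml,保留不覆盖" >&2
  else
    install -m0644 /dev/null /etc/gobgp/gobgpd.toml
  fi

  # Sample IPv6 prefix list.
  # NOTE(review): the unit's ExecStartPost feeds this file to the injector, so
  # the sample prefix below is originated on the first start unless the file
  # is edited first. Replace it with a prefix you are authorised to announce.
  if [[ -e /etc/gobgp/origin-v6.txt ]]; then
    warn "已存在 /etc/gobgp/origin-v6.txt,保留不覆盖" >&2
  else
    cat >/etc/gobgp/origin-v6.txt <<'EOF'
2a12:f8c0:10FF::/48
# 支持空行与以 # ; 开头的注释
EOF
  fi

  # Reference TOML skeleton; gobgpd does not read this file.
  cat >/etc/gobgp/gobgpd.toml.example <<'EOF'
# 这是示例骨架,复制到 gobgpd.toml 后按需修改
[global.config]
as = 65000
router-id = "192.0.2.1"
# [[neighbors]]
# [neighbors.config]
# neighbor-address = "203.0.113.2"
# peer-as = 65001
#
# [neighbors.transport.config]
# local-address = "203.0.113.1"
#
# [neighbors.ebgp-multihop.config]
# enabled = false
#
# [address-family.ipv4-unicast]
# [address-family.ipv4-unicast.config]
# enabled = true
#
# [address-family.ipv6-unicast]
# [address-family.ipv6-unicast.config]
# enabled = true
EOF

  # Injection helper. It waits (WAIT_SECONDS, default 20) for the gobgpd API,
  # strips CR/BOM/blank/comment lines from the prefix file, and adds each
  # remaining line to the IPv6 global RIB. A failed add is ignored per line,
  # so "done" is printed even when some prefixes were rejected.
  install -d /usr/local/libexec
  install -Dm755 /dev/stdin /usr/local/libexec/gobgp-origin.sh <<'BASH'
#!/usr/bin/env bash
# Inject IPv6 origins to GoBGP from a prefix list file.
set -euo pipefail
API="${GOBGP_API:-127.0.0.1:50051}"
FILE="${1:-/etc/gobgp/origin-v6.txt}"
WAIT="${WAIT_SECONDS:-20}" # 最多等 gRPC 20s
[ -f "$FILE" ] || exit 0
# 等 gobgpd 的 gRPC 端口就绪
until /usr/local/bin/gobgp --target "$API" neighbor >/dev/null 2>&1; do
if (( WAIT-- <= 0 )); then
echo "[gobgp-origin] ERROR: gobgpd API $API 未就绪" >&2
exit 1
fi
sleep 1
done
# 清洗 + 注入
awk '
BEGIN { RS = "\n" }
{
gsub(/\r/, ""); # 去 CRLF 的 \r
sub(/^\xEF\xBB\xBF/, ""); # 去 UTF-8 BOM
sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "");# trim
if ($0 ~ /^$/) next; # 空行
if ($0 ~ /^[#;]/) next; # 注释
print
}
' "$FILE" | while IFS= read -r pfx; do
echo "[gobgp-origin] announce $pfx"
/usr/local/bin/gobgp --target "$API" global rib -a ipv6 add "$pfx" origin igp nexthop :: || true
done
echo "[gobgp-origin] done"
BASH
}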
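#######################################
# Create the unprivileged "gobgp" system account, make sure its state
# directory exists, write the systemd unit and enable it (without starting).
# Outputs:   progress via log
# Returns:   0 on success
#######################################
make_user_and_service() {
  log "创建最小权限运行用户"
  if ! id gobgp >/dev/null 2>&1; then
    adduser --system --group --home /var/lib/gobgp --shell /usr/sbin/nologin gobgp
  fi
  # The unit lists /var/lib/gobgp in ReadWritePaths, and systemd refuses to
  # start a service whose ReadWritePaths entry is missing. A pre-existing
  # gobgp account skips adduser above, so create the directory explicitly.
  if [[ ! -d /var/lib/gobgp ]]; then
    install -d -o gobgp -g gobgp -m 0750 /var/lib/gobgp
  fi

  log "写入 systemd unit:/etc/systemd/system/gobgpd.service"
  # Unit notes:
  # - The gRPC API is bound to 127.0.0.1:50051 only. The injector and the
  #   gobgp CLI pass no credentials, so keep it on loopback.
  # - ExecStartPost runs the injector, which exits 1 if the API is not ready
  #   within its wait window; with Restart=always a failed start is retried
  #   every RestartSec seconds.
  # - NOTE(review): ReadWritePaths includes /etc/gobgp. Presumably gobgpd only
  #   reads its config; confirm, and narrow to read-only if so.
  cat >/etc/systemd/system/gobgpd.service <<'EOF'
[Unit]
Description=GoBGP daemon
After=network-online.target
Wants=network-online.target
[Service]
User=gobgp
Group=gobgp
ExecStart=/usr/local/bin/gobgpd -f /etc/gobgp/gobgpd.toml -t toml \
--api-hosts=127.0.0.1:50051 --config-auto-reload -l info
# 开机就把永久前缀注入
ExecStartPost=/usr/local/libexec/gobgp-origin.sh
Restart=always
RestartSec=2
LimitNOFILE=1048576
# 能力最小化:只允许绑定 179
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/etc/gobgp /var/lib/gobgp
PrivateTmp=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
[Install]
WantedBy=multi-user.target
EOF
  systemctl daemon-reload
  systemctl enable gobgpd
}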
#######################################
# Run the whole installation: root check, dependencies, version and
# architecture resolution, download, config layout, service setup, and a
# closing hint for the operator.
# Globals:   GOBGP_VERSION (read, optional; a leading "v" is stripped)
# Outputs:   progress messages and the final next-steps banner on stdout
#######################################
main() {
  local version goarch

  need_root
  install_deps

  # An explicitly pinned version wins; otherwise ask GitHub for the latest.
  version="${GOBGP_VERSION:-}"
  version="${version#v}"
  [[ -n "$version" ]] || version="$(latest_version)"
  goarch="$(detect_arch)"

  download_and_install "$version" "$goarch"
  make_layout_and_examples
  make_user_and_service

  # The banner contains no expansions, so a quoted delimiter prints the same
  # text.
  cat <<'TIP'
====================================================
GoBGP 已安装好并启用了开机自启(未启动).
下一步:
1) 编辑配置: nano /etc/gobgp/gobgpd.toml
(可参考: /etc/gobgp/gobgpd.toml.example)
2) 启动/重启: systemctl start gobgpd
systemctl restart gobgpd
3) 看日志: journalctl -u gobgpd -f
4) 看状态: gobgp --target 127.0.0.1:50051 global
gobgp --target 127.0.0.1:50051 neighbor
====================================================
TIP
}
# Entry point: pass the script's command-line arguments through to main.
main "$@"