Agent Fails to start and Install Rocky Linux #2189
Comments
sjkeerthi
added
bug
|
I found another strange after when I install it remove all my existing cronjob that what I set :( all the cronjob are gone. |
|
Hi @sjkeerthi. Can you use this script to install the agents on Rocky Linux. While Rocky Linux is not supported yet meanwhile I did little change in script to add rocky. #!/bin/bash
# MGMT_CONSOLE_URL: Example: threatmapper.customer.com or 65.65.65.65
export MGMT_CONSOLE_URL="${MGMT_CONSOLE_URL}"
export DEEPFENCE_KEY="${DEEPFENCE_KEY}"
if [[ -z "$MGMT_CONSOLE_URL" ]]; then
echo "env MGMT_CONSOLE_URL is not set"
exit 1
fi
if [[ -z "$DEEPFENCE_KEY" ]]; then
echo "env DEEPFENCE_KEY is not set"
exit 1
fi
export MGMT_CONSOLE_PORT="443"
export MGMT_CONSOLE_URL_SCHEMA="https"
export DF_HOSTNAME="$(hostname)"
export DF_LOG_LEVEL="info"
MANAGEMENT_CONSOLE_URL="$MGMT_CONSOLE_URL_SCHEMA://$MGMT_CONSOLE_URL:$MGMT_CONSOLE_PORT"
OS_ID=$(grep -oP '(?<=^ID=).+' /etc/os-release | tr -d '"')
if [[ "$OS_ID" == "amzn" || "$OS_ID" == "centos" ]]; then
# Do necessary installs for Amazon Linux
yum -y install logrotate jq curl
if [[ "$?" != "0" ]]; then
echo "Failed to install logrotate"
exit 1
fi
elif [[ "$OS_ID" == "rocky" ]]; then
# Do necessary installs for Rocky Linux
dnf -y install logrotate jq curl --skip-broken
if [[ "$?" != "0" ]]; then
echo "Failed to install logrotate"
exit 1
fi
else
# Do necessary installs for Ubuntu
apt-get -y install logrotate jq curl
if [[ "$?" != "0" ]]; then
echo "Failed to install logrotate"
exit 1
fi
fi
access_token_response=$(curl -m 5 -s -k "$MANAGEMENT_CONSOLE_URL/deepfence/auth/token" \
--header 'Content-Type: application/json' \
--data "{\"api_token\": \"$DEEPFENCE_KEY\"}")
if [[ $access_token_response == "" ]]; then
echo "Failed to connect to the management console"
exit 1
fi
access_token=$(jq -r '.access_token' <<< "$access_token_response")
if [[ $access_token == "" || $access_token == "null" ]]; then
echo "Failed to authenticate"
echo "$access_token_response"
exit 1
fi
download_url_response=$(curl -m 5 -s -k "$MANAGEMENT_CONSOLE_URL/deepfence/agent-deployment/binary/download-url" \
--header "Authorization: Bearer $access_token")
if [[ $download_url_response == "" ]]; then
echo "Failed to get agent binary download url"
exit 1
fi
start_agent_script_download_url=$(jq -r '.start_agent_script_download_url' <<< "$download_url_response")
if [[ $start_agent_script_download_url == "" ]]; then
echo "Failed to get agent binary download url"
echo "$download_url_response"
exit 1
fi
uninstall_agent_script_download_url=$(jq -r '.uninstall_agent_script_download_url' <<< "$download_url_response")
if [[ $uninstall_agent_script_download_url == "" ]]; then
echo "Failed to get agent binary download url"
echo "$download_url_response"
exit 1
fi
curl -k -o uninstall_deepfence.sh "$uninstall_agent_script_download_url"
chmod +x uninstall_deepfence.sh
echo "Uninstalling existing Deepfence agent installation, if any"
systemctl stop deepfence-agent.service
systemctl disable deepfence-agent.service
rm -f /etc/systemd/system/deepfence-agent.service
bash uninstall_deepfence.sh
if [[ ! -d "/opt/deepfence" ]]; then
mkdir -p /opt/deepfence /opt/deepfence/var/log/
fi
architecture=""
case $(uname -m) in
i386) architecture="386" ;;
i686) architecture="386" ;;
x86_64) architecture="amd64" ;;
arm) dpkg --print-architecture | grep -q "arm64" && architecture="arm64" || architecture="arm" ;;
esac
echo "Detected architecture: $architecture"
agent_binary_download_url=$(jq -r --arg architecture "agent_binary_${architecture}_download_url" '.[$architecture]' <<< "$download_url_response")
agent_binary_filename=$(basename "$agent_binary_download_url")
agent_binary_filename=$(cut -f1 -d"?" <<< "$agent_binary_filename")
if [[ $agent_binary_download_url == "" || $agent_binary_filename == "" ]]; then
echo "Failed to get agent binary download url"
echo "$download_url_response"
exit 1
fi
echo "Downloading agent binary from $agent_binary_download_url to /opt/deepfence/$agent_binary_filename"
curl -k -o "/opt/deepfence/$agent_binary_filename" "$agent_binary_download_url"
curl -k -o /opt/deepfence/start_deepfence_agent.sh "$start_agent_script_download_url"
chmod +x "/opt/deepfence/start_deepfence_agent.sh"
tar -xzf "/opt/deepfence/$agent_binary_filename" -C /opt/deepfence/
echo "MGMT_CONSOLE_URL: $MGMT_CONSOLE_URL"
echo "MGMT_CONSOLE_PORT: $MGMT_CONSOLE_PORT"
echo "DF_HOSTNAME: $DF_HOSTNAME"
echo "Installing Deepfence agent as daemon service"
cat << EOF > /etc/systemd/system/deepfence-agent.service
[Unit]
Description=Deepfence Agent Service
After=network.target
[Service]
Environment=MGMT_CONSOLE_URL="$MGMT_CONSOLE_URL"
Environment=DEEPFENCE_KEY="$DEEPFENCE_KEY"
Environment=MGMT_CONSOLE_PORT="$MGMT_CONSOLE_PORT"
Environment=MGMT_CONSOLE_URL_SCHEMA="$MGMT_CONSOLE_URL_SCHEMA"
Environment=DF_HOSTNAME="$(hostname)"
Environment=DF_LOG_LEVEL="$DF_LOG_LEVEL"
User=root
Group=root
Restart=on-failure
Type=forking
ExecStart=/opt/deepfence/start_deepfence_agent.sh
WorkingDirectory=/opt/deepfence
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable deepfence-agent.service
systemctl start deepfence-agent.service
systemctl status deepfence-agent.service |
|
Thank you so much it works now. |
|
There is one problem while we run this script it remove all my existing cronjob that I had in the VM. |
|
I tried installing the agent on CentOS Linux release 7.5.1804 |
|
` In the logs which I could see But if I run the same instead of the systemctl I run manually it works
|
|
|
Do we expecting podman to be there on any agent machine |
|
@ramanan-ravi I am trying to scan my Linux VM which is CentOS during that I found these issue after the agent is been setup. The one which you gave seems to be for the docker setup. I am trying to scan my CentOS 7.5 VM for vulnerability scan after the agent installed by following below url Then the service started the linux VM agent is not updating to the deepfencer threadmapper |
|
When I tried in the Linux VM manually the ./package-scanner |
No podman is not expected! It's just a warning, you can ignore. Package Scanner runs a standby service that receives calls from other agent services when to scan. |
You have followed the right docs to install agents on VM. Can you confirm if you are able to see the VM in topology after you have installed Deepfence binaries in the VM? |
Looking at this, there seems to be extra double quotes in URL and PORT. Please check. |
|
@ibreakthecloud if the question is for me as per instruction I followed by exporting the Variables and I installed. As mention below screenshot
you mean to say that when I do export the Variables should I need to avoid the double quotes. |
|
I hope as per your shell script of install_deepfence.sh
either one of that pass as double quotes into the url that my conclusion as per screenshot that while I do export I should avoid double quotes. If in that case the UI should avoid the quotes most of the users might copy and paste as per instruction. or should remove the quotes in shall script since we pass quotes in export |
With reference to the document below I am trying to install the sensor-agent on my Rocky Linux VM
https://community.deepfence.io/threatmapper/docs/sensors/linux-host
Basically it fails to install because as per the script your script fails at this point
On rocky linux they mention /etc/os-release
NAME="Rocky Linux"VERSION="9.4 (Blue Onyx)"ID="rocky"ID_LIKE="rhel centos fedora"VERSION_ID="9.4"PLATFORM_ID="platform:el9"PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"ANSI_COLOR="0;32"LOGO="fedora-logo-icon"CPE_NAME="cpe:/o:rocky:rocky:9::baseos"HOME_URL="https://rockylinux.org/"BUG_REPORT_URL="https://bugs.rockylinux.org/"SUPPORT_END="2032-05-31"ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"ROCKY_SUPPORT_PRODUCT_VERSION="9.4"REDHAT_SUPPORT_PRODUCT="Rocky Linux"REDHAT_SUPPORT_PRODUCT_VERSION="9.4"I bypass the issue and installed by after that the startup script fails with systemctl
the host shows in only when I start manually under the path
/opt/deepfence/df-agents/rocky-vue-php74/home/deepfence/start_deepfenced.shAfter that when I tried to scan vulnerability it scan and I get the result.
But when I do other scan like malware / posture / secret it fails
In the malware log I could see as mention below.
For secret scan log
The text was updated successfully, but these errors were encountered: