provision.sh is the provisioning script for osctrl in Ubuntu 20.04. It uses several functions from lib.sh.
Its purpose is to install all necessary components to deploy osctrl in an Ubuntu 20.04 system, although it could be easily adapted to work in CentOS 7.
Execute ./deploy/provision.sh [-h|--help]
to show the usage of the script:
$ ./deploy/provision.sh -h
Usage: ./deploy/provision.sh [-h|--help] [PARAMETER [ARGUMENT]] [PARAMETER [ARGUMENT]] ...
Parameters:
-h, --help Shows this help message and exit.
-m MODE, --mode MODE Mode of operation. Default value is dev
-t TYPE, --type TYPE Type of certificate to use. Default value is self
-p PART, --part PART Part of the service. Default is all
Arguments for MODE:
dev Provision will run in development mode. Certificate will be self-signed.
prod Provision will run in production mode.
Arguments for TYPE:
self Provision will use a self-signed TLS certificate that will be generated.
own Provision will use the TLS certificate provided by the user.
certbot Provision will generate a TLS certificate using letsencrypt/certbot. More info here: https://certbot.eff.org/
Arguments for PART:
admin Provision will deploy only the admin interface.
tls Provision will deploy only the TLS endpoint.
api Provision will deploy only the API endpoint.
all Provision will deploy both the admin and the TLS endpoint.
Optional Parameters:
--public-tls-port PORT Port for the TLS endpoint service. Default is 443
--public-admin-port PORT Port for the admin service. Default is 8443
--public-api-port PORT Port for the API service. Default is 8444
--private-tls-port PORT Port for the TLS endpoint service. Default is 9000
--private-admin-port PORT Port for the admin service. Default is 9001
--private-api-port PORT Port for the API service. Default is 9002
--all-hostname HOSTNAME Hostname for all the services. Default is 127.0.0.1
--tls-hostname HOSTNAME Hostname for the TLS endpoint service. Default is 127.0.0.1
--admin-hostname HOSTNAME Hostname for the admin service. Default is 127.0.0.1
--api-hostname HOSTNAME Hostname for the API service. Default is 127.0.0.1
-X PASS --password Force the admin password for the admin interface. Default is random
-c PATH --certfile PATH Path to supplied TLS server PEM certificate(s) bundle
-d DOMAIN --domain DOMAIN Domain for the TLS certificate to be generated using letsencrypt
-e EMAIL --email EMAIL Domain for the TLS certificate to be generated using letsencrypt
-s PATH --source PATH Path to code. Default is /vagrant
-S PATH --dest PATH Path to binaries. Default is /opt/osctrl
-n --nginx Install and configure nginx as TLS termination
-P --postgres Install and configure PostgreSQL as backend
-M --metrics Install and configure all services for metrics (InfluxDB + Telegraf + Grafana)
-R --redis Install and configure Redis as cache
-E --enroll Enroll the serve into itself using osquery. Default is disabled
-N NAME --env NAME Initial environment name to be created. Default is the mode (dev or prod)
-U --upgrade Keep osctrl upgraded with the latest code from Github
Examples:
Provision service in development mode, code is in /vagrant and all components (admin, tls, api):
./deploy/provision.sh -m dev -s /vagrant -p all
Provision service in production mode using my own certificate and only with TLS endpoint:
./deploy/provision.sh -m prod -t own -k /etc/certs/my.key -c /etc/certs/cert.crt -p tls
Upgrade service with the latest code from Github. Does not create services nor certificates:
./deploy/provision.sh -U -s /code/osctrl -S /srv/osctrl