BlueChI Automated Installation: Enterprise-Ready Scripts for Multi-Node Orchestration

Table of Contents#

Introduction#

BlueChI is a systemd-based multi-node orchestration framework that provides deterministic service control across distributed systems. This guide presents production-ready automation scripts for deploying BlueChI in various configurations, from single-node setups to complex multi-node deployments.

The scripts featured here emphasize security, reliability, and ease of deployment, making them suitable for enterprise environments where predictable behavior and minimal overhead are critical requirements.

Script Overview#

We’ll cover three main deployment scenarios:

All-in-One Installation: Single script for quick deployments
Multi-Node Installation: Flexible script supporting controller and agent roles
Production Deployment: Enhanced scripts with monitoring, HA, and security features

All-in-One BlueChI Installation Script#

This script installs all BlueChI components on a single node, ideal for development and testing:

1
#!/bin/bash
2

3
# BlueChI All-in-One Installation Script
4
# Supports: Rocky Linux, AlmaLinux, RHEL, Amazon Linux
5
# Version: 1.0
6

7
# Secure script setup
8
set -e          # Exit immediately if a command exits with a non-zero status
9
set -u          # Treat unset variables as an error
10
set -o pipefail # Return value of a pipeline is the value of the last command
11

12
# Global variables
13
TEMP_DIRS=()
14
LOG_FILE="/var/log/bluechi_install.log"
15

16
# Function for logging with colors
17
log() {
18
  local message="[$(date +'%Y-%m-%d %H:%M:%S')] $1"
19
  echo -e "\e[0;32m${message}\e[0m"
20
  echo "${message}" >> "$LOG_FILE"
21
}
22

23
warn() {
24
  local message="[$(date +'%Y-%m-%d %H:%M:%S')] WARNING: $1"
25
  echo -e "\e[0;33m${message}\e[0m"
26
  echo "${message}" >> "$LOG_FILE"
27
}
28

29
# Function for error handling
30
error_exit() {
31
  local message="[$(date +'%Y-%m-%d %H:%M:%S')] ERROR: $1"
32
  echo -e "\e[0;31m${message}\e[0m"
33
  echo "${message}" >> "$LOG_FILE"
34
  cleanup
35
  exit 1
36
}
37

38
# Cleanup function
39
cleanup() {
40
  log "Cleaning up temporary files..."
41
  for dir in "${TEMP_DIRS[@]}"; do
42
    if [ -d "$dir" ]; then
43
      rm -rf "$dir"
44
    fi
45
  done
46
}
47

48
# Set trap for cleanup
49
trap cleanup EXIT INT TERM
50

51
# Function to check if running as root
52
check_root() {
53
  if [ "$(id -u)" -ne 0 ]; then
54
    error_exit "This script must be run as root"
55
  fi
56
}
57

58
# Function to detect OS
59
detect_os() {
60
  if [ -f /etc/os-release ]; then
61
    . /etc/os-release
62
    OS=$ID
63
    VERSION=$VERSION_ID
64
    log "Detected OS: $OS $VERSION"
65
  else
66
    error_exit "Cannot detect OS, /etc/os-release file not found"
67
  fi
68
}
69

70
# Function to install wget
71
install_wget() {
72
  log "Installing wget..."
73

74
  case $OS in
75
    "rocky" | "almalinux" | "rhel" | "centos")
76
      dnf install -y wget || error_exit "Failed to install wget on $OS"
77
      ;;
78
    "amzn")
79
      yum install -y wget || error_exit "Failed to install wget on Amazon Linux"
80
      ;;
81
    *)
82
      error_exit "Unsupported OS: $OS"
83
      ;;
84
  esac
85

86
  log "wget installed successfully"
87
}
88

89
# Function to handle dependencies for BlueChI
90
install_dependencies() {
91
  log "Installing dependencies..."
92

93
  # Dependencies for BlueChI
94
  DEPENDENCIES=(
95
    "dbus"
96
    "systemd"
97
    "python3"
98
    "dbus-broker"
99
    "device-mapper"
100
    "device-mapper-libs"
101
    "libfdisk"
102
    "util-linux"
103
    "systemd-pam"
104
  )
105

106
  case $OS in
107
    "rocky" | "almalinux" | "rhel" | "centos")
108
      for dep in "${DEPENDENCIES[@]}"; do
109
        log "Installing dependency: $dep"
110
        dnf install -y "$dep" || warn "Could not install $dep, but continuing"
111
      done
112
      ;;
113
    "amzn")
114
      for dep in "${DEPENDENCIES[@]}"; do
115
        log "Installing dependency: $dep"
116
        yum install -y "$dep" || warn "Could not install $dep, but continuing"
117
      done
118
      ;;
119
    *)
120
      error_exit "Unsupported OS: $OS"
121
      ;;
122
  esac
123

124
  log "Dependencies installation completed"
125
}
126

127
# Function to download file with proper security validation
128
secure_download() {
129
  local url=$1
130
  local output_file=$2
131

132
  # Use wget with proper SSL/TLS security
133
  wget --https-only --secure-protocol=TLSv1_2 "$url" -O "$output_file" || return 1
134

135
  # Verify file exists and is not empty
136
  if [ ! -s "$output_file" ]; then
137
    return 1
138
  fi
139

140
  return 0
141
}
142

143
# Function to download and install a package
144
download_and_install() {
145
  local url=$1
146
  local filename=$(basename "$url")
147
  local temp_dir=$(mktemp -d)
148
  TEMP_DIRS+=("$temp_dir")
149
  local output_file="$temp_dir/$filename"
150

151
  log "Downloading $filename..."
152
  if ! secure_download "$url" "$output_file"; then
153
    error_exit "Failed to download $filename securely"
154
  fi
155

156
  log "Installing $filename..."
157
  if ! rpm -Uvh --nodeps "$output_file"; then
158
    warn "Failed to install $filename with standard options, trying with --force"
159
    rpm -Uvh --nodeps --force "$output_file" || error_exit "Failed to install $filename even with --force"
160
  fi
161

162
  log "$filename installed successfully"
163
}
164

165
# Function to check if all required commands are available
166
check_requirements() {
167
  log "Checking if required commands are available..."
168

169
  local missing_commands=()
170

171
  # Commands to check
172
  local commands=("rpm")
173

174
  for cmd in "${commands[@]}"; do
175
    if ! command -v "$cmd" &> /dev/null; then
176
      missing_commands+=("$cmd")
177
    fi
178
  done
179

180
  if [ ${#missing_commands[@]} -gt 0 ]; then
181
    error_exit "Required commands not found: ${missing_commands[*]}"
182
  fi
183

184
  log "All required commands are available"
185
}
186

187
# Function to verify service status
188
verify_services() {
189
  log "Verifying BlueChI services..."
190

191
  if systemctl is-active --quiet bluechi-controller; then
192
    log "BlueChI controller service is active"
193
  else
194
    warn "BlueChI controller service is not active"
195
  fi
196

197
  if systemctl is-active --quiet bluechi-agent; then
198
    log "BlueChI agent service is active"
199
  else
200
    warn "BlueChI agent service is not active"
201
  fi
202
}
203

204
# Main function
205
main() {
206
  log "Starting BlueChI installation script"
207

208
  check_root
209
  detect_os
210
  check_requirements
211

212
  # Check if wget is already installed, if not install it
213
  if ! command -v wget &> /dev/null; then
214
    install_wget
215
  else
216
    log "wget is already installed"
217
  fi
218

219
  # Install dependencies
220
  install_dependencies
221

222
  # BlueChI package URLs
223
  PACKAGES=(
224
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-agent-0.10.2-1.el9.x86_64.rpm"
225
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-controller-0.10.2-1.el9.x86_64.rpm"
226
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-ctl-0.10.2-1.el9.x86_64.rpm"
227
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-is-online-0.10.2-1.el9.x86_64.rpm"
228
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-selinux-0.10.2-1.el9.noarch.rpm"
229
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/p/python3-bluechi-0.10.2-1.el9.noarch.rpm"
230
  )
231

232
  # Install each package
233
  for package in "${PACKAGES[@]}"; do
234
    download_and_install "$package"
235
  done
236

237
  log "BlueChI packages installed successfully"
238

239
  # Configure BlueChI for all-in-one setup
240
  log "Configuring BlueChI..."
241

242
  # Create configuration directories
243
  mkdir -p /etc/bluechi/controller.conf.d
244
  mkdir -p /etc/bluechi/agent.conf.d
245

246
  # Create controller configuration
247
  cat > /etc/bluechi/controller.conf.d/1.conf << EOF
248
[bluechi-controller]
249
ControllerPort=2020
250
AllowedNodeNames=$(hostname)
251
EOF
252

253
  # Create agent configuration for local connection
254
  cat > /etc/bluechi/agent.conf.d/1.conf << EOF
255
[bluechi-agent]
256
ControllerAddress=unix:path=/run/bluechi/bluechi.sock
257
NodeName=$(hostname)
258
EOF
259

260
  # Enable and start BlueChI services
261
  log "Enabling and starting BlueChI services..."
262
  systemctl enable --now bluechi-controller bluechi-agent || warn "Failed to enable and start BlueChI services"
263

264
  # Verify services
265
  verify_services
266

267
  # Display summary
268
  log "BlueChI installation and configuration completed"
269
  log "Installation log available at: $LOG_FILE"
270

271
  echo ""
272
  echo "========================================"
273
  echo "BlueChI Installation Complete!"
274
  echo "========================================"
275
  echo ""
276
  echo "Verify installation with:"
277
  echo "  bluechictl list-nodes"
278
  echo "  bluechictl list-units $(hostname)"
279
  echo ""
280
  echo "Service status:"
281
  systemctl status bluechi-controller --no-pager | grep Active
282
  systemctl status bluechi-agent --no-pager | grep Active
283
  echo ""
284
}
285

286
# Execute main function
287
main

Multi-Node BlueChI Installation Script#

This enhanced script supports both controller and agent installations with flexible configurations:

1
#!/bin/bash
2

3
# BlueChI Multi-Node Installation Script
4
# Supports: Rocky Linux, AlmaLinux, RHEL, Amazon Linux
5
# Version: 2.0
6

7
# Secure script setup
8
set -e          # Exit immediately if a command exits with a non-zero status
9
set -u          # Treat unset variables as an error
10
set -o pipefail # Return value of a pipeline is the value of the last command
11

12
# Global variables
13
TEMP_DIRS=()
14
LOG_FILE="/var/log/bluechi_install.log"
15
CONTROLLER_PORT="2020"  # Non-privileged port for easier testing/deployment
16
BLUECHI_VERSION="0.10.2"
17
INSTALL_MODE=""
18
CONTROLLER_IP=""
19
ALLOWED_NODES=""
20
NODE_NAME=""
21

22
# Function for logging with colors
23
log() {
24
  local message="[$(date +'%Y-%m-%d %H:%M:%S')] $1"
25
  echo -e "\e[0;32m${message}\e[0m"
26
  echo "${message}" >> "$LOG_FILE"
27
}
28

29
warn() {
30
  local message="[$(date +'%Y-%m-%d %H:%M:%S')] WARNING: $1"
31
  echo -e "\e[0;33m${message}\e[0m"
32
  echo "${message}" >> "$LOG_FILE"
33
}
34

35
# Function for error handling
36
error_exit() {
37
  local message="[$(date +'%Y-%m-%d %H:%M:%S')] ERROR: $1"
38
  echo -e "\e[0;31m${message}\e[0m"
39
  echo "${message}" >> "$LOG_FILE"
40
  cleanup
41
  exit 1
42
}
43

44
# Cleanup function
45
cleanup() {
46
  log "Cleaning up temporary files..."
47
  for dir in "${TEMP_DIRS[@]}"; do
48
    if [ -d "$dir" ]; then
49
      rm -rf "$dir"
50
    fi
51
  done
52
}
53

54
# Set trap for cleanup
55
trap cleanup EXIT INT TERM
56

57
# Function to check if running as root
58
check_root() {
59
  if [ "$(id -u)" -ne 0 ]; then
60
    error_exit "This script must be run as root"
61
  fi
62
}
63

64
# Function to detect OS
65
detect_os() {
66
  if [ -f /etc/os-release ]; then
67
    . /etc/os-release
68
    OS=$ID
69
    VERSION=$VERSION_ID
70
    log "Detected OS: $OS $VERSION"
71
  else
72
    error_exit "Cannot detect OS, /etc/os-release file not found"
73
  fi
74
}
75

76
# Function to install wget
77
install_wget() {
78
  log "Installing wget..."
79

80
  case $OS in
81
    "rocky" | "almalinux" | "rhel" | "centos")
82
      dnf install -y wget || error_exit "Failed to install wget on $OS"
83
      ;;
84
    "amzn")
85
      yum install -y wget || error_exit "Failed to install wget on Amazon Linux"
86
      ;;
87
    *)
88
      error_exit "Unsupported OS: $OS"
89
      ;;
90
  esac
91

92
  log "wget installed successfully"
93
}
94

95
# Function to handle dependencies for BlueChI
96
install_dependencies() {
97
  log "Installing dependencies..."
98

99
  DEPENDENCIES=(
100
    "dbus"
101
    "systemd"
102
    "python3"
103
    "dbus-broker"
104
    "device-mapper"
105
    "device-mapper-libs"
106
    "libfdisk"
107
    "util-linux"
108
    "systemd-pam"
109
  )
110

111
  case $OS in
112
    "rocky" | "almalinux" | "rhel" | "centos")
113
      for dep in "${DEPENDENCIES[@]}"; do
114
        log "Installing dependency: $dep"
115
        dnf install -y "$dep" || warn "Could not install $dep, but continuing"
116
      done
117
      ;;
118
    "amzn")
119
      for dep in "${DEPENDENCIES[@]}"; do
120
        log "Installing dependency: $dep"
121
        yum install -y "$dep" || warn "Could not install $dep, but continuing"
122
      done
123
      ;;
124
    *)
125
      error_exit "Unsupported OS: $OS"
126
      ;;
127
  esac
128

129
  log "Dependencies installation completed"
130
}
131

132
# Function to download file with proper security validation
133
secure_download() {
134
  local url=$1
135
  local output_file=$2
136

137
  # Use wget with proper SSL/TLS security
138
  wget --https-only --secure-protocol=TLSv1_2 "$url" -O "$output_file" || return 1
139

140
  # Verify file exists and is not empty
141
  if [ ! -s "$output_file" ]; then
142
    return 1
143
  fi
144

145
  return 0
146
}
147

148
# Function to download and install a package
149
download_and_install() {
150
  local url=$1
151
  local filename=$(basename "$url")
152
  local temp_dir=$(mktemp -d)
153
  TEMP_DIRS+=("$temp_dir")
154
  local output_file="$temp_dir/$filename"
155

156
  log "Downloading $filename..."
157
  if ! secure_download "$url" "$output_file"; then
158
    error_exit "Failed to download $filename securely"
159
  fi
160

161
  log "Installing $filename..."
162
  if ! rpm -Uvh --nodeps "$output_file"; then
163
    warn "Failed to install $filename with standard options, trying with --force"
164
    rpm -Uvh --nodeps --force "$output_file" || error_exit "Failed to install $filename even with --force"
165
  fi
166

167
  log "$filename installed successfully"
168
}
169

170
# Function to check if all required commands are available
171
check_requirements() {
172
  log "Checking if required commands are available..."
173

174
  local missing_commands=()
175
  local commands=("rpm" "hostname" "systemctl")
176

177
  for cmd in "${commands[@]}"; do
178
    if ! command -v "$cmd" &> /dev/null; then
179
      missing_commands+=("$cmd")
180
    fi
181
  done
182

183
  if [ ${#missing_commands[@]} -gt 0 ]; then
184
    error_exit "Required commands not found: ${missing_commands[*]}"
185
  fi
186

187
  log "All required commands are available"
188
}
189

190
# Function to ensure config directories exist
191
ensure_config_dirs() {
192
  log "Ensuring configuration directories exist..."
193

194
  mkdir -p /etc/bluechi/controller.conf.d
195
  mkdir -p /etc/bluechi/agent.conf.d
196

197
  log "Configuration directories created"
198
}
199

200
# Function to configure controller
201
configure_controller() {
202
  log "Configuring BlueChI controller..."
203

204
  # Create configuration
205
  cat > /etc/bluechi/controller.conf.d/1.conf << EOF
206
[bluechi-controller]
207
ControllerPort=${CONTROLLER_PORT}
208
AllowedNodeNames=${ALLOWED_NODES}
209
LogLevel=info
210
LogTarget=journald
211
EOF
212

213
  log "Controller configuration written to /etc/bluechi/controller.conf.d/1.conf"
214

215
  # Configure local agent to use Unix Domain Socket
216
  cat > /etc/bluechi/agent.conf.d/1.conf << EOF
217
[bluechi-agent]
218
ControllerAddress=unix:path=/run/bluechi/bluechi.sock
219
NodeName=$(hostname)
220
LogLevel=info
221
LogTarget=journald
222
EOF
223

224
  log "Local agent configuration written to /etc/bluechi/agent.conf.d/1.conf"
225
}
226

227
# Function to configure agent
228
configure_agent() {
229
  log "Configuring BlueChI agent..."
230

231
  # Create configuration
232
  cat > /etc/bluechi/agent.conf.d/1.conf << EOF
233
[bluechi-agent]
234
ControllerHost=${CONTROLLER_IP}
235
ControllerPort=${CONTROLLER_PORT}
236
NodeName=${NODE_NAME}
237
LogLevel=info
238
LogTarget=journald
239
HeartbeatInterval=5
240
EOF
241

242
  log "Agent configuration written to /etc/bluechi/agent.conf.d/1.conf"
243
}
244

245
# Function to verify service status
246
verify_services() {
247
  log "Verifying BlueChI services..."
248

249
  if [ "$INSTALL_MODE" = "controller" ]; then
250
    if systemctl is-active --quiet bluechi-controller; then
251
      log "BlueChI controller service is active"
252
    else
253
      warn "BlueChI controller service is not active"
254
    fi
255
  fi
256

257
  if systemctl is-active --quiet bluechi-agent; then
258
    log "BlueChI agent service is active"
259
  else
260
    warn "BlueChI agent service is not active"
261
  fi
262
}
263

264
# Function to open firewall port for controller
265
configure_firewall() {
266
  log "Configuring firewall for BlueChI..."
267

268
  if command -v firewall-cmd &> /dev/null; then
269
    log "Using firewalld..."
270
    if systemctl is-active --quiet firewalld; then
271
      log "Opening port ${CONTROLLER_PORT} for BlueChI controller"
272
      firewall-cmd --permanent --add-port=${CONTROLLER_PORT}/tcp
273
      firewall-cmd --reload
274
    else
275
      warn "Firewalld is installed but not running, skipping firewall configuration"
276
    fi
277
  else
278
    warn "firewall-cmd not found, unable to configure firewall automatically"
279
    log "Please ensure port ${CONTROLLER_PORT} is open in your firewall for BlueChI to function properly"
280
  fi
281
}
282

283
# Function to install controller
284
install_controller() {
285
  log "Installing BlueChI controller components..."
286

287
  # Controller packages
288
  PACKAGES=(
289
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-agent-${BLUECHI_VERSION}-1.el9.x86_64.rpm"
290
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-controller-${BLUECHI_VERSION}-1.el9.x86_64.rpm"
291
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-ctl-${BLUECHI_VERSION}-1.el9.x86_64.rpm"
292
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-selinux-${BLUECHI_VERSION}-1.el9.noarch.rpm"
293
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/p/python3-bluechi-${BLUECHI_VERSION}-1.el9.noarch.rpm"
294
  )
295

296
  # Install each package
297
  for package in "${PACKAGES[@]}"; do
298
    download_and_install "$package"
299
  done
300

301
  # If online component was requested, install it
302
  if [[ "$*" == *"--with-online"* ]]; then
303
    download_and_install "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-is-online-${BLUECHI_VERSION}-1.el9.x86_64.rpm"
304
  fi
305

306
  ensure_config_dirs
307
  configure_controller
308

309
  if [[ "$*" == *"--configure-firewall"* ]]; then
310
    configure_firewall
311
  fi
312

313
  log "BlueChI controller installation completed"
314
}
315

316
# Function to install agent
317
install_agent() {
318
  log "Installing BlueChI agent components..."
319

320
  # Agent packages
321
  PACKAGES=(
322
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-agent-${BLUECHI_VERSION}-1.el9.x86_64.rpm"
323
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-selinux-${BLUECHI_VERSION}-1.el9.noarch.rpm"
324
    "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/p/python3-bluechi-${BLUECHI_VERSION}-1.el9.noarch.rpm"
325
  )
326

327
  # Install each package
328
  for package in "${PACKAGES[@]}"; do
329
    download_and_install "$package"
330
  done
331

332
  # If online component was requested, install it
333
  if [[ "$*" == *"--with-online"* ]]; then
334
    download_and_install "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-is-online-${BLUECHI_VERSION}-1.el9.x86_64.rpm"
335
  fi
336

337
  ensure_config_dirs
338
  configure_agent
339

340
  log "BlueChI agent installation completed"
341
}
342

343
# Function to start services
344
start_services() {
345
  log "Starting BlueChI services..."
346

347
  if [ "$INSTALL_MODE" = "controller" ]; then
348
    log "Starting controller and agent services..."
349
    systemctl enable --now bluechi-controller bluechi-agent || warn "Failed to enable and start BlueChI services"
350
  else
351
    log "Starting agent service..."
352
    systemctl enable --now bluechi-agent || warn "Failed to enable and start BlueChI agent service"
353
  fi
354

355
  verify_services
356
}
357

358
# Function to show usage
359
usage() {
360
  cat << EOF
361
Usage: $0 [OPTIONS]
362

363
BlueChI Multi-Node Installation Script
364

365
OPTIONS:
366
  -m, --mode MODE            Installation mode (controller or agent)
367
  -i, --controller-ip IP     IP address of the controller node (required for agent mode)
368
  -n, --node-name NAME       Name of this node (required for agent mode)
369
  -a, --allowed-nodes NODES  Comma-separated list of allowed node names (required for controller mode)
370
  -p, --port PORT            Controller port (default: 2020)
371
  -v, --version VERSION      BlueChI version to install (default: ${BLUECHI_VERSION})
372
  --with-online              Install bluechi-is-online package
373
  --configure-firewall       Configure firewall to allow BlueChi traffic (controller only)
374
  -h, --help                 Show this help message and exit
375

376
EXAMPLES:
377
  # Install controller with local hostname and pi as allowed nodes
378
  $0 --mode controller --allowed-nodes \$(hostname),pi
379

380
  # Install agent to connect to controller at 192.168.1.10
381
  $0 --mode agent --controller-ip 192.168.1.10 --node-name pi
382

383
  # Install controller with firewall configuration
384
  $0 --mode controller --allowed-nodes node1,node2,node3 --configure-firewall
385

386
  # Install agent with custom port
387
  $0 --mode agent --controller-ip 192.168.1.10 --node-name worker1 --port 2021
388

389
NOTES:
390
  - This script must be run as root
391
  - Supported OS: Rocky Linux, AlmaLinux, RHEL, Amazon Linux
392
  - Logs are written to: $LOG_FILE
393
  - Configuration files are in: /etc/bluechi/
394

395
For more information, visit: https://github.com/eclipse-bluechi/bluechi
396
EOF
397
  exit 0
398
}
399

400
# Parse command line arguments
401
parse_args() {
402
  while [[ $# -gt 0 ]]; do
403
    case $1 in
404
      -m|--mode)
405
        INSTALL_MODE="$2"
406
        shift 2
407
        ;;
408
      -i|--controller-ip)
409
        CONTROLLER_IP="$2"
410
        shift 2
411
        ;;
412
      -n|--node-name)
413
        NODE_NAME="$2"
414
        shift 2
415
        ;;
416
      -a|--allowed-nodes)
417
        ALLOWED_NODES="$2"
418
        shift 2
419
        ;;
420
      -p|--port)
421
        CONTROLLER_PORT="$2"
422
        shift 2
423
        ;;
424
      -v|--version)
425
        BLUECHI_VERSION="$2"
426
        shift 2
427
        ;;
428
      --with-online)
429
        # This is a flag, no value needed
430
        shift
431
        ;;
432
      --configure-firewall)
433
        # This is a flag, no value needed
434
        shift
435
        ;;
436
      -h|--help)
437
        usage
438
        ;;
439
      *)
440
        warn "Unknown option: $1"
441
        usage
442
        ;;
443
    esac
444
  done
445

446
  # Validate required arguments
447
  if [ -z "$INSTALL_MODE" ]; then
448
    error_exit "Installation mode (--mode) must be specified"
449
  fi
450

451
  if [ "$INSTALL_MODE" != "controller" ] && [ "$INSTALL_MODE" != "agent" ]; then
452
    error_exit "Installation mode must be either 'controller' or 'agent'"
453
  fi
454

455
  if [ "$INSTALL_MODE" = "controller" ] && [ -z "$ALLOWED_NODES" ]; then
456
    error_exit "Allowed nodes (--allowed-nodes) must be specified for controller mode"
457
  fi
458

459
  if [ "$INSTALL_MODE" = "agent" ]; then
460
    if [ -z "$CONTROLLER_IP" ]; then
461
      error_exit "Controller IP (--controller-ip) must be specified for agent mode"
462
    fi
463

464
    if [ -z "$NODE_NAME" ]; then
465
      error_exit "Node name (--node-name) must be specified for agent mode"
466
    fi
467
  fi
468
}
469

470
# Main function
471
main() {
472
  log "Starting BlueChI installation script in $INSTALL_MODE mode"
473

474
  check_root
475
  detect_os
476
  check_requirements
477

478
  # Check if wget is already installed, if not install it
479
  if ! command -v wget &> /dev/null; then
480
    install_wget
481
  else
482
    log "wget is already installed"
483
  fi
484

485
  # Install dependencies
486
  install_dependencies
487

488
  # Install either controller or agent based on mode
489
  if [ "$INSTALL_MODE" = "controller" ]; then
490
    install_controller "$@"
491
  else
492
    install_agent "$@"
493
  fi
494

495
  # Start services
496
  start_services
497

498
  # Display summary
499
  echo ""
500
  echo "========================================"
501
  echo "BlueChI Installation Complete!"
502
  echo "========================================"
503
  echo ""
504

505
  if [ "$INSTALL_MODE" = "controller" ]; then
506
    echo "Controller installation summary:"
507
    echo "  - Listening on port: $CONTROLLER_PORT"
508
    echo "  - Allowed nodes: $ALLOWED_NODES"
509
    echo "  - Configuration: /etc/bluechi/controller.conf.d/"
510
    echo ""
511
    echo "Verify with: bluechictl list-nodes"
512
  else
513
    echo "Agent installation summary:"
514
    echo "  - Node name: $NODE_NAME"
515
    echo "  - Controller: $CONTROLLER_IP:$CONTROLLER_PORT"
516
    echo "  - Configuration: /etc/bluechi/agent.conf.d/"
517
    echo ""
518
    echo "Check logs: journalctl -u bluechi-agent -f"
519
  fi
520

521
  echo ""
522
  echo "Service status:"
523
  if [ "$INSTALL_MODE" = "controller" ]; then
524
    systemctl status bluechi-controller --no-pager | grep Active || true
525
  fi
526
  systemctl status bluechi-agent --no-pager | grep Active || true
527
  echo ""
528
  echo "Installation log: $LOG_FILE"
529
  echo ""
530
}
531

532
# Parse arguments first
533
parse_args "$@"
534

535
# Execute main function with all arguments
536
main "$@"

Production Deployment Script#

This comprehensive script includes monitoring, high availability, and enhanced security features:

1
#!/bin/bash
2

3
# BlueChI Production Deployment Script
4
# Enterprise-ready installation with monitoring and HA support
5
# Version: 3.0
6

7
set -euo pipefail
8

9
# Configuration
10
readonly SCRIPT_VERSION="3.0"
11
readonly LOG_DIR="/var/log/bluechi"
12
readonly BACKUP_DIR="/var/backups/bluechi"
13
readonly CONFIG_DIR="/etc/bluechi"
14
readonly MONITORING_DIR="/opt/bluechi-monitoring"
15
readonly HA_CONFIG_DIR="/etc/bluechi-ha"
16

17
# Create necessary directories
18
mkdir -p "$LOG_DIR" "$BACKUP_DIR" "$CONFIG_DIR" "$MONITORING_DIR" "$HA_CONFIG_DIR"
19

20
# Logging setup
21
readonly LOG_FILE="$LOG_DIR/deployment_$(date +%Y%m%d_%H%M%S).log"
22
exec 1> >(tee -a "$LOG_FILE")
23
exec 2>&1
24

25
# Color codes
26
readonly RED='\033[0;31m'
27
readonly GREEN='\033[0;32m'
28
readonly YELLOW='\033[1;33m'
29
readonly BLUE='\033[0;34m'
30
readonly NC='\033[0m'
31

32
# Functions
33
log() {
34
    echo -e "${GREEN}[$(date +'%Y-%m-%d %H:%M:%S')]${NC} $*"
35
}
36

37
warn() {
38
    echo -e "${YELLOW}[$(date +'%Y-%m-%d %H:%M:%S')] WARNING:${NC} $*"
39
}
40

41
error() {
42
    echo -e "${RED}[$(date +'%Y-%m-%d %H:%M:%S')] ERROR:${NC} $*"
43
    exit 1
44
}
45

46
info() {
47
    echo -e "${BLUE}[$(date +'%Y-%m-%d %H:%M:%S')] INFO:${NC} $*"
48
}
49

50
# Check prerequisites
51
check_prerequisites() {
52
    log "Checking prerequisites..."
53

54
    # Check if running as root
55
    if [[ $EUID -ne 0 ]]; then
56
        error "This script must be run as root"
57
    fi
58

59
    # Check OS
60
    if [[ ! -f /etc/os-release ]]; then
61
        error "Cannot detect OS version"
62
    fi
63

64
    # Check required tools
65
    local required_tools=("systemctl" "firewall-cmd" "sestatus" "python3")
66
    for tool in "${required_tools[@]}"; do
67
        if ! command -v "$tool" &> /dev/null; then
68
            warn "$tool is not installed"
69
        fi
70
    done
71

72
    log "Prerequisites check completed"
73
}
74

75
# Install BlueChI with enhanced security
76
install_bluechi_secure() {
77
    local mode=$1
78
    local controller_ip=${2:-}
79
    local node_name=${3:-$(hostname)}
80

81
    log "Installing BlueChI in $mode mode with enhanced security..."
82

83
    # Create dedicated user for BlueChI
84
    if ! id -u bluechi &>/dev/null; then
85
        useradd -r -s /sbin/nologin -d /var/lib/bluechi -m bluechi
86
        log "Created bluechi user"
87
    fi
88

89
    # Install packages
90
    local packages=(
91
        "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-agent-0.10.2-1.el9.x86_64.rpm"
92
        "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-selinux-0.10.2-1.el9.noarch.rpm"
93
        "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/p/python3-bluechi-0.10.2-1.el9.noarch.rpm"
94
    )
95

96
    if [[ "$mode" == "controller" ]]; then
97
        packages+=(
98
            "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-controller-0.10.2-1.el9.x86_64.rpm"
99
            "https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/bluechi-ctl-0.10.2-1.el9.x86_64.rpm"
100
        )
101
    fi
102

103
    for package in "${packages[@]}"; do
104
        local pkg_name=$(basename "$package")
105
        log "Downloading $pkg_name..."
106
        wget -q --https-only "$package" -O "/tmp/$pkg_name"
107
        rpm -Uvh "/tmp/$pkg_name" || warn "Package $pkg_name might already be installed"
108
        rm -f "/tmp/$pkg_name"
109
    done
110

111
    # Secure configuration
112
    setup_secure_config "$mode" "$controller_ip" "$node_name"
113

114
    # SELinux configuration
115
    setup_selinux
116

117
    # Firewall configuration
118
    setup_firewall "$mode"
119

120
    log "BlueChI secure installation completed"
121
}
122

123
# Setup secure configuration
124
setup_secure_config() {
125
    local mode=$1
126
    local controller_ip=$2
127
    local node_name=$3
128

129
    log "Setting up secure configuration..."
130

131
    # Create config directories with proper permissions
132
    mkdir -p "$CONFIG_DIR"/{controller.conf.d,agent.conf.d}
133
    chown -R bluechi:bluechi "$CONFIG_DIR"
134
    chmod 750 "$CONFIG_DIR"
135

136
    if [[ "$mode" == "controller" ]]; then
137
        # Controller configuration with security settings
138
        cat > "$CONFIG_DIR/controller.conf.d/security.conf" << EOF
139
[bluechi-controller]
140
ControllerPort=2020
141
AllowedNodeNames=${ALLOWED_NODES:-$node_name}
142
LogLevel=info
143
LogTarget=journald
144

145
# Security settings
146
MaxConnections=100
147
ConnectionTimeout=30
148
AuthenticationMethod=certificate
149
CertificateFile=/etc/bluechi/certs/controller.crt
150
KeyFile=/etc/bluechi/certs/controller.key
151
CAFile=/etc/bluechi/certs/ca.crt
152
EOF
153

154
        # Local agent config
155
        cat > "$CONFIG_DIR/agent.conf.d/local.conf" << EOF
156
[bluechi-agent]
157
ControllerAddress=unix:path=/run/bluechi/bluechi.sock
158
NodeName=$node_name
159
LogLevel=info
160
LogTarget=journald
161
EOF
162
    else
163
        # Agent configuration
164
        cat > "$CONFIG_DIR/agent.conf.d/remote.conf" << EOF
165
[bluechi-agent]
166
ControllerHost=$controller_ip
167
ControllerPort=2020
168
NodeName=$node_name
169
LogLevel=info
170
LogTarget=journald
171
HeartbeatInterval=5
172
ReconnectInterval=10
173

174
# Security settings
175
CertificateFile=/etc/bluechi/certs/agent.crt
176
KeyFile=/etc/bluechi/certs/agent.key
177
CAFile=/etc/bluechi/certs/ca.crt
178
EOF
179
    fi
180

181
    # Set proper permissions
182
    chmod 640 "$CONFIG_DIR"/*/*.conf
183
    chown -R root:bluechi "$CONFIG_DIR"
184
}
185

186
# Setup monitoring
187
setup_monitoring() {
188
    log "Setting up monitoring..."
189

190
    # Create monitoring scripts
191
    cat > "$MONITORING_DIR/bluechi-monitor.py" << 'EOF'
192
#!/usr/bin/env python3
193

194
import subprocess
195
import json
196
import time
197
import socket
198
from datetime import datetime
199

200
class BlueChiMonitor:
201
    def __init__(self):
202
        self.metrics = {
203
            'nodes': {},
204
            'services': {},
205
            'errors': []
206
        }
207

208
    def collect_metrics(self):
209
        # Collect node metrics
210
        try:
211
            result = subprocess.run(['bluechictl', 'list-nodes'],
212
                                  capture_output=True, text=True)
213
            if result.returncode == 0:
214
                self.parse_nodes(result.stdout)
215
        except Exception as e:
216
            self.metrics['errors'].append(f"Failed to collect nodes: {e}")
217

218
        # Collect service metrics for each node
219
        for node in self.metrics['nodes']:
220
            try:
221
                result = subprocess.run(['bluechictl', 'list-units', node],
222
                                      capture_output=True, text=True)
223
                if result.returncode == 0:
224
                    self.parse_services(node, result.stdout)
225
            except Exception as e:
226
                self.metrics['errors'].append(f"Failed to collect services for {node}: {e}")
227

228
    def parse_nodes(self, output):
229
        lines = output.strip().split('\n')[1:]  # Skip header
230
        for line in lines:
231
            parts = line.split()
232
            if len(parts) >= 3:
233
                node_name = parts[0]
234
                state = parts[1]
235
                last_seen = ' '.join(parts[2:])
236
                self.metrics['nodes'][node_name] = {
237
                    'state': state,
238
                    'last_seen': last_seen,
239
                    'timestamp': datetime.now().isoformat()
240
                }
241

242
    def parse_services(self, node, output):
243
        if node not in self.metrics['services']:
244
            self.metrics['services'][node] = {}
245

246
        lines = output.strip().split('\n')[1:]  # Skip header
247
        for line in lines:
248
            parts = line.split(None, 3)
249
            if len(parts) >= 3:
250
                service_name = parts[0]
251
                state = parts[1]
252
                self.metrics['services'][node][service_name] = {
253
                    'state': state,
254
                    'timestamp': datetime.now().isoformat()
255
                }
256

257
    def export_prometheus(self):
258
        # Export metrics in Prometheus format
259
        output = []
260

261
        # Node metrics
262
        for node, data in self.metrics['nodes'].items():
263
            state_value = 1 if data['state'] == 'online' else 0
264
            output.append(f'bluechi_node_online{{node="{node}"}} {state_value}')
265

266
        # Service metrics
267
        for node, services in self.metrics['services'].items():
268
            running = sum(1 for s in services.values() if s['state'] == 'running')
269
            failed = sum(1 for s in services.values() if s['state'] == 'failed')
270
            output.append(f'bluechi_services_running{{node="{node}"}} {running}')
271
            output.append(f'bluechi_services_failed{{node="{node}"}} {failed}')
272

273
        # Error count
274
        output.append(f'bluechi_monitor_errors {len(self.metrics["errors"])}')
275

276
        return '\n'.join(output)
277

278
    def serve_metrics(self, port=9101):
279
        # Simple HTTP server for Prometheus scraping
280
        server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
281
        server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
282
        server_socket.bind(('0.0.0.0', port))
283
        server_socket.listen(5)
284

285
        print(f"Serving metrics on port {port}")
286

287
        while True:
288
            client_socket, addr = server_socket.accept()
289

290
            # Collect fresh metrics
291
            self.collect_metrics()
292
            metrics = self.export_prometheus()
293

294
            # Send HTTP response
295
            response = f"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n{metrics}"
296
            client_socket.send(response.encode())
297
            client_socket.close()
298

299
if __name__ == '__main__':
300
    monitor = BlueChiMonitor()
301
    monitor.serve_metrics()
302
EOF
303

304
    chmod +x "$MONITORING_DIR/bluechi-monitor.py"
305

306
    # Create systemd service for monitoring
307
    cat > /etc/systemd/system/bluechi-monitor.service << EOF
308
[Unit]
309
Description=BlueChI Monitoring Service
310
After=network.target bluechi-controller.service
311

312
[Service]
313
Type=simple
314
ExecStart=$MONITORING_DIR/bluechi-monitor.py
315
Restart=always
316
User=bluechi
317
Group=bluechi
318

319
[Install]
320
WantedBy=multi-user.target
321
EOF
322

323
    # Create alert rules
324
    cat > "$MONITORING_DIR/alerts.yaml" << EOF
325
groups:
326
  - name: bluechi_alerts
327
    rules:
328
      - alert: BlueChiNodeDown
329
        expr: bluechi_node_online == 0
330
        for: 5m
331
        labels:
332
          severity: critical
333
        annotations:
334
          summary: "BlueChI node {{ \$labels.node }} is down"
335
          description: "Node {{ \$labels.node }} has been offline for more than 5 minutes"
336

337
      - alert: BlueChiServicesFailed
338
        expr: bluechi_services_failed > 0
339
        for: 10m
340
        labels:
341
          severity: warning
342
        annotations:
343
          summary: "Failed services on node {{ \$labels.node }}"
344
          description: "{{ \$value }} services are in failed state on {{ \$labels.node }}"
345

346
      - alert: BlueChiMonitorErrors
347
        expr: bluechi_monitor_errors > 0
348
        for: 5m
349
        labels:
350
          severity: warning
351
        annotations:
352
          summary: "BlueChI monitoring errors detected"
353
          description: "The monitoring system has encountered {{ \$value }} errors"
354
EOF
355

356
    systemctl daemon-reload
357
    systemctl enable bluechi-monitor.service
358

359
    log "Monitoring setup completed"
360
}
361

362
# Setup High Availability
363
setup_ha() {
364
    local role=$1  # master or backup
365
    local vip=$2
366
    local interface=$3
367

368
    log "Setting up High Availability as $role..."
369

370
    # Install keepalived
371
    dnf install -y keepalived || yum install -y keepalived
372

373
    # Configure keepalived
374
    local priority=100
375
    if [[ "$role" == "backup" ]]; then
376
        priority=90
377
    fi
378

379
    cat > /etc/keepalived/keepalived.conf << EOF
380
global_defs {
381
    notification_email {
382
        admin@example.com
383
    }
384
    notification_email_from bluechi@$(hostname)
385
    smtp_server localhost
386
    smtp_connect_timeout 30
387
}
388

389
vrrp_script check_bluechi {
390
    script "/usr/local/bin/check_bluechi_health.sh"
391
    interval 5
392
    weight -10
393
    fall 2
394
    rise 2
395
}
396

397
vrrp_instance BLUECHI_VIP {
398
    state $role
399
    interface $interface
400
    virtual_router_id 51
401
    priority $priority
402
    advert_int 1
403
    authentication {
404
        auth_type PASS
405
        auth_pass $(openssl rand -hex 16)
406
    }
407
    virtual_ipaddress {
408
        $vip/24
409
    }
410
    track_script {
411
        check_bluechi
412
    }
413
    notify_master "/usr/local/bin/bluechi_ha_notify.sh master"
414
    notify_backup "/usr/local/bin/bluechi_ha_notify.sh backup"
415
    notify_fault "/usr/local/bin/bluechi_ha_notify.sh fault"
416
}
417
EOF
418

419
    # Create health check script
420
    cat > /usr/local/bin/check_bluechi_health.sh << 'EOF'
421
#!/bin/bash
422

423
# Check if BlueChI controller is running
424
if systemctl is-active --quiet bluechi-controller; then
425
    # Check if we can list nodes
426
    if bluechictl list-nodes &>/dev/null; then
427
        exit 0
428
    fi
429
fi
430

431
exit 1
432
EOF
433

434
    chmod +x /usr/local/bin/check_bluechi_health.sh
435

436
    # Create notification script
437
    cat > /usr/local/bin/bluechi_ha_notify.sh << 'EOF'
438
#!/bin/bash
439

440
STATE=$1
441
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
442

443
case $STATE in
444
    master)
445
        logger -t bluechi-ha "[$TIMESTAMP] Became MASTER - starting services"
446
        systemctl start bluechi-controller
447
        # Notify monitoring system
448
        curl -X POST http://monitoring.example.com/api/alerts \
449
             -H "Content-Type: application/json" \
450
             -d "{\"alert\": \"BlueChI HA failover\", \"host\": \"$(hostname)\", \"state\": \"master\"}"
451
        ;;
452
    backup)
453
        logger -t bluechi-ha "[$TIMESTAMP] Became BACKUP - stopping controller"
454
        systemctl stop bluechi-controller
455
        ;;
456
    fault)
457
        logger -t bluechi-ha "[$TIMESTAMP] Entered FAULT state"
458
        ;;
459
esac
460
EOF
461

462
    chmod +x /usr/local/bin/bluechi_ha_notify.sh
463

464
    # Enable and start keepalived
465
    systemctl enable --now keepalived
466

467
    log "High Availability setup completed"
468
}
469

470
# Setup backup and recovery
471
setup_backup() {
472
    log "Setting up backup and recovery..."
473

474
    # Create backup script
475
    cat > /usr/local/bin/bluechi_backup.sh << 'EOF'
476
#!/bin/bash
477

478
BACKUP_DIR="/var/backups/bluechi"
479
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
480
BACKUP_FILE="$BACKUP_DIR/bluechi_backup_$TIMESTAMP.tar.gz"
481

482
# Create backup directory
483
mkdir -p "$BACKUP_DIR"
484

485
# Backup components
486
tar -czf "$BACKUP_FILE" \
487
    /etc/bluechi/ \
488
    /var/lib/bluechi/ \
489
    /etc/systemd/system/bluechi*.service \
490
    /usr/local/bin/bluechi*.sh \
491
    2>/dev/null
492

493
# Backup node states
494
bluechictl list-nodes > "$BACKUP_DIR/nodes_$TIMESTAMP.txt"
495
for node in $(bluechictl list-nodes | tail -n +2 | awk '{print $1}'); do
496
    bluechictl list-units "$node" > "$BACKUP_DIR/units_${node}_$TIMESTAMP.txt"
497
done
498

499
# Rotate old backups (keep last 30 days)
500
find "$BACKUP_DIR" -name "bluechi_backup_*.tar.gz" -mtime +30 -delete
501
find "$BACKUP_DIR" -name "*.txt" -mtime +30 -delete
502

503
echo "Backup completed: $BACKUP_FILE"
504

505
# Upload to remote storage (optional)
506
# aws s3 cp "$BACKUP_FILE" s3://backup-bucket/bluechi/
507
EOF
508

509
    chmod +x /usr/local/bin/bluechi_backup.sh
510

511
    # Create recovery script
512
    cat > /usr/local/bin/bluechi_recover.sh << 'EOF'
513
#!/bin/bash
514

515
if [ $# -ne 1 ]; then
516
    echo "Usage: $0 <backup_file>"
517
    exit 1
518
fi
519

520
BACKUP_FILE=$1
521

522
if [ ! -f "$BACKUP_FILE" ]; then
523
    echo "Backup file not found: $BACKUP_FILE"
524
    exit 1
525
fi
526

527
# Stop services
528
systemctl stop bluechi-controller bluechi-agent
529

530
# Extract backup
531
tar -xzf "$BACKUP_FILE" -C /
532

533
# Restore permissions
534
chown -R root:bluechi /etc/bluechi
535
chmod 750 /etc/bluechi
536
chmod 640 /etc/bluechi/*/*.conf
537

538
# Restart services
539
systemctl daemon-reload
540
systemctl start bluechi-controller bluechi-agent
541

542
echo "Recovery completed from: $BACKUP_FILE"
543
EOF
544

545
    chmod +x /usr/local/bin/bluechi_recover.sh
546

547
    # Schedule daily backups
548
    cat > /etc/cron.d/bluechi-backup << EOF
549
0 2 * * * root /usr/local/bin/bluechi_backup.sh >> $LOG_DIR/backup.log 2>&1
550
EOF
551

552
    log "Backup and recovery setup completed"
553
}
554

555
# Setup SELinux
556
setup_selinux() {
557
    log "Configuring SELinux..."
558

559
    if command -v getenforce &> /dev/null; then
560
        if [[ $(getenforce) != "Disabled" ]]; then
561
            # Set proper SELinux contexts
562
            semanage fcontext -a -t systemd_unit_file_t "/etc/bluechi(/.*)?"
563
            restorecon -Rv /etc/bluechi
564

565
            # Allow BlueChI to bind to port
566
            semanage port -a -t bluechi_port_t -p tcp 2020 2>/dev/null || true
567

568
            log "SELinux configuration completed"
569
        else
570
            warn "SELinux is disabled"
571
        fi
572
    else
573
        warn "SELinux tools not found"
574
    fi
575
}
576

577
# Setup firewall
578
setup_firewall() {
579
    local mode=$1
580

581
    log "Configuring firewall..."
582

583
    if command -v firewall-cmd &> /dev/null; then
584
        if systemctl is-active --quiet firewalld; then
585
            if [[ "$mode" == "controller" ]]; then
586
                # Open controller port
587
                firewall-cmd --permanent --add-port=2020/tcp
588
                # Open monitoring port
589
                firewall-cmd --permanent --add-port=9101/tcp
590
            fi
591

592
            # Reload firewall
593
            firewall-cmd --reload
594

595
            log "Firewall configuration completed"
596
        else
597
            warn "Firewalld is not running"
598
        fi
599
    else
600
        warn "firewall-cmd not found"
601
    fi
602
}
603

604
# Main deployment function
605
deploy_production() {
606
    local deployment_type=$1
607

608
    case "$deployment_type" in
609
        "controller-ha")
610
            log "Deploying BlueChI Controller with HA"
611
            check_prerequisites
612
            install_bluechi_secure "controller"
613
            setup_monitoring
614
            setup_ha "master" "192.168.1.100" "eth0"
615
            setup_backup
616
            ;;
617

618
        "controller")
619
            log "Deploying BlueChI Controller"
620
            check_prerequisites
621
            install_bluechi_secure "controller"
622
            setup_monitoring
623
            setup_backup
624
            ;;
625

626
        "agent")
627
            log "Deploying BlueChI Agent"
628
            check_prerequisites
629
            local controller_ip=$2
630
            local node_name=$3
631
            install_bluechi_secure "agent" "$controller_ip" "$node_name"
632
            ;;
633

634
        *)
635
            error "Unknown deployment type: $deployment_type"
636
            ;;
637
    esac
638

639
    # Start services
640
    log "Starting BlueChI services..."
641
    if [[ "$deployment_type" == "controller-ha" ]] || [[ "$deployment_type" == "controller" ]]; then
642
        systemctl enable --now bluechi-controller bluechi-agent
643
        systemctl enable --now bluechi-monitor
644
    else
645
        systemctl enable --now bluechi-agent
646
    fi
647

648
    # Final verification
649
    log "Verifying deployment..."
650
    sleep 5
651

652
    if [[ "$deployment_type" == "controller-ha" ]] || [[ "$deployment_type" == "controller" ]]; then
653
        if bluechictl list-nodes &>/dev/null; then
654
            info "BlueChI Controller is operational"
655
            bluechictl list-nodes
656
        else
657
            warn "BlueChI Controller verification failed"
658
        fi
659
    fi
660

661
    if systemctl is-active --quiet bluechi-agent; then
662
        info "BlueChI Agent is running"
663
    else
664
        warn "BlueChI Agent is not running"
665
    fi
666

667
    log "Production deployment completed successfully"
668
    info "Deployment log: $LOG_FILE"
669
    info "Configuration: $CONFIG_DIR"
670
    info "Monitoring: http://$(hostname):9101/metrics"
671
}
672

673
# Usage information
674
usage() {
675
    cat << EOF
676
BlueChI Production Deployment Script v${SCRIPT_VERSION}
677

678
Usage: $0 <deployment-type> [options]
679

680
Deployment Types:
681
  controller        Deploy BlueChI controller
682
  controller-ha     Deploy BlueChI controller with HA
683
  agent            Deploy BlueChI agent
684

685
Options for agent deployment:
686
  $0 agent <controller-ip> <node-name>
687

688
Examples:
689
  # Deploy controller with HA
690
  $0 controller-ha
691

692
  # Deploy simple controller
693
  $0 controller
694

695
  # Deploy agent
696
  $0 agent 192.168.1.10 worker-01
697

698
Features:
699
  - Enhanced security configuration
700
  - Monitoring and metrics export
701
  - High Availability support
702
  - Automated backup and recovery
703
  - SELinux and firewall configuration
704
  - Production-ready logging
705

706
For more information, check the deployment log at: $LOG_FILE
707
EOF
708
    exit 0
709
}
710

711
# Script entry point
712
if [[ $# -lt 1 ]]; then
713
    usage
714
fi
715

716
# Export required variables for controller mode
717
if [[ "$1" == "controller" ]] || [[ "$1" == "controller-ha" ]]; then
718
    export ALLOWED_NODES="controller,agent1,agent2,agent3"
719
fi
720

721
# Run deployment
722
deploy_production "$@"

Security Hardening Script#

Additional script for security hardening of BlueChI deployments:

1
#!/bin/bash
2

3
# BlueChI Security Hardening Script
4
# Implements defense-in-depth security measures
5
# Version: 1.0
6

7
set -euo pipefail
8

9
readonly CERT_DIR="/etc/bluechi/certs"
10
readonly AUDIT_LOG="/var/log/bluechi/audit.log"
11

12
# Create certificate infrastructure
13
setup_pki() {
14
    log "Setting up PKI infrastructure..."
15

16
    mkdir -p "$CERT_DIR"
17
    chmod 700 "$CERT_DIR"
18

19
    # Generate CA
20
    openssl req -x509 -newkey rsa:4096 -days 3650 -nodes \
21
        -keyout "$CERT_DIR/ca.key" \
22
        -out "$CERT_DIR/ca.crt" \
23
        -subj "/C=US/ST=State/L=City/O=Organization/CN=BlueChI CA"
24

25
    # Generate controller certificate
26
    openssl req -newkey rsa:4096 -nodes \
27
        -keyout "$CERT_DIR/controller.key" \
28
        -out "$CERT_DIR/controller.csr" \
29
        -subj "/C=US/ST=State/L=City/O=Organization/CN=bluechi-controller"
30

31
    openssl x509 -req -in "$CERT_DIR/controller.csr" \
32
        -CA "$CERT_DIR/ca.crt" -CAkey "$CERT_DIR/ca.key" \
33
        -CAcreateserial -out "$CERT_DIR/controller.crt" \
34
        -days 365 -sha256
35

36
    # Set permissions
37
    chmod 600 "$CERT_DIR"/*.key
38
    chmod 644 "$CERT_DIR"/*.crt
39
    chown -R root:bluechi "$CERT_DIR"
40

41
    log "PKI infrastructure setup completed"
42
}
43

44
# Configure audit logging
45
setup_audit() {
46
    log "Configuring audit logging..."
47

48
    # Create audit rules
49
    cat > /etc/audit/rules.d/bluechi.rules << 'EOF'
50
# BlueChI audit rules
51
-w /usr/bin/bluechictl -p x -k bluechi_commands
52
-w /etc/bluechi/ -p wa -k bluechi_config
53
-w /var/lib/bluechi/ -p wa -k bluechi_data
54
-w /etc/systemd/system/bluechi*.service -p wa -k bluechi_service
55

56
# Monitor D-Bus calls
57
-a always,exit -F arch=b64 -S connect -F a0=1 -F path=/var/run/dbus/system_bus_socket -k bluechi_dbus
58
EOF
59

60
    # Reload audit rules
61
    augenrules --load
62
    systemctl restart auditd
63

64
    # Create audit report script
65
    cat > /usr/local/bin/bluechi_audit_report.sh << 'EOF'
66
#!/bin/bash
67

68
echo "BlueChI Security Audit Report - $(date)"
69
echo "========================================="
70
echo ""
71

72
echo "Recent BlueChI Commands:"
73
ausearch -k bluechi_commands -ts recent --raw | aureport -x --summary
74
echo ""
75

76
echo "Configuration Changes:"
77
ausearch -k bluechi_config -ts recent --raw | aureport -f --summary
78
echo ""
79

80
echo "Service Modifications:"
81
ausearch -k bluechi_service -ts recent --raw | aureport -f --summary
82
echo ""
83

84
echo "Failed Authentication Attempts:"
85
journalctl -u bluechi-controller --since "1 day ago" | grep -i "auth.*fail" || echo "None found"
86
echo ""
87

88
echo "Suspicious Activities:"
89
ausearch -k bluechi_dbus -ts recent --raw | aureport --summary
90
EOF
91

92
    chmod +x /usr/local/bin/bluechi_audit_report.sh
93

94
    log "Audit logging configuration completed"
95
}
96

97
# Harden system configuration
98
harden_system() {
99
    log "Hardening system configuration..."
100

101
    # Kernel parameters for security
102
    cat >> /etc/sysctl.d/99-bluechi-security.conf << 'EOF'
103
# BlueChI Security Hardening
104
net.ipv4.tcp_syncookies = 1
105
net.ipv4.conf.all.rp_filter = 1
106
net.ipv4.conf.default.rp_filter = 1
107
net.ipv4.icmp_echo_ignore_broadcasts = 1
108
net.ipv4.conf.all.accept_source_route = 0
109
net.ipv6.conf.all.accept_source_route = 0
110
net.ipv4.conf.all.send_redirects = 0
111
net.ipv4.conf.all.accept_redirects = 0
112
net.ipv6.conf.all.accept_redirects = 0
113
net.ipv4.conf.all.log_martians = 1
114
kernel.randomize_va_space = 2
115
kernel.yama.ptrace_scope = 1
116
EOF
117

118
    sysctl -p /etc/sysctl.d/99-bluechi-security.conf
119

120
    # Restrict core dumps
121
    echo "* hard core 0" >> /etc/security/limits.conf
122

123
    # Configure fail2ban for BlueChI
124
    if command -v fail2ban-client &> /dev/null; then
125
        cat > /etc/fail2ban/jail.d/bluechi.conf << 'EOF'
126
[bluechi]
127
enabled = true
128
port = 2020
129
filter = bluechi
130
logpath = /var/log/bluechi/*.log
131
maxretry = 5
132
bantime = 3600
133
EOF
134

135
        cat > /etc/fail2ban/filter.d/bluechi.conf << 'EOF'
136
[Definition]
137
failregex = Authentication failed for .* from <HOST>
138
            Connection refused from <HOST>
139
            Invalid certificate from <HOST>
140
ignoreregex =
141
EOF
142

143
        systemctl restart fail2ban
144
    fi
145

146
    log "System hardening completed"
147
}
148

149
# Main execution
150
main() {
151
    log "Starting BlueChI security hardening..."
152

153
    setup_pki
154
    setup_audit
155
    harden_system
156

157
    log "Security hardening completed successfully"
158
}
159

160
# Run main function
161
main "$@"

Usage Examples#

Quick Development Setup#

1
# Single node for testing
2
curl -sSL https://raw.githubusercontent.com/example/bluechi-scripts/main/install-all-in-one.sh | sudo bash

Production Controller Deployment#

1
# Download script
2
wget https://raw.githubusercontent.com/example/bluechi-scripts/main/install-production.sh
3
chmod +x install-production.sh
4

5
# Deploy controller with HA
6
sudo ./install-production.sh controller-ha
7

8
# Deploy simple controller
9
sudo ./install-production.sh controller

Production Agent Deployment#

1
# Deploy agent connected to controller
2
sudo ./install-production.sh agent 192.168.1.100 worker-01

Multi-Node Setup Example#

1
# On controller node
2
sudo ./install-multi-node.sh \
3
    --mode controller \
4
    --allowed-nodes controller,worker1,worker2,worker3 \
5
    --configure-firewall
6

7
# On worker nodes
8
sudo ./install-multi-node.sh \
9
    --mode agent \
10
    --controller-ip 192.168.1.100 \
11
    --node-name worker1

Post-Installation Verification#

After installation, verify your BlueChI deployment:

1
# Check services
2
systemctl status bluechi-controller bluechi-agent
3

4
# List connected nodes
5
bluechictl list-nodes
6

7
# Check node connectivity
8
for node in $(bluechictl list-nodes | tail -n +2 | awk '{print $1}'); do
9
    echo "Node: $node"
10
    bluechictl list-units $node | head -5
11
done
12

13
# Verify monitoring (if enabled)
14
curl -s http://localhost:9101/metrics | grep bluechi
15

16
# Check logs
17
journalctl -u bluechi-controller -u bluechi-agent --since "10 minutes ago"
18

19
# Test service control
20
bluechictl start <node> <service>
21
bluechictl status <node> <service>

Troubleshooting#

Common issues and solutions:

Installation Failures#

1
# Check installation log
2
tail -f /var/log/bluechi_install.log
3

4
# Verify package installation
5
rpm -qa | grep bluechi
6

7
# Check for conflicts
8
rpm -Va | grep bluechi

Connection Issues#

1
# Test network connectivity
2
telnet controller-ip 2020
3

4
# Check firewall
5
firewall-cmd --list-all
6

7
# Verify certificates (if using TLS)
8
openssl s_client -connect controller-ip:2020 -CAfile /etc/bluechi/certs/ca.crt

Service Control Issues#

1
# Check D-Bus
2
busctl status
3

4
# Verify systemd integration
5
systemctl show bluechi-agent | grep -E "User|Group|PrivateDevices"
6

7
# Test local control
8
systemctl status httpd
9
bluechictl status $(hostname) httpd.service

Best Practices#

Security First
- Always use TLS in production
- Implement proper firewall rules
- Enable SELinux where possible
- Regular security audits
Monitoring
- Deploy monitoring from day one
- Set up alerting for critical events
- Regular health checks
- Capacity planning
Backup and Recovery
- Automate daily backups
- Test recovery procedures
- Document recovery steps
- Off-site backup storage
Documentation
- Keep deployment records
- Document custom configurations
- Maintain runbooks
- Update as needed

Conclusion#

These automation scripts provide a comprehensive solution for deploying BlueChI in various environments, from development to production. The scripts emphasize:

Security: Multiple layers of security controls
Reliability: Health checks and monitoring
Scalability: Support for multi-node deployments
Maintainability: Automated backup and recovery

By using these scripts, organizations can quickly deploy a production-ready BlueChI infrastructure that meets enterprise requirements for security, monitoring, and high availability. The modular approach allows for customization based on specific needs while maintaining best practices for system orchestration.