0xb00b5/firegex-traffic-viewer
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #23 from Pwnzer0tt1/standalone-start

Browse Source 
Standalone Firegex start mode
This commit is contained in:
Domingo Dirutigliano
2025-08-04 08:33:31 +02:00
committed by GitHub
parent cf43a651a7 14d5822193
commit 6562c13ad9
5 changed files with 638 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.dockerignore
View File

@@ -21,7 +21,8 @@ Dockerfile
/frontend/node_modules/
/backend/modules/cppregex
/backend/modules/proxy
docker-compose.yml
compose.yml
.firegex-compose.yml
# misc
**/.DS_Store

87
.github/workflows/docker-rootfs-asset.yml vendored Normal file
View File

@@ -0,0 +1,87 @@
name: Create Docker rootfs assets
on:
workflow_run:
workflows: ["Create and publish a Docker image"]
types:
- completed
branches:
- main
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
create-rootfs-assets:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
permissions:
contents: write
packages: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@master
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get latest release tag
id: get_tag
run: |
LATEST_TAG=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r '.tag_name')
echo "tag=$LATEST_TAG" >> $GITHUB_OUTPUT
echo "Latest release tag: $LATEST_TAG"
- name: Export rootfs for amd64
run: |
echo "Creating and exporting amd64 container..."
CONTAINER_ID=$(docker create --platform linux/amd64 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.tag }})
docker export $CONTAINER_ID --output="firegex-rootfs-amd64.tar"
docker rm $CONTAINER_ID
echo "Compressing amd64 rootfs..."
gzip firegex-rootfs-amd64.tar
ls -lh firegex-rootfs-amd64.tar.gz
- name: Export rootfs for arm64
run: |
echo "Creating and exporting arm64 container..."
CONTAINER_ID=$(docker create --platform linux/arm64 ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.tag }})
docker export $CONTAINER_ID --output="firegex-rootfs-arm64.tar"
docker rm $CONTAINER_ID
echo "Compressing arm64 rootfs..."
gzip firegex-rootfs-arm64.tar
ls -lh firegex-rootfs-arm64.tar.gz
- name: Calculate checksums
run: |
echo "Calculating checksums..."
sha256sum firegex-rootfs-amd64.tar.gz > firegex-rootfs-amd64.tar.gz.sha256
sha256sum firegex-rootfs-arm64.tar.gz > firegex-rootfs-arm64.tar.gz.sha256
cat *.sha256
- name: Upload rootfs assets to release
run: |
echo "Uploading assets to release ${{ steps.get_tag.outputs.tag }}..."
gh release upload ${{ steps.get_tag.outputs.tag }} \
firegex-rootfs-amd64.tar.gz \
firegex-rootfs-amd64.tar.gz.sha256 \
firegex-rootfs-arm64.tar.gz \
firegex-rootfs-arm64.tar.gz.sha256 \
--clobber
echo "Assets uploaded successfully!"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

8
.gitignore vendored
View File

@@ -29,7 +29,13 @@
/backend/modules/proxy
/docker-compose.yml
/firegex-compose.yml
/firegex-compose-tmp-file.yml
/.firegex-compose.yml
/.firegex-standalone.pid
/firegexfs/**
/firegexfs
/firegex.py
/tests/benchmark.csv
/tests/comparemark.csv

13
README.md
View File

@@ -1,3 +1,16 @@
# Rootless container and standalone install
- Check if docker is in rootless mode
```
> docker info -f "{{println .SecurityOptions}}"
[name=seccomp,profile=builtin name=rootless name=cgroupns]
```
- Start firegex without a container in case docker is not available or in rootless mode
<h1><img align="left" src="docs/FiregexLogo.png" width="170" /><br />[Fi]*regex 🔥</h1>
<a href="https://github.com/Pwnzer0tt1/firegex/releases/latest"><img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/pwnzer0tt1/firegex?color=D62246&style=flat-square"></a> <img alt="GitHub" src="https://img.shields.io/github/license/pwnzer0tt1/firegex?style=flat-square"> <img alt="GitHub top language" src="https://img.shields.io/github/languages/top/pwnzer0tt1/firegex?style=flat-square&color=44AA44"> <img alt="Code" src="https://img.shields.io/github/languages/code-size/pwnzer0tt1/firegex?color=%237289DA&label=Code&style=flat-square">

534
start.py
View File

@@ -8,12 +8,17 @@ import os
import multiprocessing
import subprocess
import getpass
import shutil
import tarfile
pref = "\033["
reset = f"{pref}0m"
class g:
composefile = "firegex-compose-tmp-file.yml"
composefile = ".firegex-compose.yml"
build = False
standalone_mode = False
rootfs_path = "./firegexfs"
pid_file = "./.firegex-standalone.pid"
os.chdir(os.path.dirname(os.path.realpath(__file__)))
if os.path.isfile("./Dockerfile"):
@@ -90,6 +95,7 @@ def gen_args(args_to_parse: list[str]|None = None):
#Main parser
parser = argparse.ArgumentParser(description="Firegex Manager")
parser.add_argument('--clear', dest="bef_clear", required=False, action="store_true", help='Delete docker volume associated to firegex resetting all the settings', default=False)
parser.add_argument('--standalone', required=False, action="store_true", help='Force standalone mode', default=False)
subcommands = parser.add_subparsers(dest="command", help="Command to execute [Default start if not running]")
@@ -106,13 +112,20 @@ def gen_args(args_to_parse: list[str]|None = None):
parser_start.add_argument('--logs', required=False, action="store_true", help='Show firegex logs', default=False)
parser_start.add_argument('--version', '-v', required=False, type=str , help='Version of the firegex image to use', default=None)
parser_start.add_argument('--prebuilt', required=False, action="store_true", help='Use prebuilt docker image', default=False)
parser_start.add_argument('--standalone', required=False, action="store_true", help='Force standalone mode', default=False)
#Stop Command
parser_stop = subcommands.add_parser('stop', help='Stop the firewall')
parser_stop.add_argument('--clear', required=False, action="store_true", help='Delete docker volume associated to firegex resetting all the settings', default=False)
parser_stop.add_argument('--standalone', required=False, action="store_true", help='Force standalone mode', default=False)
parser_restart = subcommands.add_parser('restart', help='Restart the firewall')
parser_restart.add_argument('--logs', required=False, action="store_true", help='Show firegex logs', default=False)
parser_restart.add_argument('--standalone', required=False, action="store_true", help='Force standalone mode', default=False)
#Status Command
parser_status = subcommands.add_parser('status', help='Show firewall status')
parser_status.add_argument('--standalone', required=False, action="store_true", help='Force standalone mode', default=False)
args = parser.parse_args(args=args_to_parse)
if "version" in args and args.version and g.build:
@@ -125,9 +138,18 @@ def gen_args(args_to_parse: list[str]|None = None):
if "prebuilt" in args and args.prebuilt:
g.build = False
if "psw_on_web" not in args:
args.psw_on_web = False
if "startup_psw" not in args:
args.startup_psw = None
if "clear" not in args:
args.clear = False
if "standalone" not in args:
args.standalone = False
if "threads" not in args or args.threads < 1:
args.threads = multiprocessing.cpu_count()
@@ -226,7 +248,7 @@ def write_compose(skip_password = True):
}))
def get_password():
if volume_exists() or args.psw_on_web:
if volume_exists() or args.psw_on_web or (g.standalone_mode and os.path.isfile(os.path.join(g.rootfs_path, "execute/db/firegex.db"))):
return None
if args.startup_psw:
return args.startup_psw
@@ -291,8 +313,506 @@ def nfqueue_exists():
def delete_volume():
return cmd_check("docker volume rm firegex_firegex_data")
def write_pid_file(pid):
"""Write PID to file"""
try:
with open(g.pid_file, 'w') as f:
f.write(str(pid))
return True
except Exception as e:
puts(f"Failed to write PID file: {e}", color=colors.red)
return False
def read_pid_file():
"""Read PID from file"""
try:
if os.path.exists(g.pid_file):
with open(g.pid_file, 'r') as f:
return int(f.read().strip())
return None
except Exception:
return None
def remove_pid_file():
"""Remove PID file"""
try:
if os.path.exists(g.pid_file):
os.remove(g.pid_file)
except Exception:
pass
def is_process_running(pid):
"""Check if process with given PID is running"""
if pid is None:
return False
try:
# Send signal 0 to check if process exists
os.kill(pid, 0)
return True
except (OSError, ProcessLookupError):
return False
def is_standalone_running():
"""Check if standalone Firegex is already running"""
pid = read_pid_file()
if pid and is_process_running(pid):
return True
else:
# Clean up stale PID file
remove_pid_file()
return False
def stop_standalone_process():
"""Stop the standalone Firegex process"""
pid = read_pid_file()
if pid and is_process_running(pid):
try:
puts(f"Stopping Firegex process (PID: {pid})...", color=colors.yellow)
os.kill(pid, 15) # SIGTERM
# Wait a bit for graceful shutdown
import time
for _ in range(10):
if not is_process_running(pid):
break
time.sleep(0.5)
# Force kill if still running
if is_process_running(pid):
puts("Process didn't stop gracefully, forcing termination...", color=colors.yellow)
os.kill(pid, 9) # SIGKILL
time.sleep(1)
if not is_process_running(pid):
puts("Firegex process stopped", color=colors.green)
return True
else:
puts("Failed to stop Firegex process", color=colors.red)
return False
except Exception as e:
puts(f"Error stopping process: {e}", color=colors.red)
return False
else:
puts("No running Firegex process found", color=colors.yellow)
return True
def is_docker_rootless():
"""Check if Docker is running in rootless mode"""
try:
output = cmd_check('docker info -f "{{println .SecurityOptions}}"', get_output=True)
return "rootless" in output.lower()
except Exception:
return False
def should_use_standalone():
"""Determine if standalone mode should be used"""
# Check if standalone mode is forced
if args.standalone:
return True
if is_standalone_running():
return True
# Check if Docker exists
if not cmd_check("docker --version"):
return True
# Check if Docker Compose exists
if not cmd_check("docker-compose --version") and not cmd_check("docker compose --version"):
return True
# Check if Docker is accessible
if not cmd_check("docker ps"):
return True
# Check if Docker is in rootless mode
if is_docker_rootless():
return True
return False
def is_root():
"""Check if running as root"""
return os.geteuid() == 0
def get_sudo_prefix():
"""Get sudo prefix if needed, empty string if already root"""
return "" if is_root() else "sudo "
def run_privileged_commands(commands, description="operations"):
"""Run a batch of privileged commands efficiently"""
if not commands:
return True
if is_root():
# If already root, run commands directly
for cmd in commands:
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
if result.returncode != 0:
puts(f"Command failed: {cmd}", color=colors.red)
puts(f"Error: {result.stderr}", color=colors.red)
return False
return True
else:
# If not root, create a script and run it with sudo once
import tempfile
with tempfile.NamedTemporaryFile(mode='w', suffix='.sh', delete=False) as script_file:
script_file.write("#!/bin/sh\nset -e\n")
for cmd in commands:
script_file.write(f"{cmd}\n")
script_path = script_file.name
try:
os.chmod(script_path, 0o755)
result = subprocess.run(f"sudo sh {script_path}", shell=True, capture_output=True, text=True)
if result.returncode != 0:
puts(f"Failed to execute {description}", color=colors.red)
puts(f"Error: {result.stderr}", color=colors.red)
return False
return True
finally:
os.unlink(script_path)
def safe_run_command(cmd, check_result=True, use_sudo=False):
"""Run a command safely with proper error handling"""
if use_sudo:
cmd = f"{get_sudo_prefix()}{cmd}"
try:
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
if check_result and result.returncode != 0:
puts(f"Command failed: {cmd}", color=colors.red)
puts(f"Error: {result.stderr}", color=colors.red)
return False
return result.returncode == 0
except Exception as e:
puts(f"Error running command: {cmd}", color=colors.red)
puts(f"Exception: {e}", color=colors.red)
return False
def cleanup_standalone_mounts():
"""Cleanup any existing mounts for standalone mode"""
mount_points = [
f"{g.rootfs_path}/dev",
f"{g.rootfs_path}/proc",
f"{g.rootfs_path}/sys_host/net.ipv4.conf.all.route_localnet",
f"{g.rootfs_path}/sys_host/net.ipv4.ip_forward",
f"{g.rootfs_path}/sys_host/net.ipv4.conf.all.forwarding",
f"{g.rootfs_path}/sys_host/net.ipv6.conf.all.forwarding"
]
# Create umount commands (with || true to ignore errors)
umount_commands = [f"umount {mount_point} || true" for mount_point in mount_points]
# Run all umount commands in one batch
run_privileged_commands(umount_commands, "cleanup mounts")
def get_latest_release_tag():
"""Get the latest release tag from GitHub API"""
import urllib.request
import json
try:
url = "https://api.github.com/repos/Pwnzer0tt1/firegex/releases/latest"
with urllib.request.urlopen(url) as response:
data = json.loads(response.read().decode())
return data.get('tag_name')
except Exception as e:
puts(f"Failed to get latest release tag: {e}", color=colors.red)
return None
def get_architecture():
"""Get current architecture (amd64 or arm64)"""
import platform
arch = platform.machine().lower()
if arch in ['x86_64', 'amd64']:
return 'amd64'
elif arch in ['aarch64', 'arm64']:
return 'arm64'
else:
puts(f"Unsupported architecture: {arch}", color=colors.red)
return None
def download_file(url, filename):
"""Download a file using urllib"""
import urllib.request
try:
puts(f"Downloading {filename}...", color=colors.green)
urllib.request.urlretrieve(url, filename)
return True
except Exception as e:
puts(f"Failed to download {filename}: {e}", color=colors.red)
return False
def setup_standalone_rootfs():
"""Set up the standalone rootfs"""
puts("Setting up standalone mode...", color=colors.green)
# Remove and recreate rootfs directory
if os.path.exists(g.rootfs_path):
puts("Rootfs already exists, skipping download...", color=colors.yellow)
# Clean up any existing mounts
cleanup_standalone_mounts()
return True
puts("Creating rootfs directory...", color=colors.green)
try:
os.makedirs(g.rootfs_path, exist_ok=True)
except Exception as e:
puts(f"Failed to create rootfs directory: {e}", color=colors.red)
return False
# Get latest release tag
release_tag = get_latest_release_tag()
if not release_tag:
puts("Failed to get latest release tag", color=colors.red)
return False
# Get current architecture
arch = get_architecture()
if not arch:
return False
# Download rootfs from GitHub releases
puts(f"Downloading rootfs for {arch} architecture from GitHub releases...", color=colors.green)
# Construct download URL
rootfs_filename = f"firegex-rootfs-{arch}.tar.gz"
download_url = f"https://github.com/Pwnzer0tt1/firegex/releases/download/{release_tag}/{rootfs_filename}"
tar_path = os.path.join(g.rootfs_path, rootfs_filename)
# Download the rootfs archive
if not download_file(download_url, tar_path):
return False
try:
# Extract tar.gz file
puts("Extracting rootfs...", color=colors.green)
with tarfile.open(tar_path, 'r:gz') as tar:
tar.extractall(path=g.rootfs_path, filter=lambda _: False)
# Remove tar.gz file
os.remove(tar_path)
# Create necessary directories
os.makedirs(os.path.join(g.rootfs_path, "dev"), exist_ok=True)
os.makedirs(os.path.join(g.rootfs_path, "proc"), exist_ok=True)
os.makedirs(os.path.join(g.rootfs_path, "sys_host"), exist_ok=True)
puts("Rootfs setup completed", color=colors.green)
return True
except Exception as e:
puts(f"Failed to extract rootfs: {e}", color=colors.red)
# Clean up partial extraction
if os.path.exists(tar_path):
os.remove(tar_path)
return False
def setup_standalone_mounts():
"""Set up bind mounts for standalone mode"""
puts("Setting up bind mounts...", color=colors.green)
# Create mount point files
mount_files = [
"net.ipv4.conf.all.route_localnet",
"net.ipv4.ip_forward",
"net.ipv4.conf.all.forwarding",
"net.ipv6.conf.all.forwarding"
]
sys_host_dir = os.path.join(g.rootfs_path, "sys_host")
# Prepare all privileged commands
privileged_commands = []
# Touch commands for mount point files
for mount_file in mount_files:
file_path = os.path.join(sys_host_dir, mount_file)
privileged_commands.append(f"touch {file_path}")
# Mount commands
privileged_commands.extend([
f"mount --bind /dev {g.rootfs_path}/dev",
f"mount --bind /proc {g.rootfs_path}/proc",
f"mount --bind /proc/sys/net/ipv4/conf/all/route_localnet {g.rootfs_path}/sys_host/net.ipv4.conf.all.route_localnet",
f"mount --bind /proc/sys/net/ipv4/ip_forward {g.rootfs_path}/sys_host/net.ipv4.ip_forward",
f"mount --bind /proc/sys/net/ipv4/conf/all/forwarding {g.rootfs_path}/sys_host/net.ipv4.conf.all.forwarding",
f"mount --bind /proc/sys/net/ipv6/conf/all/forwarding {g.rootfs_path}/sys_host/net.ipv6.conf.all.forwarding"
])
# Run all privileged commands in one batch
if not run_privileged_commands(privileged_commands, "setup bind mounts"):
puts("Failed to set up bind mounts", color=colors.red)
return False
return True
def run_standalone():
"""Run Firegex in standalone mode as a daemon"""
puts("Starting Firegex in standalone mode...", color=colors.green)
# Check if already running
if is_standalone_running():
puts("Firegex is already running in standalone mode!", color=colors.yellow)
pid = read_pid_file()
puts(f"Process PID: {pid}", color=colors.cyan)
return
# Set up environment variables
env_vars = [
f"PORT={args.port}",
f"NTHREADS={args.threads}",
]
# Add password if set
psw_set = get_password()
if psw_set:
env_vars.append(f"HEX_SET_PSW={psw_set.encode().hex()}")
# Prepare environment string for chroot
env_string = " ".join([f"{var}" for var in env_vars])
# Run chroot command in background
chroot_cmd = f"{get_sudo_prefix()}env {env_string} chroot --userspec=root:root {g.rootfs_path} /bin/python3 /execute/app.py DOCKER"
puts(f"Running: {chroot_cmd}", color=colors.cyan)
puts("Starting as daemon...", color=colors.green)
try:
# Start process in background
process = subprocess.Popen(
chroot_cmd,
shell=True,
stdout=subprocess.DEVNULL,
stderr=subprocess.DEVNULL,
stdin=subprocess.DEVNULL,
preexec_fn=os.setsid # Create new session
)
# Write PID to file
if write_pid_file(process.pid):
puts(f"Firegex started successfully (PID: {process.pid})", color=colors.green)
puts(f"PID saved to: {g.pid_file}", color=colors.cyan)
if is_process_running(process.pid):
puts("Firegex is running in background", color=colors.green)
puts(f"Web interface should be available at: http://localhost:{args.port}", color=colors.cyan)
else:
puts("Firegex process failed to start", color=colors.red)
remove_pid_file()
cleanup_standalone_mounts()
else:
puts("Failed to save PID file", color=colors.red)
process.terminate()
cleanup_standalone_mounts()
except Exception as e:
puts(f"Failed to start Firegex: {e}", color=colors.red)
cleanup_standalone_mounts()
def stop_standalone():
"""Stop standalone mode by stopping the process and cleaning up mounts"""
puts("Stopping standalone mode...", color=colors.green)
# Stop the process
if stop_standalone_process():
# Clean up mounts
cleanup_standalone_mounts()
# Remove PID file
remove_pid_file()
puts("Standalone mode stopped", color=colors.green)
else:
# Clean up anyway
cleanup_standalone_mounts()
remove_pid_file()
puts("Cleanup completed", color=colors.yellow)
def clear_standalone():
"""Clear standalone rootfs"""
puts("Clearing standalone rootfs...", color=colors.green)
cleanup_standalone_mounts()
if os.path.exists(g.rootfs_path):
# If permission denied, use privileged command
if run_privileged_commands([f"chmod ugo+rw -R {g.rootfs_path}", f"rm -rf {g.rootfs_path}"], "remove rootfs"):
puts("Standalone rootfs cleared", color=colors.green)
else:
puts("Failed to clear standalone rootfs", color=colors.red)
else:
puts("Standalone rootfs not found", color=colors.yellow)
def status_standalone():
"""Show standalone mode status"""
puts("Standalone mode status:", color=colors.cyan, is_bold=True)
# Check if running
if is_standalone_running():
pid = read_pid_file()
puts(f"Status: Running (PID: {pid})", color=colors.green)
puts(f"Web interface: http://localhost:{args.port}", color=colors.cyan)
else:
puts("Status: Not running", color=colors.red)
if os.path.exists(g.rootfs_path):
puts(f"Rootfs: Available ({g.rootfs_path})", color=colors.white)
else:
puts("Rootfs: Not available", color=colors.yellow)
def main():
# Check if we should use standalone mode
if should_use_standalone():
if not is_linux():
puts("Standalone mode only works on Linux!", color=colors.red)
puts("Please install Docker and Docker Compose.", color=colors.red)
exit(1)
g.standalone_mode = True
if args.standalone:
puts("Standalone mode forced by --standalone option", color=colors.cyan)
elif is_standalone_running():
puts("Standalone mode already running, using it", color=colors.cyan)
else:
puts("Docker not available or in rootless mode, using standalone mode", color=colors.yellow)
# Ensure we have root privileges for standalone mode operations
if not is_root():
puts("Standalone mode requires root privileges. 'sudo' will be used.", color=colors.yellow)
if args.command == "start" or args.command is None:
# Check if already running
if is_standalone_running():
pid = read_pid_file()
puts(f"Firegex is already running in standalone mode! (PID: {pid})", color=colors.yellow)
puts(f"Web interface available at: http://localhost:{args.port}", color=colors.cyan)
return
if not setup_standalone_rootfs():
exit(1)
if not setup_standalone_mounts():
exit(1)
run_standalone()
elif args.command == "stop":
stop_standalone()
elif args.command == "status":
status_standalone()
elif args.command == "restart":
stop_standalone()
if not setup_standalone_mounts():
exit(1)
run_standalone()
else:
puts("Command not supported in standalone mode", color=colors.red)
exit(1)
# Handle clear option for standalone mode
if args.clear:
clear_standalone()
return
# Original Docker-based logic
if not cmd_check("docker --version"):
puts("Docker not found! please install docker and docker compose!", color=colors.red)
exit()
@@ -348,6 +868,12 @@ def main():
composecmd("down", g.composefile)
else:
puts("Firegex is not running!" , color=colors.red, is_bold=True, flush=True)
case "status":
if check_already_running():
puts("Firegex is running in Docker mode", color=colors.green)
puts(f"Web interface: http://localhost:{args.port}", color=colors.cyan)
else:
puts("Firegex is not running", color=colors.red)
write_compose()
@@ -362,11 +888,7 @@ def main():
if __name__ == "__main__":
try:
try:
main()
finally:
if os.path.isfile(g.composefile):
os.remove(g.composefile)
except KeyboardInterrupt:
print()