diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 140757524..e1962ae91 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -12,6 +12,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastic-fleet':
 final_octet: 21
 port_bindings:
@@ -19,6 +20,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elasticsearch':
 final_octet: 22
 port_bindings:
@@ -27,6 +29,10 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits:
+ - memlock=-1:-1
+ - nofile=65536:65536
+ - nproc=4096
 'so-influxdb':
 final_octet: 26
 port_bindings:
@@ -34,6 +40,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-kibana':
 final_octet: 27
 port_bindings:
@@ -41,6 +48,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-kratos':
 final_octet: 28
 port_bindings:
@@ -49,6 +57,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-hydra':
 final_octet: 30
 port_bindings:
@@ -57,6 +66,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-logstash':
 final_octet: 29
 port_bindings:
@@ -73,6 +83,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-nginx':
 final_octet: 31
 port_bindings:
@@ -84,6 +95,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-nginx-fleet-node':
 final_octet: 31
 port_bindings:
@@ -91,6 +103,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-redis':
 final_octet: 33
 port_bindings:
@@ -99,11 +112,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-sensoroni':
 final_octet: 99
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-soc':
 final_octet: 34
 port_bindings:
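Review bot: The so-elasticsearch `ulimits` values (`memlock=-1:-1`, `nofile=65536:65536`, `nproc=4096`) are added without any comment on the value format, yet they are now operator-editable through the SOC option added in soc_docker.yaml and are rendered verbatim into each docker state's `- ulimits:` list, so a reader of this file has nothing telling them what shape an entry must have. A comment above the first non-empty entry such as `# ulimits entries use the name=soft:hard form (a single value sets both); -1 means unlimited` would make the contract visible where the defaults live. The same applies to the `core=0` / `nofile=1048576:1048576` entry later in the file (presumably so-zeek, since those are the values removed from salt/zeek/enabled.sls). It is also worth stating in that comment that `memlock=-1:-1` lifts the locked-memory cap on purpose for Elasticsearch, so it is not copied into other containers' lists by analogy.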
@@ -111,16 +126,19 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-backend':
 final_octet: 36
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-filestream':
 final_octet: 37
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-frontend':
 final_octet: 38
 port_bindings:
@@ -128,11 +146,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-manager':
 final_octet: 39
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-gatekeeper':
 final_octet: 40
 port_bindings:
@@ -140,6 +160,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-coordinator':
 final_octet: 41
 port_bindings:
@@ -147,11 +168,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastalert':
 final_octet: 42
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastic-fleet-package-registry':
 final_octet: 44
 port_bindings:
@@ -159,11 +182,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-idh':
 final_octet: 45
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastic-agent':
 final_octet: 46
 port_bindings:
@@ -172,11 +197,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-telegraf':
 final_octet: 99
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-suricata':
 final_octet: 99
 custom_bind_mounts: []
@@ -189,6 +216,9 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits:
+ - core=0
+ - nofile=1048576:1048576
 'so-kafka':
 final_octet: 88
 port_bindings:
@@ -199,3 +229,4 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml
index f855259b6..e0d7553a4 100644
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -39,6 +39,12 @@ docker: helpLink: docker.html multiline: True forcedType: "[]string" + ulimits: + description: Ulimits for the container. + advanced: True + helpLink: docker.html + multiline: True + forcedType: "[]string" so-elastic-fleet: *dockerOptions so-elasticsearch: *dockerOptions so-influxdb: *dockerOptions @@ -62,42 +68,6 @@ docker: so-idh: *dockerOptions so-elastic-agent: *dockerOptions so-telegraf: *dockerOptions - so-suricata: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - global: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multiline: True - forcedType: "[]string" - custom_bind_mounts: - description: List of custom local volume bindings. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - extra_hosts: - description: List of additional host entries for the container. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - extra_env: - description: List of additional ENV entries for the container. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - ulimits: - description: Ulimits for the container, in bytes. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" + so-suricata: *dockerOptions so-zeek: *dockerOptions so-kafka: *dockerOptions diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index 28697715a..3ccc6ed1d 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls @@ -51,6 +51,12 @@ so-elastalert: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastalert'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - require: - cmd: wait_for_elasticsearch - file: elastarules 
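Review bot: The new `ulimits` option under the shared `dockerOptions` anchor describes itself only as `Ulimits for the container.`, which tells an operator editing it in the UI nothing about the expected entry shape, while the values are rendered unvalidated into the container state; a line such as `description: Ulimits for the container, one entry per line in the name=soft:hard form (for example nofile=65536:65536).` would close that gap. The second hunk collapses the explicit so-suricata block into `so-suricata: *dockerOptions`; the removed block marked `final_octet` as `readonly: True` and `global: True`, so confirm the anchor (defined before this hunk) carries the same attributes, otherwise the merge silently makes that field editable for Suricata. The enclosing `docker:` mapping starts before the first hunk.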
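Review bot: The new block reads the list from `DOCKER.containers['so-elastalert'].ulimits`, whereas the operator-configurable lists that these states already render come from `DOCKERMERGED` (the extra_env loop kept in salt/strelka/gatekeeper/enabled.sls and the port_bindings loops in the kibana, nginx and elasticsearch states in this same change). If `DOCKERMERGED` is the defaults-plus-pillar merge its name suggests, values an operator sets through the new SOC option would never reach the container and the defaults would always win; confirm which map holds the merged values and use it consistently, e.g. `{% if DOCKERMERGED.containers['so-elastalert'].ulimits %}` and the matching `{% for %}`. Every other `ulimits` block added in this change has the same question. The enclosing `so-elastalert` state starts before the hunk.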
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 706c50e27..aee7a3348 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls @@ -45,6 +45,12 @@ so-elastic-fleet-package-registry: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-elastic-fleet-package-registry_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index ccc1a6be5..419e19217 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -54,6 +54,12 @@ so-elastic-agent: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-agent'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - require: - file: create-elastic-agent-config - file: trusttheca diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 264497007..604bb7e4e 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -133,6 +133,12 @@ so-elastic-fleet: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-fleet'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - x509: etc_elasticfleet_key diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 1fb1d7a8e..64f45fa58 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls 
@@ -45,15 +45,17 @@ so-elasticsearch: - discovery.type=single-node {% endif %} - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true - ulimits: - - memlock=-1:-1 - - nofile=65536:65536 - - nproc=4096 - {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %} - {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %} + {% if DOCKER.containers['so-elasticsearch'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elasticsearch'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %} - {{ BINDING }} diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls index b9f463f51..38982448c 100644 --- a/salt/hydra/enabled.sls +++ b/salt/hydra/enabled.sls @@ -52,6 +52,12 @@ so-hydra: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-hydra'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: hydraconfig diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index 139a098c4..bb9af1998 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -39,6 +39,12 @@ so-idh: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-idh'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-idh'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: opencanary_config - require: diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index d4b287cb9..4d0ceb41f 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls 
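Review bot: Apart from moving the three ulimits into defaults.yaml, the hunk also switches the extra_env lookup from `DOCKERMERGED.containers['so-elasticsearch'].extra_env` to `DOCKER.containers['so-elasticsearch'].extra_env`, while the port_bindings loop three lines below still reads `DOCKERMERGED` and the gatekeeper state in this change keeps `DOCKERMERGED` for extra_env. If the two maps differ, operator-supplied environment entries for Elasticsearch would silently stop being applied after this commit; the change looks unrelated to the ulimits feature and should either be reverted to `{% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}` / `{% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}` or called out explicitly. The `so-elasticsearch` state starts and ends outside the hunk.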
@@ -58,6 +58,12 @@ so-influxdb: - {{ XTRAHOST }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-influxdb'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: influxdbconf - x509: influxdb_key diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls index 36ba5f9cd..e79ded0eb 100644 --- a/salt/kafka/enabled.sls +++ b/salt/kafka/enabled.sls @@ -60,6 +60,12 @@ so-kafka: {% if KAFKA_EXTERNAL_ACCESS %} - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro {% endif %} + {% if DOCKER.containers['so-kafka'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: {% for sc in ['server', 'client'] %} - file: kafka_kraft_{{sc}}_properties diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index e3a183c99..e24f45a68 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -51,6 +51,12 @@ so-kibana: {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %} - {{ BINDING }} {% endfor %} + {% if DOCKER.containers['so-kibana'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: kibanaconfig diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index 668cfe853..072445410 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls @@ -45,6 +45,12 @@ so-kratos: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-kratos'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: kratosschema diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 08feb587a..207f8d3c8 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls 
@@ -96,6 +96,12 @@ so-logstash: - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-logstash'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: lsetcsync - file: trusttheca diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 7dc905f49..14fad1180 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -75,6 +75,12 @@ so-nginx: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers[container_config].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers[container_config].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 65cc61e7f..d5b918225 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -51,6 +51,12 @@ so-redis: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-redis'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-redis'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - file: trusttheca diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 697bed98c..3601e2ed0 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -51,6 +51,12 @@ so-dockerregistry: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-dockerregistry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - retry: attempts: 5 interval: 30 diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index 805becf97..86cd42998 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
@@ -40,6 +40,12 @@ so-sensoroni: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-sensoroni'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: /opt/so/conf/sensoroni/sensoroni.json - require: diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index a916a1915..a98ebc359 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -78,6 +78,12 @@ so-soc: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-soc'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-soc'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - file: /opt/so/conf/soc/* diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index 61e6ef3c2..bdce96146 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls @@ -41,6 +41,12 @@ strelka_backend: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-backend'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: on-failure - watch: - file: strelkasensorcompiledrules diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index bd8155667..c6bccd93a 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls @@ -44,6 +44,12 @@ strelka_coordinator: - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-coordinator'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-strelka-coordinator_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index aa400a717..93855ed7f 100644 
--- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls @@ -41,6 +41,12 @@ strelka_filestream: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-filestream'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: filestream_config diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index faaa485d8..8ab13b69e 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls @@ -46,6 +46,12 @@ strelka_frontend: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-frontend'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: frontend_config diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls index 90e0c2d43..bc7433874 100644 --- a/salt/strelka/gatekeeper/enabled.sls +++ b/salt/strelka/gatekeeper/enabled.sls @@ -43,7 +43,13 @@ strelka_gatekeeper: {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %} - {{ XTRAENV }} {% endfor %} - {% endif %} + {% endif %} + {% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-strelka-gatekeeper_so-status.disabled: file.uncomment: diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls index 4f5ff3dc6..f57241007 100644 --- a/salt/strelka/manager/enabled.sls +++ b/salt/strelka/manager/enabled.sls 
@@ -40,6 +40,12 @@ strelka_manager: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-manager'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: manager_config diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index b956c6bc5..f3b5c466d 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -66,6 +66,12 @@ so-telegraf: - {{ XTRAHOST }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-telegraf'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - x509: telegraf_crt diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls index 9a6abde35..8a7a3580d 100644 --- a/salt/zeek/enabled.sls +++ b/salt/zeek/enabled.sls @@ -18,9 +18,12 @@ so-zeek: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - start: True - privileged: True + {% if DOCKER.containers['so-zeek'].ulimits %} - ulimits: - - core=0 - - nofile=1048576:1048576 + {% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw - /nsm/zeek/spool:/nsm/zeek/spool:rw
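Review bot: In the so-zeek hunk, `- ulimits:` is now emitted only when `DOCKER.containers['so-zeek'].ulimits` is non-empty, so an operator who clears the list in the SOC option removes the `core=0` limit that the old state applied unconditionally, and this `privileged: True` container that handles captured traffic could again write core files to disk. If `core=0` is meant as a fixed floor rather than a tunable, keep it outside the conditional and only append the configured entries inside the loop, or at minimum mark it in defaults.yaml with `# core=0 keeps core dumps disabled for so-zeek; do not clear this list` so the intent survives the move. The `so-zeek` state continues past the hunk.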