From 01ac1cdccacd7d43cb2a2afaf7ec8ff6a6e96231 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 15 Jan 2025 14:13:12 -0500 Subject: [PATCH] check features and allowed/states --- salt/allowed_states.map.jinja | 4 +- salt/hypervisor/init.sls | 33 ++++++++++++ salt/libvirt/init.sls | 32 +++++++++-- salt/libvirt/packages.sls | 51 ++++++++++++++---- salt/libvirt/ssh/users.sls | 37 ++++++++++--- salt/reactor/check_hypervisor.sls | 2 +- salt/salt/cloud/init.sls | 31 ++++++++--- salt/salt/cloud/reactor_config_hypervisor.sls | 53 +++++++++++++++++++ salt/salt/master.sls | 13 +++-- 9 files changed, 226 insertions(+), 30 deletions(-) create mode 100644 salt/salt/cloud/reactor_config_hypervisor.sls diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 07c677ba6..25cae50a7 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -86,6 +86,7 @@ 'so-manager': [ 'salt.master', 'salt.cloud', + 'libvirt', 'ca', 'ssl', 'registry', @@ -206,7 +207,8 @@ 'firewall', 'schedule', 'docker_clean', - 'stig' + 'stig', + 'hypervisor' ], 'so-desktop': [ 'ssl', diff --git a/salt/hypervisor/init.sls b/salt/hypervisor/init.sls index 3fa63bbcb..7bec6f25c 100644 --- a/salt/hypervisor/init.sls +++ b/salt/hypervisor/init.sls 
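Review bot: Adding `'libvirt'` to the so-manager list in the first hunk widens what a plain manager may apply beyond the packages and ssh-user pieces salt-cloud needs: libvirt/init.sls in this same patch gates on `sls in allowed_states` with `sls == 'libvirt'`, and its body reworks the management interface (`down_original_mgmt_interface` via nmcli). If only `_managerhyper` nodes are meant to run that, this entry should be scoped to the sub-states a manager actually needs; if manager-as-hypervisor is the intent, a one-line comment next to the entry saying so would stop the next reader from narrowing it. The role list that receives `'hypervisor'` in the second hunk has its header outside the hunk context, so I can't confirm which node type it targets.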
@@ -1,3 +1,18 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+# "You may not move, change, disable, or circumvent the license key functionality
+# in the software, and you may not remove or obscure any functionality in the
+# software that is protected by the license key."
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{% if 'hvn' in salt['pillar.get']('features', []) %}
+
 hypervisor_log_dir:
 file.directory:
 - name: /opt/so/log/hypervisor
@@ -7,3 +22,21 @@ hypervisor_sbin:
 - name: /usr/sbin
 - source: salt://hypervisor/tools/sbin
 - file_mode: 744
+
+{% else %}
+{{sls}}_no_license_detected:
+ test.fail_without_changes:
+ - name: {{sls}}_no_license_detected
+ - comment:
+ - "Hypervisor nodes are a feature supported only for customers with a valid license.
+ Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+ for more information about purchasing a license to enable this feature."
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/libvirt/init.sls b/salt/libvirt/init.sls
index dae0ed2bd..b0c131330 100644
--- a/salt/libvirt/init.sls
+++ b/salt/libvirt/init.sls
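Review bot: The `{{sls}}_state_not_allowed` fallback at the end of the second hunk fails without any explanation, unlike its licence twin a few lines above which carries a `- comment:`; a highstate on the wrong node type will show only the state id. Mirroring the licence branch with `- comment: "{{sls}} is not in allowed_states for this node's role; see allowed_states.map.jinja"` makes the failure self-explanatory in the job return. This exact pair of fallbacks is pasted into every file of the patch, so a shared macro in allowed_states.map.jinja would keep them from drifting apart.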
@@ -1,9 +1,18 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +# +# Note: Per the Elastic License 2.0, the second limitation states: +# +# "You may not move, change, disable, or circumvent the license key functionality +# in the software, and you may not remove or obscure any functionality in the +# software that is protected by the license key." -{% from 'libvirt/map.jinja' import LIBVIRTMERGED %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} +{% if 'hvn' in salt['pillar.get']('features', []) %} +{% from 'libvirt/map.jinja' import LIBVIRTMERGED %} include: - libvirt.64962 @@ -94,6 +103,23 @@ down_original_mgmt_interface: - nmcli -f GENERAL.CONNECTION dev show {{ pillar.host.mainint }} | grep bridge-slave-{{ pillar.host.mainint }} - order: last - # virtlogd service may not restart following reboot without this #semanage permissive -a virtlogd_t + +{% else %} +{{sls}}_no_license_detected: + test.fail_without_changes: + - name: {{sls}}_no_license_detected + - comment: + - "Hypervisor nodes are a feature supported only for customers with a valid license. + Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com + for more information about purchasing a license to enable this feature." +{% endif %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} diff --git a/salt/libvirt/packages.sls b/salt/libvirt/packages.sls index 4de30568a..5f4b343a7 100644 --- a/salt/libvirt/packages.sls +++ b/salt/libvirt/packages.sls 
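Review bot: The commented `#semanage permissive -a virtlogd_t` workaround that survives as context just above the new licence gate is a confinement-removal step rather than a fix: if anyone ever enables it, the whole virtlogd_t domain runs permissive on every node this state touches. If virtlogd genuinely fails to restart after reboot under enforcing mode, the denial should be captured (`ausearch -m avc -c virtlogd`) and a targeted module built with audit2allow instead. I'd replace the bare command with a warning such as `# NOTE: do not set virtlogd_t permissive; capture the AVC and ship a targeted policy module instead`. Whether the reboot problem still reproduces on current packages isn't visible from this diff.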
@@ -1,6 +1,25 @@
-#libvirt_source-packages_dir:
- # file.directory:
- # - name: /opt/so/conf/libvirt/source-packages
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+# "You may not move, change, disable, or circumvent the license key functionality
+# in the software, and you may not remove or obscure any functionality in the
+# software that is protected by the license key."
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{% if 'hvn' in salt['pillar.get']('features', []) %}
+
+# allows for creating vm images
+# any node manipulating images needs this
+install_qemu-img:
+ pkg.installed:
+ - name: qemu-img
+
+{% if 'hyper' in grains.id.split('_') | last %}
 
 install_libvirt-libs:
 pkg.installed:
@@ -11,12 +30,6 @@ install_libvirt-client:
 pkg.installed:
 - name: libvirt-client
 
-# allows for creating vm images
-# any node manipulating images needs this
-install_qemu-img:
- pkg.installed:
- - name: qemu-img
-
 install_guestfs-tools:
 pkg.installed:
 - name: guestfs-tools
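Review bot: `{% if 'hyper' in grains.id.split('_') | last %}` is a substring test on the last id segment (the filter binds before `in`), so any minion whose role suffix merely contains `hyper` gets the full libvirt stack, while the reactor in this same patch uses an exact `endswith(('_hypervisor', '_managerhyper'))` match. Use the same exact set here, `{% if grains.id.split('_')|last in ('hypervisor', 'managerhyper') %}`, so both gates agree on what a hypervisor id is. The minion id is self-reported, so either form is a convenience gate rather than an authorization check; key acceptance remains the real control and a short comment saying so would help.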
@@ -47,3 +60,23 @@ libvirt_python_module:
 - name: /opt/saltstack/salt/bin/python3 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
 - onchanges:
 - file: libvirt_python_wheel
+
+{% endif %}
+
+{% else %}
+{{sls}}_no_license_detected:
+ test.fail_without_changes:
+ - name: {{sls}}_no_license_detected
+ - comment:
+ - "Hypervisor nodes are a feature supported only for customers with a valid license.
+ Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+ for more information about purchasing a license to enable this feature."
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/libvirt/ssh/users.sls b/salt/libvirt/ssh/users.sls
index f0e30caec..0829075d2 100644
--- a/salt/libvirt/ssh/users.sls
+++ b/salt/libvirt/ssh/users.sls
@@ -1,20 +1,27 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +# +# Note: Per the Elastic License 2.0, the second limitation states: +# +# "You may not move, change, disable, or circumvent the license key functionality +# in the software, and you may not remove or obscure any functionality in the +# software that is protected by the license key." -{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} +{% if 'hvn' in salt['pillar.get']('features', []) %} +{% from 'vars/globals.map.jinja' import GLOBALS %} - - -{% if GLOBALS.is_manager %} +{% if GLOBALS.is_manager %} qemu_ssh_client_config: file.managed: - name: /root/.ssh/config - source: salt://libvirt/ssh/files/config -{% else %} +{% else %} # used for qemu+ssh connection between manager and hypervisors create_soqemussh_user: @@ -32,4 +39,22 @@ soqemussh_pub_key: - user: soqemussh - source: salt://libvirt/ssh/keys/id_ed25519.pub +{% endif %} + +{% else %} +{{sls}}_no_license_detected: + test.fail_without_changes: + - name: {{sls}}_no_license_detected + - comment: + - "Hypervisor nodes are a feature supported only for customers with a valid license. + Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com + for more information about purchasing a license to enable this feature." +{% endif %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + {% endif %} diff --git a/salt/reactor/check_hypervisor.sls b/salt/reactor/check_hypervisor.sls index fdf75453d..9afc42354 100644 
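Review bot: This file gates on the full state name, `{% if sls in allowed_states %}` with `sls == 'libvirt.ssh.users'`, whereas libvirt/packages.sls in the same patch checks `sls.split('.')[0]` and reactor_config_hypervisor.sls checks the first two segments. Unless allowed_states lists `'libvirt.ssh.users'` explicitly for every role that includes it (the map hunk here only adds `'libvirt'` for so-manager), this state fails with `libvirt.ssh.users_state_not_allowed` as soon as it is included. Either switch to `{% if sls.split('.')[0] in allowed_states %}` to match packages.sls, or add the full name to the map — one convention across the libvirt tree is the real fix. The body of the `else` branch (the soqemussh user and key) sits between the two hunks and isn't visible here.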
--- a/salt/reactor/check_hypervisor.sls
+++ b/salt/reactor/check_hypervisor.sls
@@ -1,4 +1,4 @@
-{% if data['id'].endswith(('_hypervisor', '_managerhyper')) %}
+{% if data['act'] == 'accept' and data['id'].endswith(('_hypervisor', '_managerhyper')) and data['result'] == True %}
 check_and_trigger:
 runner.setup_hypervisor.setup_environment: []
 {% endif %}
diff --git a/salt/salt/cloud/init.sls b/salt/salt/cloud/init.sls
index 5e160581b..7d987a5da 100644
--- a/salt/salt/cloud/init.sls
+++ b/salt/salt/cloud/init.sls
@@ -2,11 +2,18 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+# "You may not move, change, disable, or circumvent the license key functionality
+# in the software, and you may not remove or obscure any functionality in the
+# software that is protected by the license key."
 
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% from 'salt/map.jinja' import SALTVERSION %}
-{% set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
+{% if 'hvn' in salt['pillar.get']('features', []) %}
+{% from 'salt/map.jinja' import SALTVERSION %}
+{% set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
 
 include:
 - libvirt.packages
@@ -16,6 +23,7 @@ install_salt_cloud:
 - name: salt-cloud
 - version: {{SALTVERSION}}
 
+{% if HYPERVISORS %}
 cloud_providers:
 file.managed:
 - name: /etc/salt/cloud.providers.d/libvirt.conf
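Review bot: In the check_hypervisor.sls hunk the id suffix is still the only thing deciding that the master-side runner `setup_hypervisor.setup_environment` fires for a freshly accepted key; the new `act == 'accept'` and `result` checks correctly stop it reacting to reject/delete events, but the minion id is chosen by the minion. That is acceptable only because key acceptance is an operator action — an unattended `salt-key -A` in a provisioning pipeline would turn any minion naming itself `x_hypervisor` into a trigger — and the file should say so: `# id suffix is minion-chosen; manual key acceptance is the real gate, do not pair this reactor with blanket key acceptance`. Minor: `data['result'] == True` reads more naturally as `data['result'] is true` in Jinja, and `data.get('act')` / `data.get('result')` would keep the template from raising if a salt/key payload ever lacks a field.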
@@ -32,15 +40,26 @@ cloud_profiles: HYPERVISORS: {{HYPERVISORS}} - template: jinja -{% for role, hosts in HYPERVISORS.items() %} -{% for host in hosts.keys() %} +{% for role, hosts in HYPERVISORS.items() %} +{% for host in hosts.keys() %} hypervisor_{{host}}_{{role}}_pillar_dir: file.directory: - name: /opt/so/saltstack/local/pillar/hypervisor/{{host}}_{{role}} -{% endfor %} -{% endfor %} +{% endfor %} +{% endfor %} +{% endif %} + +{% else %} +{{sls}}_no_license_detected: + test.fail_without_changes: + - name: {{sls}}_no_license_detected + - comment: + - "Hypervisor nodes are a feature supported only for customers with a valid license. + Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com + for more information about purchasing a license to enable this feature." +{% endif %} {% else %} diff --git a/salt/salt/cloud/reactor_config_hypervisor.sls b/salt/salt/cloud/reactor_config_hypervisor.sls new file mode 100644 index 000000000..433e01f31 --- /dev/null +++ b/salt/salt/cloud/reactor_config_hypervisor.sls 
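Review bot: The new `{% if HYPERVISORS %}` / `{% endif %}` wrapper means that once the last entry leaves `hypervisor:nodes`, the previously rendered `/etc/salt/cloud.providers.d/libvirt.conf` — which presumably carries the qemu+ssh targets salt-cloud uses to reach hypervisors — is simply left on disk, and the per-host pillar directories linger likewise. Add an `{% else %}` before the closing `{% endif %}` that removes the providers file; the profiles file path isn't visible in this hunk, so only the one I can see is covered below. The `{% else %}` that ends the hunk belongs to the outer `allowed_states` check and its body continues past the hunk.
```jinja
{% endfor %}
{% endfor %}
{% else %}
{# no hypervisors configured: retire the provider config rendered by an earlier run #}
cloud_providers:
  file.absent:
    - name: /etc/salt/cloud.providers.d/libvirt.conf
{% endif %}
```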
@@ -0,0 +1,53 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+#
+# Note: Per the Elastic License 2.0, the second limitation states:
+#
+# "You may not move, change, disable, or circumvent the license key functionality
+# in the software, and you may not remove or obscure any functionality in the
+# software that is protected by the license key."
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[:2]|join('.') in allowed_states %}
+{% if 'hvn' in salt['pillar.get']('features', []) %}
+reactor_config_hypervisor:
+ file.managed:
+ - name: /etc/salt/master.d/reactor_hypervisor.conf
+ - contents: |
+ reactor:
+ - 'salt/key':
+ - salt://reactor/check_hypervisor.sls
+ - 'salt/cloud/*/deploying':
+ - /opt/so/saltstack/default/salt/reactor/createEmptyPillar.sls
+ - 'setup/so-minion':
+ - /opt/so/saltstack/default/salt/reactor/sominion_setup.sls
+ - 'salt/cloud/*/destroyed':
+ - /opt/so/saltstack/default/salt/reactor/virtReleaseHardware.sls
+ - /opt/so/saltstack/default/salt/reactor/deleteKey.sls
+ - user: root
+ - group: root
+ - mode: 644
+ - makedirs: True
+ - watch_in:
+ - service: salt_master_service
+ - order: last
+
+{% else %}
+{{sls}}_no_license_detected:
+ test.fail_without_changes:
+ - name: {{sls}}_no_license_detected
+ - comment:
+ - "Hypervisor nodes are a feature supported only for customers with a valid license.
+ Contact Security Onion Solutions, LLC via our website at https://securityonionsolutions.com
+ for more information about purchasing a license to enable this feature."
+{% endif %}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
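Review bot: The managed reactor config maps `setup/so-minion` to sominion_setup.sls, and that tag is a custom event any accepted minion can publish with `salt-call event.send`; the reactor executes the mapped sls with master privileges, so the only field that separates a legitimate setup event from a forged one is the `id` the master stamps on the payload. sominion_setup.sls isn't part of this diff — I'd confirm it acts solely on `data['id']` and never on a minion-supplied target, and record that expectation in the contents block: `# setup/so-minion is minion-emitted; the reactor sls must scope every action to data['id']`. Separately, this list mixes `salt://reactor/check_hypervisor.sls` with absolute `/opt/so/saltstack/default/salt/reactor/...` paths for the other four entries; pick one form so all five resolve the same way if the fileserver roots ever move.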
diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 7e823f4e8..b997ced4e 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -2,14 +2,21 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +# +# Note: Per the Elastic License 2.0, the second limitation states: +# +# "You may not move, change, disable, or circumvent the license key functionality +# in the software, and you may not remove or obscure any functionality in the +# software that is protected by the license key." {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} include: - salt.minion -{% if salt['pillar.get']('hypervisor:nodes', {} ) %} +{% if 'hvn' in salt['pillar.get']('features', []) %} - salt.cloud + - salt.cloud.reactor_config_hypervisor {% endif %} hold_salt_master_package: @@ -55,10 +62,8 @@ salt_master_service: {# # we need to managed adding the following to salt-master config if there are hypervisors reactor: - - 'salt/auth/accept/*': + - 'salt/key': - salt://reactor/check_hypervisor.sls - #- salt/cloud/*/creating': - #- salt/cloud/*/requesting - 'salt/cloud/*/deploying': - /opt/so/saltstack/default/salt/reactor/createEmptyPillar.sls - 'setup/so-minion':
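Review bot: Gating the `salt.cloud.reactor_config_hypervisor` include on `'hvn' in features` only manages the reactor file while the feature is present: if `hvn` later drops out of `features`, reactor_config_hypervisor.sls is never rendered again, nothing removes `/etc/salt/master.d/reactor_hypervisor.conf`, and the master keeps running the hypervisor reactors (including the key-accept trigger) with the feature supposedly off. Add a counterpart in this file that removes the config and restarts the master when the feature is absent; `salt_master_service` is the state id already used for `watch_in` in the reactor sls. The remainder of master.sls, including `salt_master_service` itself, lies past the end of this hunk.
```jinja
{% if 'hvn' in salt['pillar.get']('features', []) %}
  - salt.cloud
  - salt.cloud.reactor_config_hypervisor
{% endif %}

{# … unchanged: hold_salt_master_package and the rest of the file … #}

{% if 'hvn' not in salt['pillar.get']('features', []) %}
# feature absent: retire the reactor config written by salt.cloud.reactor_config_hypervisor
remove_reactor_config_hypervisor:
  file.absent:
    - name: /etc/salt/master.d/reactor_hypervisor.conf
    - watch_in:
      - service: salt_master_service
{% endif %}
```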