diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json
deleted file mode 100644
index bc6c85745..000000000
--- a/salt/common/files/daemon.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "registry-mirrors": [
- "https://:5000"
- ],
- "bip": "172.17.0.1/24",
- "default-address-pools": [
- {
- "base": "172.17.0.0/24",
- "size": 24
- }
- ],
- "default-ulimits": {
- "nofile": {
- "Name": "nofile",
- "Soft": 1048576,
- "Hard": 1048576
- }
- }
-}
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index f5a523b8c..044ec98b0 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,6 +1,10 @@
 docker:
 range: '172.17.1.0/24'
 gateway: '172.17.1.1'
+ ulimits:
+ - name: nofile
+ soft: 1048576
+ hard: 1048576
 containers:
 'so-dockerregistry':
 final_octet: 20
@@ -9,6 +13,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastic-fleet':
 final_octet: 21
 port_bindings:
@@ -16,6 +21,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elasticsearch':
 final_octet: 22
 port_bindings:
@@ -24,6 +30,16 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits:
+ - name: memlock
+ soft: -1
+ hard: -1
+ - name: nofile
+ soft: 65536
+ hard: 65536
+ - name: nproc
+ soft: 4096
+ hard: 4096
 'so-influxdb':
 final_octet: 26
 port_bindings:
@@ -31,6 +47,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-kibana':
 final_octet: 27
 port_bindings:
@@ -38,6 +55,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-kratos':
 final_octet: 28
 port_bindings:
@@ -46,6 +64,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-hydra':
 final_octet: 30
 port_bindings:
@@ -54,6 +73,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-logstash':
 final_octet: 29
 port_bindings:
@@ -70,6 +90,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-nginx':
 final_octet: 31
 port_bindings:
@@ -81,6 +102,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-nginx-fleet-node':
 final_octet: 31
 port_bindings:
@@ -88,6 +110,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-redis':
 final_octet: 33
 port_bindings:
@@ -96,11 +119,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-sensoroni':
 final_octet: 99
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-soc':
 final_octet: 34
 port_bindings:
@@ -108,16 +133,19 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-backend':
 final_octet: 36
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-filestream':
 final_octet: 37
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-frontend':
 final_octet: 38
 port_bindings:
@@ -125,11 +153,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-manager':
 final_octet: 39
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-gatekeeper':
 final_octet: 40
 port_bindings:
@@ -137,6 +167,7 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-strelka-coordinator':
 final_octet: 41
 port_bindings:
@@ -144,11 +175,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastalert':
 final_octet: 42
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastic-fleet-package-registry':
 final_octet: 44
 port_bindings:
@@ -156,11 +189,13 @@ docker:
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-idh':
 final_octet: 45
 custom_bind_mounts: []
 extra_hosts: []
 extra_env: []
+ ulimits: []
 'so-elastic-agent':
 final_octet: 46
 port_bindings:
@@ -169,23 +204,28 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-telegraf': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-suricata': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] - ulimits: - - memlock=524288000 + ulimits: [] 'so-zeek': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: + - name: core + soft: 0 + hard: 0 'so-kafka': final_octet: 88 port_bindings: @@ -196,3 +236,4 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja index 61416f7a4..595d5d272 100644 --- a/salt/docker/docker.map.jinja +++ b/salt/docker/docker.map.jinja @@ -1,8 +1,8 @@ {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} -{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} -{% set RANGESPLIT = DOCKER.range.split('.') %} +{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} +{% set RANGESPLIT = DOCKERMERGED.range.split('.') %} {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} -{% for container, vals in DOCKER.containers.items() %} -{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %} +{% for container, vals in DOCKERMERGED.containers.items() %} +{% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %} {% endfor %} diff --git a/salt/docker/files/daemon.json.jinja b/salt/docker/files/daemon.json.jinja new file mode 100644 index 000000000..3f5e4c914 --- /dev/null +++ b/salt/docker/files/daemon.json.jinja 
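Review bot: The `so-suricata` entry is changed from `- memlock=524288000` to `ulimits: []`, so the memlock limit Suricata previously ran with is dropped rather than translated into the new schema, while `so-zeek` and `so-elasticsearch` in this same file keep theirs. If that is intentional, a comment on the key saying so would stop the next reader from restoring it; otherwise the equivalent entry is `- name: memlock`, `soft: 524288000`, `hard: 524288000` (the old single-value form was applied as both soft and hard). The suricata state that consumed the old string form is not in the visible part of the diff, so whether it now reads the new structure cannot be confirmed here.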
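Review bot: Renaming the exported symbol from `DOCKER` to `DOCKERMERGED` turns every remaining `{% from 'docker/docker.map.jinja' import DOCKER %}` into a render-time failure, which includes any state this commit does not touch and any local customisation of the salt tree. Adding `{% set DOCKER = DOCKERMERGED %}` after the new assignment keeps the old name importable while consumers migrate and costs nothing once they have. Whether any such consumer remains cannot be told from the files visible in this diff.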
@@ -0,0 +1,24 @@ +{% from 'docker/docker.map.jinja' import DOCKERMERGED -%} +{ + "registry-mirrors": [ + "https://:5000" + ], + "bip": "172.17.0.1/24", + "default-address-pools": [ + { + "base": "172.17.0.0/24", + "size": 24 + } + ] +{%- if DOCKERMERGED.ulimits %}, + "default-ulimits": { +{%- for ULIMIT in DOCKERMERGED.ulimits %} + "{{ ULIMIT.name }}": { + "Name": "{{ ULIMIT.name }}", + "Soft": {{ ULIMIT.soft }}, + "Hard": {{ ULIMIT.hard }} + }{{ "," if not loop.last else "" }} +{%- endfor %} + } +{%- endif %} +} diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 5cac6f185..52091ed95 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} # docker service requires the ca.crt @@ -41,10 +41,9 @@ dockeretc: file.directory: - name: /etc/docker -# Manager daemon.json docker_daemon: file.managed: - - source: salt://common/files/daemon.json + - source: salt://docker/files/daemon.json.jinja - name: /etc/docker/daemon.json - template: jinja @@ -75,8 +74,8 @@ dockerreserveports: sos_docker_net: docker_network.present: - name: sobridge - - subnet: {{ DOCKER.range }} - - gateway: {{ DOCKER.gateway }} + - subnet: {{ DOCKERMERGED.range }} + - gateway: {{ DOCKERMERGED.gateway }} - options: com.docker.network.bridge.name: 'sobridge' com.docker.network.driver.mtu: '1500' diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index 82913bdd7..e649700da 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml 
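Review bot: `ULIMIT.name`, `ULIMIT.soft` and `ULIMIT.hard` are written into /etc/docker/daemon.json verbatim, and the only validation is the SOC UI regex and forcedType, which a value set directly in pillar never passes through; a name containing a quote or a non-integer limit produces invalid JSON, and dockerd then refuses to start on the whole host rather than failing one container. Emitting the name through the JSON encoder keeps the document well-formed whatever the value, i.e. `{{ ULIMIT.name | tojson }}: {` and `"Name": {{ ULIMIT.name | tojson }},`, and soft/hard deserve an integer check before they reach this template (note that `| int` alone would silently turn a bad value into 0, which for nofile is its own outage). The `registry-mirrors` entry reads `https://:5000` in this rendering; if a host expression was lost when the page was captured this is fine, otherwise it is an empty hostname.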
@@ -7,6 +7,25 @@ docker:
 description: Default docker IP range for containers.
 helpLink: docker
 advanced: True
+ ulimits:
+ description: |
+ Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
+ forcedType: "[]{}"
+ syntax: json
+ advanced: True
+ helpLink: docker.html
+ uiElements:
+ - field: name
+ label: Resource Name
+ required: True
+ regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
+ regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
+ - field: soft
+ label: Soft Limit
+ forcedType: int
+ - field: hard
+ label: Hard Limit
+ forcedType: int
 containers:
 so-dockerregistry: &dockerOptions
 final_octet:
@@ -39,6 +58,25 @@ docker:
 helpLink: docker
 multiline: True
 forcedType: "[]string"
+ ulimits:
+ description: |
+ Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
+ advanced: True
+ helpLink: docker.html
+ forcedType: "[]{}"
+ syntax: json
+ uiElements:
+ - field: name
+ label: Resource Name
+ required: True
+ regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
+ regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
+ - field: soft
+ label: Soft Limit
+ forcedType: int
+ - field: hard
+ label: Hard Limit
+ forcedType: int
 so-elastic-fleet: *dockerOptions
 so-elasticsearch: *dockerOptions
 so-influxdb: *dockerOptions
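Review bot: `helpLink: docker.html` on the new daemon-level `ulimits` key does not match `helpLink: docker`, which the sibling keys visible in this diff use (the `range` key just above it and the removed per-container block further down); the container-level `ulimits` block in the next hunk has the same mismatch. Whether the SOC UI resolves both forms cannot be told from here, so either `helpLink: docker` on both new blocks or a short note on why these two differ would remove the doubt.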
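Review bot: The description says each entry carries "optional soft and hard limits", but the `soft` and `hard` uiElements are not marked `required` and the container states added in this same commit render `{{ ULIMIT.soft }}:{{ ULIMIT.hard }}` unconditionally, so an entry saved with only a soft limit produces a malformed ulimit spec rather than an optional one. Either `required: True` on both fields (matching the `name` field above) or a description stating that both limits are mandatory would make the schema and the templates agree. The daemon-level block in the previous hunk has the same two unrequired fields, and its daemon.json template also emits both values.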
@@ -62,42 +100,6 @@ docker: so-idh: *dockerOptions so-elastic-agent: *dockerOptions so-telegraf: *dockerOptions - so-suricata: - final_octet: - description: Last octet of the container IP address. - helpLink: docker - readonly: True - advanced: True - global: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker - advanced: True - multiline: True - forcedType: "[]string" - custom_bind_mounts: - description: List of custom local volume bindings. - advanced: True - helpLink: docker - multiline: True - forcedType: "[]string" - extra_hosts: - description: List of additional host entries for the container. - advanced: True - helpLink: docker - multiline: True - forcedType: "[]string" - extra_env: - description: List of additional ENV entries for the container. - advanced: True - helpLink: docker - multiline: True - forcedType: "[]string" - ulimits: - description: Ulimits for the container, in bytes. - advanced: True - helpLink: docker - multiline: True - forcedType: "[]string" + so-suricata: *dockerOptions so-zeek: *dockerOptions so-kafka: *dockerOptions diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index e28a55958..d72c3b9c5 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - elastalert.config @@ -24,7 +24,7 @@ so-elastalert: - user: so-elastalert - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }} - detach: True - binds: - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro 
@@ -33,24 +33,30 @@ so-elastalert: - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {% if DOCKER.containers['so-elastalert'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastalert'].extra_env %} + {% if DOCKERMERGED.containers['so-elastalert'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-elastalert'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - require: - cmd: wait_for_elasticsearch - file: elastarules diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 3cd90ba87..e2833f5be 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls 
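Review bot: The added `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` line renders the hard limit unconditionally, so an entry whose `hard` key is absent (the SOC schema does not require it) or left blank yields `nofile=1024:` or `nofile=1024:None`, which the ulimit parsing rejects as a non-integer and the whole `so-elastalert` state then fails; the same line is added in elastic-fleet-package-registry, elasticagent, elasticfleet, elasticsearch, hydra, idh and influxdb. The single-value form `name=soft` is accepted and applies the value as both limits, so `- {{ ULIMIT.name }}={{ ULIMIT.soft }}{% if ULIMIT.hard is defined and ULIMIT.hard is not none %}:{{ ULIMIT.hard }}{% endif %}` covers both cases with one line. If the renderer is configured with strict undefined handling the missing key fails at render time instead, which is a clearer error but still an outage for the container. The `so-elastalert` state block starts before this hunk.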
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - elastic-fleet-package-registry.config 
@@ -21,30 +21,36 @@ so-elastic-fleet-package-registry: - user: 948 - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} - binds: - {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ 
ULIMIT.hard }} + {% endfor %} + {% endif %} delete_so-elastic-fleet-package-registry_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index f59eae1fe..c366ebbf7 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - ca @@ -22,17 +22,17 @@ so-elastic-agent: - user: 949 - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-elastic-agent'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
@@ -41,19 +41,25 @@ so-elastic-agent: - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro - /opt/so/log:/opt/so/log:ro - {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - environment: - FLEET_CA=/etc/pki/tls/certs/intca.crt - LOGS_PATH=logs - {% if DOCKER.containers['so-elastic-agent'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} + {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - require: - file: create-elastic-agent-config - file: trusttheca diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 040d15fca..89ba1f80a 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} {# This value is generated during node install and stored in minion pillar #} 
@@ -94,17 +94,17 @@ so-elastic-fleet: - user: 947 - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: @@ -112,8 +112,8 @@ so-elastic-fleet: - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs - {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} 
@@ -128,11 +128,17 @@ so-elastic-fleet: - FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - LOGS_PATH=logs - {% if DOCKER.containers['so-elastic-fleet'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - x509: etc_elasticfleet_key diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 0eb9194fb..29ab80329 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %} 
@@ -28,15 +28,15 @@ so-elasticsearch: - user: elasticsearch - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }} - extra_hosts: {% for node in ELASTICSEARCH_NODES %} {% for hostname, ip in node.items() %} - {{hostname}}:{{ip}} {% endfor %} {% endfor %} - {% if DOCKER.containers['so-elasticsearch'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} @@ -45,17 +45,19 @@ so-elasticsearch: - discovery.type=single-node {% endif %} - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true - ulimits: - - memlock=-1:-1 - - nofile=65536:65536 - - nproc=4096 - {% if DOCKER.containers['so-elasticsearch'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %} + {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
@@ -75,8 +77,8 @@ so-elasticsearch: - {{ repo }}:{{ repo }}:rw {% endfor %} {% endif %} - {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index acb6b0eaf..91cfd92ec 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja @@ -1,5 +1,5 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} -{%- from 'docker/docker.map.jinja' import DOCKER %} +{%- from 'docker/docker.map.jinja' import DOCKERMERGED %} {%- from 'firewall/map.jinja' import FIREWALL_MERGED %} {%- set role = GLOBALS.role.split('-')[1] %} {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %} @@ -8,9 +8,9 @@ {%- set D1 = [] %} {%- set D2 = [] %} {%- for container in NODE_CONTAINERS %} -{%- set IP = DOCKER.containers[container].ip %} -{%- if DOCKER.containers[container].port_bindings is defined %} -{%- for binding in DOCKER.containers[container].port_bindings %} +{%- set IP = DOCKERMERGED.containers[container].ip %} +{%- if DOCKERMERGED.containers[container].port_bindings is defined %} +{%- for binding in DOCKERMERGED.containers[container].port_bindings %} {#- cant split int so we convert to string #} {%- set binding = binding|string %} {#- split the port binding by /. if proto not specified, default is tcp #} 
@@ -33,13 +33,13 @@ {%- set hostPort = bsa[0] %} {%- set containerPort = bsa[1] %} {%- endif %} -{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %} +{%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %} {%- if bindip | length and bindip != '0.0.0.0' %} -{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %} {%- else %} -{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %} {%- endif %} -{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %} +{%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %} {%- endfor %} {%- endif %} {%- endfor %} 
@@ -52,7 +52,7 @@ :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE +-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE {%- for rule in PR %} {{ rule }} {%- endfor %} diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 8bd0512ec..58d8c189d 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -1,11 +1,11 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %} {# add our ip to self #} {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %} {# add dockernet range #} -{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %} +{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %} {% if GLOBALS.role == 'so-idh' %} {% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls index a20b22d32..ee6a0c811 100644 --- a/salt/hydra/enabled.sls +++ b/salt/hydra/enabled.sls @@ -11,7 +11,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% if 'api' in salt['pillar.get']('features', []) %} 
@@ -26,32 +26,38 @@ so-hydra: - name: so-hydra - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }} - binds: - /opt/so/conf/hydra/:/hydra-conf:ro - /opt/so/log/hydra/:/hydra-log:rw - /nsm/hydra/db:/hydra-data:rw - {% if DOCKER.containers['so-hydra'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-hydra'].extra_hosts %} + {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-hydra'].extra_env %} + {% if DOCKERMERGED.containers['so-hydra'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-hydra'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: hydraconfig diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index e08e6647f..9c0e22816 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - idh.config @@ -22,23 +22,29 @@ so-idh: - /nsm/idh:/var/tmp:rw - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro - {% if DOCKER.containers['so-idh'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-idh'].extra_hosts %} + {% if DOCKERMERGED.containers['so-idh'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-idh'].extra_env %} + {% if DOCKERMERGED.containers['so-idh'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-idh'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: opencanary_config - require: diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 65ba4fafe..45038ece5 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} {% set TOKEN = salt['pillar.get']('influxdb:token') %} @@ -21,7 +21,7 @@ so-influxdb: - hostname: influxdb - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }} - environment: - INFLUXD_CONFIG_PATH=/conf/config.yaml - INFLUXDB_HTTP_LOG_ENABLED=false @@ -31,8 +31,8 @@ so-influxdb: - DOCKER_INFLUXDB_INIT_ORG=Security Onion - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} - {% if DOCKER.containers['so-influxdb'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %} + {% if DOCKERMERGED.containers['so-influxdb'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} 
@@ -43,21 +43,27 @@ so-influxdb: - /nsm/influxdb:/var/lib/influxdb2:rw - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro - {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-influxdb'].extra_hosts %} + {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-influxdb'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: influxdbconf - x509: influxdb_key diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls index 88847f30b..06fa701c6 100644 --- a/salt/kafka/enabled.sls +++ b/salt/kafka/enabled.sls @@ -12,7 +12,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% set KAFKANODES = salt['pillar.get']('kafka:nodes') %} {% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %} {% if 'gmd' in salt['pillar.get']('features', []) %} 
@@ -31,22 +31,22 @@ so-kafka: - name: so-kafka - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }} - user: kafka - environment: KAFKA_HEAP_OPTS: -Xmx2G -Xms1G - KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}" + KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}" - extra_hosts: {% for node in KAFKANODES %} - {{ node }}:{{ KAFKANODES[node].ip }} {% endfor %} - {% if DOCKER.containers['so-kafka'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %} + {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: @@ -60,6 +60,12 @@ so-kafka: {% if KAFKA_EXTERNAL_ACCESS %} - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro {% endif %} + {% if DOCKERMERGED.containers['so-kafka'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: {% for sc in ['server', 'client'] %} - file: kafka_kraft_{{sc}}_properties diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 56aac26cc..04f44e508 100644 
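Review bot: `{% if DOCKERMERGED.containers['so-kafka'].ulimits %}` will fail at render time with an undefined-variable error if the so-kafka entry in salt/docker/defaults.yaml did not also gain a `ulimits: []` key, because Salt renders Jinja with StrictUndefined unless `allow_undefined` is set and a missing dict key is not falsy there. The visible part of the defaults.yaml diff stops before any so-kafka block, so I could not confirm the default was added; if it was not, add `ulimits: []` under so-kafka in defaults.yaml rather than loosening the guard here. The so-kafka state header is outside this hunk.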
--- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -20,20 +20,20 @@ so-kibana: - user: kibana - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }} - environment: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 - MANAGER={{ GLOBALS.manager }} - {% if DOCKER.containers['so-kibana'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %} + {% if DOCKERMERGED.containers['so-kibana'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {% if DOCKER.containers['so-kibana'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %} + {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} 
@@ -42,15 +42,21 @@ so-kibana: - /opt/so/log/kibana:/var/log/kibana:rw - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro - {% if DOCKER.containers['so-kibana'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %} - {{ BINDING }} {% endfor %} + {% if DOCKERMERGED.containers['so-kibana'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: kibanaconfig diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index f0345edec..35587a520 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -19,32 +19,38 @@ so-kratos: - name: so-kratos - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }} - binds: - /opt/so/conf/kratos/:/kratos-conf:ro - /opt/so/log/kratos/:/kratos-log:rw - /nsm/kratos/db:/kratos-data:rw - {% if DOCKER.containers['so-kratos'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-kratos'].extra_hosts %} + {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-kratos'].extra_env %} + {% if DOCKERMERGED.containers['so-kratos'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-kratos'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: kratosschema diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 3c083f4ce..d89304144 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import LOGSTASH_NODES %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %} @@ -32,7 +32,7 @@ so-logstash: - name: so-logstash - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {% for node in LOGSTASH_NODES %} @@ -40,20 +40,20 @@ so-logstash: - {{hostname}}:{{ip}} {% endfor %} {% endfor %} - {% if DOCKER.containers['so-logstash'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %} + {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - environment: - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - {% if DOCKER.containers['so-logstash'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %} + {% if DOCKERMERGED.containers['so-logstash'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
@@ -91,11 +91,17 @@ so-logstash: - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {% endif %} - {% if DOCKER.containers['so-logstash'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-logstash'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: lsetcsync - file: trusttheca diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 4ebeb9349..2e4c9631c 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'nginx/map.jinja' import NGINXMERGED %} include: @@ -37,11 +37,11 @@ so-nginx: - hostname: so-nginx - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers[container_config].ip }} + - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {% if DOCKER.containers[container_config].extra_hosts %} - {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %} + {% if DOCKERMERGED.containers[container_config].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} 
@@ -64,20 +64,26 @@ so-nginx: - /opt/so/rules/nids/suri:/surirules:ro {% endif %} {% endif %} - {% if DOCKER.containers[container_config].custom_bind_mounts %} - {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %} + {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers[container_config].extra_env %} + {% if DOCKERMERGED.containers[container_config].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers[container_config].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers[container_config].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: - {% for BINDING in DOCKER.containers[container_config].port_bindings %} + {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %} - {{ BINDING }} {% endfor %} - watch: diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index f3b769104..b7777f12f 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,5 +1,5 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} -{%- from 'docker/docker.map.jinja' import DOCKER %} +{%- from 'docker/docker.map.jinja' import DOCKERMERGED %} {%- from 'nginx/map.jinja' import NGINXMERGED %} {%- set role = grains.id.split('_') | last %} {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 3406b63d4..4cea8d028 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls 
@@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -21,9 +21,9 @@ so-redis: - user: socore - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }} - port_bindings: - {% for BINDING in DOCKER.containers['so-redis'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
@@ -34,23 +34,29 @@ so-redis: - /etc/pki/redis.crt:/certs/redis.crt:ro - /etc/pki/redis.key:/certs/redis.key:ro - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro - {% if DOCKER.containers['so-redis'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-redis'].extra_hosts %} + {% if DOCKERMERGED.containers['so-redis'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-redis'].extra_env %} + {% if DOCKERMERGED.containers['so-redis'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-redis'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - file: trusttheca diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 7009f135e..fc5021910 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - registry.ssl 
@@ -20,10 +20,10 @@ so-dockerregistry: - hostname: so-registry - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }} - restart_policy: always - port_bindings: - {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: @@ -32,25 +32,31 @@ so-dockerregistry: - /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro - {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-dockerregistry'].extra_hosts %} + {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - client_timeout: 180 - environment: - HOME=/root - {% if DOCKER.containers['so-dockerregistry'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %} + {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - retry: attempts: 5 interval: 30 
diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index bb6846006..7790574f6 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls @@ -4,7 +4,7 @@ # Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: @@ -23,23 +23,29 @@ so-sensoroni: - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - /nsm/suripcap/:/nsm/suripcap:rw - {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-sensoroni'].extra_hosts %} + {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-sensoroni'].extra_env %} + {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: /opt/so/conf/sensoroni/sensoroni.json - require: diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index a2e72bcca..2821bb8e5 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja 
@@ -5,7 +5,7 @@ {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER -%} +{% from 'docker/docker.map.jinja' import DOCKERMERGED -%} {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %} @@ -32,7 +32,7 @@ {% endif %} {% endfor %} -{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} +{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %} {% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %} diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 5efb18fa5..1805bacaf 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %} {% from 'soc/merged.map.jinja' import SOCMERGED %} @@ -22,7 +22,7 @@ so-soc: - name: so-soc - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }} - binds: - /nsm/rules:/nsm/rules:rw - /opt/so/conf/strelka:/opt/sensoroni/yara:rw 
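Review bot: `anonymousCidr` for statickeyauth is now read from `DOCKERMERGED.range` instead of `DOCKER.range`; if DOCKERMERGED, as its name suggests, layers pillar overrides on top of the defaults, then a pillar change to `docker.range` also moves the source CIDR this module pairs with the static sensoroni key, and nothing on this line says so. A one-line comment above the `do` statement, e.g. `{# anonymousCidr tracks DOCKERMERGED.range: a pillar override of docker.range changes this CIDR as well #}`, would make that coupling visible to whoever next edits the container subnet. The surrounding defaults.map.jinja logic is outside this hunk.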
@@ -63,21 +63,27 @@ so-soc: - {{hostname}}:{{ip}} {% endfor %} {% endfor %} - {% if DOCKER.containers['so-soc'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %} + {% if DOCKERMERGED.containers['so-soc'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-soc'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-soc'].extra_env %} + {% if DOCKERMERGED.containers['so-soc'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-soc'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-soc'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - file: /opt/so/conf/soc/* diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index 3a830c9b0..ca3f0e6dc 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -18,29 +18,35 @@ strelka_backend: - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro - {% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - name: so-strelka-backend - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }} - command: strelka-backend - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-backend'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-backend'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - restart_policy: on-failure - watch: - file: strelkasensorcompiledrules diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index 3440cd5a4..6756a324c 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls 
@@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -18,32 +18,38 @@ strelka_coordinator: - name: so-strelka-coordinator - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-strelka-coordinator'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - binds: - /nsm/strelka/coord-redis-data:/data:rw - {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} delete_so-strelka-coordinator_so-status.disabled: 
file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index ef5d593ba..b03faf4b1 100644 --- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -18,29 +18,35 @@ strelka_filestream: - binds: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka - {% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - name: so-strelka-filestream - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }} - command: strelka-filestream - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-filestream'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-filestream'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} + {% endfor %} + {% endif %} - watch: - file: filestream_config diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index 709b3e71c..58e703898 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls 
@@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -18,8 +18,8 @@ strelka_frontend: - binds: - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /nsm/strelka/log/:/var/log/strelka/:rw - {% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} 
@@ -27,25 +27,31 @@ strelka_frontend:
- name: so-strelka-frontend
- networks:
- sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
+ - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- {% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
- {% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
+ {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
+ {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
- {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+ {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- {% if DOCKER.containers['so-strelka-frontend'].extra_env %}
+ {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- environment:
- {% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
+ {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
+ {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
+ - ulimits:
+ {% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+ {% endfor %}
+ {% endif %}
- watch:
- file: frontend_config
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls
index 8d06ddf6a..45b6e467e 100644
--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,32 +18,38 @@ strelka_gatekeeper:
- name: so-strelka-gatekeeper
- networks:
- sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
+ - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- {% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
- {% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
+ {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
+ {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- port_bindings:
- {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+ {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }}
{% endfor %}
- binds:
- /nsm/strelka/gk-redis-data:/data:rw
- {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+ {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+ {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+ {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- environment:
- {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+ {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
- {% endif %}
+ {% endif %}
+ {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
+ - ulimits:
+ {% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+ {% endfor %}
+ {% endif %}
delete_so-strelka-gatekeeper_so-status.disabled:
file.uncomment:
diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls
index 6158a5c28..7c73452d8 100644
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -17,29 +17,35 @@ strelka_manager:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
- binds:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
- {% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
- {% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
+ {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
+ {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- name: so-strelka-manager
- networks:
- sobridge:
- - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
+ - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
- command: strelka-manager
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- {% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
- {% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
+ {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
+ {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- {% if DOCKER.containers['so-strelka-manager'].extra_env %}
+ {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- environment:
- {% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
+ {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
+ {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
+ - ulimits:
+ {% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+ {% endfor %}
+ {% endif %}
- watch:
- file: manager_config
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index ec521abb3..d9d7f32ae 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,16 +20,15 @@ so-suricata:
- privileged: True
- environment:
- INTERFACE={{ GLOBALS.sensor.interface }}
- {% if DOCKER.containers['so-suricata'].extra_env %}
- {% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
+ {% if DOCKERMERGED.containers['so-suricata'].extra_env %}
+ {% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
- {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
+ {% if DOCKERMERGED.containers['so-suricata'].ulimits %}
- ulimits:
- {% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
- - {{ ULIMIT }}
+ {% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
{% endfor %}
{% endif %}
- binds:
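Review bot: The rewritten loop reads `ULIMIT.name`, `ULIMIT.soft` and `ULIMIT.hard`, but the removed `- {{ ULIMIT }}` line shows the previous so-suricata `ulimits` entries were emitted as plain strings, so an existing pillar override in the old `memlock=-1:-1` form now renders as `=:` (Jinja's default Undefined prints empty) and the container fails to start with an unhelpful docker error on upgraded sensors. Either document the migration or wrap the rendered line in `{% if ULIMIT is mapping %}` with `- {{ ULIMIT }}` in the `{% else %}` branch so the old string form keeps working. The hunk also drops the `SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes"` gate and its explanatory comment, so whatever limits the so-suricata defaults carry (not in view here) are now applied even when mmap-locked is off. If that list raises memlock for this `privileged: True` container, it widens the resource envelope for no functional reason, and the note that only the first af-packet entry is consulted is worth keeping next to the af-packet config.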
@@ -42,15 +41,15 @@ so-suricata:
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
- /nsm/suripcap/:/nsm/suripcap:rw
- {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
- {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
+ {% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
+ {% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
- {% if DOCKER.containers['so-suricata'].extra_hosts %}
+ {% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
- extra_hosts:
- {% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
+ {% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls
index 1f6fe7481..fc9946149 100644
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include:
@@ -25,8 +25,8 @@ so-telegraf:
- HOST_SYS=/host/sys
- HOST_MOUNT_PREFIX=/host
- GODEBUG=x509ignoreCN=0
- {% if DOCKER.containers['so-telegraf'].extra_env %}
- {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
+ {% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
+ {% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
@@ -55,17 +55,23 @@ so-telegraf:
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
{% endif %}
- {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
- {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
+ {% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
+ {% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- {% if DOCKER.containers['so-telegraf'].extra_hosts %}
+ {% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
- extra_hosts:
- {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
+ {% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
+ {% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
+ - ulimits:
+ {% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+ {% endfor %}
+ {% endif %}
- watch:
- file: trusttheca
- x509: telegraf_crt
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index ca75437eb..385db02ae 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -1,5 +1,5 @@
{% import 'vars/init.map.jinja' as INIT %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'global/map.jinja' import GLOBALMERGED %}
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
'pcap_engine': GLOBALMERGED.pcapengine,
'pipeline': GLOBALMERGED.pipeline,
'so_version': INIT.PILLAR.global.soversion,
- 'so_docker_gateway': DOCKER.gateway,
- 'so_docker_range': DOCKER.range,
+ 'so_docker_gateway': DOCKERMERGED.gateway,
+ 'so_docker_range': DOCKERMERGED.range,
'url_base': INIT.PILLAR.global.url_base,
'so_model': INIT.GRAINS.get('sosmodel',''),
'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls
index cf87946af..ee78714c8 100644
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
include:
@@ -18,9 +18,12 @@ so-zeek:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
- start: True
- privileged: True
+ {% if DOCKERMERGED.containers['so-zeek'].ulimits %}
- ulimits:
- - core=0
- - nofile=1048576:1048576
+ {% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
+ - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+ {% endfor %}
+ {% endif %}
- binds:
- /nsm/zeek/logs:/nsm/zeek/logs:rw
- /nsm/zeek/spool:/nsm/zeek/spool:rw
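Review bot: The removed `- core=0` line was an explicit hardening for a `privileged: True` container that processes captured traffic, since a core dump of so-zeek can write that data to disk, and after this hunk it only takes effect if `DOCKERMERGED.containers['so-zeek'].ulimits` happens to carry it. The so-zeek defaults are not in view here, so please confirm they include `core` with `0`/`0` and `nofile` with `1048576`/`1048576`; otherwise both the dump suppression and the file-descriptor limit silently regress on upgrade, and a pillar override that replaces the list rather than extending it has the same effect. A comment next to the so-zeek `ulimits` list in defaults.yaml, such as `# core=0 keeps packet data out of core dumps; do not remove`, would make the intent survive future edits. Note that the new form renders `core=0:0`, which docker accepts as equivalent to the old `core=0`, so the format change itself is fine.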
@@ -36,21 +39,21 @@ so-zeek:
- /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
- /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
- /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
- {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
- {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
+ {% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
+ {% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
- network_mode: host
- {% if DOCKER.containers['so-zeek'].extra_hosts %}
+ {% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
- extra_hosts:
- {% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
+ {% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
- {{ XTRAHOST }}
{% endfor %}
{% endif %}
- {% if DOCKER.containers['so-zeek'].extra_env %}
+ {% if DOCKERMERGED.containers['so-zeek'].extra_env %}
- environment:
- {% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
+ {% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}