From 0fd9fb9294775b5d1e57d60ed6b4485456e09e97 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 18 May 2023 15:19:09 -0400
Subject: [PATCH] Allow additional docker parameters
---
salt/curator/enabled.sls | 17 ++++++++++++
salt/docker/defaults.yaml | 26 ++++++++++++++++++-
salt/docker/soc_docker.yaml | 6 +++++
salt/elastalert/enabled.sls | 16 ++++++++++++
.../enabled.sls | 18 ++++++++++++-
salt/elasticfleet/enabled.sls | 15 +++++++++++
salt/elasticsearch/enabled.sls | 15 +++++++++++
salt/idh/enabled.sls | 17 ++++++++++++
salt/idstools/enabled.sls | 22 ++++++++++++++++
salt/idstools/tools/sbin/so-rule-update | 4 +++
salt/influxdb/enabled.sls | 16 ++++++++++++
salt/kibana/enabled.sls | 15 +++++++++++
salt/kratos/enabled.sls | 17 ++++++++++++
salt/logstash/enabled.sls | 15 +++++++++++
salt/mysql/enabled.sls | 15 +++++++++++
salt/nginx/enabled.sls | 16 ++++++++++++
salt/pcap/enabled.sls | 17 ++++++++++++
salt/playbook/enabled.sls | 15 +++++++++++
salt/redis/enabled.sls | 17 ++++++++++++
salt/registry/enabled.sls | 16 ++++++++++++
salt/sensoroni/enabled.sls | 17 ++++++++++++
salt/soc/enabled.sls | 16 ++++++++++++
salt/soctopus/enabled.sls | 16 ++++++++++++
salt/telegraf/enabled.sls | 16 ++++++++++++
salt/zeek/enabled.sls | 19 +++++++++++++-
25 files changed, 396 insertions(+), 3 deletions(-)
diff --git a/salt/curator/enabled.sls b/salt/curator/enabled.sls
index b60058692..b2574569f 100644
--- a/salt/curator/enabled.sls
+++ b/salt/curator/enabled.sls
@@ -28,6 +28,23 @@ so-curator:
- /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
- /opt/so/conf/curator/action/:/etc/curator/action:ro
- /opt/so/log/curator:/var/log/curator:rw
+ {% if DOCKER.containers['so-curator'].custom_bind_mounts %}
+ {% for BIND in DOCKER.containers['so-curator'].custom_bind_mounts %}
+ - {{ BIND }}
+ {% endfor %}
+ {% endif %}
+ {% if DOCKER.containers['so-curator'].extra_hosts %}
+ - extra_hosts:
+ {% for XTRAHOST in DOCKER.containers['so-curator'].extra_hosts %}
+ - {{ XTRAHOST }}
+ {% endfor %}
+ {% endif %}
+ {% if DOCKER.containers['so-curator'].extra_env %}
+ - environment:
+ {% for XTRAENV in DOCKER.containers['so-curator'].extra_env %}
+ - {{ XTRAENV }}
+ {% endfor %}
+ {% endif %}
- require:
- file: actionconfs
- file: curconf
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index ad3506737..f2aa6e077 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -10,12 +10,14 @@ docker:
- 0.0.0.0:5000:5000
custom_bind_mounts: []
extra_hosts: []
+ extra_env: []
'so-elastic-fleet':
final_octet: 21
port_bindings:
- 0.0.0.0:8220:8220/tcp
custom_bind_mounts: []
extra_hosts: []
+ extra_env: []
'so-elasticsearch':
final_octet: 22
port_bindings:
@@ -23,22 +25,26 @@ docker:
- 0.0.0.0:9300:9300/tcp
custom_bind_mounts: []
extra_hosts: []
+ extra_env: []
'so-idstools':
final_octet: 25
custom_bind_mounts: []
extra_hosts: []
+ extra_env: []
'so-influxdb':
final_octet: 26
port_bindings:
- 0.0.0.0:8086:8086
custom_bind_mounts: []
extra_hosts: []
+ extra_env: []
'so-kibana':
final_octet: 27
port_bindings:
- 0.0.0.0:5601:5601
custom_bind_mounts: []
extra_hosts: []
+ extra_env: []
'so-kratos':
final_octet: 28
port_bindings:
@@ -46,6 +52,7 @@ docker:
- 0.0.0.0:4434:4434
custom_bind_mounts: []
extra_hosts: []
+ extra_env: []
'so-logstash':
final_octet: 29
port_bindings:
@@ -61,12 +68,14 @@ docker: - 0.0.0.0:9600:9600 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-mysql': final_octet: 30 port_bindings: - 0.0.0.0:3306:3306 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-nginx': final_octet: 31 port_bindings: @@ -76,12 +85,14 @@ docker: - 7788:7788 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-playbook': final_octet: 32 port_bindings: - 0.0.0.0:3000:3000 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-redis': final_octet: 33 port_bindings: 
@@ -89,63 +100,76 @@ docker: - 0.0.0.0:9696:9696 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-soc': final_octet: 34 port_bindings: - 0.0.0.0:9822:9822 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-soctopus': final_octet: 35 port_bindings: - 0.0.0.0:7000:7000 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-strelka-backend': final_octet: 36 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-strelka-filestream': final_octet: 37 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-strelka-frontend': final_octet: 38 port_bindings: - 0.0.0.0:57314:57314 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-strelka-manager': final_octet: 39 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-strelka-gatekeeper': final_octet: 40 port_bindings: - 0.0.0.0:6381:6379 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-strelka-coordinator': final_octet: 41 port_bindings: - 0.0.0.0:6380:6379 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-elastalert': final_octet: 42 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-curator': final_octet: 43 custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-elastic-fleet-package-registry': final_octet: 44 port_bindings: - 0.0.0.0:8080:8080/tcp custom_bind_mounts: [] extra_hosts: [] + extra_env: [] 'so-idh': final_octet: 45 custom_bind_mounts: [] - extra_hosts: [] \ No newline at end of file + extra_hosts: [] + extra_env: [] \ No newline at end of file diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index c8d18abde..b6f5ca0ca 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml 
@@ -40,6 +40,12 @@ docker:
helpLink: docker.html
multiline: True
forcedType: "[]string"
+ extra_env:
+ description: List of additional ENV entries for the container.
+ advanced: True
+ helpLink: docker.html
+ multiline: True
+ forcedType: "[]string"
so-dockerregistry: *dockerOptions
so-elastalert: *dockerOptions
so-elastic-fleet-package-registry: *dockerOptions
diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls
index 3e043b46c..2c0c497ed 100644
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -31,8 +31,24 @@ so-elastalert:
- /opt/so/log/elastalert:/var/log/elastalert:rw
- /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
+ {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+ {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+ - {{ BIND }}
+ {% endfor %}
+ {% endif %}
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
+ {% if DOCKER.containers['so-elastalert'].extra_hosts %}
+ {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
+ - {{ XTRAHOST }}
+ {% endfor %}
+ {% endif %}
+ {% if DOCKER.containers['so-elastalert'].extra_env %}
+ - environment:
+ {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+ - {{ XTRAENV }}
+ {% enfor %}
+ {% enfif %}
- require:
- cmd: wait_for_elasticsearch
- file: elastarules
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls
index 5f663e78f..bbdcd2dce 100644
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
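Review bot: The description added for `extra_env` does not say what an entry looks like, while the states that consume it append each entry verbatim under `- environment:` next to items of the form `FLEET_SERVER_ENABLE=true`, so a user has to read the .sls files to learn the expected `KEY=value` form. Suggest `description: List of additional environment variables for the container, one KEY=value entry per line.` It is also worth stating that entries are rendered into the container definition exactly as given, so a value placed here is presumably readable by anyone who can read the rendered state or inspect the running container; how SOC stores these values is not shown in this change.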
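Review bot: `{% enfor %}` and `{% enfif %}` in the added extra_env block are not Jinja tags, so this state fails to render whenever Salt touches it, whether or not extra_env is set; they need to be `{% endfor %}` and `{% endif %}`. The same `enfor` typo is in the extra_env loop of elastic-fleet-package-registry, elasticfleet, elasticsearch, idh, idstools (twice), influxdb, kibana, kratos, logstash, nginx, pcap, playbook, redis, registry, sensoroni, soc, soctopus, telegraf and zeek, and `enfif` also appears in elastic-fleet-package-registry, elasticfleet, elasticsearch and idh; only the curator and mysql blocks are spelled correctly. Rendering each touched state once with the default empty lists would have caught every one of these before merge.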
@@ -24,11 +24,27 @@ so-elastic-fleet-package-registry: - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} + {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %} - {{ BINDING }} {% endfor %} - + {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} + - binds: + {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% enfif %} delete_so-elastic-fleet-package-registry_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index a3982e760..eb714f77c 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -28,6 +28,11 @@ so-elastic-fleet: - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} + {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %} - {{ BINDING }} 
@@ -35,6 +40,11 @@ so-elastic-fleet: - binds: - /etc/pki:/etc/pki:ro #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw + {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - environment: - FLEET_SERVER_ENABLE=true - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220 @@ -45,6 +55,11 @@ so-elastic-fleet: - FLEET_SERVER_CERT=/etc/pki/elasticfleet.crt - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet.key - FLEET_CA=/etc/pki/tls/certs/intca.crt + {% if DOCKER.containers['so-elastic-fleet'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% enfif %} {% endif %} delete_so-elastic-fleet_so-status.disabled: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index fa51a4124..1f1b0f35f 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -26,6 +26,11 @@ so-elasticsearch: - sobridge: - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ LOGSTASH_NODES }} + {% if DOCKER.containers['so-elasticsearch'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - environment: {% if LOGSTASH_NODES | length == 1 %} - discovery.type=single-node @@ -35,6 +40,11 @@ so-elasticsearch: - memlock=-1:-1 - nofile=65536:65536 - nproc=4096 + {% if DOCKER.containers['so-elastalert'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% enfif %} - port_bindings: {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %} - {{ BINDING }} 
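Review bot: The appended `- {{ XTRAHOST }}` items follow `- extra_hosts: {{ LOGSTASH_NODES }}`, a key that already carries an inline value, so when extra_hosts is non-empty the rendered YAML has a scalar or flow value followed by indented block items, which the parser will reject rather than merge. The same shape is introduced in logstash (`- extra_hosts: {{ REDIS_NODES }}`) and soc (`- extra_hosts: {{ DOCKER_EXTRA_HOSTS }}`). If LOGSTASH_NODES is a Jinja list, the simplest fix is to merge before rendering, e.g. `- extra_hosts: {{ LOGSTASH_NODES + DOCKER.containers['so-elasticsearch'].extra_hosts }}`, and drop the added loop; how LOGSTASH_NODES is built is outside this hunk, so that needs confirming.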
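Review bot: This block reads `DOCKER.containers['so-elastalert'].extra_env` inside the so-elasticsearch state, so the user's elasticsearch setting is ignored and elastalert's variables are injected into Elasticsearch instead; the key should be `'so-elasticsearch'` on both the `{% if %}` and the `{% for %}` line. The same copy-paste slip is in idstools (`'so-elastalert'`), playbook (`'so-kratos'` for both extra_hosts and extra_env) and registry (`'so-kratos'` for extra_env). Separately, the lines this block is appended after (`memlock`, `nofile`, `nproc`) look like a ulimits list rather than `environment:`; the list header is outside the hunk, but if so the entries land under the wrong key and should move up under `- environment:` in the preceding hunk.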
@@ -60,6 +70,11 @@ so-elasticsearch: - {{ repo }}:{{ repo }}:rw {% endfor %} {% endif %} + {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - watch: - file: cacertz - file: esyml diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index 82bee138b..ad580a788 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -20,6 +20,23 @@ so-idh: - binds: - /nsm/idh:/var/tmp:rw - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro + {% if DOCKER.containers['so-idh'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-idh'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-idh'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% enfif %} - watch: - file: opencanary_config - require: diff --git a/salt/idstools/enabled.sls b/salt/idstools/enabled.sls index b56d6c2e5..558ebff6d 100644 --- a/salt/idstools/enabled.sls +++ b/salt/idstools/enabled.sls 
@@ -26,10 +26,32 @@ so-idstools:
- http_proxy={{ proxy }}
- https_proxy={{ proxy }}
- no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
+ {% if DOCKER.containers['so-elastalert'].extra_env %}
+ {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+ - {{ XTRAENV }}
+ {% enfor %}
+ {% endif %}
+ {% elif DOCKER.containers['so-elastalert'].extra_env %}
+ - environment:
+ {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+ - {{ XTRAENV }}
+ {% enfor %}
{% endif %}
- binds:
- /opt/so/conf/idstools/etc:/opt/so/idstools/etc:ro
- /opt/so/rules/nids:/opt/so/rules/nids:rw
+ - /nsm/rules/suricata:/nsm/rules/suricata:rw
+ {% if DOCKER.containers['so-idstools'].custom_bind_mounts %}
+ {% for BIND in DOCKER.containers['so-idstools'].custom_bind_mounts %}
+ - {{ BIND }}
+ {% endfor %}
+ {% endif %}
+ {% if DOCKER.containers['so-idstools'].extra_hosts %}
+ - extra_hosts:
+ {% for XTRAHOST in DOCKER.containers['so-idstools'].extra_hosts %}
+ - {{ XTRAHOST }}
+ {% endfor %}
+ {% endif %}
- watch:
- file: idstoolsetcsync
diff --git a/salt/idstools/tools/sbin/so-rule-update b/salt/idstools/tools/sbin/so-rule-update
index a3c2616a4..5f6895f3b 100755
--- a/salt/idstools/tools/sbin/so-rule-update
+++ b/salt/idstools/tools/sbin/so-rule-update
@@ -2,6 +2,10 @@
. /usr/sbin/so-common
+# Pull down the latest rules if not airgap
+
+docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --force
+
argstr=""
for arg in "$@"; do
argstr="${argstr} \"${arg}\""
diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls
index 209406932..1f2cc86aa 100644
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
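Review bot: The added `{% endif %}` closes the enclosing proxy conditional, so the `{% elif … %}` that follows it is orphaned and the state cannot render; on top of that the block reads `'so-elastalert'` instead of `'so-idstools'` and spells the loop close `{% enfor %}`. The intended shape is presumably: inside the proxy branch, append the extra_env entries to the existing `- environment:` list, and in the `elif` branch open a new `- environment:` list only when extra_env is set, leaving the existing context `{% endif %}` as the single close. The opening `{% if %}` of the proxy block is outside this hunk.

```jinja
    {# … unchanged: proxy {% if %} (outside this hunk), - environment:, http_proxy and https_proxy entries … #}
      - no_proxy={{ salt['pillar.get']('manager:no_proxy') }}
      {% if DOCKER.containers['so-idstools'].extra_env %}
      {% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
      {% endif %}
    {% elif DOCKER.containers['so-idstools'].extra_env %}
    - environment:
      {% for XTRAENV in DOCKER.containers['so-idstools'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
```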
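Review bot: The comment says `Pull down the latest rules if not airgap`, but the `docker exec` below it runs unconditionally, so on an airgap deployment every rule update now attempts a network fetch that cannot succeed, and since nothing checks the exit status the script simply carries on with whatever was already on disk. Guard the call with the airgap test that so-common or the rest of this script already uses (not visible here), and make the failure mode explicit, e.g. `docker exec … --force || { echo "rule download failed" >&2; exit 1; }` if the update must not proceed on stale rules, or a logged skip if best-effort is intended. The new `/nsm/rules/suricata:/nsm/rules/suricata:rw` bind in idstools/enabled.sls is what makes this output path writable inside the container; that dependency deserves a sentence in the commit message, whose title only mentions docker parameters.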
@@ -30,16 +30,32 @@ so-influxdb: - DOCKER_INFLUXDB_INIT_ORG=Security Onion - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} + {% if DOCKER.containers['so-influxdb'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - binds: - /opt/so/log/influxdb/:/log:rw - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro - /nsm/influxdb:/var/lib/influxdb2:rw - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro + {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %} - {{ BINDING }} {% endfor %} + {% if DOCKER.containers['so-influxdb'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - watch: - file: influxdbconf - require: diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 8f7091a0f..343b9b510 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls 
@@ -25,13 +25,28 @@ so-kibana: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 - MANAGER={{ GLOBALS.manager }} + {% if DOCKER.containers['so-kibana'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + {% if DOCKER.containers['so-kibana'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro + {% if DOCKER.containers['so-kibana'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %} - {{ BINDING }} diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index 9358c9349..823fd6672 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls 
@@ -25,10 +25,27 @@ so-kratos: - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro - /opt/so/log/kratos/:/kratos-log:rw - /nsm/kratos/db:/kratos-data:rw + {% if DOCKER.containers['so-kratos'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %} - {{ BINDING }} {% endfor %} + {% if DOCKER.containers['so-kratos'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-kratos'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: kratosschema diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 65905cd6c..97e0e7e2d 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -26,8 +26,18 @@ so-logstash: - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {{ REDIS_NODES }} + {% if DOCKER.containers['so-logstash'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - environment: - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} + {% if DOCKER.containers['so-logstash'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %} - {{ BINDING }} 
@@ -65,6 +75,11 @@ so-logstash: - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {% endif %} + {% if DOCKER.containers['so-logstash'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - watch: - file: lsetcsync {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} diff --git a/salt/mysql/enabled.sls b/salt/mysql/enabled.sls index 12112121f..f9890c300 100644 --- a/salt/mysql/enabled.sls +++ b/salt/mysql/enabled.sls @@ -33,6 +33,11 @@ so-mysql: - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + {% if DOCKER.containers['so-mysql'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-mysql'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %} - {{ BINDING }} @@ -40,11 +45,21 @@ so-mysql: - environment: - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_bip }} - MYSQL_ROOT_PASSWORD=/etc/mypass + {% if DOCKER.containers['so-mysql'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-mysql'].extra_env %} + - {{ XTRAENV }} + {% endfor %} + {% endif %} - binds: - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro - /opt/so/conf/mysql/etc/mypass:/etc/mypass - /nsm/mysql:/var/lib/mysql:rw - /opt/so/log/mysql:/var/log/mysql:rw + {% if DOCKER.containers['so-mysql'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-mysql'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - watch: - /opt/so/conf/mysql/etc - require: diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 592388cf6..d85c58726 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls 
@@ -21,6 +21,11 @@ so-nginx: - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + {% if DOCKER.containers['so-nginx'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-nginx'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/log/nginx/:/var/log/nginx:rw @@ -38,6 +43,17 @@ so-nginx: - /opt/so/conf/navigator/pre-attack.json:/opt/socore/html/navigator/assets/pre-attack.json:ro - /nsm/repo:/opt/socore/html/repo:ro {% endif %} + {% if DOCKER.containers['so-nginx'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-nginx'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-nginx'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-nginx'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %} diff --git a/salt/pcap/enabled.sls b/salt/pcap/enabled.sls index b4027065f..12dc28c6d 100644 --- a/salt/pcap/enabled.sls +++ b/salt/pcap/enabled.sls @@ -24,6 +24,23 @@ so-steno: - /nsm/pcapindex:/nsm/pcapindex:rw - /nsm/pcaptmp:/tmp:rw - /opt/so/log/stenographer:/var/log/stenographer:rw + {% if DOCKER.containers['so-steno'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-steno'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-steno'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-steno'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-steno'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-steno'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - watch: - file: stenoconf - require: 
diff --git a/salt/playbook/enabled.sls b/salt/playbook/enabled.sls index 22da3c0ff..9beceee3d 100644 --- a/salt/playbook/enabled.sls +++ b/salt/playbook/enabled.sls @@ -34,13 +34,28 @@ so-playbook: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw + {% if DOCKER.containers['so-playbook'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-playbook'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + {% if DOCKER.containers['so-playbook'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - environment: - REDMINE_DB_MYSQL={{ GLOBALS.manager }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} + {% if DOCKER.containers['so-kratos'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-playbook'].port_bindings %} - {{ BINDING }} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 26f95e59f..fa69cdf05 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls 
@@ -35,6 +35,23 @@ so-redis: {% else %} - /etc/ssl/certs/intca.crt:/certs/ca.crt:ro {% endif %} + {% if DOCKER.containers['so-redis'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-redis'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-redis'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - file: /opt/so/conf/redis/etc diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 0ce3ee318..5d3cbef93 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -30,9 +30,25 @@ so-dockerregistry: - /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro + {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-dockerregistry'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - client_timeout: 180 - environment: - HOME=/root + {% if DOCKER.containers['so-kratos'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - retry: attempts: 5 interval: 30 diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index e506de49d..9078d2867 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
@@ -21,6 +21,23 @@ so-sensoroni: - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw + {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-sensoroni'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-sensoroni'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - watch: - file: /opt/so/conf/sensoroni/sensoroni.json - require: diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 2e4528080..55b65e335 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -32,11 +32,27 @@ so-soc: - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw - /opt/so/saltstack:/opt/so/saltstack:rw + {% if DOCKER.containers['so-soc'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-soc'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - extra_hosts: {{ DOCKER_EXTRA_HOSTS }} + {% if DOCKER.containers['so-soc'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-soc'].port_bindings %} - {{ BINDING }} {% endfor %} + {% if DOCKER.containers['so-soc'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-soc'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - watch: - file: /opt/so/conf/soc/* - require: diff --git a/salt/soctopus/enabled.sls b/salt/soctopus/enabled.sls index 9c2ee4de7..9007360f9 100644 
--- a/salt/soctopus/enabled.sls +++ b/salt/soctopus/enabled.sls @@ -29,6 +29,11 @@ so-soctopus: {% if GLOBALS.airgap %} - /nsm/repo/rules/sigma:/soctopus/sigma {% endif %} + {% if DOCKER.containers['so-soctopus'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-soctopus'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-soctopus'].port_bindings %} - {{ BINDING }} @@ -36,6 +41,17 @@ so-soctopus: - extra_hosts: - {{GLOBALS.url_base}}:{{GLOBALS.manager_ip}} - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + {% if DOCKER.containers['so-soctopus'].extra_hosts %} + {% for XTRAHOST in DOCKER.containers['so-soctopus'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-soctopus'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-soctopus'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - require: - file: soctopusconf - file: navigatordefaultlayer diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 04459d7ff..9a5ba527e 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -22,6 +22,11 @@ so-telegraf: - HOST_SYS=/host/sys - HOST_MOUNT_PREFIX=/host - GODEBUG=x509ignoreCN=0 + {% if DOCKER.containers['so-telegraf'].extra_env %} + {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - network_mode: host - init: True - binds: 
@@ -47,6 +52,17 @@ so-telegraf: - /opt/so/log/suricata:/var/log/suricata:ro - /opt/so/log/raid:/var/log/raid:ro - /opt/so/log/sostatus:/var/log/sostatus:ro + {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-telegraf'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} - watch: - file: tgrafconf - file: tgrafsyncscripts diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls index 611402fbc..b701dfd19 100644 --- a/salt/zeek/enabled.sls +++ b/salt/zeek/enabled.sls @@ -31,8 +31,25 @@ so-zeek: - /opt/so/conf/zeek/policy/custom:/opt/zeek/share/zeek/policy/custom:ro - /opt/so/conf/zeek/policy/cve-2020-0601:/opt/zeek/share/zeek/policy/cve-2020-0601:ro - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw - - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro + - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro + {% if DOCKER.containers['so-zeek'].custom_bind_mounts %} + {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %} + - {{ BIND }} + {% endfor %} + {% endif %} - network_mode: host + {% if DOCKER.containers['so-zeek'].extra_hosts %} + - extra_hosts: + {% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %} + - {{ XTRAHOST }} + {% endfor %} + {% endif %} + {% if DOCKER.containers['so-zeek'].extra_env %} + - environment: + {% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %} + - {{ XTRAENV }} + {% enfor %} + {% endif %} - watch: - file: /opt/so/conf/zeek/local.zeek - file: /opt/so/conf/zeek/node.cfg
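Review bot: The new `- extra_hosts:` block is added directly under `- network_mode: host`; Docker has historically refused a custom host-to-IP mapping together with host networking, so setting extra_hosts for so-zeek may make the container fail to start on some Docker releases rather than be a no-op. This is worth testing on the target Docker version, and the same combination is introduced for so-telegraf, whose `- network_mode: host` is visible in its first hunk. If the daemon rejects it, either say on the SOC setting that extra_hosts does not apply to host-networked containers or leave the block out of these two states.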