merge with dev and fix merge conflict in so-functions https://github.com/Security-Onion-Solutions/securityonion/issues/3264

2026-06-15 22:58:42 +02:00 · 2021-04-20 10:03:15 -04:00
parent 5cda35db0a 3b203b9a31
commit 115764ae38
91 changed files with 1860 additions and 672 deletions
@@ -3,28 +3,19 @@

 {% if grains.os == 'Ubuntu' %}
  {% set SPLITCHAR = '+' %}
+  {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?', python_shell=True) %}
 {% else %}
  {% set SPLITCHAR = '-' %}
+  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?', python_shell=True) %}
 {% endif %}

 {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
-{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
-
-{% if grains.os|lower == 'ubuntu' %}
-  {% set COMMON = 'salt-common' %}
-{% elif grains.os|lower in ['centos', 'redhat'] %}
-  {% set COMMON = 'salt' %}
-{% endif %}

 {% if grains.saltversion|string != SALTVERSION|string %}
  {% if grains.os|lower in ['centos', 'redhat'] %}
-    {% if ISAIRGAP is sameas true %}
-      {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}
-    {% else %}
-      {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}
-    {% endif %}
+      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}
  {% elif grains.os|lower == 'ubuntu' %}
-    {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %}
+    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %}
  {% endif %}
 {% else %}
  {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
@@ -2,4 +2,4 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
  master:
-    version: 3002.5
+    version: 3003
@@ -1,17 +1,16 @@
+{% from 'salt/map.jinja' import SALTNOTHELD %}
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}

-{% from 'salt/map.jinja' import COMMON with context %}
-
 include:
  - salt.minion

-salt_master_package:
-  pkg.installed:
-    - pkgs:
-      - {{ COMMON }}
-      - salt-master
-    - hold: True
+{% if SALTNOTHELD == 1 %}
+hold_salt_master_package:
+  module.run:
+    - pkg.hold:
+      - name: salt-master
+{% endif %}

 salt_master_service:
  service.running:
@@ -2,5 +2,6 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
  minion:
-    version: 3002.5
-    check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
+    version: 3003
+    check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
+    service_start_delay: 30 # in seconds.
@@ -1,10 +1,22 @@
-{% from 'salt/map.jinja' import COMMON with context %}
 {% from 'salt/map.jinja' import UPGRADECOMMAND with context %}
 {% from 'salt/map.jinja' import SALTVERSION %}
 {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
+{% from 'salt/map.jinja' import SALTNOTHELD %}
+{% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
+{% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}

 include:
  - salt
+  - systemd.reload
+
+{% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
+
+{% if SALTNOTHELD == 0 %}
+unhold_salt_packages:
+  module.run:
+    - pkg.unhold:
+      - name: 'salt-*'
+{% endif %}

 install_salt_minion:
  cmd.run:
@@ -13,15 +25,16 @@ install_salt_minion:
        exec 1>&- # close stdout
        exec 2>&- # close stderr
        nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
-    - onlyif: test "{{INSTALLEDSALTVERSION}}" != "{{SALTVERSION}}"
+{% endif %}

-salt_minion_package:
-  pkg.installed:
-    - pkgs:
-      - {{ COMMON }}
-      - salt-minion
-    - hold: True
-    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"
+{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
+
+{% if SALTNOTHELD == 1 %}
+hold_salt_packages:
+  module.run:
+    - pkg.hold:
+      - name: 'salt-*'
+{% endif %}

 set_log_levels:
  file.append:
@@ -32,6 +45,20 @@ set_log_levels:
    - listen_in:
      - service: salt_minion_service

+salt_minion_service_unit_file:
+  file.managed:
+    - name: /etc/systemd/system/multi-user.target.wants/salt-minion.service
+    - source: salt://salt/service/salt-minion.service.jinja
+    - template: jinja
+    - defaults:
+        service_start_delay: {{ service_start_delay }}
+    - onchanges_in:
+      - module: systemd_reload
+    - listen_in:
+      - service: salt_minion_service
+{% endif %}
+
+# this has to be outside the if statement above since there are <requisite>_in calls to this state
 salt_minion_service:
  service.running:
    - name: salt-minion
@@ -0,0 +1,15 @@
+[Unit]
+Description=The Salt Minion
+Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
+After=network.target salt-master.service
+
+[Service]
+KillMode=process
+Type=notify
+NotifyAccess=all
+LimitNOFILE=8192
+ExecStart=/usr/bin/salt-minion
+ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
+
+[Install]
+WantedBy=multi-user.target