add ability to upgrade salt minion and master for ubuntu

2025-12-06 17:22:49 +01:00 · 2020-07-30 16:00:50 -04:00
parent a4fc2cbd42
commit 1492d132ca
3 changed files with 78 additions and 30 deletions
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -19,8 +19,9 @@
 UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
 INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
-default_salt_dir=/opt/so/saltstack/default
+DEFAULT_SALT_DIR=/opt/so/saltstack/default
 BATCHSIZE=5
+SOUP_LOG=/root/soup.log

 manager_check() {
  # Check to see if this is a manager
@@ -60,13 +61,24 @@ clone_to_tmp() {
 copy_new_files() {
  # Copy new files over to the salt dir
  cd /tmp/sogh/securityonion
-  rsync -a salt $default_salt_dir/
-  rsync -a pillar $default_salt_dir/
-  chown -R socore:socore $default_salt_dir/
-  chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
+  rsync -a salt $DEFAULT_SALT_DIR/
+  rsync -a pillar $DEFAULT_SALT_DIR/
+  chown -R socore:socore $DEFAULT_SALT_DIR/
+  chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
  cd /tmp
 }

+detect_os() {
+	# Detect Base OS
+	echo "Detecting Base OS" >> "$SOUP_LOG" 2>&1
+	if [ -f /etc/redhat-release ]; then
+		OS="centos"
+	elif [ -f /etc/os-release ]; then
+		OS="ubuntu"
+	fi
+	echo "Found OS: $OS" >> "$SOUP_LOG" 2>&1
+}
+
 highstate() {
  # Run a highstate but first cancel a running one.
  salt-call saltutil.kill_all_jobs
@@ -76,7 +88,6 @@ highstate() {
 pillar_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if pillar changes are needed."
-
 }

 update_dockers() {
@@ -168,16 +179,32 @@ upgrade_check_salt() {
      echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
      echo ""
      # If CentOS
-      echo "Removing yum versionlock for Salt."
-      echo ""
-      yum versionlock delete "salt-*"
-      echo "Updating Salt packages and restarting services."
-      echo ""
-      sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
-      echo "Applying yum versionlock for Salt."
-      echo ""
-      yum versionlock add "salt-*"
+      if [ "$OS" == "centos" ]; then
+        echo "Removing yum versionlock for Salt."
+        echo ""
+        yum versionlock delete "salt-*"
+        echo "Updating Salt packages and restarting services."
+        echo ""
+        sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+        echo "Applying yum versionlock for Salt."
+        echo ""
+        yum versionlock add "salt-*"
      # Else do Ubuntu things
+      elif [ "$OS" == "ubuntu" ]; then
+        echo "Removing apt hold for Salt."
+        echo ""
+        apt-mark unhold "salt"
+        apt-mark unhold "salt-master"
+        apt-mark unhold "salt-minion"
+        echo "Updating Salt packages and restarting services."
+        echo ""
+        sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+        echo "Applying apt hold for Salt."
+        echo ""
+        apt-mark hold "salt"
+        apt-mark hold "salt-master"
+        apt-mark hold "salt-minion"
+      fi
    fi 
 }

@@ -189,7 +216,7 @@ verify_latest_update_script() {
      echo "This version of the soup script is up to date. Proceeding."
    else
      echo "You are not running the latest soup version. Updating soup."
-      cp $UPDATE_DIR/salt/common/tools/sbin/soup $default_salt_dir/salt/common/tools/sbin/
+      cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
      salt-call state.apply common queue=True
      echo ""
      echo "soup has been updated. Please run soup again."
@@ -249,7 +276,7 @@ echo "Updating dockers to $NEWVERSION."
 update_dockers

 echo ""
-echo "Copying new Security Onion code from $UPDATE_DIR to $default_salt_dir."
+echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
 copy_new_files
 echo ""
 update_version
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -1 +1,11 @@
-#Future state for Salt masters
+salt_master_package:
+  pkg.installed:
+    - pkgs:
+      - salt
+      - salt-master
+    - hold: True
+
+salt_minion_service:
+  service.running:
+    - name: salt-master
+    - enable: True
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -2,22 +2,33 @@ include:
  - salt

 {% import_yaml 'salt/minion.defaults.yaml' as salt %}
-{% set saltversion = salt.salt.minion.version %}
+{% set SALTVERSION = salt.salt.minion.version %}
+
+{% if grains.saltversion|string != SALTVERSION|string %}
+  {% if grains.os|lower == 'centos' %}
+    {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && sh bootstrap-salt.sh -F -x python3 stable {{ SALTVERSION }}' %}
+  {% elif grains.os|lower == 'ubuntu' %}
+    {% set UPGRADECOMMAND = 'apt-mark unhold salt && apt-mark unhold salt-minion && sh bootstrap-salt.sh -F -x python3 stable {{ SALTVERSION }}' %}
+  {% endif %}
+{% else %}
+  {% set UPGRADECOMMAND = 'echo "Already running Salt Minon version {{ SALTVERSION }}"' %}
+{% endif %}

-{% if grains.os|lower == 'centos' %}
 install_salt_minion:
  cmd.run:
-    {% if grains.saltversion|string != saltversion|string %}
-    - name: yum versionlock delete "salt-*" && sh bootstrap-salt.sh -F -x python3 stable {{ saltversion }}
-    {% else %}
-    - name: echo 'Already running Salt Minon version {{ saltversion }}'
-    {% endif %}
+    - name: {{ UPGRADECOMMAND }} 

-versionlock_salt_minion:
-  module.run:
-    - pkg.hold:
-      - name: "salt-*"
-{% endif %}
+#versionlock_salt_minion:
+#  module.run:
+#    - pkg.hold:
+#      - name: "salt-*"
+
+salt_minion_package:
+  pkg.installed:
+    - pkgs:
+      - salt
+      - salt-minion
+    - hold: True

 salt_minion_service:
  service.running: