Remove duplicate docker pull/sigverify logic from so-features-enable; Provide current SO version to curl

salt/common/tools/sbin/so-common

@@ -15,8 +15,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-IMAGEREPO=securityonion
-
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
     echo "This script must be run using sudo!"

salt/common/tools/sbin/so-features-enable

@@ -14,7 +14,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-. /usr/sbin/so-common
+. /usr/sbin/so-image-common
 local_salt_dir=/opt/so/saltstack/local
 
 cat << EOF
@@ -52,17 +52,6 @@ manager_check() {
 
 manager_check
 
-# Let's make sure we have the public key
-curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
-  
-CONTAINER_REGISTRY=quay.io
-SIGNPATH=/root/sosigs
-rm -rf $SIGNPATH
-mkdir -p $SIGNPATH
-if [ -z "$BRANCH" ]; then
-  BRANCH="master"
-fi
-
 VERSION=$(lookup_pillar soversion) 
 # Modify global.sls to enable Features
 SUFFIX="-features"
@@ -72,40 +61,6 @@ TRUSTED_CONTAINERS=( \
   "so-kibana" \
   "so-logstash" )
 
-for i in "${TRUSTED_CONTAINERS[@]}"
+update_docker_containers
-do
-    # Pull down the trusted docker image
-    echo "Downloading $i"
-    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX
 
-    # Get signature
-    curl https://sigs.securityonion.net/$VERSION/$i:$VERSION$SUFFIX.sig --output $SIGNPATH/$i:$VERSION$SUFFIX.sig
-    if [[ $? -ne 0 ]]; then
-      echo "Unable to pull signature file for $i:$VERSION$SUFFIX"
-      exit 1
-    fi
-    # Dump our hash values
-    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX)
-       
-    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION$SUFFIX.txt
-    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION$SUFFIX.txt
-        
-    if [[ $? -ne 0 ]]; then
-      echo "Unable to inspect $i:$VERSION:$SUFFIX"
-      exit 1
-    fi
-    GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION$SUFFIX.sig $SIGNPATH/$i:$VERSION$SUFFIX.txt 2>&1)
-    if [[ $? -eq 0 ]]; then
-      # Tag it with the new registry destination
-      docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX
-      docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX
-    else
-      echo "There is a problem downloading the $i:$VERSION$SUFFIX image. Details: "
-      echo ""
-      echo $GPGTEST
-      exit 1
-    fi
-    
-
-done
 sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls

salt/common/tools/sbin/so-image-common

@@ -16,12 +16,21 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # Figure out if this is soup or refresh
-if [ -z "$VERSION" ]; then
+set_version() {
+  if [ -f /etc/soversion ]; then
+    CURRENTVERSION=$(cat /etc/soversion)
+  fi
+  if [ -z "$VERSION" ]; then
       VERSION="$NEWVERSION"
-fi
+  fi
+}
 
 container_list() {
+    MANAGERCHECK=so-unknown
+    if [ -f /etc/salt/grains ]; then
       MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+    fi
+
     if [ $MANAGERCHECK == 'so-import' ]; then
         TRUSTED_CONTAINERS=( \
         "so-idstools" \
@@ -96,13 +105,14 @@ operating_system() {
 }
 
 update_docker_containers() {
-  if [ -z "$VERSION" ]; then
+  # Recheck the version for scenarios were the VERSION wasn't known before this script was imported
-    VERSION="$NEWVERSION"
+  set_version
-  fi
+
   # Let's make sure we have the public key
   curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
   
   CONTAINER_REGISTRY=quay.io
+  IMAGEREPO=securityonion
   SIGNPATH=/root/sosigs
   rm -rf $SIGNPATH
   mkdir -p $SIGNPATH
@@ -112,33 +122,33 @@ update_docker_containers() {
   do
     # Pull down the trusted docker image
     echo "Downloading $i"
-    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION
+    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$IMAGE_TAG_SUFFIX
     
     # Get signature
-    curl -A "$CURLTYPE/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION.sig --output $SIGNPATH/$i:$VERSION.sig
+    curl -A "$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$i:$VERSION$IMAGE_TAG_SUFFIX.sig
     if [[ $? -ne 0 ]]; then
-      echo "Unable to pull signature file for $i:$VERSION"
+      echo "Unable to pull signature file for $i:$VERSION$IMAGE_TAG_SUFFIX"
       exit 1
     fi
     # Dump our hash values
-    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION)
+    DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$IMAGE_TAG_SUFFIX)
        
-    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION.txt
+    echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION$IMAGE_TAG_SUFFIX.txt
-    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION.txt
+    echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION$IMAGE_TAG_SUFFIX.txt
         
     if [[ $? -ne 0 ]]; then
-      echo "Unable to inspect $i:$VERSION"
+      echo "Unable to inspect $i:$VERSION$IMAGE_TAG_SUFFIX"
       exit 1
     fi
-    GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION.sig $SIGNPATH/$i:$VERSION.txt 2>&1)
+    GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION$IMAGE_TAG_SUFFIX.sig $SIGNPATH/$i:$VERSION$IMAGE_TAG_SUFFIX.txt 2>&1)
     if [[ $? -eq 0 ]]; then
       if [[ -z "$SKIP_TAGPUSH" ]]; then
         # Tag it with the new registry destination
-        docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION
+        docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$IMAGE_TAG_SUFFIX $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$IMAGE_TAG_SUFFIX
-        docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION
+        docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$IMAGE_TAG_SUFFIX
       fi
     else
-      echo "There is a problem downloading the $i:$VERSION image. Details: "
+      echo "There is a problem downloading the $i:$VERSION$IMAGE_TAG_SUFFIX image. Details: "
       echo ""
       echo $GPGTEST
       exit 1
@@ -146,3 +156,5 @@ update_docker_containers() {
   done
   
 }
+
+set_version