From 6785b9e4d2bbfe9e6b4cface00af12f926df148b Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 4 May 2020 15:59:07 -0400
Subject: [PATCH 1/3] [feat] Add check for hardware requirements
---
 setup/so-functions | 33 +++++++++++++++++++++++++++++++++
 setup/so-setup | 12 ++++++++++--
 setup/so-variables | 3 +++
 setup/so-whiptail | 15 +++++++++++++++
 4 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 676484a91..db871271c 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -357,6 +357,39 @@ checkin_at_boot() {
 echo "startup_states: highstate" >> "$minion_config"
 }
+
+check_requirements() {
+ local eval_or_dist=$1
+ local node_type=$2 # optional
+ local req_mem
+ local req_cores
+ local nic_list
+ readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')"
+ local num_nics=${#nic_list[@]}
+
+ if [[ "$eval_or_dist" == 'eval' ]]; then
+ req_mem=12
+ req_cores=4
+ req_nics=2
+ elif [[ "$eval_or_dist" == 'dist' ]]; then
+ req_mem=8
+ req_cores=4
+ if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
+ fi
+
+ if [[ $num_nics -lt $req_nics ]]; then
+ whiptail_requirements_error "NICs" "$num_nics" "$req_nics"
+ fi
+
+ if [[ $num_cpu_cores -lt $req_cores ]]; then
+ whiptail_requirements_error "cores" "$num_cpu_cores" "$req_cores"
+ fi
+
+ if [[ $total_mem_hr -lt $req_mem ]]; then
+ whiptail_requirements_error "memory" "${total_mem_hr}GB" "${req_mem}GB"
+ fi
+}
+
 copy_master_config() {
 # Copy the master config template to the proper directory
diff --git a/setup/so-setup b/setup/so-setup
index a22c6fba5..949f2b2d7 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -57,8 +57,6 @@ fi
 whiptail_install_type
-whiptail_patch_schedule
-
 if [ "$install_type" = 'EVAL' ]; then
 is_node=true
 is_master=true
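Review bot: `req_nics` is assigned in both branches of `check_requirements` but never declared `local`, unlike `req_mem`/`req_cores`, so it leaks into the caller's scope; and when `eval_or_dist` is anything other than 'eval' or 'dist' all three stay unset and `[[ $num_nics -lt $req_nics ]]` fails with a bash conditional-expression error instead of a clear message. Add `local req_nics` beside the other declarations and finish the if/elif with an `else` arm such as `else printf 'check_requirements: unknown install type "%s"\n' "$eval_or_dist" >&2; return 1; fi`. Note also that `readarray -t nic_list <<< "$(...)"` yields one empty element when the pipeline prints nothing, so `num_nics` is never below 1 even if no interface passes the filter; a comment on that line, or a `[[ -n ... ]]` guard, would make the NIC count honest. A header comment naming the globals read here (`num_cpu_cores`, `total_mem_hr` from so-variables) and stating that the function only warns via `whiptail_requirements_error` rather than aborting would help the next reader.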
@@ -89,6 +87,16 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then
 is_helix=true
 fi
+if [[ $is_eval ]]; then
+ check_requirements "eval"
+elif [[ $is_distmaster || $is_minion ]]; then
+ check_requirements "dist"
+elif [[ $is_sensor && ! $is_eval ]]; then
+ check_requirements "dist" "sensor"
+fi
+
+whiptail_patch_schedule
+
 case "$setup_type" in
 'iso')
 whiptail_set_hostname
diff --git a/setup/so-variables b/setup/so-variables
index e61bc0252..786a4ca9b 100644
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -3,6 +3,9 @@ total_mem=$(grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//')
 export total_mem
+total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1024/1024); }')
+export total_mem_hr
+
 num_cpu_cores=$(nproc)
 export num_cpu_cores
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 7511400b0..dec567af4 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -238,6 +238,21 @@ whiptail_create_web_user_password2() {
 }
+whiptail_requirements_error() {
+
+ local requirement_needed=$1
+ local current_val=$2
+ local needed_val=$3
+
+ [ -n "$QUIET" ] && return
+
+ whiptail --title "Security Onion Setup" \
+ --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Hit YES to continue anyway, or hit NO to cancel." 8 75
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+}
+
 whiptail_invalid_pass_warning() {
 [ -n "$QUIET" ] && return
From d9a8fa0474a972381dae9d6721b0857c4ce34f2c Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 4 May 2020 16:06:02 -0400
Subject: [PATCH 2/3] [fix] Hit -> Press
---
 setup/so-whiptail | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index dec567af4..53eb9c311 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
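Review bot: The arm order in the new `if` chain may hide the sensor-specific check: if a SENSOR install also sets `is_minion` (not visible in this hunk, but sensors do check in to the master as minions), `elif [[ $is_distmaster || $is_minion ]]` matches first and `check_requirements "dist" "sensor"` is never reached, so sensors are held to one NIC instead of two. Testing the sensor flag before the generic minion flag avoids depending on that, and the `! $is_eval` in the sensor arm is dead anyway because the first arm already consumed `is_eval`: `elif [[ $is_sensor ]]; then`. The HELIXSENSOR case above only sets `is_helix=true` as far as this hunk shows, so a helix node may skip the check entirely; if that is intended, say so with a comment on the closing `fi`.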
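Review bot: `total_mem_hr` uses `printf("%.0f", ...)`, which rounds to nearest, so a host reporting 11.5 GB passes a 12 GB minimum; if that leniency is intended (MemTotal is normally somewhat below the nominal RAM size) it should be stated, e.g. `# RAM in whole GB, rounded to nearest so a 16GB host reporting ~15.6GB counts as 16; read by check_requirements`, and if it is not, `int($2/1024/1024)` gives a floor. The neighbouring `total_mem` line derives a related figure by chopping three digits with sed, so the comment should also say why a second, independent read of /proc/meminfo exists.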
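Review bot: With `QUIET` set, `whiptail_requirements_error` returns before anything is recorded, so an unattended install proceeds on a host below the minimum and nothing in the setup output says so. Print the shortfall to stderr before the early return, e.g. `printf 'WARNING: %s %s present, %s required\n' "$current_val" "$requirement_needed" "$needed_val" >&2`, so it lands wherever the caller's stderr is sent, and keep the yes/no prompt for the interactive path. A short header comment documenting `$1` (requirement name), `$2` (current value), `$3` (minimum) and the fact that the function warns rather than aborts would also help.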
@@ -247,7 +247,7 @@ whiptail_requirements_error() {
 [ -n "$QUIET" ] && return
 whiptail --title "Security Onion Setup" \
- --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Hit YES to continue anyway, or hit NO to cancel." 8 75
+ --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 8 75
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -517,7 +517,7 @@ whiptail_make_changes() {
 [ -n "$QUIET" ] && return
- whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please hit YES to make changes or NO to cancel." 8 75
+ whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -613,7 +613,7 @@ whiptail_network_notice() {
 [ -n "$QUIET" ] && return
- whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 75
+ whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Press YES to continue." 8 75
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
From 0b374371021845cc32592bdc70e550f3347f9591 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 4 May 2020 16:56:23 -0400
Subject: [PATCH 3/3] [fix] so-setup fixes (function ordering
* Firewall function needs to be run at different times for different install types
* Minion pillars need to be copied before running any salt states
---
 setup/so-setup | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 949f2b2d7..7ea298a7d 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -305,8 +305,10 @@ export percentage=0
 master_pillar 2>> "$setup_log"
 fi
- set_progress_str 14 'Configuring firewall'
- set_initial_firewall_policy 2>> "$setup_log"
+ if [[ $is_minion ]]; then
+ set_progress_str 14 'Configuring firewall'
+ set_initial_firewall_policy 2>> "$setup_log"
+ fi
 set_progress_str 16 'Running first Salt checkin'
 salt_firstcheckin 2>> "$setup_log"
@@ -334,22 +336,26 @@ export percentage=0
 salt-key -ya "$MINION_ID" >> "$setup_log" 2>&1
 fi
- set_progress_str 22 'Generating CA and checking in'
- salt_checkin 2>> "$setup_log"
-
- set_progress_str 23 "$(print_salt_state_apply 'schedule')"
- salt-call state.apply -l info schedule >> $setup_log 2>&1
-
- set_progress_str 24 'Copying minion pillars to master'
+ set_progress_str 22 'Copying minion pillars to master'
 copy_minion_tmp_files 2>> "$setup_log"
+ set_progress_str 23 'Generating CA and checking in'
+ salt_checkin 2>> "$setup_log"
+
+ set_progress_str 24 "$(print_salt_state_apply 'schedule')"
+ salt-call state.apply -l info schedule >> $setup_log 2>&1
+
+
 if [[ $is_master || $is_helix ]]; then
- set_progress_str 25 'Downloading containers from the internet'
+ set_progress_str 25 'Configuring firewall'
+ set_initial_firewall_policy 2>> "$setup_log"
+
+ set_progress_str 26 'Downloading containers from the internet'
 salt-call state.apply -l info registry >> "$setup_log" 2>&1
 docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
 fi
- set_progress_str 61 "$(print_salt_state_apply 'firewall')"
+ set_progress_str 62 "$(print_salt_state_apply 'firewall')"
 salt-call state.apply -l info firewall >> $setup_log 2>&1
 set_progress_str 63 "$(print_salt_state_apply 'common')"
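Review bot: In the hunk at -334, `set_initial_firewall_policy` for master/helix nodes now runs at step 25, after `salt_firstcheckin`, `salt-key -ya` and `salt_checkin`, while the hunk at -305 keeps it at step 14 for minions; neither the code nor the commit message says why the master has to wait, and the interval in which the master runs under the host's pre-existing firewall policy is now longer. A comment on the `if [[ $is_master || $is_helix ]]` block stating the dependency (for example `# firewall policy is applied only after the master's own minion has checked in`, if that is the reason) would stop the next person from moving it back. The moved line `salt-call state.apply -l info schedule >> $setup_log 2>&1` also leaves `$setup_log` unquoted while the lines around it use `>> "$setup_log"`. Whether an EVAL node, which sets `is_master=true` in this file, also satisfies `[[ $is_minion ]]` cannot be told from here; if it does, the policy is applied twice.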