diff --git a/.codex b/.codex
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index cdae393d0..75b456c48 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -26,14 +26,33 @@ commonpkgs:
 - net-tools
 - nmap-ncat
 - procps-ng
+{# OL10 test path: python3-docker / python3-m2crypto are not packaged in EPEL 10 and are not
+ referenced by SO code (salt uses its bundled docker module from salt/python_modules.sls).
+ python3-rich is also unavailable on EL10 (its pygments dep is not packaged), so it is
+ installed via pip below. Gate on the grain because GLOBALS/pillars are not available this
+ early (see header note). #}
+{% if grains['osmajorrelease']|int < 10 %}
 - python3-docker
 - python3-m2crypto
+ - python3-rich
+{% else %}
+ - python3-pip
+{% endif %}
 - python3-packaging
 - python3-pyyaml
- - python3-rich
 - rsync
 - sqlite
 - tcpdump
 - unzip
 - wget
 - yum-utils
+
+{% if grains['osmajorrelease']|int >= 10 %}
+# OL10 test path: rich is not packaged for EL10; install it into the system python3 for so-status.
+commonpkgs_pip_rich:
+ cmd.run:
+ - name: python3 -m pip install rich
+ - unless: python3 -c "import rich"
+ - require:
+ - pkg: commonpkgs
+{% endif %}
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index aca8496f5..82c4d5e9c 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
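Review bot: The `commonpkgs_pip_rich` state runs `python3 -m pip install rich` with no version or hash pin, so whatever PyPI serves at the moment a host is built is installed into the system interpreter, and two OL10 hosts provisioned on different days can end up running different code behind so-status with no record of which. Pinning it puts the OL10 path on the same footing as the EPEL package it replaces: `- name: python3 -m pip install 'rich==<pinned-version>'` (placeholder), ideally from a requirements file installed with `--require-hashes`. The `unless: python3 -c "import rich"` guard only tests importability, so a later change of pin would not be applied to hosts where some version already imports; if the version matters, check it in the guard as well.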
@@ -354,7 +354,12 @@ gpg_rpm_import() {
 else
 local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 fi
- RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+ if [[ "$OSVER" == "10" ]]; then
+ # OL10 test path uses public repos; the public oracle-epel-release and docker repos provide their own keys
+ RPMKEYS=('RPM-GPG-KEY-oracle' 'SALT-PROJECT-GPG-PUBKEY-2023.pub')
+ else
+ RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+ fi
 for RPMKEY in "${RPMKEYS[@]}"; do
 rpm --import $RPMKEYSLOC/$RPMKEY
 echo "Imported $RPMKEY"
@@ -626,9 +631,9 @@ salt_minion_count() {
 }
 
 set_os() {
- if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+ if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 OS=oracle
- OSVER=9
+ OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 is_oracle=true
 is_rpm=true
 fi
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 833b9a7d8..83b5f786b 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
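Review bot: On the OL10 branch of `RPMKEYS`, `docker.pub` and `securityonion.pub` are dropped, so the Docker CE packages that the OL10 path installs unpinned are trusted only through whatever gpgkey URL the downloaded docker-ce.repo names, not through a key file shipped with Security Onion. If `docker.pub` is the same Docker CE signing key (I cannot confirm that from this hunk), keeping it in the list costs nothing and pins the key locally before any package from that repo is installed: `RPMKEYS=('RPM-GPG-KEY-oracle' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub')`. Either way the branch comment should name which signing key is deliberately left unpinned and why, so the exception is reviewable later. `gpg_rpm_import` continues past the end of the hunk.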
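Review bot: `OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")` in `set_os` yields every number that follows a `release ` token, so a file with more than one such token would put a multi-line value in `OSVER`, and every later `[[ "$OSVER" == "10" ]]` test would then silently fall through to the EL9 branch. Taking only the first match keeps the value a single integer: `OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | head -n1 | grep -oE "[0-9]+")`. The old condition also cross-checked /etc/redhat-release; the new one accepts any /etc/oracle-release matching 9 or 10, which is reasonable for this test path but deserves a one-line comment. The same two lines are duplicated in `detect_os` in setup/so-functions and should get the same fix.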
@@ -112,8 +112,23 @@ update_docker_containers() {
 # does not include so-elastic-fleet since that container uses so-elastic-agent image
 local IMAGES_USING_ES_VERSION=("so-elasticsearch")
 
- rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
- mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
+ rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
+ mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
+
+ # OL10 test path: GnuPG 2.4 enables the keybox daemon (keyboxd) by default, which deadlocks
+ # under the rapid sequential gpg --verify calls below ("waiting for lock ... keydb_search
+ # failed: Connection timed out ... No public key"). Editing the default homedir's common.conf
+ # is unreliable (gpg re-adds use-keyboxd when it re-initializes the homedir), so run all the
+ # image-signature gpg ops in a dedicated homedir whose pre-written common.conf leaves keyboxd
+ # off, forcing the classic keybox. Isolated from the system keyring and deterministic.
+ if [ "$OSVER" = "10" ]; then
+ export GNUPGHOME="$SIGNPATH/gnupg"
+ rm -rf "$GNUPGHOME" >> "$LOG_FILE" 2>&1
+ mkdir -p "$GNUPGHOME" >> "$LOG_FILE" 2>&1
+ chmod 700 "$GNUPGHOME"
+ echo "# keyboxd disabled for SO image signature verification on EL10" > "$GNUPGHOME/common.conf"
+ gpgconf --kill keyboxd gpg-agent >> "$LOG_FILE" 2>&1 || true
+ fi
 
 # Let's make sure we have the public key
 run_check_net_err \
diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index 52091ed95..838be62ef 100644
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -18,10 +18,18 @@ dockergroup:
 dockerheldpackages:
 pkg.installed:
 - pkgs:
+{% if GLOBALS.os_version|int >= 10 %}
+ # OL10 test path: install latest Docker CE from the public repo (no .el9 builds available)
+ - containerd.io
+ - docker-ce
+ - docker-ce-cli
+ - docker-ce-rootless-extras
+{% else %}
 - containerd.io: 2.2.1-1.el9
 - docker-ce: 3:29.2.1-1.el9
 - docker-ce-cli: 1:29.2.1-1.el9
 - docker-ce-rootless-extras: 29.2.1-1.el9
+{% endif %}
 - hold: True
 - update_holds: True
 
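Review bot: `export GNUPGHOME="$SIGNPATH/gnupg"` changes the keyring for the rest of this process and every child it spawns, not just the signature checks below, and nothing in the hunk restores it; the remainder of `update_docker_containers` is outside the hunk, so whether it is reset there cannot be seen. Any later gpg or gpgconf call in the same run, or in a script that sources so-image-common, would then operate on a throwaway keyring that holds only the image-signing key. Save and restore it around the verification, e.g. `local SAVED_GNUPGHOME="${GNUPGHOME-}"` before the export and `if [ -n "$SAVED_GNUPGHOME" ]; then export GNUPGHOME="$SAVED_GNUPGHOME"; else unset GNUPGHOME; fi` once verification is done, or run the verify loop in a subshell. Note also that `gpgconf --kill keyboxd gpg-agent` runs after the export, so it targets the daemons of the new, empty homedir; if the intent was to stop the system keyring's daemons, it belongs before the export.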
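Review bot: The OL10 branch of `dockerheldpackages` lists `containerd.io`, `docker-ce`, `docker-ce-cli` and `docker-ce-rootless-extras` without versions, so `hold: True` freezes whatever the public Docker repo served at first install; two OL10 hosts built a day apart can land on different, untested releases, and the state keeps no record of which one was validated. Once an EL10 build is known to work, pin it in the same form as the EL9 branch, `- docker-ce: <validated-el10-version>` (placeholder) for each package, or at least record the validated version in the branch comment so the unpinned install is an explicit, reviewable exception. The `GLOBALS.os_version` key used in the gate is introduced by the salt/vars/globals.map.jinja change in this commit, so the two changes cannot be backported separately.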
diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls
index 5cb9bd94d..ed06e2789 100644
--- a/salt/repo/client/init.sls
+++ b/salt/repo/client/init.sls
@@ -1,5 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if GLOBALS.os == 'OEL' %}
+{# OL10 test path uses public repos; skip the SO repo state (which removes public repos and points at /nsm/repo) #}
+{% if GLOBALS.os == 'OEL' and GLOBALS.os_version|int == 9 %}
 include:
 - repo.client.oracle
 {% endif %}
\ No newline at end of file
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index 385db02ae..19633412a 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -31,6 +31,7 @@
 'so_model': INIT.GRAINS.get('sosmodel',''),
 'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
 'os': INIT.GRAINS.os,
+ 'os_version': INIT.GRAINS.osmajorrelease,
 'os_family': INIT.GRAINS.os_family,
 'application_urls': {},
 'manager_roles': [
diff --git a/setup/so-functions b/setup/so-functions
index c94b8eee7..f9e433417 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -903,14 +903,14 @@ detect_cloud() {
 detect_os() {
 title "Detecting Base OS"
 
- if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+ if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 OS=oracle
- OSVER=9
+ OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 is_oracle=true
 is_rpm=true
 is_supported=true
 else
- info "This OS is not supported. Security Onion requires Oracle Linux 9."
+ info "This OS is not supported. Security Onion requires Oracle Linux 9 or 10."
 fail_setup
 fi
 
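Review bot: The OL10 gate here is `GLOBALS.os_version|int == 9`, while salt/common/packages.sls uses `< 10` and `>= 10`, salt/docker/init.sls uses `>= 10`, and the shell side uses `"$OSVER" == "10"`; these predicates agree only for exactly 9 and 10, so any other major release would skip the SO repo here yet still take the mirrored-repo branch in packages.sls. Use one form for the mirrored-versus-public decision everywhere, for example `{% if GLOBALS.os == 'OEL' and GLOBALS.os_version|int < 10 %}` to match packages.sls, or better a single named GLOBALS boolean that every state file reads.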
@@ -1783,6 +1783,15 @@ ensure_pyyaml() {
 # - securityonion/salt/salt/minion.defaults.yaml
 securityonion_repo() {
 
+ if [[ "$OSVER" == "10" ]]; then
+ # TEST PATH: Oracle Linux 10 uses the public OL10 + EPEL + Docker CE repos.
+ # Keep the stock /etc/yum.repos.d/* in place, skip the SO mirror and local reposync.
+ gpg_rpm_import
+ logCmd "dnf -y install oracle-epel-release-el10"
+ logCmd "dnf -y config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo"
+ logCmd "dnf repolist"
+ return
+ fi
 # Remove all the current repos
 logCmd "dnf -v clean all"
 logCmd "mkdir -vp /root/oldrepos"
@@ -1877,12 +1886,19 @@ saltify() {
 info "Installing Salt $SALTVERSION"
 chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
 
+ # Normally Salt packages come from the SO mirror, so -r disables the bootstrap's own repo setup.
+ # On the OL10 test path there is no SO mirror, so let bootstrap configure the public Salt repo.
+ local saltrepoflag="-r"
+ if [[ "$OSVER" == "10" ]]; then
+ saltrepoflag=""
+ fi
+
 if [[ $waitforstate ]]; then
 # install all for a manager
- retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
+ retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -M -X stable $SALTVERSION" || fail_setup
 else
 # just a minion
- retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+ retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -X stable $SALTVERSION" || fail_setup
 fi
 
 salt_install_module_deps
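Review bot: In the OL10 branch of `securityonion_repo`, `logCmd "dnf -y config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo"` installs a repo definition fetched over TLS at setup time and returns before the existing repo cleanup, and nothing checks what was written: if the fetched file ever lacked `gpgcheck=1`, or the repo were left enabled without a usable gpgkey, the unpinned Docker CE install in salt/docker/init.sls would proceed without signature verification. A cheap post-condition after the `--add-repo` line, such as `grep -q '^gpgcheck=1' /etc/yum.repos.d/docker-ce.repo || fail_setup` (the file name follows the URL basename under `dnf config-manager`; confirm on OL10), makes that trust assumption explicit and fails setup early instead of at the Salt stage. `securityonion_repo` continues past the hunk with the EL9 mirror setup.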