Merge pull request #15223 from Security-Onion-Solutions/bravo

configure salt, then install. update bootstrap-salt. reduce salt install fail timeout
2026-06-13 05:39:18 +02:00 · 2025-11-13 11:35:43 -05:00
parent bfd08d1d2e fed75c7b39
commit 2729fdbea6
3 changed files with 115 additions and 129 deletions
@@ -26,7 +26,7 @@
 #======================================================================================================================
 set -o nounset                              # Treat unset variables as an error

-__ScriptVersion="2025.02.24"
+__ScriptVersion="2025.09.03"
 __ScriptName="bootstrap-salt.sh"

 __ScriptFullName="$0"
@@ -48,6 +48,7 @@ __ScriptArgs="$*"
 #   * BS_GENTOO_USE_BINHOST:    If 1 add `--getbinpkg` to gentoo's emerge
 #   * BS_SALT_MASTER_ADDRESS:   The IP or DNS name of the salt-master the minion should connect to
 #   * BS_SALT_GIT_CHECKOUT_DIR: The directory where to clone Salt on git installations
+#   * BS_TMP_DIR:               The directory to use for executing the installation (defaults to /tmp)
 #======================================================================================================================


@@ -171,12 +172,12 @@ __check_config_dir() {

    case "$CC_DIR_NAME" in
        http://*|https://*)
-            __fetch_url "/tmp/${CC_DIR_BASE}" "${CC_DIR_NAME}"
-            CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
+            __fetch_url "${_TMP_DIR}/${CC_DIR_BASE}" "${CC_DIR_NAME}"
+            CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
            ;;
        ftp://*)
-            __fetch_url "/tmp/${CC_DIR_BASE}" "${CC_DIR_NAME}"
-            CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
+            __fetch_url "${_TMP_DIR}/${CC_DIR_BASE}" "${CC_DIR_NAME}"
+            CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
            ;;
        *://*)
            echoerror "Unsupported URI scheme for $CC_DIR_NAME"
@@ -194,22 +195,22 @@ __check_config_dir() {

    case "$CC_DIR_NAME" in
        *.tgz|*.tar.gz)
-            tar -zxf "${CC_DIR_NAME}" -C /tmp
+            tar -zxf "${CC_DIR_NAME}" -C ${_TMP_DIR}
            CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tgz")
            CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.gz")
-            CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
+            CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
            ;;
        *.tbz|*.tar.bz2)
-            tar -xjf "${CC_DIR_NAME}" -C /tmp
+            tar -xjf "${CC_DIR_NAME}" -C ${_TMP_DIR}
            CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tbz")
            CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.bz2")
-            CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
+            CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
            ;;
        *.txz|*.tar.xz)
-            tar -xJf "${CC_DIR_NAME}" -C /tmp
+            tar -xJf "${CC_DIR_NAME}" -C ${_TMP_DIR}
            CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".txz")
            CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.xz")
-            CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
+            CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
            ;;
    esac

@@ -245,6 +246,7 @@ __check_unparsed_options() {
 #----------------------------------------------------------------------------------------------------------------------
 _KEEP_TEMP_FILES=${BS_KEEP_TEMP_FILES:-$BS_FALSE}
 _TEMP_CONFIG_DIR="null"
+_TMP_DIR=${BS_TMP_DIR:-"/tmp"}
 _SALTSTACK_REPO_URL="https://github.com/saltstack/salt.git"
 _SALT_REPO_URL=${_SALTSTACK_REPO_URL}
 _TEMP_KEYS_DIR="null"
@@ -281,7 +283,7 @@ _SIMPLIFY_VERSION=$BS_TRUE
 _LIBCLOUD_MIN_VERSION="0.14.0"
 _EXTRA_PACKAGES=""
 _HTTP_PROXY=""
-_SALT_GIT_CHECKOUT_DIR=${BS_SALT_GIT_CHECKOUT_DIR:-/tmp/git/salt}
+_SALT_GIT_CHECKOUT_DIR=${BS_SALT_GIT_CHECKOUT_DIR:-${_TMP_DIR}/git/salt}
 _NO_DEPS=$BS_FALSE
 _FORCE_SHALLOW_CLONE=$BS_FALSE
 _DISABLE_SSL=$BS_FALSE
@@ -367,7 +369,7 @@ __usage() {
        also be specified. Salt installation will be ommitted, but some of the
        dependencies could be installed to write configuration with -j or -J.
    -d  Disables checking if Salt services are enabled to start on system boot.
-        You can also do this by touching /tmp/disable_salt_checks on the target
+        You can also do this by touching ${BS_TMP_DIR}/disable_salt_checks on the target
        host. Default: \${BS_FALSE}
    -D  Show debug output
    -f  Force shallow cloning for git installations.
@@ -424,6 +426,9 @@ __usage() {
    -r  Disable all repository configuration performed by this script. This
        option assumes all necessary repository configuration is already present
        on the system.
+    -T  If set this overrides the use of /tmp for script execution. This is
+        to allow for systems in which noexec is applied to temp filesystem mounts
+        for security reasons
    -U  If set, fully upgrade the system prior to bootstrapping Salt
    -v  Display script version
    -V  Install Salt into virtualenv
@@ -436,7 +441,7 @@ __usage() {
 EOT
 }   # ----------  end of function __usage  ----------

-while getopts ':hvnDc:g:Gx:k:s:MSWNXCPFUKIA:i:Lp:dH:bflV:J:j:rR:aqQ' opt
+while getopts ':hvnDc:g:Gx:k:s:MSWNXCPFUKIA:i:Lp:dH:bflV:J:j:rR:T:aqQ' opt
 do
  case "${opt}" in

@@ -478,6 +483,7 @@ do
    a )  _PIP_ALL=$BS_TRUE                              ;;
    r )  _DISABLE_REPOS=$BS_TRUE                        ;;
    R )  _CUSTOM_REPO_URL=$OPTARG                       ;;
+    T )  _TMP_DIR="$OPTARG"                             ;;
    J )  _CUSTOM_MASTER_CONFIG=$OPTARG                  ;;
    j )  _CUSTOM_MINION_CONFIG=$OPTARG                  ;;
    q )  _QUIET_GIT_INSTALLATION=$BS_TRUE               ;;
@@ -495,10 +501,10 @@ done
 shift $((OPTIND-1))

 # Define our logging file and pipe paths
-LOGFILE="/tmp/$( echo "$__ScriptName" | sed s/.sh/.log/g )"
-LOGPIPE="/tmp/$( echo "$__ScriptName" | sed s/.sh/.logpipe/g )"
+LOGFILE="${_TMP_DIR}/$( echo "$__ScriptName" | sed s/.sh/.log/g )"
+LOGPIPE="${_TMP_DIR}/$( echo "$__ScriptName" | sed s/.sh/.logpipe/g )"
 # Ensure no residual pipe exists
-rm "$LOGPIPE" 2>/dev/null
+rm -f "$LOGPIPE" 2>/dev/null

 # Create our logging pipe
 # On FreeBSD we have to use mkfifo instead of mknod
@@ -534,7 +540,7 @@ exec 2>"$LOGPIPE"
 #              14               SIGALRM
 #              15               SIGTERM
 #----------------------------------------------------------------------------------------------------------------------
-APT_ERR=$(mktemp /tmp/apt_error.XXXXXX)
+APT_ERR=$(mktemp ${_TMP_DIR}/apt_error.XXXXXX)
 __exit_cleanup() {
    EXIT_CODE=$?

@@ -927,6 +933,11 @@ if [ -d "${_VIRTUALENV_DIR}" ]; then
    exit 1
 fi

+# Make sure the designated temp directory exists
+if [ ! -d "${_TMP_DIR}" ]; then
+    mkdir -p "${_TMP_DIR}"
+fi
+
 #---  FUNCTION  -------------------------------------------------------------------------------------------------------
 #         NAME:  __fetch_url
 #  DESCRIPTION:  Retrieves a URL and writes it to a given path
@@ -1941,11 +1952,6 @@ __wait_for_apt(){
    # Timeout set at 15 minutes
    WAIT_TIMEOUT=900

-    ## see if sync'ing the clocks helps
-    if [ -f /usr/sbin/hwclock ]; then
-        /usr/sbin/hwclock -s
-    fi
-
    # Run our passed in apt command
    "${@}" 2>"$APT_ERR"
    APT_RETURN=$?
@@ -1996,14 +2002,14 @@ __apt_get_upgrade_noinput() {
 #----------------------------------------------------------------------------------------------------------------------
 __temp_gpg_pub() {
    if __check_command_exists mktemp; then
-        tempfile="$(mktemp /tmp/salt-gpg-XXXXXXXX.pub 2>/dev/null)"
+        tempfile="$(mktemp ${_TMP_DIR}/salt-gpg-XXXXXXXX.pub 2>/dev/null)"

        if [ -z "$tempfile" ]; then
-            echoerror "Failed to create temporary file in /tmp"
+            echoerror "Failed to create temporary file in ${_TMP_DIR}"
            return 1
        fi
    else
-        tempfile="/tmp/salt-gpg-$$.pub"
+        tempfile="${_TMP_DIR}/salt-gpg-$$.pub"
    fi

    echo $tempfile
@@ -2043,7 +2049,7 @@ __rpm_import_gpg() {
    __fetch_url "$tempfile" "$url" || return 1

    # At least on CentOS 8, a missing newline at the end causes:
-    #   error: /tmp/salt-gpg-n1gKUb1u.pub: key 1 not an armored public key.
+    #   error: ${_TMP_DIR}/salt-gpg-n1gKUb1u.pub: key 1 not an armored public key.
    # shellcheck disable=SC1003,SC2086
    sed -i -e '$a\' $tempfile

@@ -2109,7 +2115,7 @@ __git_clone_and_checkout() {
    fi

    __SALT_GIT_CHECKOUT_PARENT_DIR=$(dirname "${_SALT_GIT_CHECKOUT_DIR}" 2>/dev/null)
-    __SALT_GIT_CHECKOUT_PARENT_DIR="${__SALT_GIT_CHECKOUT_PARENT_DIR:-/tmp/git}"
+    __SALT_GIT_CHECKOUT_PARENT_DIR="${__SALT_GIT_CHECKOUT_PARENT_DIR:-${_TMP_DIR}/git}"
    __SALT_CHECKOUT_REPONAME="$(basename "${_SALT_GIT_CHECKOUT_DIR}" 2>/dev/null)"
    __SALT_CHECKOUT_REPONAME="${__SALT_CHECKOUT_REPONAME:-salt}"
    [ -d "${__SALT_GIT_CHECKOUT_PARENT_DIR}" ] || mkdir "${__SALT_GIT_CHECKOUT_PARENT_DIR}"
@@ -2162,7 +2168,7 @@ __git_clone_and_checkout() {

        if [ "$__SHALLOW_CLONE" -eq $BS_TRUE ]; then
            # Let's try 'treeless' cloning to speed up. Treeless cloning omits trees and blobs ('files')
-	    # but includes metadata (commit history, tags, branches etc.
+            # but includes metadata (commit history, tags, branches etc.
            # Test for "--filter" option introduced in git 2.19, the minimal version of git where the treeless
            # cloning we need actually works
            if [ "$(git clone 2>&1 | grep 'filter')" != "" ]; then
@@ -2390,14 +2396,14 @@ __overwriteconfig() {

    # Make a tempfile to dump any python errors into.
    if __check_command_exists mktemp; then
-        tempfile="$(mktemp /tmp/salt-config-XXXXXXXX 2>/dev/null)"
+        tempfile="$(mktemp ${_TMP_DIR}/salt-config-XXXXXXXX 2>/dev/null)"

        if [ -z "$tempfile" ]; then
-            echoerror "Failed to create temporary file in /tmp"
+            echoerror "Failed to create temporary file in ${_TMP_DIR}"
            return 1
        fi
    else
-        tempfile="/tmp/salt-config-$$"
+        tempfile="${_TMP_DIR}/salt-config-$$"
    fi

    if [ -n "$_PY_EXE" ]; then
@@ -2760,8 +2766,8 @@ __install_salt_from_repo() {
    echoinfo "Installing salt using ${_py_exe}, $(${_py_exe} --version)"
    cd "${_SALT_GIT_CHECKOUT_DIR}" || return 1

-    mkdir -p /tmp/git/deps
-    echodebug "Created directory /tmp/git/deps"
+    mkdir -p ${_TMP_DIR}/git/deps
+    echodebug "Created directory ${_TMP_DIR}/git/deps"

    if [ ${DISTRO_NAME_L} = "ubuntu" ] && [ "$DISTRO_MAJOR_VERSION" -eq 22 ]; then
        echodebug "Ubuntu 22.04 has problem with base.txt requirements file, not parsing sys_platform == 'win32', upgrading from default pip works"
@@ -2774,7 +2780,7 @@ __install_salt_from_repo() {
        fi
    fi

-    rm -f /tmp/git/deps/*
+    rm -f ${_TMP_DIR}/git/deps/*

    echodebug "Installing Salt requirements from PyPi, ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --ignore-installed ${_PIP_INSTALL_ARGS} -r requirements/static/ci/py${_py_version}/linux.txt"
    ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --ignore-installed ${_PIP_INSTALL_ARGS} -r "requirements/static/ci/py${_py_version}/linux.txt"
@@ -2799,7 +2805,7 @@ __install_salt_from_repo() {

    echodebug "Running '${_py_exe} setup.py --salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} bdist_wheel'"
    ${_py_exe} setup.py --salt-config-dir="$_SALT_ETC_DIR" --salt-cache-dir="${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" bdist_wheel || return 1
-    mv dist/salt*.whl /tmp/git/deps/ || return 1
+    mv dist/salt*.whl ${_TMP_DIR}/git/deps/ || return 1

    cd "${__SALT_GIT_CHECKOUT_PARENT_DIR}" || return 1

@@ -2813,14 +2819,14 @@ __install_salt_from_repo() {
        ${_pip_cmd} install --force-reinstall --break-system-packages "${_arch_dep}"
    fi

-    echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} /tmp/git/deps/salt*.whl'"
+    echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl'"

-    echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} /tmp/git/deps/salt*.whl"
+    echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"

    ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
        ${_PIP_INSTALL_ARGS} \
        --global-option="--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
-        /tmp/git/deps/salt*.whl || return 1
+        ${_TMP_DIR}/git/deps/salt*.whl || return 1

    echoinfo "Checking if Salt can be imported using ${_py_exe}"
    CHECK_SALT_SCRIPT=$(cat << EOM
@@ -6295,8 +6301,8 @@ __get_packagesite_onedir_latest() {
 }


-__install_saltstack_photon_onedir_repository() {
-    echodebug "__install_saltstack_photon_onedir_repository() entry"
+__install_saltstack_vmware_photon_os_onedir_repository() {
+    echodebug "__install_saltstack_vmware_photon_os_onedir_repository() entry"

    if [ -n "$_PY_EXE" ] && [ "$_PY_MAJOR_VERSION" -ne 3 ]; then
        echoerror "Python version is no longer supported, only Python 3"
@@ -6376,8 +6382,8 @@ __install_saltstack_photon_onedir_repository() {
    return 0
 }

-install_photon_deps() {
-    echodebug "install_photon_deps() entry"
+install_vmware_photon_os_deps() {
+    echodebug "install_vmware_photon_os_deps() entry"

    if [ -n "$_PY_EXE" ] && [ "$_PY_MAJOR_VERSION" -ne 3 ]; then
        echoerror "Python version is no longer supported, only Python 3"
@@ -6406,8 +6412,8 @@ install_photon_deps() {
    return 0
 }

-install_photon_stable_post() {
-    echodebug "install_photon_stable_post() entry"
+install_vmware_photon_os_stable_post() {
+    echodebug "install_vmware_photon_os_stable_post() entry"

    for fname in api master minion syndic; do
        # Skip salt-api since the service should be opt-in and not necessarily started on boot
@@ -6424,8 +6430,8 @@ install_photon_stable_post() {
    done
 }

-install_photon_git_deps() {
-    echodebug "install_photon_git_deps() entry"
+install_vmware_photon_os_git_deps() {
+    echodebug "install_vmware_photon_os_git_deps() entry"

    if [ -n "$_PY_EXE" ] && [ "$_PY_MAJOR_VERSION" -ne 3 ]; then
        echoerror "Python version is no longer supported, only Python 3"
@@ -6463,7 +6469,7 @@ install_photon_git_deps() {

    __PACKAGES="python${PY_PKG_VER}-devel python${PY_PKG_VER}-pip python${PY_PKG_VER}-setuptools gcc glibc-devel linux-devel.x86_64 cython${PY_PKG_VER}"

-    echodebug "install_photon_git_deps() distro major version, ${DISTRO_MAJOR_VERSION}"
+    echodebug "install_vmware_photon_os_git_deps() distro major version, ${DISTRO_MAJOR_VERSION}"

    ## Photon 5 container is missing systemd on default installation
    if [ "${DISTRO_MAJOR_VERSION}" -lt 5  ]; then
@@ -6489,8 +6495,8 @@ install_photon_git_deps() {
    return 0
 }

-install_photon_git() {
-    echodebug "install_photon_git() entry"
+install_vmware_photon_os_git() {
+    echodebug "install_vmware_photon_os_git() entry"

    if [ "${_PY_EXE}" != "" ]; then
        _PYEXE=${_PY_EXE}
@@ -6500,7 +6506,7 @@ install_photon_git() {
        return 1
    fi

-    install_photon_git_deps
+    install_vmware_photon_os_git_deps

    if [ -f "${_SALT_GIT_CHECKOUT_DIR}/salt/syspaths.py" ]; then
        ${_PYEXE} setup.py --salt-config-dir="$_SALT_ETC_DIR" --salt-cache-dir="${_SALT_CACHE_DIR}" ${SETUP_PY_INSTALL_ARGS} install --prefix=/usr || return 1
@@ -6510,8 +6516,8 @@ install_photon_git() {
    return 0
 }

-install_photon_git_post() {
-    echodebug "install_photon_git_post() entry"
+install_vmware_photon_os_git_post() {
+    echodebug "install_vmware_photon_os_git_post() entry"

    for fname in api master minion syndic; do
        # Skip if not meant to be installed
@@ -6543,9 +6549,9 @@ install_photon_git_post() {
    done
 }

-install_photon_restart_daemons() {
+install_vmware_photon_os_restart_daemons() {
    [ "$_START_DAEMONS" -eq $BS_FALSE ] && return
-    echodebug "install_photon_restart_daemons() entry"
+    echodebug "install_vmware_photon_os_restart_daemons() entry"


    for fname in api master minion syndic; do
@@ -6567,8 +6573,8 @@ install_photon_restart_daemons() {
    done
 }

-install_photon_check_services() {
-    echodebug "install_photon_check_services() entry"
+install_vmware_photon_os_check_services() {
+    echodebug "install_vmware_photon_os_check_services() entry"

    for fname in api master minion syndic; do
        # Skip salt-api since the service should be opt-in and not necessarily started on boot
@@ -6585,8 +6591,8 @@ install_photon_check_services() {
    return 0
 }

-install_photon_onedir_deps() {
-    echodebug "install_photon_onedir_deps() entry"
+install_vmware_photon_os_onedir_deps() {
+    echodebug "install_vmware_photon_os_onedir_deps() entry"


    if [ "$_UPGRADE_SYS" -eq $BS_TRUE ]; then
@@ -6600,17 +6606,17 @@ install_photon_onedir_deps() {
    fi

    if [ "$_DISABLE_REPOS" -eq "$BS_FALSE" ]; then
-        __install_saltstack_photon_onedir_repository || return 1
+        __install_saltstack_vmware_photon_os_onedir_repository || return 1
    fi

    # If -R was passed, we need to configure custom repo url with rsync-ed packages
    # Which was handled in __install_saltstack_rhel_repository buu that hanlded old-stable which is for
    # releases which are End-Of-Life. This call has its own check in case -r was passed without -R.
    if [ "$_CUSTOM_REPO_URL" != "null" ]; then
-        __install_saltstack_photon_onedir_repository || return 1
+        __install_saltstack_vmware_photon_os_onedir_repository || return 1
    fi

-    __PACKAGES="procps-ng sudo shadow"
+    __PACKAGES="procps-ng sudo shadow wget"

    # shellcheck disable=SC2086
    __tdnf_install_noinput ${__PACKAGES} || return 1
@@ -6626,9 +6632,9 @@ install_photon_onedir_deps() {
 }


-install_photon_onedir() {
+install_vmware_photon_os_onedir() {

-    echodebug "install_photon_onedir() entry"
+    echodebug "install_vmware_photon_os_onedir() entry"

    STABLE_REV=$ONEDIR_REV
    _GENERIC_PKG_VERSION=""
@@ -6672,9 +6678,9 @@ install_photon_onedir() {
    return 0
 }

-install_photon_onedir_post() {
+install_vmware_photon_os_onedir_post() {
    STABLE_REV=$ONEDIR_REV
-    install_photon_stable_post || return 1
+    install_vmware_photon_os_stable_post || return 1

    return 0
 }
@@ -7797,7 +7803,7 @@ install_macosx_git_deps() {
        export PATH=/usr/local/bin:$PATH
    fi

-    __fetch_url "/tmp/get-pip.py" "https://bootstrap.pypa.io/get-pip.py" || return 1
+    __fetch_url "${_TMP_DIR}/get-pip.py" "https://bootstrap.pypa.io/get-pip.py" || return 1

    if [ -n "$_PY_EXE" ]; then
        _PYEXE="${_PY_EXE}"
@@ -7807,7 +7813,7 @@ install_macosx_git_deps() {
    fi

    # Install PIP
-    $_PYEXE /tmp/get-pip.py || return 1
+    $_PYEXE ${_TMP_DIR}/get-pip.py || return 1

    # shellcheck disable=SC2119
    __git_clone_and_checkout || return 1
@@ -7819,9 +7825,9 @@ install_macosx_stable() {

    install_macosx_stable_deps || return 1

-    __fetch_url "/tmp/${PKG}" "${SALTPKGCONFURL}" || return 1
+    __fetch_url "${_TMP_DIR}/${PKG}" "${SALTPKGCONFURL}" || return 1

-    /usr/sbin/installer -pkg "/tmp/${PKG}" -target / || return 1
+    /usr/sbin/installer -pkg "${_TMP_DIR}/${PKG}" -target / || return 1

    return 0
 }
@@ -7830,9 +7836,9 @@ install_macosx_onedir() {

    install_macosx_onedir_deps || return 1

-    __fetch_url "/tmp/${PKG}" "${SALTPKGCONFURL}" || return 1
+    __fetch_url "${_TMP_DIR}/${PKG}" "${SALTPKGCONFURL}" || return 1

-    /usr/sbin/installer -pkg "/tmp/${PKG}" -target / || return 1
+    /usr/sbin/installer -pkg "${_TMP_DIR}/${PKG}" -target / || return 1

    return 0
 }
@@ -502,6 +502,7 @@ configure_minion() {
 		minion_type=desktop
 	fi
 	info "Configuring minion type as $minion_type" 
+	logCmd "mkdir -p /etc/salt/minion.d"
 	echo "role: so-$minion_type" > /etc/salt/grains
 	
 	local minion_config=/etc/salt/minion
@@ -541,20 +542,6 @@ configure_minion() {
 		"log_file: /opt/so/log/salt/minion"\
 		"#startup_states: highstate" >> "$minion_config"

-	# At the time the so-managerhype node does not yet have the bridge configured.
-	# The so-hypervisor node doesn't either, but it doesn't cause issues here.
-	local usebr0=false
-	if [ "$minion_type" == 'hypervisor' ]; then
-    	usebr0=true
-	fi
-	local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}"
-	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'"
-	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json"
-
-	{
-		logCmd "systemctl enable salt-minion";
-		logCmd "systemctl restart salt-minion";
-	} >> "$setup_log" 2>&1
 }

 checkin_at_boot() {
@@ -798,25 +785,18 @@ configure_hyper_bridge() {
 }

 copy_salt_master_config() {
-
+	logCmd "mkdir /etc/salt"
 	title "Copy the Salt master config template to the proper directory"
 	if [ "$setup_type" = 'iso' ]; then
 		logCmd "cp /root/SecurityOnion/files/salt/master/master /etc/salt/master"
-		#logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
 	else
 		logCmd "cp ../files/salt/master/master /etc/salt/master"
-		#logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
 	fi
 	info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir"
 	logCmd "cp -R $temp_install_dir/pillar/ $local_salt_dir/"
 	if [ -d "$temp_install_dir"/salt ] ; then
 		logCmd "cp -R $temp_install_dir/salt/ $local_salt_dir/"
 	fi
-
-	# Restart the service so it picks up the changes
-	logCmd "systemctl daemon-reload"
-	logCmd "systemctl enable salt-master"
-	logCmd "systemctl restart salt-master"
 }

 create_local_nids_rules() {
@@ -1941,11 +1921,12 @@ repo_sync_local() {
 }

 saltify() {
-	info "Installing Salt"
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
+	info "Installing Salt $SALTVERSION"
+	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
 	if [[ $is_deb ]]; then

-		DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
+		DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
 		if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi
 		local pkg_arr=(
 			'apache2-utils'
@@ -1958,16 +1939,11 @@ saltify() {
 			'jq'
 			'gnupg'
 		)
-		retry 150 20 "apt-get -y install ${pkg_arr[*]}" || fail_setup
+		retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup

 		logCmd "mkdir -vp /etc/apt/keyrings"
 		logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"

-		# Download public key
-		logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public"
-		# Create apt repo target configuration
-		echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" | sudo tee /etc/apt/sources.list.d/salt.list
-
 		if [[ $is_ubuntu ]]; then
 			# Add Docker Repo
 			add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" 
@@ -1978,45 +1954,50 @@ saltify() {
 			echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list 
 		fi

-		logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp"
-
-		#logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub"
 		logCmd "apt-key add /etc/apt/keyrings/docker.pub"

-		# Add SO Saltstack Repo
-		#echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt3004.2/ focal main" > /etc/apt/sources.list.d/saltstack.list
-
-		# Ain't nothing but a GPG 
-
-		retry 150 20 "apt-get update" "" "Err:" || fail_setup
+		retry 30 10 "apt-get update" "" "Err:" || fail_setup
 		if [[ $waitforstate ]]; then
-			retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION salt-master=$SALTVERSION" || fail_setup
-			retry 150 20 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
-			retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
+			retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
+			retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
 		else
-			retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup
-			retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
+			retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup
 		fi
 	fi
 		
 	if [[ $is_rpm ]]; then
 		if [[ $waitforstate ]]; then 
 			# install all for a manager
-			logCmd "dnf -y install salt-$SALTVERSION salt-master-$SALTVERSION salt-minion-$SALTVERSION"
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
 		else
-			# We just need the minion
-			if [[ $is_airgap ]]; then
-			    logCmd "dnf -y install salt salt-minion"
-			else
-			    logCmd "dnf -y install salt-$SALTVERSION salt-minion-$SALTVERSION"
-			fi
+			# just a minion
+			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
 		fi
 	fi

-	logCmd "mkdir -p /etc/salt/minion.d"
 	salt_install_module_deps
 	salt_patch_x509_v2

+	# At the time the so-managerhype node does not yet have the bridge configured.
+	# The so-hypervisor node doesn't either, but it doesn't cause issues here.
+	local usebr0=false
+	if [ "$minion_type" == 'hypervisor' ]; then
+    	usebr0=true
+	fi
+	local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}"
+	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'"
+	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json"
+
+	if [[ $waitforstate ]]; then 
+		logCmd "systemctl enable salt-master";
+		logCmd "systemctl start salt-master";
+	fi
+
+	logCmd "systemctl enable salt-minion";
+	logCmd "systemctl restart salt-minion";
+
 }

 salt_install_module_deps() {
@@ -745,13 +745,12 @@ if ! [[ -f $install_opt_file ]]; then
 		securityonion_repo
 		# Update existing packages
 		update_packages
-		# Install salt
-		saltify
-		# Start the master service
+		# Put salt-master config in place
 		copy_salt_master_config
 		configure_minion "$minion_type"
+		# Install salt
+		saltify
 		check_sos_appliance
-
 		logCmd "salt-key -yd $MINION_ID"
 		sleep 2 # Debug RSA Key format errors
 		logCmd "salt-call state.show_top"
@@ -852,8 +851,8 @@ if ! [[ -f $install_opt_file ]]; then
 		gpg_rpm_import
 		securityonion_repo
 		update_packages
-		saltify
 		configure_minion "$minion_type"
+		saltify
 		check_sos_appliance
 		drop_install_options
 		hypervisor_local_states