diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index f5a523b8c..064e13f9f 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -9,6 +9,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastic-fleet': final_octet: 21 port_bindings: @@ -16,6 +17,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elasticsearch': final_octet: 22 port_bindings: @@ -24,6 +26,10 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: + - memlock=-1:-1 + - nofile=65536:65536 + - nproc=4096 'so-influxdb': final_octet: 26 port_bindings: @@ -31,6 +37,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-kibana': final_octet: 27 port_bindings: @@ -38,6 +45,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-kratos': final_octet: 28 port_bindings: @@ -46,6 +54,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-hydra': final_octet: 30 port_bindings: @@ -54,6 +63,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-logstash': final_octet: 29 port_bindings: @@ -70,6 +80,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-nginx': final_octet: 31 port_bindings: @@ -81,6 +92,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-nginx-fleet-node': final_octet: 31 port_bindings: @@ -88,6 +100,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-redis': final_octet: 33 port_bindings: @@ -96,11 +109,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-sensoroni': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-soc': final_octet: 34 port_bindings: 
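Review bot: The so-elasticsearch values added in `@@ -24,6 +26,10 @@` (and `core=0` / `nofile=1048576:1048576` for so-zeek in `@@ -186,6 +213,9 @@`) become an operator-editable list, and the rewritten states in salt/elasticsearch/enabled.sls and salt/zeek/enabled.sls emit no ulimits at all when that list is empty, so clearing the field in SOC silently removes limits these containers previously always had rather than falling back to a built-in default. For so-zeek that includes `core=0`, which keeps a privileged process handling captured traffic from writing core dumps (and with them packet contents) to disk; for so-elasticsearch, whether the container still starts without `memlock`/`nofile` depends on its bootstrap settings, which this diff does not show. A comment above each pre-populated list would make the consequence visible to whoever edits defaults.yaml, e.g. `# Clearing this list removes the limits from the container; it does not restore a built-in default.` The values are plain scalars containing `:` but no `: `, so they parse as strings as intended.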
@@ -108,16 +123,19 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-backend': final_octet: 36 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-filestream': final_octet: 37 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-frontend': final_octet: 38 port_bindings: @@ -125,11 +143,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-manager': final_octet: 39 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-gatekeeper': final_octet: 40 port_bindings: @@ -137,6 +157,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-coordinator': final_octet: 41 port_bindings: @@ -144,11 +165,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastalert': final_octet: 42 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastic-fleet-package-registry': final_octet: 44 port_bindings: @@ -156,11 +179,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-idh': final_octet: 45 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastic-agent': final_octet: 46 port_bindings: @@ -169,11 +194,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-telegraf': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-suricata': final_octet: 99 custom_bind_mounts: [] @@ -186,6 +213,9 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: + - core=0 + - nofile=1048576:1048576 'so-kafka': final_octet: 88 port_bindings: @@ -196,3 +226,4 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index f855259b6..e0d7553a4 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml 
@@ -39,6 +39,12 @@ docker: helpLink: docker.html multiline: True forcedType: "[]string" + ulimits: + description: Ulimits for the container. + advanced: True + helpLink: docker.html + multiline: True + forcedType: "[]string" so-elastic-fleet: *dockerOptions so-elasticsearch: *dockerOptions so-influxdb: *dockerOptions @@ -62,42 +68,6 @@ docker: so-idh: *dockerOptions so-elastic-agent: *dockerOptions so-telegraf: *dockerOptions - so-suricata: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - global: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multiline: True - forcedType: "[]string" - custom_bind_mounts: - description: List of custom local volume bindings. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - extra_hosts: - description: List of additional host entries for the container. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - extra_env: - description: List of additional ENV entries for the container. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - ulimits: - description: Ulimits for the container, in bytes. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" + so-suricata: *dockerOptions so-zeek: *dockerOptions so-kafka: *dockerOptions diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index e28a55958..a60c6708f 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls @@ -51,6 +51,12 @@ so-elastalert: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastalert'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - require: - cmd: wait_for_elasticsearch - file: elastarules 
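Review bot: The new `description: Ulimits for the container.` in `@@ -39,6 +39,12 @@` leaves an advanced free-text field undocumented as to syntax, although each entry is passed straight through to the container state; the values elsewhere in this diff show the accepted shape (`nofile=65536:65536`, and `nproc=4096` with the hard limit omitted). Suggest `description: List of ulimits for the container, one per line as name=soft:hard (for example nofile=65536:65536); the hard limit may be omitted. Removing an entry removes that limit from the container.` The mapping this entry belongs to starts outside the hunk; I am inferring from the `*dockerOptions` aliases below it that the field is inherited by every container listed there.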
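Review bot: `- {{ ULIMIT }}` in the elastalert hunk renders each operator-supplied entry unquoted into the state, and the same six lines are repeated for every other container in this diff (elastic-fleet-package-registry, elasticagent, elasticfleet, elasticsearch, hydra, idh, influxdb, kafka, kibana, kratos, logstash, nginx, redis, registry, sensoroni, soc, the strelka states, telegraf, zeek). Because the SOC field is free text (`forcedType: "[]string"`, multiline), an entry containing ` #` or `: ` would be truncated or break the rendered YAML for the whole state instead of being rejected; unless SOC validates the field, quoting the scalar, `- '{{ ULIMIT }}'`, keeps a malformed entry confined to the ulimits value. Since the guard-and-loop block is now copied into roughly two dozen states, a shared Jinja macro (e.g. `{{ docker_ulimits('so-elastalert') }}`, name constructed) would keep that fix in one place. The so-elastalert state's argument list continues outside the hunk.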
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 3cd90ba87..60aae7c93 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls @@ -45,6 +45,12 @@ so-elastic-fleet-package-registry: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-elastic-fleet-package-registry_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index f59eae1fe..0bd65905e 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -54,6 +54,12 @@ so-elastic-agent: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-agent'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - require: - file: create-elastic-agent-config - file: trusttheca diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 040d15fca..f151d29ce 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -133,6 +133,12 @@ so-elastic-fleet: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-fleet'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - x509: etc_elasticfleet_key diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 0eb9194fb..791639546 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls 
@@ -45,15 +45,17 @@ so-elasticsearch: - discovery.type=single-node {% endif %} - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true - ulimits: - - memlock=-1:-1 - - nofile=65536:65536 - - nproc=4096 {% if DOCKER.containers['so-elasticsearch'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elasticsearch'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %} - {{ BINDING }} diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls index a20b22d32..3bb3f03b1 100644 --- a/salt/hydra/enabled.sls +++ b/salt/hydra/enabled.sls @@ -52,6 +52,12 @@ so-hydra: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-hydra'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: hydraconfig diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index e08e6647f..ed4bf835f 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -39,6 +39,12 @@ so-idh: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-idh'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-idh'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: opencanary_config - require: diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 65ba4fafe..18c52dff3 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls 
@@ -58,6 +58,12 @@ so-influxdb: - {{ XTRAHOST }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-influxdb'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: influxdbconf - x509: influxdb_key diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls index 88847f30b..4c431c2ca 100644 --- a/salt/kafka/enabled.sls +++ b/salt/kafka/enabled.sls @@ -60,6 +60,12 @@ so-kafka: {% if KAFKA_EXTERNAL_ACCESS %} - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro {% endif %} + {% if DOCKER.containers['so-kafka'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: {% for sc in ['server', 'client'] %} - file: kafka_kraft_{{sc}}_properties diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 56aac26cc..3b0e770bd 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -51,6 +51,12 @@ so-kibana: {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %} - {{ BINDING }} {% endfor %} + {% if DOCKER.containers['so-kibana'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: kibanaconfig diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index f0345edec..1df8f1f0d 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls @@ -45,6 +45,12 @@ so-kratos: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-kratos'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: kratosschema diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 3c083f4ce..58d4733e3 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls 
@@ -96,6 +96,12 @@ so-logstash: - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-logstash'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: lsetcsync - file: trusttheca diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 4ebeb9349..5cfc9634e 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -75,6 +75,12 @@ so-nginx: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers[container_config].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers[container_config].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: {% for BINDING in DOCKER.containers[container_config].port_bindings %} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 3406b63d4..a22e0dea0 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -51,6 +51,12 @@ so-redis: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-redis'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-redis'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - file: trusttheca diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 7009f135e..71d04897b 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -51,6 +51,12 @@ so-dockerregistry: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-dockerregistry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - retry: attempts: 5 interval: 30 diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index bb6846006..d9b79b8fe 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
@@ -40,6 +40,12 @@ so-sensoroni: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-sensoroni'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: /opt/so/conf/sensoroni/sensoroni.json - require: diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 5efb18fa5..2204c1ae4 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -78,6 +78,12 @@ so-soc: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-soc'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-soc'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - file: /opt/so/conf/soc/* diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index 3a830c9b0..954945728 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls @@ -41,6 +41,12 @@ strelka_backend: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-backend'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: on-failure - watch: - file: strelkasensorcompiledrules diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index 3440cd5a4..bb4fcaabd 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls @@ -44,6 +44,12 @@ strelka_coordinator: - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-coordinator'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-strelka-coordinator_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index ef5d593ba..6cbed9a6a 100644 
--- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls @@ -41,6 +41,12 @@ strelka_filestream: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-filestream'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: filestream_config diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index 709b3e71c..f595015f2 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls @@ -46,6 +46,12 @@ strelka_frontend: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-frontend'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: frontend_config diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls index 8d06ddf6a..d8301f63d 100644 --- a/salt/strelka/gatekeeper/enabled.sls +++ b/salt/strelka/gatekeeper/enabled.sls @@ -43,7 +43,13 @@ strelka_gatekeeper: {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %} - {{ XTRAENV }} {% endfor %} - {% endif %} + {% endif %} + {% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-strelka-gatekeeper_so-status.disabled: file.uncomment: diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls index 6158a5c28..0f28f8ae9 100644 --- a/salt/strelka/manager/enabled.sls +++ b/salt/strelka/manager/enabled.sls 
@@ -40,6 +40,12 @@ strelka_manager: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-manager'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: manager_config diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 1f6fe7481..bdca9b8d5 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -66,6 +66,12 @@ so-telegraf: - {{ XTRAHOST }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-telegraf'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - x509: telegraf_crt diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls index cf87946af..0c7b98fb9 100644 --- a/salt/zeek/enabled.sls +++ b/salt/zeek/enabled.sls @@ -18,9 +18,12 @@ so-zeek: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - start: True - privileged: True + {% if DOCKER.containers['so-zeek'].ulimits %} - ulimits: - - core=0 - - nofile=1048576:1048576 + {% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw - /nsm/zeek/spool:/nsm/zeek/spool:rw