From 10ae53f1089637a91b752258b1b53a0fa717badd Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 29 Oct 2025 10:23:44 -0400
Subject: [PATCH 1/8] upgrade salt 3006.16
---
 salt/salt/master.defaults.yaml | 2 +-
 salt/salt/minion.defaults.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml
index 8e1a618fd..9dfe8587f 100644
--- a/salt/salt/master.defaults.yaml
+++ b/salt/salt/master.defaults.yaml
@@ -1,4 +1,4 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
 master:
- version: '3006.9'
+ version: '3006.16'
diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml
index 7ec839950..e897313d2 100644
--- a/salt/salt/minion.defaults.yaml
+++ b/salt/salt/minion.defaults.yaml
@@ -1,5 +1,5 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
 minion:
- version: '3006.9'
+ version: '3006.16'
 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
From 6d12a8bfa16b5f9438e7457d0b1143af361e00ed Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 29 Oct 2025 15:31:46 -0400
Subject: [PATCH 2/8] handle salt-cloud upgrade during soup
---
 salt/manager/tools/sbin/soup | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 952645c61..3bc4e9ca9 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1265,19 +1265,36 @@ upgrade_salt() {
 echo ""
 # If rhel family
 if [[ $is_rpm ]]; then
+ # Check if salt-cloud is installed
+ local salt_cloud_installed=false
+ if rpm -q salt-cloud &>/dev/null; then
+ salt_cloud_installed=true
+ fi
+
 echo "Removing yum versionlock for Salt."
 echo ""
 yum versionlock delete "salt"
 yum versionlock delete "salt-minion"
 yum versionlock delete "salt-master"
+ # Remove salt-cloud versionlock if installed
+ if [[ $salt_cloud_installed == true ]]; then
+ yum versionlock delete "salt-cloud"
+ fi
 echo "Updating Salt packages."
 echo ""
 set +e
 # if oracle run with -r to ignore repos set by bootstrap
 if [[ $OS == 'oracle' ]]; then
- run_check_net_err \
- "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
- "Could not update salt, please check $SOUP_LOG for details."
+ # Add -L flag only if salt-cloud is already installed
+ if [[ $salt_cloud_installed == true ]]; then
+ run_check_net_err \
+ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
+ "Could not update salt, please check $SOUP_LOG for details."
+ else
+ run_check_net_err \
+ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
+ "Could not update salt, please check $SOUP_LOG for details."
+ fi
 # if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
 else
 run_check_net_err \
@@ -1290,6 +1307,10 @@ upgrade_salt() {
 yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
 yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
 yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
+ # Add salt-cloud versionlock if installed
+ if [[ $salt_cloud_installed == true ]]; then
+ yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
+ fi
 # Else do Ubuntu things
 elif [[ $is_deb ]]; then
 echo "Removing apt hold for Salt."
From 30970acfafd18d8ba1588b5e66bf6e0104253259 Mon Sep 17 00:00:00 2001
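Review bot: `-L` is added only inside the `$OS == 'oracle'` branch, but the salt-cloud versionlock is deleted above and re-added for `$NEWSALTVERSION` in the hunk at -1290 on every rpm host where `rpm -q salt-cloud` succeeds. The non-Oracle `else` branch continues outside this hunk; if it still runs bootstrap-salt.sh without `-L`, salt-cloud could be left on the old release, or hold back the transaction, while the lock names the new one. Building the flag once, e.g. `local cloud_flag=""; [[ $salt_cloud_installed == true ]] && cloud_flag="-L"`, and passing `$cloud_flag` in each bootstrap call would cover both branches and remove the duplicated `run_check_net_err` block.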
From: Josh Patterson
Date: Wed, 29 Oct 2025 16:05:12 -0400
Subject: [PATCH 3/8] var for SALTVERSION in cloud config
---
 salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja | 2 +-
 salt/salt/cloud/config.sls | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
index 025e23d89..23fd15983 100644
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja
@@ -14,7 +14,7 @@ sool9_{{host}}:
 private_key: /etc/ssh/auth_keys/soqemussh/id_ecdsa
 sudo: True
 deploy_command: sh /tmp/.saltcloud-*/deploy.sh
- script_args: -r -F -x python3 stable 3006.9
+ script_args: -r -F -x python3 stable {{ SALTVERSION }}
 minion:
 master: {{ grains.host }}
 master_port: 4506
diff --git a/salt/salt/cloud/config.sls b/salt/salt/cloud/config.sls
index dfbfda56b..8dfbf325e 100644
--- a/salt/salt/cloud/config.sls
+++ b/salt/salt/cloud/config.sls
@@ -13,6 +13,7 @@
 {% if '.'.join(sls.split('.')[:2]) in allowed_states %}
 {% if 'vrt' in salt['pillar.get']('features', []) %}
 {% set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
+{% from 'salt/map.jinja' import SALTVERSION %}
 {% if HYPERVISORS %}
 cloud_providers:
@@ -32,6 +33,7 @@ cloud_profiles:
 HYPERVISORS: {{HYPERVISORS}}
 MANAGERHOSTNAME: {{ grains.host }}
 MANAGERIP: {{ pillar.host.mainip }}
+ SALTVERSION: {{ SALTVERSION }}
 - template: jinja
 - makedirs: True
 {% endif %}
From 1949be90c23a19611c54d3efa69c5028f735d29f Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Wed, 29 Oct 2025 16:49:59 -0400
Subject: [PATCH 4/8] allow to preserve files
---
 salt/common/tools/sbin/so-common | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 365852e63..ba2cb5ae7 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
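Review bot: In socloud.conf.jinja, `script_args` now ends in whatever `SALTVERSION` renders to, and nothing in the template fails when that value is missing. Depending on how the renderer treats an undefined variable, the line could come out as `-r -F -x python3 stable` with no version, which bootstrap-salt.sh would presumably read as the latest stable release and so bring new VMs up on an unpinned Salt. Failing the render when the value is empty keeps the pin explicit, for example with Salt's `raise` Jinja helper: `{% if not SALTVERSION %}{{ raise('SALTVERSION is not set') }}{% endif %}`. A short comment beside `script_args` saying the value comes from `salt/map.jinja` through `salt.cloud.config` would help the next reader.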
@@ -220,12 +220,22 @@ compare_es_versions() {
 }
 copy_new_files() {
+ # Define files to exclude from deletion (relative to their respective base directories)
+ local EXCLUDE_FILES=(
+ "salt/hypervisor/soc_hypervisor.yaml"
+ )
+
+ # Build rsync exclude arguments
+ local EXCLUDE_ARGS=()
+ for file in "${EXCLUDE_FILES[@]}"; do
+ EXCLUDE_ARGS+=(--exclude="$file")
+ done
+
 # Copy new files over to the salt dir
 cd $UPDATE_DIR
- rsync -a salt $DEFAULT_SALT_DIR/ --delete
- rsync -a pillar $DEFAULT_SALT_DIR/ --delete
+ rsync -a salt $DEFAULT_SALT_DIR/ --delete "${EXCLUDE_ARGS[@]}"
+ rsync -a pillar $DEFAULT_SALT_DIR/ --delete "${EXCLUDE_ARGS[@]}"
 chown -R socore:socore $DEFAULT_SALT_DIR/
- chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh
 cd /tmp
 }
From 70d4223a7588121ec1c5283646eb09433760de0b Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 30 Oct 2025 13:13:16 -0400
Subject: [PATCH 5/8] update salt-cloud config if salt was upgraded
---
 salt/manager/tools/sbin/soup | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 3bc4e9ca9..8f399707c 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -1345,6 +1345,10 @@ upgrade_salt() {
 else
 echo "Salt upgrade success."
 echo ""
+ if [[ $salt_cloud_installed == true ]]; then
+ echo "Updating salt-cloud config to use the new Salt version"
+ salt-call state.apply salt.cloud.config pillar='{"passedVersion": "'$NEWSALTVERSION'"}' concurrent=True
+ fi
 fi
 }
From 8ca5276a0e97043564f7a85b91063c05cb1e8ca3 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 30 Oct 2025 13:59:08 -0400
Subject: [PATCH 6/8] update cloud profile with local and point to new code
---
 salt/manager/tools/sbin/soup | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 8f399707c..c5a94af86 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
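Review bot: An `--exclude` rule both protects the receiver's copy from `--delete` and stops the sender's copy from being transferred, so the comment "exclude from deletion" understates what the list does: a `salt/hypervisor/soc_hypervisor.yaml` shipped in `$UPDATE_DIR` will never replace the installed one. The pattern is also unanchored, so it applies to any path ending in that suffix in both the `salt` and `pillar` transfers; a leading slash, `"/salt/hypervisor/soc_hypervisor.yaml"`, ties it to the transfer root. The loop variable `file` is not declared `local` and leaks into the caller's scope; `local file` before the `for` fixes that. The hunk also drops `chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh`, which the commit description does not mention.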
@@ -1347,7 +1347,9 @@ upgrade_salt() {
 echo ""
 if [[ $salt_cloud_installed == true ]]; then
 echo "Updating salt-cloud config to use the new Salt version"
- salt-call state.apply salt.cloud.config pillar='{"passedVersion": "'$NEWSALTVERSION'"}' concurrent=True
+ # neither salt-minion or salt-master is running so we need to run with --local
+ # the Salt upgrade happens before we copy the new code to default so we need to point the file root to the new code
+ salt-call state.apply salt.cloud.config --local --file-root=$UPDATE_DIR/salt pillar='{"passedVersion": "'$NEWSALTVERSION'"}' concurrent=True
 fi
 fi
From 9027e4e06558ba61b6a4a7d58198639dfca33102 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 30 Oct 2025 14:48:48 -0400
Subject: [PATCH 7/8] update salt-cloud profile after new code copied
---
 salt/salt/cloud/config.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/salt/cloud/config.sls b/salt/salt/cloud/config.sls
index 8dfbf325e..8b5e15fe1 100644
--- a/salt/salt/cloud/config.sls
+++ b/salt/salt/cloud/config.sls
@@ -21,7 +21,7 @@ cloud_providers:
 - name: /etc/salt/cloud.providers.d/libvirt.conf
 - source: salt://salt/cloud/cloud.providers.d/libvirt.conf.jinja
 - defaults:
- HYPERVISORS: {{HYPERVISORS}}
+ HYPERVISORS: {{ HYPERVISORS }}
 - template: jinja
 - makedirs: True
@@ -30,7 +30,7 @@ cloud_profiles:
 - name: /etc/salt/cloud.profiles.d/socloud.conf
 - source: salt://salt/cloud/cloud.profiles.d/socloud.conf.jinja
 - defaults:
- HYPERVISORS: {{HYPERVISORS}}
+ HYPERVISORS: {{ HYPERVISORS }}
 MANAGERHOSTNAME: {{ grains.host }}
 MANAGERIP: {{ pillar.host.mainip }}
 SALTVERSION: {{ SALTVERSION }}
From b8c2808abe8629a736efef67c7b8a283b6f1d13d Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Thu, 30 Oct 2025 15:09:40 -0400
Subject: [PATCH 8/8] update salt-cloud profile after new code copied
---
 salt/manager/tools/sbin/soup | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index c5a94af86..8fd3f0b64 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -21,6 +21,8 @@ whiptail_title='Security Onion UPdater'
 NOTIFYCUSTOMELASTICCONFIG=false
 TOPFILE=/opt/so/saltstack/default/salt/top.sls
 BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
+SALTUPGRADED=false
+SALT_CLOUD_INSTALLED=false
 # used to display messages to the user at the end of soup
 declare -a FINAL_MESSAGE_QUEUE=()
@@ -1260,15 +1262,13 @@ upgrade_check_salt() {
 }
 upgrade_salt() {
- SALTUPGRADED=True
 echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
 echo ""
 # If rhel family
 if [[ $is_rpm ]]; then
 # Check if salt-cloud is installed
- local salt_cloud_installed=false
 if rpm -q salt-cloud &>/dev/null; then
- salt_cloud_installed=true
+ SALT_CLOUD_INSTALLED=true
 fi
 echo "Removing yum versionlock for Salt."
@@ -1277,7 +1277,7 @@ upgrade_salt() {
 yum versionlock delete "salt-minion"
 yum versionlock delete "salt-master"
 # Remove salt-cloud versionlock if installed
- if [[ $salt_cloud_installed == true ]]; then
+ if [[ $SALT_CLOUD_INSTALLED == true ]]; then
 yum versionlock delete "salt-cloud"
 fi
 echo "Updating Salt packages."
@@ -1286,7 +1286,7 @@ upgrade_salt() {
 # if oracle run with -r to ignore repos set by bootstrap
 if [[ $OS == 'oracle' ]]; then
 # Add -L flag only if salt-cloud is already installed
- if [[ $salt_cloud_installed == true ]]; then
+ if [[ $SALT_CLOUD_INSTALLED == true ]]; then
 run_check_net_err \
 "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
 "Could not update salt, please check $SOUP_LOG for details."
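Review bot: `SALTUPGRADED` changes spelling in this commit: the assignment removed from `upgrade_salt` (hunk at -1260) set `True`, while the new default in the hunk at -21 is `false` and the success branch (hunk at -1343) sets `true`. Any existing test elsewhere in soup that compares against `True` lies outside these hunks and would silently stop matching, so it is worth grepping for `SALTUPGRADED` before merging. A one-line comment on the two new globals, e.g. `# set by upgrade_salt; read in main once the new code has been copied`, would also record why they are no longer function-local.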
@@ -1308,7 +1308,7 @@ upgrade_salt() {
 yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
 yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
 # Add salt-cloud versionlock if installed
- if [[ $salt_cloud_installed == true ]]; then
+ if [[ $SALT_CLOUD_INSTALLED == true ]]; then
 yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
 fi
 # Else do Ubuntu things
@@ -1343,14 +1343,9 @@ upgrade_salt() {
 echo ""
 exit 1
 else
+ SALTUPGRADED=true
 echo "Salt upgrade success."
 echo ""
- if [[ $salt_cloud_installed == true ]]; then
- echo "Updating salt-cloud config to use the new Salt version"
- # neither salt-minion or salt-master is running so we need to run with --local
- # the Salt upgrade happens before we copy the new code to default so we need to point the file root to the new code
- salt-call state.apply salt.cloud.config --local --file-root=$UPDATE_DIR/salt pillar='{"passedVersion": "'$NEWSALTVERSION'"}' concurrent=True
- fi
 fi
 }
@@ -1592,6 +1587,11 @@ main() {
 # ensure the mine is updated and populated before highstates run, following the salt-master restart
 update_salt_mine
+ if [[ $SALT_CLOUD_INSTALLED == true && $SALTUPGRADED == true ]]; then
+ echo "Updating salt-cloud config to use the new Salt version"
+ salt-call state.apply salt.cloud.config concurrent=True
+ fi
+
 enable_highstate
 echo ""
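Review bot: The exit status of `salt-call state.apply salt.cloud.config concurrent=True` in the `main` hunk is discarded, so a failed run leaves /etc/salt/cloud.profiles.d/socloud.conf with the previous `script_args` version and soup carries on to `enable_highstate` without reporting it. VMs created from that profile afterwards would then be bootstrapped with the old Salt release. Checking the result and queueing a message for the end-of-run summary would make this visible, e.g. `salt-call state.apply salt.cloud.config concurrent=True || FINAL_MESSAGE_QUEUE+=("salt-cloud profile was not updated; check $SOUP_LOG")`. The body of `main` continues outside the hunk.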