CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

update bootstrap-salt to latest

Browse Source
This commit is contained in:
Josh Patterson
2025-11-12 18:07:14 -05:00
parent be11c718f6
commit 3427df2a54
1 changed files with 78 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
salt/salt/scripts/bootstrap-salt.sh
View File

@@ -26,7 +26,7 @@
#======================================================================================================================
set -o nounset # Treat unset variables as an error
__ScriptVersion="2025.02.24"
__ScriptVersion="2025.09.03"
__ScriptName="bootstrap-salt.sh"
__ScriptFullName="$0"
@@ -48,6 +48,7 @@ __ScriptArgs="$*"
# * BS_GENTOO_USE_BINHOST: If 1 add `--getbinpkg` to gentoo's emerge
# * BS_SALT_MASTER_ADDRESS: The IP or DNS name of the salt-master the minion should connect to
# * BS_SALT_GIT_CHECKOUT_DIR: The directory where to clone Salt on git installations
# * BS_TMP_DIR: The directory to use for executing the installation (defaults to /tmp)
#======================================================================================================================
@@ -171,12 +172,12 @@ __check_config_dir() {
case "$CC_DIR_NAME" in
http://*|https://*)
__fetch_url "/tmp/${CC_DIR_BASE}" "${CC_DIR_NAME}"
CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
__fetch_url "${_TMP_DIR}/${CC_DIR_BASE}" "${CC_DIR_NAME}"
CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
;;
ftp://*)
__fetch_url "/tmp/${CC_DIR_BASE}" "${CC_DIR_NAME}"
CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
__fetch_url "${_TMP_DIR}/${CC_DIR_BASE}" "${CC_DIR_NAME}"
CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
;;
*://*)
echoerror "Unsupported URI scheme for $CC_DIR_NAME"
@@ -194,22 +195,22 @@ __check_config_dir() {
case "$CC_DIR_NAME" in
*.tgz|*.tar.gz)
tar -zxf "${CC_DIR_NAME}" -C /tmp
tar -zxf "${CC_DIR_NAME}" -C ${_TMP_DIR}
CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tgz")
CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.gz")
CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
;;
*.tbz|*.tar.bz2)
tar -xjf "${CC_DIR_NAME}" -C /tmp
tar -xjf "${CC_DIR_NAME}" -C ${_TMP_DIR}
CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tbz")
CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.bz2")
CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
;;
*.txz|*.tar.xz)
tar -xJf "${CC_DIR_NAME}" -C /tmp
tar -xJf "${CC_DIR_NAME}" -C ${_TMP_DIR}
CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".txz")
CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.xz")
CC_DIR_NAME="/tmp/${CC_DIR_BASE}"
CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}"
;;
esac
@@ -245,6 +246,7 @@ __check_unparsed_options() {
#----------------------------------------------------------------------------------------------------------------------
_KEEP_TEMP_FILES=${BS_KEEP_TEMP_FILES:-$BS_FALSE}
_TEMP_CONFIG_DIR="null"
_TMP_DIR=${BS_TMP_DIR:-"/tmp"}
_SALTSTACK_REPO_URL="https://github.com/saltstack/salt.git"
_SALT_REPO_URL=${_SALTSTACK_REPO_URL}
_TEMP_KEYS_DIR="null"
@@ -281,7 +283,7 @@ _SIMPLIFY_VERSION=$BS_TRUE
_LIBCLOUD_MIN_VERSION="0.14.0"
_EXTRA_PACKAGES=""
_HTTP_PROXY=""
_SALT_GIT_CHECKOUT_DIR=${BS_SALT_GIT_CHECKOUT_DIR:-/tmp/git/salt}
_SALT_GIT_CHECKOUT_DIR=${BS_SALT_GIT_CHECKOUT_DIR:-${_TMP_DIR}/git/salt}
_NO_DEPS=$BS_FALSE
_FORCE_SHALLOW_CLONE=$BS_FALSE
_DISABLE_SSL=$BS_FALSE
@@ -367,7 +369,7 @@ __usage() {
also be specified. Salt installation will be ommitted, but some of the
dependencies could be installed to write configuration with -j or -J.
-d Disables checking if Salt services are enabled to start on system boot.
You can also do this by touching /tmp/disable_salt_checks on the target
You can also do this by touching ${BS_TMP_DIR}/disable_salt_checks on the target
host. Default: \${BS_FALSE}
-D Show debug output
-f Force shallow cloning for git installations.
@@ -424,6 +426,9 @@ __usage() {
-r Disable all repository configuration performed by this script. This
option assumes all necessary repository configuration is already present
on the system.
-T If set this overrides the use of /tmp for script execution. This is
to allow for systems in which noexec is applied to temp filesystem mounts
for security reasons
-U If set, fully upgrade the system prior to bootstrapping Salt
-v Display script version
-V Install Salt into virtualenv
@@ -436,7 +441,7 @@ __usage() {
EOT
} # ---------- end of function __usage ----------
while getopts ':hvnDc:g:Gx:k:s:MSWNXCPFUKIA:i:Lp:dH:bflV:J:j:rR:aqQ' opt
while getopts ':hvnDc:g:Gx:k:s:MSWNXCPFUKIA:i:Lp:dH:bflV:J:j:rR:T:aqQ' opt
do
case "${opt}" in
@@ -478,6 +483,7 @@ do
a ) _PIP_ALL=$BS_TRUE ;;
r ) _DISABLE_REPOS=$BS_TRUE ;;
R ) _CUSTOM_REPO_URL=$OPTARG ;;
T ) _TMP_DIR="$OPTARG" ;;
J ) _CUSTOM_MASTER_CONFIG=$OPTARG ;;
j ) _CUSTOM_MINION_CONFIG=$OPTARG ;;
q ) _QUIET_GIT_INSTALLATION=$BS_TRUE ;;
@@ -495,10 +501,10 @@ done
shift $((OPTIND-1))
# Define our logging file and pipe paths
LOGFILE="/tmp/$( echo "$__ScriptName" | sed s/.sh/.log/g )"
LOGPIPE="/tmp/$( echo "$__ScriptName" | sed s/.sh/.logpipe/g )"
LOGFILE="${_TMP_DIR}/$( echo "$__ScriptName" | sed s/.sh/.log/g )"
LOGPIPE="${_TMP_DIR}/$( echo "$__ScriptName" | sed s/.sh/.logpipe/g )"
# Ensure no residual pipe exists
rm "$LOGPIPE" 2>/dev/null
rm -f "$LOGPIPE" 2>/dev/null
# Create our logging pipe
# On FreeBSD we have to use mkfifo instead of mknod
@@ -534,7 +540,7 @@ exec 2>"$LOGPIPE"
# 14 SIGALRM
# 15 SIGTERM
#----------------------------------------------------------------------------------------------------------------------
APT_ERR=$(mktemp /tmp/apt_error.XXXXXX)
APT_ERR=$(mktemp ${_TMP_DIR}/apt_error.XXXXXX)
__exit_cleanup() {
EXIT_CODE=$?
@@ -927,6 +933,11 @@ if [ -d "${_VIRTUALENV_DIR}" ]; then
exit 1
fi
# Make sure the designated temp directory exists
if [ ! -d "${_TMP_DIR}" ]; then
mkdir -p "${_TMP_DIR}"
fi
#--- FUNCTION -------------------------------------------------------------------------------------------------------
# NAME: __fetch_url
# DESCRIPTION: Retrieves a URL and writes it to a given path
@@ -1941,11 +1952,6 @@ __wait_for_apt(){
# Timeout set at 15 minutes
WAIT_TIMEOUT=900
## see if sync'ing the clocks helps
if [ -f /usr/sbin/hwclock ]; then
/usr/sbin/hwclock -s
fi
# Run our passed in apt command
"${@}" 2>"$APT_ERR"
APT_RETURN=$?
@@ -1996,14 +2002,14 @@ __apt_get_upgrade_noinput() {
#----------------------------------------------------------------------------------------------------------------------
__temp_gpg_pub() {
if __check_command_exists mktemp; then
tempfile="$(mktemp /tmp/salt-gpg-XXXXXXXX.pub 2>/dev/null)"
tempfile="$(mktemp ${_TMP_DIR}/salt-gpg-XXXXXXXX.pub 2>/dev/null)"
if [ -z "$tempfile" ]; then
echoerror "Failed to create temporary file in /tmp"
echoerror "Failed to create temporary file in ${_TMP_DIR}"
return 1
fi
else
tempfile="/tmp/salt-gpg-$$.pub"
tempfile="${_TMP_DIR}/salt-gpg-$$.pub"
fi
echo $tempfile
@@ -2043,7 +2049,7 @@ __rpm_import_gpg() {
__fetch_url "$tempfile" "$url" || return 1
# At least on CentOS 8, a missing newline at the end causes:
# error: /tmp/salt-gpg-n1gKUb1u.pub: key 1 not an armored public key.
# error: ${_TMP_DIR}/salt-gpg-n1gKUb1u.pub: key 1 not an armored public key.
# shellcheck disable=SC1003,SC2086
sed -i -e '$a\' $tempfile
@@ -2109,7 +2115,7 @@ __git_clone_and_checkout() {
fi
__SALT_GIT_CHECKOUT_PARENT_DIR=$(dirname "${_SALT_GIT_CHECKOUT_DIR}" 2>/dev/null)
__SALT_GIT_CHECKOUT_PARENT_DIR="${__SALT_GIT_CHECKOUT_PARENT_DIR:-/tmp/git}"
__SALT_GIT_CHECKOUT_PARENT_DIR="${__SALT_GIT_CHECKOUT_PARENT_DIR:-${_TMP_DIR}/git}"
__SALT_CHECKOUT_REPONAME="$(basename "${_SALT_GIT_CHECKOUT_DIR}" 2>/dev/null)"
__SALT_CHECKOUT_REPONAME="${__SALT_CHECKOUT_REPONAME:-salt}"
[ -d "${__SALT_GIT_CHECKOUT_PARENT_DIR}" ] || mkdir "${__SALT_GIT_CHECKOUT_PARENT_DIR}"
@@ -2162,7 +2168,7 @@ __git_clone_and_checkout() {
if [ "$__SHALLOW_CLONE" -eq $BS_TRUE ]; then
# Let's try 'treeless' cloning to speed up. Treeless cloning omits trees and blobs ('files')
# but includes metadata (commit history, tags, branches etc.
# but includes metadata (commit history, tags, branches etc.
# Test for "--filter" option introduced in git 2.19, the minimal version of git where the treeless
# cloning we need actually works
if [ "$(git clone 2>&1 | grep 'filter')" != "" ]; then
@@ -2390,14 +2396,14 @@ __overwriteconfig() {
# Make a tempfile to dump any python errors into.
if __check_command_exists mktemp; then
tempfile="$(mktemp /tmp/salt-config-XXXXXXXX 2>/dev/null)"
tempfile="$(mktemp ${_TMP_DIR}/salt-config-XXXXXXXX 2>/dev/null)"
if [ -z "$tempfile" ]; then
echoerror "Failed to create temporary file in /tmp"
echoerror "Failed to create temporary file in ${_TMP_DIR}"
return 1
fi
else
tempfile="/tmp/salt-config-$$"
tempfile="${_TMP_DIR}/salt-config-$$"
fi
if [ -n "$_PY_EXE" ]; then
@@ -2760,8 +2766,8 @@ __install_salt_from_repo() {
echoinfo "Installing salt using ${_py_exe}, $(${_py_exe} --version)"
cd "${_SALT_GIT_CHECKOUT_DIR}" || return 1
mkdir -p /tmp/git/deps
echodebug "Created directory /tmp/git/deps"
mkdir -p ${_TMP_DIR}/git/deps
echodebug "Created directory ${_TMP_DIR}/git/deps"
if [ ${DISTRO_NAME_L} = "ubuntu" ] && [ "$DISTRO_MAJOR_VERSION" -eq 22 ]; then
echodebug "Ubuntu 22.04 has problem with base.txt requirements file, not parsing sys_platform == 'win32', upgrading from default pip works"
@@ -2774,7 +2780,7 @@ __install_salt_from_repo() {
fi
fi
rm -f /tmp/git/deps/*
rm -f ${_TMP_DIR}/git/deps/*
echodebug "Installing Salt requirements from PyPi, ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --ignore-installed ${_PIP_INSTALL_ARGS} -r requirements/static/ci/py${_py_version}/linux.txt"
${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --ignore-installed ${_PIP_INSTALL_ARGS} -r "requirements/static/ci/py${_py_version}/linux.txt"
@@ -2799,7 +2805,7 @@ __install_salt_from_repo() {
echodebug "Running '${_py_exe} setup.py --salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} bdist_wheel'"
${_py_exe} setup.py --salt-config-dir="$_SALT_ETC_DIR" --salt-cache-dir="${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" bdist_wheel || return 1
mv dist/salt*.whl /tmp/git/deps/ || return 1
mv dist/salt*.whl ${_TMP_DIR}/git/deps/ || return 1
cd "${__SALT_GIT_CHECKOUT_PARENT_DIR}" || return 1
@@ -2813,14 +2819,14 @@ __install_salt_from_repo() {
${_pip_cmd} install --force-reinstall --break-system-packages "${_arch_dep}"
fi
echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} /tmp/git/deps/salt*.whl'"
echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl'"
echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} /tmp/git/deps/salt*.whl"
echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl"
${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \
${_PIP_INSTALL_ARGS} \
--global-option="--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \
/tmp/git/deps/salt*.whl || return 1
${_TMP_DIR}/git/deps/salt*.whl || return 1
echoinfo "Checking if Salt can be imported using ${_py_exe}"
CHECK_SALT_SCRIPT=$(cat << EOM
@@ -6295,8 +6301,8 @@ __get_packagesite_onedir_latest() {
}
__install_saltstack_photon_onedir_repository() {
echodebug "__install_saltstack_photon_onedir_repository() entry"
__install_saltstack_vmware_photon_os_onedir_repository() {
echodebug "__install_saltstack_vmware_photon_os_onedir_repository() entry"
if [ -n "$_PY_EXE" ] && [ "$_PY_MAJOR_VERSION" -ne 3 ]; then
echoerror "Python version is no longer supported, only Python 3"
@@ -6376,8 +6382,8 @@ __install_saltstack_photon_onedir_repository() {
return 0
}
install_photon_deps() {
echodebug "install_photon_deps() entry"
install_vmware_photon_os_deps() {
echodebug "install_vmware_photon_os_deps() entry"
if [ -n "$_PY_EXE" ] && [ "$_PY_MAJOR_VERSION" -ne 3 ]; then
echoerror "Python version is no longer supported, only Python 3"
@@ -6406,8 +6412,8 @@ install_photon_deps() {
return 0
}
install_photon_stable_post() {
echodebug "install_photon_stable_post() entry"
install_vmware_photon_os_stable_post() {
echodebug "install_vmware_photon_os_stable_post() entry"
for fname in api master minion syndic; do
# Skip salt-api since the service should be opt-in and not necessarily started on boot
@@ -6424,8 +6430,8 @@ install_photon_stable_post() {
done
}
install_photon_git_deps() {
echodebug "install_photon_git_deps() entry"
install_vmware_photon_os_git_deps() {
echodebug "install_vmware_photon_os_git_deps() entry"
if [ -n "$_PY_EXE" ] && [ "$_PY_MAJOR_VERSION" -ne 3 ]; then
echoerror "Python version is no longer supported, only Python 3"
@@ -6463,7 +6469,7 @@ install_photon_git_deps() {
__PACKAGES="python${PY_PKG_VER}-devel python${PY_PKG_VER}-pip python${PY_PKG_VER}-setuptools gcc glibc-devel linux-devel.x86_64 cython${PY_PKG_VER}"
echodebug "install_photon_git_deps() distro major version, ${DISTRO_MAJOR_VERSION}"
echodebug "install_vmware_photon_os_git_deps() distro major version, ${DISTRO_MAJOR_VERSION}"
## Photon 5 container is missing systemd on default installation
if [ "${DISTRO_MAJOR_VERSION}" -lt 5 ]; then
@@ -6489,8 +6495,8 @@ install_photon_git_deps() {
return 0
}
install_photon_git() {
echodebug "install_photon_git() entry"
install_vmware_photon_os_git() {
echodebug "install_vmware_photon_os_git() entry"
if [ "${_PY_EXE}" != "" ]; then
_PYEXE=${_PY_EXE}
@@ -6500,7 +6506,7 @@ install_photon_git() {
return 1
fi
install_photon_git_deps
install_vmware_photon_os_git_deps
if [ -f "${_SALT_GIT_CHECKOUT_DIR}/salt/syspaths.py" ]; then
${_PYEXE} setup.py --salt-config-dir="$_SALT_ETC_DIR" --salt-cache-dir="${_SALT_CACHE_DIR}" ${SETUP_PY_INSTALL_ARGS} install --prefix=/usr || return 1
@@ -6510,8 +6516,8 @@ install_photon_git() {
return 0
}
install_photon_git_post() {
echodebug "install_photon_git_post() entry"
install_vmware_photon_os_git_post() {
echodebug "install_vmware_photon_os_git_post() entry"
for fname in api master minion syndic; do
# Skip if not meant to be installed
@@ -6543,9 +6549,9 @@ install_photon_git_post() {
done
}
install_photon_restart_daemons() {
install_vmware_photon_os_restart_daemons() {
[ "$_START_DAEMONS" -eq $BS_FALSE ] && return
echodebug "install_photon_restart_daemons() entry"
echodebug "install_vmware_photon_os_restart_daemons() entry"
for fname in api master minion syndic; do
@@ -6567,8 +6573,8 @@ install_photon_restart_daemons() {
done
}
install_photon_check_services() {
echodebug "install_photon_check_services() entry"
install_vmware_photon_os_check_services() {
echodebug "install_vmware_photon_os_check_services() entry"
for fname in api master minion syndic; do
# Skip salt-api since the service should be opt-in and not necessarily started on boot
@@ -6585,8 +6591,8 @@ install_photon_check_services() {
return 0
}
install_photon_onedir_deps() {
echodebug "install_photon_onedir_deps() entry"
install_vmware_photon_os_onedir_deps() {
echodebug "install_vmware_photon_os_onedir_deps() entry"
if [ "$_UPGRADE_SYS" -eq $BS_TRUE ]; then
@@ -6600,17 +6606,17 @@ install_photon_onedir_deps() {
fi
if [ "$_DISABLE_REPOS" -eq "$BS_FALSE" ]; then
__install_saltstack_photon_onedir_repository || return 1
__install_saltstack_vmware_photon_os_onedir_repository || return 1
fi
# If -R was passed, we need to configure custom repo url with rsync-ed packages
# Which was handled in __install_saltstack_rhel_repository buu that hanlded old-stable which is for
# releases which are End-Of-Life. This call has its own check in case -r was passed without -R.
if [ "$_CUSTOM_REPO_URL" != "null" ]; then
__install_saltstack_photon_onedir_repository || return 1
__install_saltstack_vmware_photon_os_onedir_repository || return 1
fi
__PACKAGES="procps-ng sudo shadow"
__PACKAGES="procps-ng sudo shadow wget"
# shellcheck disable=SC2086
__tdnf_install_noinput ${__PACKAGES} || return 1
@@ -6626,9 +6632,9 @@ install_photon_onedir_deps() {
}
install_photon_onedir() {
install_vmware_photon_os_onedir() {
echodebug "install_photon_onedir() entry"
echodebug "install_vmware_photon_os_onedir() entry"
STABLE_REV=$ONEDIR_REV
_GENERIC_PKG_VERSION=""
@@ -6672,9 +6678,9 @@ install_photon_onedir() {
return 0
}
install_photon_onedir_post() {
install_vmware_photon_os_onedir_post() {
STABLE_REV=$ONEDIR_REV
install_photon_stable_post || return 1
install_vmware_photon_os_stable_post || return 1
return 0
}
@@ -7797,7 +7803,7 @@ install_macosx_git_deps() {
export PATH=/usr/local/bin:$PATH
fi
__fetch_url "/tmp/get-pip.py" "https://bootstrap.pypa.io/get-pip.py" || return 1
__fetch_url "${_TMP_DIR}/get-pip.py" "https://bootstrap.pypa.io/get-pip.py" || return 1
if [ -n "$_PY_EXE" ]; then
_PYEXE="${_PY_EXE}"
@@ -7807,7 +7813,7 @@ install_macosx_git_deps() {
fi
# Install PIP
$_PYEXE /tmp/get-pip.py || return 1
$_PYEXE ${_TMP_DIR}/get-pip.py || return 1
# shellcheck disable=SC2119
__git_clone_and_checkout || return 1
@@ -7819,9 +7825,9 @@ install_macosx_stable() {
install_macosx_stable_deps || return 1
__fetch_url "/tmp/${PKG}" "${SALTPKGCONFURL}" || return 1
__fetch_url "${_TMP_DIR}/${PKG}" "${SALTPKGCONFURL}" || return 1
/usr/sbin/installer -pkg "/tmp/${PKG}" -target / || return 1
/usr/sbin/installer -pkg "${_TMP_DIR}/${PKG}" -target / || return 1
return 0
}
@@ -7830,9 +7836,9 @@ install_macosx_onedir() {
install_macosx_onedir_deps || return 1
__fetch_url "/tmp/${PKG}" "${SALTPKGCONFURL}" || return 1
__fetch_url "${_TMP_DIR}/${PKG}" "${SALTPKGCONFURL}" || return 1
/usr/sbin/installer -pkg "/tmp/${PKG}" -target / || return 1
/usr/sbin/installer -pkg "${_TMP_DIR}/${PKG}" -target / || return 1
return 0
}