dont run curator on searchnode if truecluster is enabled - https://github.com/Security-Onion-Solutions/securityonion/issues/2806

salt/curator/init.sls

@@ -6,6 +6,7 @@
 {% set MANAGER = salt['grains.get']('master') %}
 {% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone'] %}
   {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
+  {% from "curator/map.jinja" import CURATOROPTIONS with context %}
 # Curator
 # Create the group
 curatorgroup:
@@ -118,8 +119,10 @@ so-curatordeletecron:
    - dayweek: '*'
 
 so-curator:
-  docker_container.running:
+  docker_container.{{ CURATOROPTIONS.status }}:
+  {% if CURATOROPTIONS.status == 'running' %}
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }}
+    - start: {{ CURATOROPTIONS.start }}
     - hostname: curator
     - name: so-curator
     - user: curator
@@ -129,11 +132,27 @@ so-curator:
       - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro
       - /opt/so/conf/curator/action/:/etc/curator/action:ro
       - /opt/so/log/curator:/var/log/curator:rw
+  {% else %}
+    - force: True
+  {% endif %}
 
 append_so-curator_so-status.conf:
   file.append:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-curator
+    - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
+
+  {% if not CURATOROPTIONS.start %}
+so-curator_so-status.disabled:
+  file.comment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-curator$
+  {% else %}
+delete_so-curator_so-status.disabled:
+  file.uncomment:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - regex: ^so-curator$
+  {% endif %}
 
 # Begin Curator Cron Jobs
 

salt/curator/map.jinja

@@ -0,0 +1,12 @@
+{% set CURATOROPTIONS = {} %}
+{% set ENABLED = salt['pillar.get']('curator:enabled', True) %}
+{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
+
+# don't start the docker container if searchnode and true clustering is enabled or disabled via pillar
+{% if (grains.id.split('_')|last == 'searchnode' and TRUECLUSTER) or not ENABLED %}
+  {% do CURATOROPTIONS.update({'start': False}) %}
+  {% do CURATOROPTIONS.update({'status': 'absent'}) %}
+{% else %}
+  {% do CURATOROPTIONS.update({'start': True}) %}
+  {% do CURATOROPTIONS.update({'status': 'running'}) %}
+{% endif %}

salt/top.sls

@@ -11,7 +11,6 @@
 {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
 {% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
 {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
-{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
 {% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
@@ -127,9 +126,7 @@ base:
     {%- if FILEBEAT %}
     - filebeat
     {%- endif %}
-    {%- if CURATOR %}
     - curator
-    {%- endif %}
     {%- if ELASTALERT %}
     - elastalert
     {%- endif %}
@@ -265,9 +262,7 @@ base:
     {%- if FILEBEAT %}
     - filebeat
     {%- endif %}
-    {%- if CURATOR %}
     - curator
-    {%- endif %}
     {%- if ELASTALERT %}
     - elastalert
     {%- endif %}
@@ -310,9 +305,7 @@ base:
     {%- if LOGSTASH %}
     - logstash
     {%- endif %}
-    {%- if CURATOR %}
     - curator
-    {%- endif %}
     {%- if FILEBEAT %}
     - filebeat
     {%- endif %}
@@ -354,9 +347,7 @@ base:
     {%- if REDIS %}
     - redis
     {%- endif %}
-    {%- if CURATOR %}
     - curator
-    {%- endif %}
     {%- if KIBANA %}
     - kibana
     {%- endif %}
@@ -409,9 +400,7 @@ base:
     {%- if REDIS %}
     - redis
     {%- endif %}
-    {%- if CURATOR %}
     - curator
-    {%- endif %}
     {%- if FILEBEAT %}
     - filebeat
     {%- endif %}