From 591616fe5b8fa675696b6c7c91054c7b15fc768b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 15 Nov 2022 11:05:17 -0500 Subject: [PATCH] Add statics to all containers --- salt/docker/defaults.yaml | 8 ++++++-- salt/elastic-fleet/init.sls | 4 ++++ salt/filebeat/init.sls | 4 ++++ salt/grafana/init.sls | 6 ++++-- salt/idh/init.sls | 1 + salt/idstools/init.sls | 4 ++++ salt/influxdb/init.sls | 4 ++++ salt/kibana/init.sls | 7 ++++--- salt/kratos/init.sls | 4 ++++ salt/logstash/init.sls | 23 +++++++++++++---------- salt/mysql/init.sls | 5 ++++- salt/nginx/init.sls | 4 ++++ salt/playbook/init.sls | 5 ++++- salt/redis/init.sls | 5 ++++- salt/registry/init.sls | 4 ++++ salt/soctopus/init.sls | 5 ++++- salt/strelka/init.sls | 20 +++++++++++++++++++- 17 files changed, 91 insertions(+), 22 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index fdfb6ff70..fee8a5951 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -6,7 +6,7 @@ docker: containers: 'registry': final_octet: 20 - 'so-elastic-agent': + 'so-elastic-fleet': final_octet: 21 'so-elasticsearch': final_octet: 22 @@ -14,7 +14,7 @@ docker: final_octet: 23 'so-grafana': final_octet: 24 - 'so-idh': + 'so-idstools': final_octet: 25 'so-influxdb': final_octet: 26 @@ -44,3 +44,7 @@ docker: final_octet: 38 'so-strelka-manager': final_octet: 39 + 'so-strelka-gatekeeper': + final_octet: 40 + 'so-strelka-coordinator': + final_octet: 41 diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 4b985c23f..45d15ad58 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -4,6 +4,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} # These values are generated during node install and stored in minion pillar {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} 
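Review bot: Renaming the `'so-elastic-agent'` and `'so-idh'` keys drops those entries instead of adding new ones, so any state that still indexes `DOCKER.containers['so-idh']` or `DOCKER.containers['so-elastic-agent']` will fail at render time; the idh state touched later in this same patch imports docker/defaults.yaml but no longer has a key to look up. If both old containers still exist, keep their entries and give `'so-elastic-fleet'` and `'so-idstools'` fresh octets rather than reusing 21 and 25. A header comment above `containers:` would make the contract explicit: `# final_octet must be unique per container and inside the sosnet subnet; the key must match the DOCKER.containers[...] lookup in that container's state`. It is also worth confirming (not visible here) that sosnet's IPAM range excludes .20–.41, otherwise a dynamically addressed container can take one of these addresses first and the static one then fails to start.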
@@ -47,6 +48,9 @@ so-elastic-fleet: - hostname: Fleet-{{ GLOBALS.hostname }} - detach: True - user: 947 + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 3eed07696..908deba14 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} @@ -97,6 +98,9 @@ so-filebeat: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-filebeat:{{ GLOBALS.so_version }} - hostname: so-filebeat - user: root + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }} - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }} - binds: - /nsm:/nsm:ro diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index f20cdffff..901a8b6f7 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -1,8 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} - - +{% from 'docker/docker.map.jinja' import DOCKER %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %} @@ -126,6 +125,9 @@ so-grafana: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-grafana:{{ GLOBALS.so_version }} - hostname: grafana - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} - binds: - /nsm/grafana:/var/lib/grafana:rw - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro 
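Review bot: The templated scalar `- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}` is unquoted, so if the map ever renders it empty the key becomes YAML `null` rather than a clear error; quoting it, `- ipv4_address: "{{ DOCKER.containers['so-elastic-fleet'].ip }}"`, keeps the value a string in every case. Salt's Jinja renderer is believed to use StrictUndefined, which would catch a missing key before YAML parsing, but an empty `ip` value in the map would not be caught that way. The same `networks`/`sosnet`/`ipv4_address` block is added unquoted in every other container hunk of this patch (filebeat, grafana, idstools, influxdb, kibana, kratos, logstash, mysql, nginx, playbook, redis, registry, soctopus and the seven strelka containers), so the fix applies uniformly.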
diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 1d0d640f4..2cf22c358 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 8a7aa6500..418ecec28 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -4,6 +4,7 @@ # Elastic License 2.0. {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set proxy = salt['pillar.get']('manager:proxy') %} @@ -31,6 +32,9 @@ so-idstools: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }} - hostname: so-idstools - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }} {% if proxy %} - environment: - http_proxy={{ proxy }} diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 321ce76d6..33aa87769 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,5 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} @@ -47,6 +48,9 @@ so-influxdb: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }} - hostname: influxdb + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - environment: - INFLUXDB_HTTP_LOG_ENABLED=false - binds: 
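Review bot: `{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}` is inconsistent with every other state in this patch, which imports `DOCKER` from `docker/docker.map.jinja`, and the diffstat shows idh/init.sls gains only this one line, so `DOCKERDEFAULTS` appears to be imported and never used. The `'so-idh'` key it would look up is also removed from docker/defaults.yaml in this same patch. Either switch to `{% from 'docker/docker.map.jinja' import DOCKER %}` and add a `networks` block like the other containers (with a `'so-idh'` entry restored in defaults.yaml), or drop the import until the idh container is actually given a static address. The rest of the idh state is outside this hunk, so a use of DOCKERDEFAULTS elsewhere cannot be fully ruled out from here.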
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 9aac6bc37..9f45e2376 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -5,12 +5,10 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - - {% import_yaml 'kibana/defaults.yaml' as default_settings %} {% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %} - {% from 'kibana/config.map.jinja' import KIBANACONFIG with context %} # Add ES Group @@ -84,6 +82,9 @@ so-kibana: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }} - hostname: kibana - user: kibana + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} - environment: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index 6f3f3e19d..b58ecc8fa 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} # Add Kratos Group @@ -58,6 +59,9 @@ so-kratos: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }} - hostname: kratos - name: so-kratos + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} - binds: - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index bf4d03984..481f727e4 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -6,19 +6,19 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'logstash/map.jinja' import REDIS_NODES with context %} +{% from 'vars/globals.map.jinja' import GLOBALS %} - {% from 'logstash/map.jinja' import REDIS_NODES with context %} - {% from 'vars/globals.map.jinja' import GLOBALS %} - - # Logstash Section - Decide which pillar to use - {% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} - {% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} +# Logstash Section - Decide which pillar to use +{% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} +{% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} {% set nodetype = GLOBALS.role %} - {% endif %} +{% endif %} - {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} - {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} - {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} +{% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} +{% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} +{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} include: - ssl @@ -139,6 +139,9 @@ so-logstash: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - hostname: so-logstash - name: so-logstash + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {{ REDIS_NODES }} - environment: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 04ab5b140..e9766ea83 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -5,8 +5,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') %} # MySQL Setup @@ -84,6 +84,9 @@ so-mysql: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-mysql:{{ GLOBALS.so_version }} - hostname: so-mysql - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} - port_bindings: - 0.0.0.0:3306:3306 - environment: diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 201a35704..69fc541fa 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,6 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - ssl @@ -83,6 +84,9 @@ so-nginx: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - hostname: so-nginx + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/log/nginx/:/var/log/nginx:rw diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 75b6b5b2e..6784422c3 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -5,8 +5,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db') -%} 
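Review bot: With so-mysql now pinned to a sosnet address, the `0.0.0.0:3306:3306` publish directly below the new `networks` block still exposes MySQL on every host interface; if its only consumers are other containers on sosnet (not confirmable from this hunk), the publish could be narrowed to the node IP or dropped in a follow-up. Until then a comment next to the new block, such as `# static sosnet address for in-network clients; host publish on 3306 retained for <reason>`, would record why both are needed. The same question applies to so-redis (6379/9696) in the redis hunk and to the strelka coordinator/gatekeeper (6380/6381) in the strelka hunks.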
@@ -80,6 +80,9 @@ so-playbook: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-playbook:{{ GLOBALS.so_version }} - hostname: playbook - name: so-playbook + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw - environment: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 1a353a1f0..a481c989d 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -46,6 +46,9 @@ so-redis: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - hostname: so-redis - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - port_bindings: - 0.0.0.0:6379:6379 - 0.0.0.0:9696:9696 diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 76ccbf070..c4ffc4800 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -1,5 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - ssl @@ -37,6 +38,9 @@ so-dockerregistry: docker_container.running: - image: ghcr.io/security-onion-solutions/registry:latest - hostname: so-registry + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['registry'].ip }} - restart_policy: always - port_bindings: - 0.0.0.0:5000:5000 diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index a2cba07ad..13559c626 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,6 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
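Review bot: In the registry hunk the lookup `DOCKER.containers['registry'].ip` uses a key that matches neither the state id `so-dockerregistry` nor the hostname `so-registry`, while every other container in this patch is keyed by its `so-` name; that makes this the one entry a maintainer cannot find by grepping the container name. Renaming the defaults.yaml key to `'so-registry'` would be the consistent fix; if the bare `'registry'` key is relied on elsewhere, a comment on the new line, `# defaults.yaml key is 'registry', not 'so-registry'`, at least flags the exception.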
@@ -63,6 +63,9 @@ so-soctopus: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soctopus:{{ GLOBALS.so_version }} - hostname: soctopus - name: so-soctopus + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-soctopus'].ip }} - binds: - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index e3477dd9e..00bc33223 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% import_yaml 'strelka/defaults.yaml' as strelka_config with context %} @@ -152,6 +152,9 @@ strelka_coordinator: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-coordinator + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - port_bindings: - 0.0.0.0:6380:6379 @@ -165,6 +168,9 @@ strelka_gatekeeper: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-gatekeeper + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: - 0.0.0.0:6381:6379 @@ -182,6 +188,9 @@ strelka_frontend: - /nsm/strelka/log/:/var/log/strelka/:rw - privileged: True - name: so-strelka-frontend + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - port_bindings: - 0.0.0.0:57314:57314 
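Review bot: The strelka hunks look up `so-strelka-frontend`, `so-strelka-backend` and `so-strelka-filestream` (and `so-strelka-manager`), but this patch only adds `so-strelka-gatekeeper` and `so-strelka-coordinator` to docker/defaults.yaml; the defaults lines between octets 26 and 38 are outside the diff, so those three keys may already exist, but if any is missing the whole strelka state fails to render. Worth verifying against docker/defaults.yaml before merge, and the filebeat, soctopus and other `so-` keys used in the earlier hunks deserve the same check.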
@@ -198,6 +207,9 @@ strelka_backend: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/:/etc/yara/:ro - name: so-strelka-backend + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - command: strelka-backend - restart_policy: on-failure @@ -212,6 +224,9 @@ strelka_manager: - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager append_so-strelka-manager_so-status.conf: @@ -226,6 +241,9 @@ strelka_filestream: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka - name: so-strelka-filestream + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream append_so-strelka-filestream_so-status.conf: