Merge branch 'dev' into logrotate-fix

2026-03-06 12:56:24 +01:00 · 2021-01-22 15:20:55 -05:00
parent 249651edc7 2159914742
commit 59a4b148bc
51 changed files with 602 additions and 366 deletions
--- a/salt/common/files/99-reserved-ports.conf
+++ b/salt/common/files/99-reserved-ports.conf
@@ -0,0 +1 @@
+net.ipv4.ip_local_reserved_ports="55000,57314"
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -1,7 +1,5 @@
-{% set show_top = salt['state.show_top']() %}
-{% set top_states = show_top.values() | join(', ') %}
-
-{% if 'common' in top_states %}
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}

 {% set role = grains.id.split('_') | last %}

@@ -258,10 +256,21 @@ docker:
    - watch:
      - file: docker_daemon

+# Reserve OS ports for Docker proxy in case boot settings are not already applied/present
+dockerapplyports:
+    cmd.run:
+      - name: if [ ! -f /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi
+
+# Reserve OS ports for Docker proxy
+dockerreserveports:
+  file.managed:
+    - source: salt://common/files/99-reserved-ports.conf
+    - name: /etc/sysctl.d/99-reserved-ports.conf
+
 {% else %}

-common_state_not_allowed:
+{{sls}}_state_not_allowed:
  test.fail_without_changes:
-    - name: common_state_not_allowed
+    - name: {{sls}}_state_not_allowed

 {% endif %}
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -16,7 +16,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 # NOTE: This script depends on so-common
-IMAGEREPO=securityonion
+IMAGEREPO=security-onion-solutions

 container_list() {
  MANAGERCHECK=$1
@@ -103,7 +103,7 @@ update_docker_containers() {
  local PROGRESS_CALLBACK=$3
  local LOG_FILE=$4

-  local CONTAINER_REGISTRY=quay.io
+  local CONTAINER_REGISTRY=ghcr.io
  local SIGNPATH=/root/sosigs
  
  if [ -z "$CURLTYPE" ]; then
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -48,9 +48,15 @@ if ! docker ps | grep -q so-tcpreplay; then
  echo

  if is_manager_node; then
-	  TRUSTED_CONTAINERS=("so-tcpreplay")
-	  mkdir -p /opt/so/log/tcpreplay
-	  update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log"
+  	set_version
+  	if ! docker images | grep so-tcpreplay | grep ":5000" | grep -q $VERSION ; then
+  		echo "Pulling so-tcpreplay image"
+		  TRUSTED_CONTAINERS=("so-tcpreplay")
+		  mkdir -p /opt/so/log/tcpreplay
+		  update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log"
+		else
+			echo "so-tcpreplay image exists."
+		fi
 	fi
 	if is_sensor_node; then
 		if ! is_manager_node; then
				`@@ -0,0 +1 @@`
				`net.ipv4.ip_local_reserved_ports="55000,57314"`