Add dynamic ability for IP range for sosnet

This commit is contained in:
Mike Reeves
2022-11-14 20:20:38 -05:00
parent e41361e127
commit 6016b0e38a
6 changed files with 45 additions and 6 deletions


@@ -1,6 +1,8 @@
docker: docker:
bip: 172.17.0.1/24 bip: 172.17.0.1
range: 172.17.0.0/24 range: 172.17.0.0/24
sosrange: 172.17.1.0/24
sosbip: 172.17.1.1
containers: containers:
'so-elasticsearch': 'so-elasticsearch':
final_octet: 22 final_octet: 22
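Review bot: `sosbip: 172.17.1.1` is written without a prefix length, yet the setup script changed in this same commit generates the pillar as `sosbip: '$DOCKER2BIP'` where `DOCKER2BIP` is built with a trailing `/24`, so the value fed to the Salt `gateway:` is a plain address on an unconfigured node and a CIDR on one that went through so-setup. The same split applies to `bip`, which this hunk strips of its `/24` while `docker_pillar` still writes `bip: '$DOCKERBIP'` with the suffix. One form should be chosen for both keys; since the gateway of a docker_network presumably takes a bare address, the plain form looks right, and a comment such as `# sosbip: gateway address of the sosnet bridge (no prefix length; sosrange carries the /24)` would pin that convention for the setup side.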


@@ -3,6 +3,8 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'docker/docker.map.jinja' import DOCKER %}
dockergroup: dockergroup:
group.present: group.present:
- name: docker - name: docker
@@ -50,3 +52,7 @@ dockerreserveports:
- source: salt://common/files/99-reserved-ports.conf - source: salt://common/files/99-reserved-ports.conf
- name: /etc/sysctl.d/99-reserved-ports.conf - name: /etc/sysctl.d/99-reserved-ports.conf
sosnet:
docker_network.present:
- subnet: {{ DOCKER.sosnet }}
- gateway: {{ DOCKER.sosbip }}
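Review bot: `- subnet: {{ DOCKER.sosnet }}` reads a key named `sosnet`, but the defaults added in this commit define the range as `sosrange` (the gateway key `sosbip` is used correctly on the next line); unless docker.map.jinja derives a `sosnet` key from `sosrange`, rendering this state fails on an undefined attribute and the network is never created. The line should presumably be `- subnet: {{ DOCKER.sosrange }}`. A short comment above `sosnet:` noting that the container states which attach to this network rely on it existing first would also help, since that ordering is not expressed with a `require` here.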


@@ -290,7 +290,9 @@ so-elasticsearch:
- hostname: elasticsearch - hostname: elasticsearch
- name: so-elasticsearch - name: so-elasticsearch
- user: elasticsearch - user: elasticsearch
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - networks:
- sosnet:
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- extra_hosts: {{ REDIS_NODES }} - extra_hosts: {{ REDIS_NODES }}
- environment: - environment:
{% if REDIS_NODES | length == 1 %} {% if REDIS_NODES | length == 1 %}
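Review bot: Attaching so-elasticsearch to the user-defined `sosnet` network with a static address cuts it off from any container still on Docker's default bridge, because Docker isolates bridge networks from each other unless a container joins both; the diffstat shows only this container being moved, so consumers that reach Elasticsearch by its container address would need the same `- networks:` entry or a host-published port, neither of which this hunk shows. Worth confirming before merge, or recording on the `- networks:` line as `# sosnet: every SO container that talks to this one must also join sosnet (bridges are isolated)`. The `so-elasticsearch` state starts before and continues after this hunk.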


@@ -254,11 +254,16 @@ collect_dns_domain() {
collect_dockernet() { collect_dockernet() {
if ! whiptail_dockernet_check; then if ! whiptail_dockernet_check; then
whiptail_dockernet_net "172.17.0.0" whiptail_dockernet_sosnet "172.17.1.0"
whiptail_dockernet_nososnet "172.17.0.0"
while ! valid_ip4 "$DOCKERNET"; do while ! valid_ip4 "$DOCKERNET"; do
whiptail_invalid_input whiptail_invalid_input
whiptail_dockernet_net "$DOCKERNET" whiptail_dockernet_nonsosnet "$DOCKERNET"
done
while ! valid_ip4 "$DOCKERNET2"; do
whiptail_invalid_input
whiptail_dockernet_sosnet "$DOCKERNET2"
done done
fi fi
} }
@@ -996,6 +1001,9 @@ docker_registry() {
if [ -z "$DOCKERNET" ]; then if [ -z "$DOCKERNET" ]; then
DOCKERNET=172.17.0.0 DOCKERNET=172.17.0.0
fi fi
if [ -z "$DOCKERNET2" ]; then
DOCKERNET2=172.17.1.0
fi
# Make the host use the manager docker registry # Make the host use the manager docker registry
DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
@@ -1376,9 +1384,12 @@ create_global() {
if [ -z "$DOCKERNET" ]; then if [ -z "$DOCKERNET" ]; then
DOCKERNET=172.17.0.0 DOCKERNET=172.17.0.0
DOCKERNET2=172.17.1.0
DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
else else
DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
fi fi
if [ -f "$global_pillar_file" ]; then if [ -f "$global_pillar_file" ]; then
@@ -1462,6 +1473,8 @@ docker_pillar() {
touch $adv_docker_pillar_file touch $adv_docker_pillar_file
printf '%s\n'\ printf '%s\n'\
"docker:"\ "docker:"\
" sosrange: '$DOCKERNET2/24'"\
" sosbip: '$DOCKER2BIP'"\
" range: '$DOCKERNET/24'"\ " range: '$DOCKERNET/24'"\
" bip: '$DOCKERBIP'" > $docker_pillar_file " bip: '$DOCKERBIP'" > $docker_pillar_file
} }
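Review bot: In `collect_dockernet` the retry loop calls `whiptail_dockernet_nonsosnet "$DOCKERNET"`, but the prompt defined in this commit (and called two lines earlier) is `whiptail_dockernet_nososnet`; after the first invalid entry the call fails as command-not-found, `$DOCKERNET` is never reassigned, and `valid_ip4` keeps rejecting it, so the loop never exits (or the script aborts, if it runs under `set -e`). The fix is the rename `whiptail_dockernet_nososnet "$DOCKERNET"`. Separately, `valid_ip4` only checks syntax: nothing rejects `DOCKERNET2` equal to `DOCKERNET`, and a shared /24 would presumably make the `sosnet` subnet collide with the daemon's bridge, so extending the second loop's condition to `while ! valid_ip4 "$DOCKERNET2" || [ "$DOCKERNET2" = "$DOCKERNET" ]; do` is cheap. Also note that the `else` branch of `create_global` derives `DOCKER2BIP` from `DOCKERNET2` without defaulting it the way `docker_registry` does, so a caller that set only `DOCKERNET` ends up with the malformed `...1/24`.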


@@ -319,6 +319,7 @@ if ! [[ -f $install_opt_file ]]; then
check_elastic_license check_elastic_license
check_requirements "manager" check_requirements "manager"
networking_needful networking_needful
collect_dockernet
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_minion_info set_minion_info
@@ -339,6 +340,7 @@ if ! [[ -f $install_opt_file ]]; then
check_elastic_license check_elastic_license
check_requirements "manager" check_requirements "manager"
networking_needful networking_needful
collect_dockernet
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_minion_info set_minion_info
@@ -357,6 +359,7 @@ if ! [[ -f $install_opt_file ]]; then
waitforstate=true waitforstate=true
check_requirements "manager" check_requirements "manager"
networking_needful networking_needful
collect_dockernet
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
@@ -373,6 +376,7 @@ if ! [[ -f $install_opt_file ]]; then
waitforstate=true waitforstate=true
check_requirements "manager" check_requirements "manager"
networking_needful networking_needful
collect_dockernet
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1


@@ -325,12 +325,24 @@ whiptail_dockernet_check(){
} }
whiptail_dockernet_net() { whiptail_dockernet_sosnet() {
[ -n "$TESTING" ] && return
DOCKERNET2=$(whiptail --title "$whiptail_title" --inputbox \
"\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_dockernet_nososnet() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
DOCKERNET=$(whiptail --title "$whiptail_title" --inputbox \ DOCKERNET=$(whiptail --title "$whiptail_title" --inputbox \
"\nEnter a /24 size network range for docker to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) "\nEnter a /24 size network range for NON SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus