From 2f198ed9fb8b5646e469432fbdf6dac47d17abea Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 15 Apr 2021 09:42:00 -0400
Subject: [PATCH 1/8] change how salt is held and unheld from updates

---
 salt/salt/map.jinja  | 14 +++-----------
 salt/salt/minion.sls | 24 +++++++++++++-----------
 2 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index 6b5273b84..67742812b 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -1,5 +1,6 @@
 {% import_yaml 'salt/minion.defaults.yaml' as saltminion %}
 {% set SALTVERSION = saltminion.salt.minion.version %}
+{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
 
 {% if grains.os == 'Ubuntu' %}
   {% set SPLITCHAR = '+' %}
@@ -7,20 +8,11 @@
   {% set SPLITCHAR = '-' %}
 {% endif %}
 
-{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
-{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
-
-{% if grains.os|lower == 'ubuntu' %}
-  {% set COMMON = 'salt-common' %}
-{% elif grains.os|lower in ['centos', 'redhat'] %}
-  {% set COMMON = 'salt' %}
-{% endif %}
-
 {% if grains.saltversion|string != SALTVERSION|string %}
   {% if grains.os|lower in ['centos', 'redhat'] %}
-      {% set UPGRADECOMMAND = 'yum clean all ; yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' ; yum versionlock add "salt-*"' %}
+      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}
   {% elif grains.os|lower == 'ubuntu' %}
-    {% set UPGRADECOMMAND = 'apt-mark unhold salt-common ; apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' ; apt-mark hold salt-common && apt-mark hold salt-minion' %}
+    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %}
   {% endif %}
 {% else %}
   {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index 1c7f1a5e8..6488124f6 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -9,6 +9,12 @@ include:
   - salt
   - systemd.reload
 
+{% if "{{INSTALLEDSALTVERSION}}" != "{{SALTVERSION}}" %}
+unhold_salt_packages:
+  module.run:
+    - pkg.unhold:
+      - 'salt-*'
+
 install_salt_minion:
   cmd.run:
     - name: |
@@ -16,15 +22,13 @@ install_salt_minion:
         exec 1>&- # close stdout
         exec 2>&- # close stderr
         nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
-    - onlyif: test "{{INSTALLEDSALTVERSION}}" != "{{SALTVERSION}}"
+{% endif %}
 
-salt_minion_package:
-  pkg.installed:
-    - pkgs:
-      - {{ COMMON }}
-      - salt-minion
-    - hold: True
-    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"
+{% if "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}" %}
+hold_salt_packages:
+  module.run:
+    - pkg.hold:
+      - 'salt-*'
 
 set_log_levels:
   file.append:
@@ -46,11 +50,9 @@ salt_minion_service_unit_file:
       - module: systemd_reload
     - listen_in:
       - service: salt_minion_service
-    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"
 
 salt_minion_service:
   service.running:
     - name: salt-minion
     - enable: True
-    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"
-
+{% endif %}

From 22edbcc1112cbec4f93a525443c8de292448336e Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 15 Apr 2021 11:29:01 -0400
Subject: [PATCH 2/8] can use SPLITCHAR before defined

---
 salt/salt/map.jinja | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index 67742812b..3ba7194f5 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -1,6 +1,5 @@
 {% import_yaml 'salt/minion.defaults.yaml' as saltminion %}
 {% set SALTVERSION = saltminion.salt.minion.version %}
-{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
 
 {% if grains.os == 'Ubuntu' %}
   {% set SPLITCHAR = '+' %}
@@ -8,6 +7,8 @@
   {% set SPLITCHAR = '-' %}
 {% endif %}
 
+{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
+
 {% if grains.saltversion|string != SALTVERSION|string %}
   {% if grains.os|lower in ['centos', 'redhat'] %}
       {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}

From 9d01387a04725611b3c7b96cafbd9bebe48070c8 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 15 Apr 2021 11:57:25 -0400
Subject: [PATCH 3/8] remove references to the common salt package

---
 salt/salt/master.sls | 12 ++++--------
 salt/salt/minion.sls |  1 -
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/salt/salt/master.sls b/salt/salt/master.sls
index 3c23bbb36..d0a655051 100644
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -1,17 +1,13 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
-{% from 'salt/map.jinja' import COMMON with context %}
-
 include:
   - salt.minion
 
-salt_master_package:
-  pkg.installed:
-    - pkgs:
-      - {{ COMMON }}
-      - salt-master
-    - hold: True
+hold_salt_master_package:
+  module.run:
+    - pkg.hold:
+      - 'salt-master'
 
 salt_master_service:
   service.running:
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index 6488124f6..e656ae8a6 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -1,4 +1,3 @@
-{% from 'salt/map.jinja' import COMMON with context %}
 {% from 'salt/map.jinja' import UPGRADECOMMAND with context %}
 {% from 'salt/map.jinja' import SALTVERSION %}
 {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}

From 9d676efada5b07a38d2140d387b6d1b4072b1a2b Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 15 Apr 2021 12:45:34 -0400
Subject: [PATCH 4/8] move salt_minion_service state outside jinja if

---
 salt/salt/minion.sls | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index e656ae8a6..1b0f7d901 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -49,9 +49,11 @@ salt_minion_service_unit_file:
       - module: systemd_reload
     - listen_in:
       - service: salt_minion_service
+{% endif %}
 
+# this has to be outside the if statement above since there are <requisite>_in calls to this state
 salt_minion_service:
   service.running:
     - name: salt-minion
     - enable: True
-{% endif %}
+    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"
\ No newline at end of file

From 24b263c81227052bceaa468ac2175e7683ddeb1d Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 16 Apr 2021 11:37:18 -0400
Subject: [PATCH 5/8] only hold/unhold packages if not already unheld/held

---
 salt/salt/map.jinja  |  2 ++
 salt/salt/minion.sls | 15 +++++++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index 3ba7194f5..5c1689e6c 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -3,8 +3,10 @@
 
 {% if grains.os == 'Ubuntu' %}
   {% set SPLITCHAR = '+' %}
+  {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?') %}
 {% else %}
   {% set SPLITCHAR = '-' %}
+  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?') %}
 {% endif %}
 
 {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index 1b0f7d901..5145da34b 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -1,6 +1,7 @@
 {% from 'salt/map.jinja' import UPGRADECOMMAND with context %}
 {% from 'salt/map.jinja' import SALTVERSION %}
 {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
+{% from 'salt/map.jinja' import SALTNOTHELD %}
 {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
 {% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}
 
@@ -8,11 +9,14 @@ include:
   - salt
   - systemd.reload
 
-{% if "{{INSTALLEDSALTVERSION}}" != "{{SALTVERSION}}" %}
+{% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}
+
+{% if SALTNOTHELD == 0 %}
 unhold_salt_packages:
   module.run:
     - pkg.unhold:
-      - 'salt-*'
+      - name: 'salt-*'
+{% endif %}
 
 install_salt_minion:
   cmd.run:
@@ -23,11 +27,14 @@ install_salt_minion:
         nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
 {% endif %}
 
-{% if "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}" %}
+{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
+
+{% if SALTNOTHELD == 1 %}
 hold_salt_packages:
   module.run:
     - pkg.hold:
-      - 'salt-*'
+      - name: 'salt-*'
+{% endif %}
 
 set_log_levels:
   file.append:

From 1b15f018742d7f28bcce7b76582ec189fd9c3aea Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Fri, 16 Apr 2021 13:09:01 -0400
Subject: [PATCH 6/8] fix salt.master state

---
 salt/salt/master.sls | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/salt/salt/master.sls b/salt/salt/master.sls
index d0a655051..8b2b6c7d0 100644
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -1,13 +1,16 @@
+{% from 'salt/map.jinja' import SALTNOTHELD %}
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
 include:
   - salt.minion
 
+{% if SALTNOTHELD == 1 %}
 hold_salt_master_package:
   module.run:
     - pkg.hold:
-      - 'salt-master'
+      - name: salt-master
+{% endif %}
 
 salt_master_service:
   service.running:

From 58febe795574fd200bcb5e48c77659c75c8fd4e5 Mon Sep 17 00:00:00 2001
From: William Wernert <william.wernert@securityonionsolutions.com>
Date: Fri, 16 Apr 2021 16:04:07 -0400
Subject: [PATCH 7/8] [fix] so-docker-prune breaks when multiple "so-" images
 share a version

---
 salt/common/tools/sbin/so-docker-prune | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/salt/common/tools/sbin/so-docker-prune b/salt/common/tools/sbin/so-docker-prune
index 5a56f506d..f6c043ef3 100755
--- a/salt/common/tools/sbin/so-docker-prune
+++ b/salt/common/tools/sbin/so-docker-prune
@@ -60,15 +60,19 @@ def main(quiet):
   no_prunable = True
   for t_list in grouped_tag_lists:
     try:
-      # Keep the 2 most current images
+      # Group tags by version, in case multiple images exist with the same version string
       t_list.sort(key=lambda x: Version(get_image_version(x)), reverse=True)
-      if len(t_list) <= 2:
+      grouped_t_list = [ list(it) for _,it in groupby(t_list, lambda x: get_image_version(x)) ]
+
+      # Keep the 2 most current version groups
+      if len(grouped_t_list) <= 2:
         continue
       else:
         no_prunable = False
-        for tag in t_list[2:]:
-          if not quiet: print(f'Removing image {tag}')
-          client.images.remove(tag)
+        for group in grouped_t_list[2:]:
+          for tag in group:
+            if not quiet: print(f'Removing image {tag}')
+            client.images.remove(tag)
     except InvalidVersion as e:
       print(f'so-{get_so_image_basename(t_list[0])}: {e.args[0]}', file=sys.stderr)
       exit(1)

From 9e57fd2df0b88f18bc02629fe185dc47c0716169 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Mon, 19 Apr 2021 09:00:30 -0400
Subject: [PATCH 8/8] cant pipe to grep without , python_shell=True

---
 salt/salt/map.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index 5c1689e6c..5d6d980be 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -3,10 +3,10 @@
 
 {% if grains.os == 'Ubuntu' %}
   {% set SPLITCHAR = '+' %}
-  {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?') %}
+  {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?', python_shell=True) %}
 {% else %}
   {% set SPLITCHAR = '-' %}
-  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?') %}
+  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?', python_shell=True) %}
 {% endif %}
 
 {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}