ssh user, build cloud profiles and providers

pillar/hypervisor/nodes.sls

@@ -0,0 +1,34 @@
+{% set node_types = {} %}
+{% for minionid, ip in salt.saltutil.runner(
+    'mine.get',
+    tgt='G@role:so-hypervisor',
+    fun='network.ip_addrs',
+    tgt_type='compound') | dictsort()
+%}
+
+# only add a node to the pillar if it returned an ip from the mine
+{%   if ip | length > 0%}
+{%     set hostname = minionid.split('_') | first %}
+{%     set node_type = minionid.split('_') | last %}
+{%     if node_type not in node_types.keys() %}
+{%       do node_types.update({node_type: {hostname: ip[0]}}) %}
+{%     else %}
+{%       if hostname not in node_types[node_type] %}
+{%         do node_types[node_type].update({hostname: ip[0]}) %}
+{%       else %}
+{%         do node_types[node_type][hostname].update(ip[0]) %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+
+
+hypervisor:
+  nodes:
+{% for node_type, values in node_types.items() %}
+    {{node_type}}:
+{%   for hostname, ip in values.items() %}
+      {{hostname}}:
+        ip: {{ip}}
+{%   endfor %}
+{% endfor %}

pillar/top.sls

@@ -66,6 +66,7 @@ base:
     - kafka.nodes
     - kafka.soc_kafka
     - kafka.adv_kafka
+    - hypervisor.nodes
     - stig.soc_stig
 
   '*_sensor':

salt/libvirt/packages.sls

@@ -6,6 +6,11 @@ install_libvirt-libs:
   pkg.installed:
     - name: libvirt-libs
 
+# provides virsh
+install_libvirt-client:
+  pkg.installed:
+    - name: libvirt-client
+
 libvirt_python_wheel:
   file.recurse:
     - name: /opt/so/conf/libvirt/source-packages/libvirt-python

salt/libvirt/ssh/files/config

@@ -0,0 +1,2 @@
+Host *
+        IdentityFile /home/soqemussh/.ssh/id_ed25519

salt/libvirt/ssh/users.sls

@@ -0,0 +1,56 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+# used for qemu+ssh connection between manager and hypervisors
+create_soqemussh_user:
+  user.present:
+    - name: soqemussh
+    - shell: /bin/bash
+    - home: /home/soqemussh
+{% if not GLOBALS.is_manager %}
+    - groups:
+      - wheel
+{% endif %}
+
+{% if GLOBALS.is_manager %}
+
+create_local_libvirt_ssh_key_dir:
+  file.directory:
+    - name: /opt/so/saltstack/local/salt/libvirt/ssh/keys
+    - user: socore
+    - group: socore
+    - mode: 755
+    - makedirs: True
+
+# generate the key pair and put the pub key in salt local files roots
+generate_ssh_key_soqemussh:
+  cmd.run:
+    - name: ssh-keygen -q -N '' -t ed25519 -f /home/soqemussh/.ssh/id_ed25519
+    - runas: soqemussh
+    - unless: test -f /home/soqemussh/.ssh/id_ed25519
+    - require:
+      - user: create_soqemussh_user
+
+soqemussh_ssh_key_to_local:
+  cmd.run:
+    - name: cp /home/soqemussh/.ssh/id_ed25519.pub /opt/so/saltstack/local/salt/libvirt/ssh/keys
+    - onchanges:
+      - cmd: generate_ssh_key_soqemussh
+
+qemu_ssh_client_config:
+  file.managed:
+    - name: /root/.ssh/config
+    - source: salt://libvirt/ssh/files/config
+
+{% else %}
+
+soqemussh_pub_key:
+  ssh_auth.present:
+    - user: soqemussh
+    - source: salt://libvirt/ssh_keys/id_ed25519.pub
+
+{% endif %}

salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja

@@ -49,8 +49,10 @@ sensor:
     sls_list:
       - setHostname
 
-core:
-  provider: kvm-via-ssh
+{%- for hv in HYPERVISORS %}
+
+core-{{hv}}:
+  provider: kvm-ssh-{{hv}}
   base_domain: jppol9vm
   ip_source: qemu-agent
   ssh_username: onionuser
@@ -64,3 +66,5 @@ core:
     startup_states: sls
     sls_list:
       - setHostname
+
+{%- endfor %}

salt/salt/cloud/cloud.providers.d/libvirt.conf

@@ -1,11 +0,0 @@
-# Set up a provider with qemu+ssh protocol
-kvm-via-ssh:
-  driver: libvirt
-  url: qemu+ssh://onionuser@jpphype1/system?socket=/var/run/libvirt/libvirt-sock
-
-# Or connect to a local libvirt instance
-#local-kvm:
-#  driver: libvirt
-#  url: qemu:///system
-  # work around flag for XML validation errors while cloning
-#  validate_xml: no

salt/salt/cloud/cloud.providers.d/libvirt.conf.jinja

@@ -0,0 +1,19 @@
+# Set up a provider with qemu+ssh protocol
+#kvm-ssh-jpphype1:
+#  driver: libvirt
+#  url: qemu+ssh://soqemussh@jpphype1/system?socket=/var/run/libvirt/libvirt-sock
+
+{%- for hv in HYPERVISORS %}
+
+kvm-ssh-{{hv}}:
+  driver: libvirt
+  url: qemu+ssh://soqemussh@{{hv}}/system?socket=/var/run/libvirt/libvirt-sock
+
+{%- endfor %}
+
+# Or connect to a local libvirt instance
+#local-kvm:
+#  driver: libvirt
+#  url: qemu:///system
+  # work around flag for XML validation errors while cloning
+#  validate_xml: no

salt/salt/cloud/init.sls

@@ -15,6 +15,22 @@ install_salt_cloud:
     - name: salt-cloud
     - version: {{SALTVERSION}}
 
+cloud_providers:
+  file.managed:
+    - name: /etc/salt/cloud.providers.d/libvirt.conf
+    - source: salt://salt/cloud/cloud.providers.d/libvirt.conf.jinja
+    - defaults:
+        HYPERVISORS: {{pillar.hypervisor.nodes}}
+    - template: jinja
+
+cloud_profiles:
+  file.managed:
+    - name: /etc/salt/cloud.profiles.d/socloud.conf
+    - source: salt://salt/cloud/cloud.profiles.d/socloud.conf.jinja
+    - defaults:
+        HYPERVISORS: {{pillar.hypervisor.nodes}}
+    - template: jinja
+
 {% else %}
 
 {{sls}}_state_not_allowed:

setup/so-setup

@@ -629,6 +629,7 @@ if ! [[ -f $install_opt_file ]]; then
 		check_requirements
 		networking_needful
 		configure_hyper_bridge
+		MNIC=br0
 		collect_mngr_hostname
 		add_mngr_ip_to_hosts
 		check_manager_connection