From 6988f03ebc7fd5746ee1a245a3f18ca5896a69de Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 16 May 2025 14:24:07 -0400 Subject: [PATCH] setup bridge and fix salt before first highstate for hypervisors --- salt/libvirt/bridge.sls | 49 +++++++++++++++++++++++++++++++++++++++++ salt/libvirt/init.sls | 46 +------------------------------------- setup/so-functions | 9 ++++++++ setup/so-setup | 2 ++ 4 files changed, 61 insertions(+), 45 deletions(-) create mode 100644 salt/libvirt/bridge.sls diff --git a/salt/libvirt/bridge.sls b/salt/libvirt/bridge.sls new file mode 100644 index 000000000..5ff5d670c --- /dev/null +++ b/salt/libvirt/bridge.sls 
@@ -0,0 +1,49 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'libvirt/map.jinja' import LIBVIRTMERGED %} +{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} + +down_original_mgmt_interface: + cmd.run: + - name: "nmcli con down {{ pillar.host.mainint }}" + - unless: + - nmcli -f GENERAL.CONNECTION dev show {{ pillar.host.mainint }} | grep bridge-slave-{{ pillar.host.mainint }} + - order: last + +wait_for_br0_ip: + cmd.run: + - name: | + counter=0 + until ip addr show br0 | grep -q "inet "; do + sleep 1 + counter=$((counter+1)) + if [ $counter -ge 90 ]; then + echo "Timeout waiting for br0 to get an IP address" + exit 1 + fi + done + echo "br0 has IP address: $(ip addr show br0 | grep 'inet ' | awk '{print $2}')" + - timeout: 95 + - onchanges: + - cmd: down_original_mgmt_interface + +update_mine_functions: + file.managed: + - name: /etc/salt/minion.d/mine_functions.conf + - contents: | + mine_interval: 25 + mine_functions: + network.ip_addrs: + - interface: br0 + - onchanges: + - cmd: wait_for_br0_ip + +restart_salt_minion_service: + service.running: + - name: salt-minion + - enable: True + - listen: + - file: update_mine_functions diff --git a/salt/libvirt/init.sls b/salt/libvirt/init.sls index 1312cc112..576c29c33 100644 --- a/salt/libvirt/init.sls +++ b/salt/libvirt/init.sls @@ -13,12 +13,12 @@ {% if sls in allowed_states %} {% if 'vrt' in salt['pillar.get']('features', []) %} {% from 'libvirt/map.jinja' import LIBVIRTMERGED %} +{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} include: - libvirt.64962 - libvirt.packages - libvirt.ssh.users - - salt.mine_functions install_libvirt: pkg.installed: 
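Review bot: Both Jinja imports at the top of the new bridge.sls, `{% from 'libvirt/map.jinja' import LIBVIRTMERGED %}` and `{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}`, are unused — no state in the 49-line file references either name — so they should be dropped. This matters because so-functions renders this file with `salt-call --local` and a pillar that contains only `host.mainint`; if either map file reads other pillar or grain data, rendering fails before any state runs, and the unused imports widen that failure surface for no benefit (whether the maps do so is not visible here). The comment removed from init.sls, `# this should only run during the first highstate after setup. it will transfer connection from mgmt to br0`, was the only explanation of why `down_original_mgmt_interface` is idempotent via its `unless` on `bridge-slave-{{ pillar.host.mainint }}`; I would restore it above that state, updated to say it now runs once from setup via `salt-call --local`. Finally, `update_mine_functions` writes `/etc/salt/minion.d/mine_functions.conf` with `file.managed` and fixed contents, so a one-line comment stating that this file is owned here and not by `salt.mine_functions` would save the next reader from re-adding that include.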
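Review bot: Removing `- salt.mine_functions` from the include list means the minion's `mine_functions.conf` on hypervisors is now written only once, by `libvirt.bridge` during setup; if `salt.mine_functions` is still applied through the top file on later highstates (not visible here), it will rewrite the same file and can point the mine back at the original management interface, which is the exact conflict the old `file.replace`-based `update_mine_functions_interface` state existed to correct. Please confirm that state no longer targets hypervisors, or make it skip the `br0` case, and record the decision in a comment next to the include block. Separately, the added `{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}` is not used by anything in this hunk; if nothing further down init.sls uses it either, it should be removed rather than left as a dangling import that must render under every pillar the file is applied with.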
@@ -93,50 +93,6 @@ disable_default_bridge: - onlyif: - virsh net-list | grep default -# this should only run during the first highstate after setup. it will transfer connection from mgmt to br0 -down_original_mgmt_interface: - cmd.run: - - name: "nmcli con down {{ pillar.host.mainint }}" - - unless: - - nmcli -f GENERAL.CONNECTION dev show {{ pillar.host.mainint }} | grep bridge-slave-{{ pillar.host.mainint }} - - order: last - -update_mine_functions_interface: - file.replace: - - name: /etc/salt/minion.d/mine_functions.conf - - pattern: " - interface: ([a-zA-Z0-9]+)" - - repl: " - interface: br0" - - onchanges: - - cmd: down_original_mgmt_interface - -wait_for_br0_ip: - cmd.run: - - name: | - counter=0 - until ip addr show br0 | grep -q "inet "; do - sleep 1 - counter=$((counter+1)) - if [ $counter -ge 90 ]; then - echo "Timeout waiting for br0 to get an IP address" - exit 1 - fi - done - echo "br0 has IP address: $(ip addr show br0 | grep 'inet ' | awk '{print $2}')" - - timeout: 95 - - onchanges: - - file: update_mine_functions_interface - -mine_update_mine_interface: - module.run: - - mine.send: - - network.ip_addrs - - interface: br0 - - onchanges: - - cmd: wait_for_br0_ip - -# virtlogd service may not restart following reboot without this -#semanage permissive -a virtlogd_t - {% else %} {{sls}}_no_license_detected: test.fail_without_changes: diff --git a/setup/so-functions b/setup/so-functions index d28d7baf3..a03e0166b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1186,6 +1186,15 @@ get_minion_type() { echo "$minion_type" } +hypervisor_local_states() { + # these states need to run before the first highstate so that we dont deal with the salt-minion restarting + # and we need these setup prior to the highstate + if [ $is_hypervisor ] || [ $is_managerhype ]; then + salt-call state.apply libvirt.64962 --local --file-root=../salt/ -l info + salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "enp1s0"}}' + fi +} + install_cleanup() { if [ -f "$temp_install_dir" ]; then info "Installer removing the following files:" diff --git a/setup/so-setup b/setup/so-setup index 115bdadb7..1736da5bc 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -822,6 +822,7 @@ if ! [[ -f $install_opt_file ]]; then checkin_at_boot set_initial_firewall_access logCmd "salt-call schedule.enable -linfo --local" + hypervisor_local_states verify_setup else touch /root/accept_changes @@ -847,6 +848,7 @@ if ! [[ -f $install_opt_file ]]; then configure_minion "$minion_type" check_sos_appliance drop_install_options + hypervisor_local_states verify_setup fi
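Review bot: The new `hypervisor_local_states` hard-codes the management interface as `pillar='{"host": {"mainint": "enp1s0"}}'`, so on any hypervisor whose management NIC has a different name the `nmcli con down` in libvirt.bridge targets the wrong device and its `unless` guard checks the wrong one too; the installer already knows the chosen interface and should pass that value instead. The exit status of both `salt-call` invocations is also discarded, so a failed bridge state (for example the 90-second `wait_for_br0_ip` timeout) does not stop setup before `verify_setup` runs; unlike the `logCmd "salt-call schedule.enable -linfo --local"` call in so-setup, these calls are bare, so their output also bypasses the setup log. Two smaller points: `[ $is_hypervisor ] || [ $is_managerhype ]` relies on unquoted expansion and would be clearer as an explicit non-empty test, and `--file-root=../salt/` is relative to whatever the current directory is when so-setup reaches this point, which is worth either documenting or resolving against the script location. The sketch below keeps the function's interface; the interface variable is a placeholder for whatever so-setup already holds, and whether `salt-call` returns non-zero on a failed state without `--retcode-passthrough` should be confirmed.
```shell
hypervisor_local_states() {
  # these states need to run before the first highstate so that we dont deal with the salt-minion restarting
  # and we need these setup prior to the highstate
  # --file-root is relative to the cwd so-setup is running from; keep that in mind if this is called elsewhere
  local mgmt_if="${MGMT_INTERFACE_PLACEHOLDER}"  # placeholder: reuse the management NIC the installer already collected
  if [[ -n "$is_hypervisor" || -n "$is_managerhype" ]]; then
    salt-call state.apply libvirt.64962 --local --file-root=../salt/ -l info || return 1
    salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info \
      pillar="{\"host\": {\"mainint\": \"$mgmt_if\"}}" || return 1
  fi
}
```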