Merge pull request #9394 from Security-Onion-Solutions/jertel/mvkr

move Kratos DB to /nsm

files/salt/master/master

@@ -64,8 +64,4 @@ peer:
   .*:
     - x509.sign_remote_certificate
 
-reactor:
-  - 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db':
-    - salt://reactor/kratos.sls
-
 

salt/common/tools/sbin/so-user

@@ -127,7 +127,7 @@ while [[ $# -gt 0 ]]; do
 done
 
 kratosUrl=${KRATOS_URL:-http://127.0.0.1:4434/admin}
-databasePath=${KRATOS_DB_PATH:-/opt/so/conf/kratos/db/db.sqlite}
+databasePath=${KRATOS_DB_PATH:-/nsm/kratos/db/db.sqlite}
 databaseTimeout=${KRATOS_DB_TIMEOUT:-5000}
 bcryptRounds=${BCRYPT_ROUNDS:-12}
 elasticUsersFile=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}

salt/common/tools/sbin/soup

@@ -1086,14 +1086,14 @@ verify_latest_update_script() {
   if [[ "$CURRENTSOUP" == "$GITSOUP" && "$CURRENTCMN" == "$GITCMN" && "$CURRENTIMGCMN" == "$GITIMGCMN" && "$CURRENTSOFIREWALL" == "$GITSOFIREWALL" ]]; then
     echo "This version of the soup script is up to date. Proceeding."
   else
-    echo "You are not running the latest soup version. Updating soup and its components. Might take multiple runs to complete"
+    echo "You are not running the latest soup version. Updating soup and its components. This might take multiple runs to complete."
     cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
     cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
     cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
     cp $UPDATE_DIR/salt/common/tools/sbin/so-firewall $DEFAULT_SALT_DIR/salt/common/tools/sbin/
     salt-call state.apply common.soup_scripts queue=True -linfo --file-root=$UPDATE_DIR/salt --local
     echo ""
-    echo "soup has been updated. Please run soup again."
+    echo "The soup script has been modified. Please run soup again to continue the upgrade."
     exit 0
   fi
 }

salt/kratos/init.sls

@@ -22,9 +22,18 @@ kratos:
     
 kratosdir:
   file.directory:
-    - name: /opt/so/conf/kratos/db
+    - name: /nsm/kratos
     - user: 928
     - group: 928
+    - mode: 700
+    - makedirs: True
+
+kratosdbdir:
+  file.directory:
+    - name: /nsm/kratos/db
+    - user: 928
+    - group: 928
+    - mode: 700
     - makedirs: True
 
 kratoslogdir:
@@ -62,7 +71,7 @@ so-kratos:
       - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro    
       - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro
       - /opt/so/log/kratos/:/kratos-log:rw
-      - /opt/so/conf/kratos/db:/kratos-data:rw
+      - /nsm/kratos/db:/kratos-data:rw
     - port_bindings:
       - 0.0.0.0:4433:4433
       - 0.0.0.0:4434:4434

setup/so-functions

@@ -65,7 +65,7 @@ add_socore_user_manager() {
 }
 
 add_web_user() {
-	wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5
+	wait_for_file /nsm/kratos/db/db.sqlite 30 5
 	{
 		info "Attempting to add administrator user for web interface...";
 		export SKIP_STATE_APPLY=true
@@ -1771,8 +1771,9 @@ reinstall_init() {
 		# If the elastic license has been accepted restore the state file
 		restore_file "/opt/so_old_$date_string/state/yeselastic.txt" "/opt/so/state/"
 
-		# Backup directories in /nsm to prevent app errors
+		# Backup (and erase) directories in /nsm to prevent app errors
 		backup_dir /nsm/mysql "$date_string"
+		backup_dir /nsm/kratos "$date_string"
 
 		# Remove the old launcher package in case the config changes
 		remove_package launcher-final