CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-24 21:42:42 +01:00
Code Issues Packages Projects Releases Wiki Activity

cleanup preflight

Browse Source
This commit is contained in:
Josh Patterson
2026-03-16 16:58:35 -04:00
parent 59134c65d0
commit 6feb06e623
6 changed files with 0 additions and 323 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
salt/podman/files/podman.service
View File

@@ -1,17 +0,0 @@
[Unit]
Description=Podman API Service
Requires=podman.socket
After=podman.socket
Documentation=man:podman-api(1)
StartLimitIntervalSec=0
[Service]
Type=oneshot
Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
ExecStart=/usr/bin/podman system service
TimeoutStopSec=30
KillMode=process
[Install]
WantedBy=multi-user.target
Also=podman.socket

10
salt/podman/files/podman.socket
View File

@@ -1,10 +0,0 @@
[Unit]
Description=Podman API Socket
Documentation=man:podman-api(1)
[Socket]
ListenStream=%t/podman/podman.sock
SocketMode=0660
[Install]
WantedBy=sockets.target

48
salt/podman/files/sobridge.conflist
View File

@@ -1,48 +0,0 @@
{
"args": {
"podman_options": {
"isolate": "true",
"mtu": "1500"
}
},
"cniVersion": "0.4.0",
"name": "sobridge",
"plugins": [
{
"type": "bridge",
"bridge": "sobridge",
"isGateway": true,
"ipMasq": false,
"mtu": 1500,
"hairpinMode": false,
"ipam": {
"type": "host-local",
"routes": [
{
"dst": "0.0.0.0/0"
}
],
"ranges": [
[
{
"subnet": "172.17.1.0/24",
"gateway": "172.17.1.1"
}
]
]
},
"capabilities": {
"ips": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": false
}
},
{
"type": "tuning"
}
]
}

56
salt/podman/init.sls
View File

@@ -1,56 +0,0 @@
{% from 'docker/docker.map.jinja' import DOCKER %}
Podman pkg:
pkg.installed:
- name: podman
cnipkg:
pkg.installed:
- name: containernetworking-plugins
{#
Podman service:
file.managed:
- name: /usr/lib/systemd/system/podman.service
- source: salt://podman/podman.service
#}
sobridgeconf:
file.managed:
- name: /etc/cni/net.d/sobridge.conflist
- source: salt://podman/files/sobridge.conflist
Podman_socket_service:
service.running:
- name: podman.socket
- enable: true
Podman_service:
service.running:
- name: podman.service
- enable: true
Docker socket:
file.symlink:
- name: /var/run/docker.sock
- target: /var/run/podman/podman.sock
podman_docker_symlink:
file.symlink:
- name: /usr/bin/docker
- target: /usr/bin/podman
{#
sos_docker_net:
docker_network.present:
- name: sobridge
- subnet: {{ DOCKER.range }}
- gateway: {{ DOCKER.bip }}
- options:
com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500'
com.docker.network.bridge.enable_ip_masquerade: 'true'
com.docker.network.bridge.enable_icc: 'true'
com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
- unless: 'docker network ls | grep sobridge'
#}

178
setup/so-preflight
View File

@@ -1,178 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
cd "$(dirname "$0")" || exit 255
source ../salt/common/tools/sbin/so-common
source ./so-functions
script_run="$1"
retry_count=10
retry_sleep=5
warning_prefix="[WARNING]"
info_prefix="[INFO ]"
error_prefix="[ERROR ]"
if [[ $script_run == true ]]; then
preflight_log="${2:-'/root/preflight.log'}"
else
preflight_log='/root/preflight.log'
fi
check_default_repos() {
local ret_code=0
local repo_str=' Checking OS default repos with '
if [[ $script_run == true ]]; then
printf '%s' "$repo_str"
else
printf '%s' "$repo_str" | tee -a "$preflight_log"
fi
if [[ $script_run == true ]]; then
printf '%s' 'yum update.'
else
printf '%s' 'yum update.' | tee -a "$preflight_log"
fi
echo "" >> "$preflight_log"
yum -y check-update >> $preflight_log 2>&1
ret_code=$?
if [[ $ret_code == 0 || $ret_code == 100 ]]; then
printf '%s\n' ' SUCCESS'
ret_code=0
else
printf '%s\n' ' FAILURE'
fi
return $ret_code
}
check_new_repos() {
local repo_url_str=' Checking repo URLs added by setup.'
if [[ $script_run == true ]]; then
printf '%s' "$repo_url_str"
else
printf '%s' "$repo_url_str" | tee -a "$preflight_log"
fi
local repo_arr=(
"https://download.docker.com/linux/centos/docker-ce.repo"
"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
"https://download.docker.com/linux/ubuntu/gpg"
)
__check_url_arr "${repo_arr[@]}"
local ret_code=$?
[[ $ret_code == 0 ]] && printf '%s\n' ' SUCCESS' || printf '%s\n' ' FAILURE'
return $ret_code
}
check_misc_urls() {
local misc_url_str=' Checking various other URLs used by setup.'
if [[ $script_run == true ]]; then
printf '%s' "$misc_url_str"
else
printf '%s' "$misc_url_str" | tee -a "$preflight_log"
fi
local so_version
so_version=$(cat ../VERSION)
local url_arr=(
"https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS"
"https://github.com/Neo23x0/signature-base"
"https://sigs.securityonion.net/$so_version/securityonion-$so_version.iso.sig"
"https://ghcr.io/"
"https://rules.emergingthreats.net/open/"
"https://rules.emergingthreatspro.com/"
)
__check_url_arr "${url_arr[@]}"
local ret_code=$?
[[ $ret_code == 0 ]] && printf '%s\n' ' SUCCESS' || printf '%s\n' ' FAILURE'
return $ret_code
}
__check_url_arr() {
local ret_code=0
echo "" >> "$preflight_log"
for url in "$@"; do
# Reset vars
local status=999 # Set status to something outside the range of normal HTTP codes but above the 200 range
local ret=1
local count=0
while [[ $ret != 0 && $count -lt $retry_count ]]; do
((count++))
[[ $count != 1 ]] && sleep $retry_sleep
status=$(curl -s -o /dev/null -w "%{http_code}" -L "$url" 2> /dev/null)
ret=$?
local count_str
printf -v count_str '%02d' "$count"
[[ $ret != 0 ]] && echo "$warning_prefix ($count_str/$retry_count) Could not reach $url, curl error code: $ret" >> "$preflight_log"
done
if [[ $ret == 0 ]]; then
url_success_str="Successfully reached $url"
if [[ $status -ge 400 ]]; then
echo "$warning_prefix $url_success_str but server responded with HTTP code $status." >> "$preflight_log"
else
printf '%s\n' "$info_prefix $url_success_str" >> "$preflight_log"
fi
else
ret_code=1
echo "$error_prefix Could not reach $url after $retry_count attempts." >> "$preflight_log"
fi
done
echo "" >> "$preflight_log"
return $ret_code
}
main() {
local intro_str="Beginning pre-flight checks."
local success_str="Pre-flight checks completed successfully!"
local fail_str="Pre-flight checks could not complete."
[[ -f $preflight_log ]] || touch "$preflight_log"
detect_os "$preflight_log"
if [[ $script_run == true ]]; then
echo "$intro_str"
else
echo "$intro_str" | tee "$preflight_log"
fi
check_default_repos &&\
check_new_repos &&\
check_misc_urls
local success=$?
echo ""
if [[ $success == 0 ]]; then
if [[ $script_run == true ]]; then
echo "$success_str"
else
echo "$success_str" | tee -a "$preflight_log"
echo ""
fi
else
if [[ $script_run == true ]]; then
echo "$fail_str"
else
echo "$fail_str" | tee -a "$preflight_log"
echo "Check $preflight_log for details."
echo ""
fi
fi
exit $success
}
main

14
setup/so-whiptail
View File

@@ -1080,20 +1080,6 @@ whiptail_passwords_dont_match() {
}
whiptail_preflight_err() {
[ -n "$TESTING" ] && return 1
read -r -d '' message <<- EOM
The so-preflight script failed checking one or more URLs required by setup. Check $setup_log for more details.
Would you like to exit setup?
EOM
whiptail --title "$whiptail_title" \
--yesno "$message" 11 75 \
--yes-button "Continue" --no-button "Exit" --defaultno
}
whiptail_proxy_ask() {
[ -n "$TESTING" ] && return