From afc14ec29d4a2dbd28c184a81239810c7cac0c3c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 16 Mar 2026 16:58:39 -0400 Subject: [PATCH] Remove non-Oracle Linux 9 support from salt states Simplifies salt states, map files, and modules to only support Oracle Linux 9, removing all Debian/Ubuntu/CentOS/Rocky/AlmaLinux/RHEL conditional branches. --- salt/_modules/needs_restarting.py | 20 +++------ salt/ca/trustca.sls | 8 ---- salt/common/packages.sls | 49 -------------------- salt/docker/init.sls | 34 -------------- salt/firewall/init.sls | 4 -- salt/firewall/ipt.map.jinja | 20 +++------ salt/idh/openssh/config.sls | 2 - salt/idh/openssh/init.sls | 2 - salt/manager/init.sls | 2 - salt/ntp/init.sls | 5 --- salt/repo/client/map.jinja | 72 ++++++++++++------------------ salt/salt/init.sls | 7 --- salt/salt/map.jinja | 18 ++------ salt/strelka/filestream/config.sls | 7 --- salt/versionlock/init.sls | 2 +- salt/versionlock/map.jinja | 6 +-- 16 files changed, 46 insertions(+), 212 deletions(-) diff --git a/salt/_modules/needs_restarting.py b/salt/_modules/needs_restarting.py index edede9ad3..23000cac6 100644 --- a/salt/_modules/needs_restarting.py +++ b/salt/_modules/needs_restarting.py @@ -1,24 +1,14 @@ -from os import path import subprocess def check(): - osfam = __grains__['os_family'] retval = 'False' - if osfam == 'Debian': - if path.exists('/var/run/reboot-required'): - retval = 'True' + cmd = 'needs-restarting -r > /dev/null 2>&1' - elif osfam == 'RedHat': - cmd = 'needs-restarting -r > /dev/null 2>&1' - - try: - needs_restarting = subprocess.check_call(cmd, shell=True) - except subprocess.CalledProcessError: - retval = 'True' - - else: - retval = 'Unsupported OS: %s' % os + try: + needs_restarting = subprocess.check_call(cmd, shell=True) + except subprocess.CalledProcessError: + retval = 'True' return retval diff --git a/salt/ca/trustca.sls b/salt/ca/trustca.sls index 1ec5347e3..33124389f 100644 --- a/salt/ca/trustca.sls +++ b/salt/ca/trustca.sls 
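Review bot: In salt/_modules/needs_restarting.py, `check()` still reports 'True' for every non-zero exit, so with `shell=True` a missing `needs-restarting` binary (shell status 127) or any other failure is indistinguishable from exit status 1, which is the status that means a reboot is required. Since this is now the only code path, consider running the command without a shell and testing the status explicitly: `rc = subprocess.call(['needs-restarting', '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)` followed by `retval = 'True' if rc == 1 else 'False'`. In that form a missing binary raises `FileNotFoundError` instead of returning 'True', so decide which result callers should see. The `needs_restarting =` assignment is never read and can be dropped.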
@@ -3,8 +3,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'vars/globals.map.jinja' import GLOBALS %} - include: - docker @@ -18,9 +16,3 @@ trusttheca: - show_changes: False - makedirs: True -{% if GLOBALS.os_family == 'Debian' %} -symlinkca: - file.symlink: - - target: /etc/pki/tls/certs/intca.crt - - name: /etc/ssl/certs/intca.crt -{% endif %} diff --git a/salt/common/packages.sls b/salt/common/packages.sls index cd8af4bb0..cdae393d0 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -1,52 +1,5 @@ # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined -{% if grains.os_family == 'Debian' %} -commonpkgs: - pkg.installed: - - skip_suggestions: True - - pkgs: - - apache2-utils - - wget - - ntpdate - - jq - - curl - - ca-certificates - - software-properties-common - - apt-transport-https - - openssl - - netcat-openbsd - - sqlite3 - - libssl-dev - - procps - - python3-dateutil - - python3-docker - - python3-packaging - - python3-lxml - - git - - rsync - - vim - - tar - - unzip - - bc - {% if grains.oscodename != 'focal' %} - - python3-rich - {% endif %} - -{% if grains.oscodename == 'focal' %} -# since Ubuntu requires and internet connection we can use pip to install modules -python3-pip: - pkg.installed - -python-rich: - pip.installed: - - name: rich - - target: /usr/local/lib/python3.8/dist-packages/ - - require: - - pkg: python3-pip -{% endif %} -{% endif %} - -{% if grains.os_family == 'RedHat' %} remove_mariadb: pkg.removed: @@ -84,5 +37,3 @@ commonpkgs: - unzip - wget - yum-utils - -{% endif %} diff --git a/salt/docker/init.sls b/salt/docker/init.sls index fa8f98567..5cac6f185 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls 
@@ -15,39 +15,6 @@ dockergroup: - name: docker - gid: 920 -{% if GLOBALS.os_family == 'Debian' %} -{% if grains.oscodename == 'bookworm' %} -dockerheldpackages: - pkg.installed: - - pkgs: - - containerd.io: 2.2.1-1~debian.12~bookworm - - docker-ce: 5:29.2.1-1~debian.12~bookworm - - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm - - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm - - hold: True - - update_holds: True -{% elif grains.oscodename == 'jammy' %} -dockerheldpackages: - pkg.installed: - - pkgs: - - containerd.io: 2.2.1-1~ubuntu.22.04~jammy - - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy - - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy - - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy - - hold: True - - update_holds: True -{% else %} -dockerheldpackages: - pkg.installed: - - pkgs: - - containerd.io: 1.7.21-1 - - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal - - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal - - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal - - hold: True - - update_holds: True -{% endif %} -{% else %} dockerheldpackages: pkg.installed: - pkgs: @@ -57,7 +24,6 @@ dockerheldpackages: - docker-ce-rootless-extras: 29.2.1-1.el9 - hold: True - update_holds: True -{% endif %} #disable docker from managing iptables iptables_disabled: diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index cf7ae01a6..8bf0c2af1 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -27,14 +27,12 @@ iptables_config: - source: salt://firewall/iptables.jinja - template: jinja -{% if grains.os_family == 'RedHat' %} disable_firewalld: service.dead: - name: firewalld - enable: False - require: - file: iptables_config -{% endif %} iptables_restore: cmd.run: @@ -44,7 +42,6 @@ iptables_restore: - onlyif: - iptables-restore --test {{ iptmap.configfile }} -{% if grains.os_family == 'RedHat' %} enable_firewalld: service.running: - name: firewalld 
@@ -52,7 +49,6 @@ enable_firewalld: - onfail: - file: iptables_config - cmd: iptables_restore -{% endif %} {% else %} diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja index 629c1bdd8..596a8af4e 100644 --- a/salt/firewall/ipt.map.jinja +++ b/salt/firewall/ipt.map.jinja @@ -1,14 +1,6 @@ -{% set iptmap = salt['grains.filter_by']({ - 'Debian': { - 'service': 'netfilter-persistent', - 'iptpkg': 'iptables', - 'persistpkg': 'iptables-persistent', - 'configfile': '/etc/iptables/rules.v4' - }, - 'RedHat': { - 'service': 'iptables', - 'iptpkg': 'iptables-nft', - 'persistpkg': 'iptables-nft-services', - 'configfile': '/etc/sysconfig/iptables' - }, -}) %} +{% set iptmap = { + 'service': 'iptables', + 'iptpkg': 'iptables-nft', + 'persistpkg': 'iptables-nft-services', + 'configfile': '/etc/sysconfig/iptables' +} %} diff --git a/salt/idh/openssh/config.sls b/salt/idh/openssh/config.sls index 5e2acd8d2..58fad40a2 100644 --- a/salt/idh/openssh/config.sls +++ b/salt/idh/openssh/config.sls @@ -3,7 +3,6 @@ include: - idh.openssh -{% if grains.os_family == 'RedHat' %} idh_sshd_selinux: selinux.port_policy_present: - port: {{ openssh_map.config.port }} @@ -13,7 +12,6 @@ idh_sshd_selinux: - file: openssh_config - require: - pkg: python_selinux_mgmt_tools -{% endif %} openssh_config: file.replace: diff --git a/salt/idh/openssh/init.sls b/salt/idh/openssh/init.sls index 79d082502..b530eb280 100644 --- a/salt/idh/openssh/init.sls +++ b/salt/idh/openssh/init.sls @@ -16,8 +16,6 @@ openssh: - name: {{ openssh_map.service }} {% endif %} -{% if grains.os_family == 'RedHat' %} python_selinux_mgmt_tools: pkg.installed: - name: policycoreutils-python-utils -{% endif %} diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 7148ea16e..2353bb64b 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
@@ -63,11 +63,9 @@ yara_log_dir: - user - group -{% if GLOBALS.os_family == 'RedHat' %} install_createrepo: pkg.installed: - name: createrepo_c -{% endif %} repo_conf_dir: file.directory: diff --git a/salt/ntp/init.sls b/salt/ntp/init.sls index 1fc523e94..e5f322a4e 100644 --- a/salt/ntp/init.sls +++ b/salt/ntp/init.sls @@ -2,7 +2,6 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'ntp/config.map.jinja' import NTPCONFIG %} chrony_pkg: @@ -17,11 +16,7 @@ chronyconf: - defaults: NTPCONFIG: {{ NTPCONFIG }} -{% if GLOBALS.os_family == 'RedHat' %} chronyd: -{% else %} -chrony: -{% endif %} service.running: - enable: True - watch: diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja index 2c040c3c5..21f52a5e7 100644 --- a/salt/repo/client/map.jinja +++ b/salt/repo/client/map.jinja 
@@ -1,43 +1,29 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - -{% if GLOBALS.os_family == 'RedHat' %} - {% set REPOPATH = '/etc/yum.repos.d/' %} -{% if GLOBALS.os == 'OEL' %} - {% set ABSENTFILES = [ - 'centos-addons.repo', - 'centos-devel.repo', - 'centos-extras.repo', - 'centos.repo', - 'docker-ce.repo', - 'epel.repo', - 'epel-testing.repo', - 'saltstack.repo', - 'salt-latest.repo', - 'wazuh.repo' - 'Rocky-Base.repo', - 'Rocky-CR.repo', - 'Rocky-Debuginfo.repo', - 'Rocky-fasttrack.repo', - 'Rocky-Media.repo', - 'Rocky-Sources.repo', - 'Rocky-Vault.repo', - 'Rocky-x86_64-kernel.repo', - 'rocky-addons.repo', - 'rocky-devel.repo', - 'rocky-extras.repo', - 'rocky.repo', - 'oracle-linux-ol9.repo', - 'uek-ol9.repo', - 'virt-ol9.repo' - ] - %} -{% else %} - {% set ABSENTFILES = [] %} -{% endif %} - -{% else %} - - {% set REPOPATH = '/etc/apt/sources.list.d/' %} - {% set ABSENTFILES = [] %} - -{% endif %} +{% set REPOPATH = '/etc/yum.repos.d/' %} +{% set ABSENTFILES = [ + 'centos-addons.repo', + 'centos-devel.repo', + 'centos-extras.repo', + 'centos.repo', + 'docker-ce.repo', + 'epel.repo', + 'epel-testing.repo', + 'saltstack.repo', + 'salt-latest.repo', + 'wazuh.repo' + 'Rocky-Base.repo', + 'Rocky-CR.repo', + 'Rocky-Debuginfo.repo', + 'Rocky-fasttrack.repo', + 'Rocky-Media.repo', + 'Rocky-Sources.repo', + 'Rocky-Vault.repo', + 'Rocky-x86_64-kernel.repo', + 'rocky-addons.repo', + 'rocky-devel.repo', + 'rocky-extras.repo', + 'rocky.repo', + 'oracle-linux-ol9.repo', + 'uek-ol9.repo', + 'virt-ol9.repo' + ] +%} diff --git a/salt/salt/init.sls b/salt/salt/init.sls index 724f79a95..cea67f46a 100644 --- a/salt/salt/init.sls +++ b/salt/salt/init.sls @@ -1,10 +1,3 @@ -{% if grains.oscodename == 'focal' %} -saltpymodules: - pkg.installed: - - pkgs: - - python3-docker -{% endif %} - # distribute to minions for salt upgrades salt_bootstrap: file.managed: diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 62b7f1b18..ee886fb51 100644 --- a/salt/salt/map.jinja 
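Review bot: In salt/repo/client/map.jinja, the `ABSENTFILES` list carried over to the new side is still missing the comma after `'wazuh.repo'`. Jinja joins adjacent string literals, so the list holds a single entry `'wazuh.repoRocky-Base.repo'` and neither `wazuh.repo` nor `Rocky-Base.repo` is named on its own. Assuming the consuming state (not visible here) makes each listed file absent under `/etc/yum.repos.d/`, those two repository definitions would be left in place on the minion. The fix is `'wazuh.repo',`.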
+++ b/salt/salt/map.jinja @@ -17,22 +17,12 @@ {% set SALTVERSION = saltminion.salt.minion.version | string %} {% set INSTALLEDSALTVERSION = grains.saltversion | string %} -{% if grains.os_family == 'Debian' %} - {% set SPLITCHAR = '+' %} - {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %} - {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %} -{% else %} - {% set SPLITCHAR = '-' %} - {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %} - {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} -{% endif %} +{% set SPLITCHAR = '-' %} +{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %} +{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} {% if INSTALLEDSALTVERSION != SALTVERSION %} - {% if grains.os_family|lower == 'redhat' %} - {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %} - {% elif grains.os_family|lower == 'debian' %} - {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %} - {% endif %} + {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %} {% else %} {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %} {% endif %} diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls index 2809bd8b1..2eaee7b53 100644 --- a/salt/strelka/filestream/config.sls +++ b/salt/strelka/filestream/config.sls @@ -47,12 +47,6 @@ filestream_config: FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }} # Filecheck Section -{% if GLOBALS.os_family == 'Debian' %} -install_watchdog: - pkg.installed: - - name: python3-watchdog - -{% elif GLOBALS.os_family == 'RedHat' %} remove_old_watchdog: pkg.removed: - name: python3-watchdog 
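Review bot: In salt/salt/map.jinja, `UPGRADECOMMAND` appends `SALTVERSION` unquoted to a shell string, and the `;` lets `bootstrap-salt.sh` run even when `yum clean all` fails. `SALTVERSION` is taken from `saltminion.salt.minion.version`; how the command is executed is outside this hunk, but if it reaches a shell, a value containing whitespace or shell metacharacters would change what runs. Consider checking that `SALTVERSION` looks like a plain version string before concatenating it, and record the constraint with a comment such as `{# SALTVERSION is interpolated into a shell command; it must be a plain version string #}`. If the cache clean is meant to be a prerequisite, `&&` in place of `;` would express that.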
@@ -60,7 +54,6 @@ remove_old_watchdog: install_watchdog: pkg.installed: - name: securityonion-python39-watchdog -{% endif %} filecheck_logdir: file.directory: diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls index a310356b4..e2ee77347 100644 --- a/salt/versionlock/init.sls +++ b/salt/versionlock/init.sls @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{% if grains.os_family == 'Debian' or (grains.os_family == 'RedHat' and salt['pkg.version']('python3-dnf-plugin-versionlock') != "") %} +{% if salt['pkg.version']('python3-dnf-plugin-versionlock') != "" %} {% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %} {% for pkg in VERSIONLOCKMERGED.hold %} {{pkg}}_held: diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja index 1477657bc..75d8a1b97 100644 --- a/salt/versionlock/map.jinja +++ b/salt/versionlock/map.jinja @@ -6,11 +6,7 @@ {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %} {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %} -{% if grains.os_family == 'RedHat' %} -{% set HELD = salt['pkg.list_holds']() %} -{% else %} -{% set HELD = salt['pkg.get_selections'](state='hold')['hold'] %} -{% endif %} +{% set HELD = salt['pkg.list_holds']() %} {# these are packages held / versionlock in other states #} {% set PACKAGES_HELD_IN_OTHER_STATES = [
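Review bot: In salt/versionlock/init.sls, the holds are now gated only on `salt['pkg.version']('python3-dnf-plugin-versionlock') != ""`, and that lookup is evaluated when the template is rendered. On a minion where the plugin is missing, or is installed later in the same run, the `{% for pkg in VERSIONLOCKMERGED.hold %}` loop is skipped. The closing `{% endif %}` and any `{% else %}` branch are outside this hunk; if there is no else branch, the state renders empty and the run succeeds with no packages held. Consider making the plugin an explicit prerequisite, or at least documenting the behaviour above the condition, for example `{# holds are applied only if the versionlock plugin is already installed at render time #}`.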