diff --git a/salt/common/tools/sbin/so-elastic-auth b/salt/common/tools/sbin/so-elastic-auth index 6631badf2..6157cb4b4 100755 --- a/salt/common/tools/sbin/so-elastic-auth +++ b/salt/common/tools/sbin/so-elastic-auth @@ -22,7 +22,7 @@ fi ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls} ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users} -authEnable=${1:-true} +authEnable=$1 if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then echo "Elastic auth pillar file is invalid. Unable to proceed." @@ -30,17 +30,18 @@ if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then fi function restart() { - so-elastic-stop - salt-call state.highstate queue=True + if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then + echo "Elasticsearch on all affected minions will now be stopped and then restarted..." + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' cmd.run so-elastic-stop queue=True + echo "Applying highstate to all affected minions..." + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.highstate queue=True + fi } if [[ "$authEnable" == "true" ]]; then if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR" - if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then - echo "Applying highstate - this may take a few minutes..." - restart - fi + restart echo "Elastic auth is now enabled." if grep -q "argon" "$ES_USERS_FILE"; then echo "" 
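Review bot: In `restart()` in so-elastic-auth, neither `salt -C ... cmd.run so-elastic-stop` nor `salt -C ... state.highstate` has its result checked, so the callers print "Elastic auth is now enabled." (and "Elastic auth is now disabled." in the `@@ -53,10 +54,7` hunk) even when a minion was unreachable or its highstate failed. For an authentication toggle this can leave an operator believing every node enforces the new setting when some do not; the same success line is also printed when `ELASTIC_AUTH_SKIP_HIGHSTATE` is set and nothing was applied. I would have `restart` propagate failure, e.g. `salt -C "$ES_TARGET" state.highstate queue=True || return 1` (`ES_TARGET` being a suggested variable holding the compound match, which is currently duplicated verbatim), and print the success line only when `restart` succeeds. Whether the `salt` exit code reflects per-minion failures depends on how it is invoked, so the returned data may need checking as well. The match is on `role` grains, which are reported by the minions themselves, so a comment recording that assumption would be worth adding.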
@@ -53,10 +54,7 @@ if [[ "$authEnable" == "true" ]]; then elif [[ "$authEnable" == "false" ]]; then if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR" - if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then - echo "Applying highstate - this may take a few minutes..." - restart - fi + restart echo "Elastic auth is now disabled." else echo "Auth is already disabled." @@ -64,6 +62,6 @@ elif [[ "$authEnable" == "false" ]]; then else echo "Usage: $0 " echo "" - echo "Enables Elastic authentication. Defaults to true." + echo "Toggles Elastic authentication. Elasticsearch will be restarted on each affected minion." echo "" fi diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-view b/salt/common/tools/sbin/so-elasticsearch-pipeline-view index 9f799c07f..3239aec0a 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-view +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view @@ -21,5 +21,5 @@ if [ "$1" == "" ]; then {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq . + {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[] fi diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 32280f707..c1e25b208 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -884,7 +884,8 @@ main() { # Testing that salt-master is up by checking that is it connected to itself set +e - retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check $SOUP_LOG for details." + echo "Waiting on the Salt Master service to be ready." + salt-call state.show_top -l error queue=True || fail "salt-master could not be reached. Check $SOUP_LOG for details." set -e echo "" 
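Review bot: The changed `else` branch of so-elasticsearch-pipeline-view still expands `$1` unquoted inside the URL, so a pipeline name containing whitespace or glob characters is split or expanded by the shell before curl sees it; quoting the whole URL, `"https://{{ NODEIP }}:9200/_ingest/pipeline/$1"`, avoids that (the `pipeline/*` line in the other branch has the same glob exposure). The request also keeps `-k`, which turns off certificate verification on a call that presumably carries the Elastic credentials from `{{ ELASTICCURL }}`; if the CA certificate is available on the node, passing it with `--cacert` would be preferable. A short comment noting that `jq .[]` drops the top-level pipeline-name key would explain why the two branches use different filters.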
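Review bot: In soup's `main()` (`@@ -884,7 +884,8`) the `retry 50 10` wrapper is replaced by a single `salt-call state.show_top -l error queue=True`, yet the new message says "Waiting on the Salt Master service to be ready." and nothing visible here waits or retries, so a master that is not yet accepting connections sends the first failure straight to `fail`. `queue=True` queues behind a running state job; whether anything also covers a master that is still starting is not shown in the hunk, so this may rely on salt-call's own connection retry settings. Either keep a bounded retry, e.g. `retry 50 10 "salt-call state.show_top -l error queue=True" || fail ...`, or add a comment stating what provides the wait. The same replacement appears in the `@@ -918,9 +921,9` hunk, where the explanatory comment was removed as well. `main()` starts and ends outside the hunk.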
@@ -904,7 +905,9 @@ main() { echo "" echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes." + set +e salt-call state.highstate -l info queue=True + set -e echo "" echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." @@ -918,9 +921,9 @@ main() { echo "Starting Salt Master service." systemctl start salt-master - # Testing that salt-master is up by checking that is it connected to itself set +e - retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check $SOUP_LOG for details." + echo "Waiting on the Salt Master service to be ready." + salt-call state.show_top -l error queue=True || fail "salt-master could not be reached. Check $SOUP_LOG for details." set -e echo "Running a highstate. This could take several minutes." @@ -929,7 +932,8 @@ main() { [[ $is_airgap -eq 0 ]] && unmount_update thehive_maint - if [[ $UPGRADESALT -eq 1 ]]; then + NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) + if [[ $UPGRADESALT -eq 1 ]] && [[ $NUM_MINIONS -gt 1 ]]; then if [[ $is_airgap -eq 0 ]]; then echo "" echo "Cleaning repos on remote Security Onion nodes." @@ -956,8 +960,6 @@ main() { esac fi - NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) - if [[ $NUM_MINIONS -gt 1 ]]; then cat << EOF @@ -995,4 +997,4 @@ EOF read -r input main "$@" | tee -a $SOUP_LOG - \ No newline at end of file + diff --git a/salt/registry/init.sls b/salt/registry/init.sls index b59465fb7..eb0c2df0c 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -43,7 +43,7 @@ so-dockerregistry: - /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro - - timeout: 180 + - client_timeout: 180 - retry: attempts: 5 interval: 30 diff --git a/setup/so-setup b/setup/so-setup index 34802fef9..68490657f 100755 --- a/setup/so-setup +++ b/setup/so-setup 
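Review bot: In the `@@ -904,7 +905,9` hunk of soup, wrapping `salt-call state.highstate -l info queue=True` in `set +e` / `set -e` discards its exit status, and the following lines print "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." whether or not the highstate applied. On a manager this can report an upgrade as finished while whatever the highstate manages is still in its pre-upgrade state. Keeping the non-fatal behaviour but recording the result would be enough: `salt-call state.highstate -l info queue=True || echo "WARNING: highstate returned non-zero; check $SOUP_LOG before relying on this upgrade."`. A one-line comment saying why failure is tolerated here would also help the next reader.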
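Review bot: `NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)` in the `@@ -929,7 +932,8` hunk counts minions by parsing `ls`, and that count now gates the remote Salt upgrade steps as well as the later multi-minion message. If the glob matches nothing, `ls` writes an error to stderr and the count is 0; a form that does not depend on `ls` output is sturdier, for instance `NUM_MINIONS=$(find /opt/so/saltstack/local/pillar/minions -maxdepth 1 -name '*_*.sls' | wc -l)`. The two tests can also be folded into one conditional, `if [[ $UPGRADESALT -eq 1 && $NUM_MINIONS -gt 1 ]]; then`.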
@@ -753,7 +753,7 @@ echo "1" > /root/accept_changes salt-call state.apply -l info manager >> $setup_log 2>&1 echo "Executing so-elastic-auth..." >> $setup_log 2>&1 - ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth >> $setup_log 2>&1 + ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1 echo "Finished so-elastic-auth..." >> $setup_log 2>&1 fi
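Review bot: The so-setup call to so-elastic-auth now passes `true`, but its exit status is still ignored and "Finished so-elastic-auth..." is logged either way. so-elastic-auth apparently stops early in some cases (its "Elastic auth pillar file is invalid. Unable to proceed." branch is visible earlier in this diff), in which case setup would continue with Elastic authentication left disabled and only a log line to show it. Checking the result, e.g. appending `|| echo "so-elastic-auth failed; Elastic auth may not be enabled" >> "$setup_log" 2>&1` or failing setup at that point, makes this visible; `$setup_log` should also be quoted in the redirections. The surrounding `if` block starts outside the hunk.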