CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-08 12:27:52 +02:00
Code Issues Packages Projects Releases Wiki Activity

postsalt: enable PG-canonical pillar mode by default during so-setup

Browse Source 
Drops a local pillar override (postgres.so_pillar.enabled = True) right
after secrets_pillar so the install-time highstate brings up
schema_pillar, ext_pillar_postgres, and the pg_notify_pillar engine
without operator intervention. Without this the whole PG-canonical
stack stays gated off on the default-False flag and the install lands
in legacy disk-pillar mode — which defeats the point of being on the
postsalt branch at all.

The new enable_so_pillar_postgres() function in so-functions is
idempotent (overwrites adv_postgres.sls with a fixed body) and the
generated file is mode 0644 socore:socore so it merges into pillar
under the existing local-pillar directory ownership convention.

Rollback path: edit /opt/so/saltstack/local/pillar/postgres/adv_postgres.sls
to set enabled: False, or delete the file. The schema and engine
config states will tear themselves down on the next highstate via
their existing else-branch absent states.
This commit is contained in:
Mike Reeves
2026-05-04 19:56:14 -04:00
parent 92a7bb3053
commit 7b9ab2d9d1
2 changed files with 26 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
setup/so-functions
+22
View File
@@ -1916,6 +1916,28 @@ secrets_pillar(){
fi
}
# postsalt: flip postgres:so_pillar:enabled to True in the local pillar so
# the schema_pillar / ext_pillar_postgres / pg_notify_pillar engine states
# all activate during the install highstate. Without this the entire
# PG-canonical pillar stack short-circuits on its default-False gate and
# the install ends in legacy disk-pillar mode — defeating the point of
# being on postsalt at all. The companion enabled=False rollback just
# rewrites this file or removes the flag.
enable_so_pillar_postgres() {
local pillar_dir=/opt/so/saltstack/local/pillar/postgres
mkdir -p "$pillar_dir"
cat > "$pillar_dir/adv_postgres.sls" <<'EOPILLAR'
# postsalt: enable PG-canonical pillar mode. Generated by setup/so-functions
# during install. Flip to False here (or delete this file) to roll back to
# disk-pillar mode without wiping the so_pillar.* schema in so-postgres.
postgres:
so_pillar:
enabled: True
EOPILLAR
chown -R socore:socore "$pillar_dir"
chmod 0644 "$pillar_dir/adv_postgres.sls"
}
set_network_dev_status_list() {
readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)"
export nmcli_dev_status_list
setup/so-setup
+4
View File
@@ -676,6 +676,10 @@ if ! [[ -f $install_opt_file ]]; then
info "Populating the secrets pillar"
# Create the secrets pillar
secrets_pillar
info "Enabling postsalt PG-canonical pillar mode"
# Flip postgres:so_pillar:enabled so schema_pillar / ext_pillar_postgres /
# pg_notify_pillar engine states deploy as part of the install highstate.
enable_so_pillar_postgres
info "Add socore user"
# Add the socore user
add_socore_user_manager