CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

cloud-init needs to import repo gpg keys so packags can install

Browse Source
This commit is contained in:
m0duspwnens
2025-01-17 23:16:18 -05:00
parent c13c85bd2d
commit 7c50a5e17b
1 changed files with 45 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
salt/_runners/setup_hypervisor.py
View File

@@ -46,6 +46,7 @@ CLI Examples:
salt-run setup_hypervisor.create_vm myvm3 300G salt-run setup_hypervisor.create_vm myvm3 300G
""" """
import base64
import hashlib import hashlib
import logging import logging
import os import os
@@ -71,6 +72,16 @@ formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(messag
stream_handler.setFormatter(formatter) stream_handler.setFormatter(formatter)
log.addHandler(stream_handler) log.addHandler(stream_handler)
def _read_and_encode_key(key_path: str) -> str:
"""Read a key file and return its base64 encoded content."""
try:
with salt.utils.files.fopen(key_path, 'rb') as f:
content = f.read()
return base64.b64encode(content).decode('utf-8')
except Exception as e:
log.error("Error reading key file %s: %s", key_path, str(e))
raise
def _check_license(): def _check_license():
"""Check if the license file exists and contains required values.""" """Check if the license file exists and contains required values."""
license_path = '/opt/so/saltstack/local/pillar/soc/license.sls' license_path = '/opt/so/saltstack/local/pillar/soc/license.sls'
@@ -463,6 +474,14 @@ def create_vm(vm_name: str, disk_size: str = '6G'):
# Get hostname for repo configuration # Get hostname for repo configuration
manager_hostname = socket.gethostname() manager_hostname = socket.gethostname()
# Read and encode GPG keys
keys_dir = '/opt/so/saltstack/default/salt/repo/client/files/oracle/keys'
oracle_key = _read_and_encode_key(os.path.join(keys_dir, 'RPM-GPG-KEY-oracle'))
epel_key = _read_and_encode_key(os.path.join(keys_dir, 'RPM-GPG-KEY-EPEL-9'))
salt_key = _read_and_encode_key(os.path.join(keys_dir, 'SALT-PROJECT-GPG-PUBKEY-2023.pub'))
docker_key = _read_and_encode_key(os.path.join(keys_dir, 'docker.pub'))
securityonion_key = _read_and_encode_key(os.path.join(keys_dir, 'securityonion.pub'))
# Create meta-data # Create meta-data
meta_data = f"""instance-id: {vm_name} meta_data = f"""instance-id: {vm_name}
local-hostname: {vm_name} local-hostname: {vm_name}
@@ -508,9 +527,34 @@ write_files:
enabled=1 enabled=1
gpgcheck=1 gpgcheck=1
sslverify=0 sslverify=0
- path: /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
encoding: b64
content: |
{oracle_key}
- path: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
encoding: b64
content: |
{epel_key}
- path: /etc/pki/rpm-gpg/SALT-PROJECT-GPG-PUBKEY-2023.pub
encoding: b64
content: |
{salt_key}
- path: /etc/pki/rpm-gpg/docker.pub
encoding: b64
content: |
{docker_key}
- path: /etc/pki/rpm-gpg/securityonion.pub
encoding: b64
content: |
{securityonion_key}
runcmd: runcmd:
# Remove all repo files except securityonion.repo # Import GPG keys and remove repo files except securityonion.repo
- rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
- rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
- rpm --import /etc/pki/rpm-gpg/SALT-PROJECT-GPG-PUBKEY-2023.pub
- rpm --import /etc/pki/rpm-gpg/docker.pub
- rpm --import /etc/pki/rpm-gpg/securityonion.pub
- for f in /etc/yum.repos.d/*.repo; do if [ "$(basename $f)" != "securityonion.repo" ]; then rm -f "$f"; fi; done - for f in /etc/yum.repos.d/*.repo; do if [ "$(basename $f)" != "securityonion.repo" ]; then rm -f "$f"; fi; done
- systemctl enable --now serial-getty@ttyS0.service - systemctl enable --now serial-getty@ttyS0.service
- systemctl enable --now NetworkManager - systemctl enable --now NetworkManager