rework of os patch scheduling, added the abilty to enable/disable and adjust splay - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/84

2026-01-15 20:51:28 +01:00 · 2019-11-07 09:49:36 -05:00
parent fa87308bac
commit 9914e55ec3
7 changed files with 188 additions and 74 deletions
--- a/salt/patch/os/init.sls
+++ b/salt/patch/os/init.sls
--- a/salt/patch/os/schedule.sls
+++ b/salt/patch/os/schedule.sls
@@ -0,0 +1,76 @@
+{% if salt['pillar.get']('patch:os:schedule_name') %}
+  {% set patch_os_pillar = salt['pillar.get']('patch:os') %}
+  {% set schedule_name = patch_os_pillar.schedule_name %}
+  {% set splay = patch_os_pillar.get('splay', 300) %}
+
+  {% if schedule_name != 'manual' and schedule_name != 'auto' %}
+    {% import_yaml "patch/os/schedules/"~schedule_name~".yml" as os_schedule %}
+
+    {% if patch_os_pillar.enabled %}
+
+patch_os_schedule:
+  schedule.present:
+    - function: state.sls
+    - job_args:
+      - patch.os
+    - when:
+      {% for days in os_schedule.patch.os.schedule %}
+        {% for day, times in days.iteritems() %}
+          {% for time in times %}
+        - {{day}} {{time}}
+          {% endfor %}
+        {% endfor %}
+      {% endfor %}
+    - splay: {{splay}}
+    - return_job: True
+
+    {% else %}
+
+disable_patch_os_schedule:
+  schedule.disabled:
+    - name: patch_os_schedule
+
+    {% endif %}
+
+
+  {% elif schedule_name == 'auto' %}
+
+    {% if patch_os_pillar.enabled %}
+
+patch_os_schedule:
+  schedule.present:
+    - function: state.sls
+    - job_args:
+      - patch.os
+    - minutes: 1
+    - splay: {{splay}}
+    - return_job: True
+
+    {% else %}
+
+disable_patch_os_schedule:
+  schedule.disabled:
+    - name: patch_os_schedule
+
+    {% endif %}
+
+  {% elif schedule_name == 'manual' %}
+
+remove_patch_os_schedule:
+  schedule.absent:
+    - name: patch_os_schedule
+
+  {% endif %}
+
+{% else %}
+
+no_os_patch_schedule_name_set:
+  test.fail_without_changes:
+    - name: "Set a pillar value for patch:os:schedule_name in this minion's .sls file. If an OS patch schedule is not listed as enabled in show_schedule output below, then OS patches will need to be applied manually until this is corrected."
+
+show_schedule:
+  module.run:
+    - name: schedule.is_enabled
+    - m_name: patch_os_schedule
+
+{% endif %}
--- a/salt/patch/os/schedules/example_schedule.yml
+++ b/salt/patch/os/schedules/example_schedule.yml
@@ -0,0 +1,10 @@
+patch:
+  os:
+    schedule:
+      - Tuesday:
+        - '15:00'
+      - Thursday:
+        - '03:00'
+      - Saturday:
+        - '01:00'
+        - '15:00'
--- a/salt/patch/schedule/os.sls
+++ b/salt/patch/schedule/os.sls
@@ -1,32 +0,0 @@
-{% if salt['pillar.get']('patch:os:schedule') != 'manual' and salt['pillar.get']('patch:os:schedule') != 'auto' %}
-
-patch_os_schedule:
-  schedule.present:
-    - function: state.sls
-    - job_args:
-      - patch.os
-    - when:
-  {% for days in pillar['patch']['os']['schedule'] %}
-    {% for day, times in days.iteritems() %}
-      {% for time in times %}
-        - {{day}} {{time}}
-      {% endfor %}
-    {% endfor %}
-  {% endfor %}
-    - splay:
-        start: 30
-        end: 120
-
-{% elif salt['pillar.get']('patch:os:schedule') == 'auto' %}
-
-patch_os_schedule:
-  schedule.present:
-    - function: state.sls
-    - job_args:
-      - patch.os
-    - minutes: 20
-    - splay:
-        start: 150
-        end: 300
-
-{% endif %}