From af6403f8746180fdd3c94e1223dff3760a4acadd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 6 Apr 2021 15:45:05 -0400 Subject: [PATCH 1/2] soup salt and repos ohh my --- salt/common/init.sls | 6 ++++ salt/common/tools/sbin/soup | 28 +++++++++++++++++-- salt/common/yum_repos/securityonion.repo | 14 +++++----- salt/common/yum_repos/securityonioncache.repo | 4 +-- 4 files changed, 41 insertions(+), 11 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 0ada77e1a..adf34a43a 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -74,6 +74,12 @@ repair_yumdb: - onlyif: - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' +crsynckeys: + file.recurse: + - name: /etc/pki/rpm_gpg + - source: salt://common/keys/ + + crbase: file.absent: - name: /etc/yum.repos.d/CentOS-Base.repo diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cb2d19aed..a24af62f9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -409,6 +409,30 @@ up_2.3.2X_to_2.3.30() { sed -i "/^strelka:/a \\ repos: \n - https://github.com/Neo23x0/signature-base" /opt/so/saltstack/local/pillar/global.sls; fi check_log_size_limit + INSTALLEDVERSION=2.3.30 +} + +up_2.3.3X_to_2.3.50() { + if [[ $OS == 'centos' ]]; then + # Import GPG Keys + gpg_rpm_import + + if [[ ! $is_airgap ]]; then + + DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') + + for DELREPO in "${DELREPOS[@]}"; + rm /etc/yum.repos.d/$DELREPO + done + + # Copy the new repo file if not airgap + cp $UPDATE_DIR/salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + yum clean all + yum repolist + fi + fi + INSTALLEDVERSION=2.3.50 + } verify_upgradespace() { @@ -503,7 +527,7 @@ upgrade_salt() { echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." echo "" # If CentOS - if [ "$OS" == "centos" ]; then + if [[ $OS == 'centos' ]]; then echo "Removing yum versionlock for Salt." echo "" yum versionlock delete "salt-*" @@ -518,7 +542,7 @@ upgrade_salt() { echo "" yum versionlock add "salt-*" # Else do Ubuntu things - elif [ "$OS" == "ubuntu" ]; then + elif [[ $OS == 'ubuntu' ]]; then echo "Removing apt hold for Salt." echo "" apt-mark unhold "salt-common" diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index e61829380..0cd96bd91 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo @@ -31,25 +31,25 @@ name=Extra Packages for Enterprise Linux 7 - $basearch baseurl=https://repo.securityonion.net/file/securityonion-repo/epel/ enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/RPM-GPG-KEY-EPEL-7 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 [docker-ce-stable] name=Docker CE Stable - $basearch baseurl=https://repo.securityonion.net/file/securityonion-repo/docker-ce-stable enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub +gpgkey=file:///etc/pki/rpm-gpg/docker.pub -[saltstack] +[saltstack3003] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub [wazuh_repo] gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/ @@ -57,7 +57,7 @@ protect=1 [wazuh4_repo] gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/ diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index 6d5058337..bc0454ae7 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo @@ -40,9 +40,9 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub -[saltstack] +[saltstack3003] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub From 92768ecd08e51d006064faf0beaf5081c3c0ad74 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 6 Apr 2021 15:47:50 -0400 Subject: [PATCH 2/2] Add upgrade function --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a24af62f9..6578432fa 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -239,6 +239,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0 [[ "$INSTALLEDVERSION" == 2.3.0 || "$INSTALLEDVERSION" == 2.3.1 || "$INSTALLEDVERSION" == 2.3.2 || "$INSTALLEDVERSION" == 2.3.10 ]] && up_2.3.0_to_2.3.20 [[ "$INSTALLEDVERSION" == 2.3.20 || "$INSTALLEDVERSION" == 2.3.21 ]] && up_2.3.2X_to_2.3.30 + [[ "$INSTALLEDVERSION" == 2.3.30 ]] && up_2.3.3X_to_2.3.50 } postupgrade_changes() {