From 7ca23132554557daf79bbf1ec47ad4a949e3c870 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 3 Jun 2026 09:05:23 -0400
Subject: [PATCH 1/5] move to securityonion db
---
 salt/manager/tools/sbin/soup | 24 ------------------------
 salt/postgres/files/init-db.sh | 7 +------
 salt/soc/defaults.yaml | 5 +++--
 salt/soc/merged.map.jinja | 3 ++-
 salt/soc/soc_soc.yaml | 14 +++++++++++++-
 5 files changed, 19 insertions(+), 34 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 135c51276..cd5f47e35 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -746,35 +746,11 @@ post_to_3.1.0() {
 ### 3.2.0 Scripts ###
-bootstrap_so_soc_database() {
- # init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh
- # and runs automatically only on a fresh data directory. Hosts upgrading from
- # 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block
- # added in 3.2 never fires. Re-run the script explicitly; it's idempotent.
- echo "Bootstrapping so_soc database via init-db.sh."
- # The postgres image has no USER directive, so `docker exec` defaults to
- # root, and the container env intentionally omits POSTGRES_USER (the upstream
- # entrypoint defaults it transiently during first-init only). Recreate both
- # so psql inside init-db.sh resolves the connect user correctly.
- local exec_cmd="docker exec -u postgres -e POSTGRES_USER=postgres so-postgres bash /docker-entrypoint-initdb.d/init-db.sh"
- if ! /usr/sbin/so-postgres-wait; then
- FINAL_MESSAGE_QUEUE+=("WARNING: so-postgres was not ready during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
- return 0
- fi
- if ! $exec_cmd; then
- FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
- return 0
- fi
- echo "so_soc bootstrap complete."
-}
-
 up_to_3.2.0() {
 INSTALLEDVERSION=3.2.0
 }
 post_to_3.2.0() {
- bootstrap_so_soc_database
-
 POSTVERSION=3.2.0
 }
diff --git a/salt/postgres/files/init-db.sh b/salt/postgres/files/init-db.sh
index 03e6d08dd..2187585da 100644
--- a/salt/postgres/files/init-db.sh
+++ b/salt/postgres/files/init-db.sh
@@ -31,9 +31,4 @@ EOSQL
 # only ensures the shared database exists on first initialization.
 if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_telegraf'" | grep -q 1; then
 psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_telegraf"
-fi
-
-# Bootstrap the SOC database.
-if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_soc'" | grep -q 1; then
- psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_soc"
-fi
+fi
\ No newline at end of file
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 62b451bec..05cad494e 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1523,8 +1523,9 @@ soc:
 saltstackDir: /opt/so/saltstack
 bypassEnabled: false
 postgres:
- host:
- password:
+ database: securityonion
+ host: ""
+ password: ""
 salt:
 queueDir: /opt/sensoroni/queue
 timeoutMs: 45000
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja
index b34efb11d..cfc0fafbd 100644
--- a/salt/soc/merged.map.jinja
+++ b/salt/soc/merged.map.jinja
@@ -20,7 +20,8 @@
 {% do SOCMERGED.config.server.modules.postgres.update({'host': GLOBALS.manager}) %}
 {% endif %}
 {% if not SOCMERGED.config.server.modules.postgres.password %}
-{% do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('secrets:postgres_pass', '')}) %}
+{% do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', '')}) %}
+{% do SOCMERGED.config.server.modules.postgres.update({'user': salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres')}) %}
 {% endif %}
 {# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index 3cb244eed..ad34c3bbf 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
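Review bot: The `user` lookup on the second added line sits inside the existing `{% if not ...postgres.password %}` guard, so an operator who overrides the SOC postgres password in the soc pillar gets no `user` set at all (this commit adds no `user` default to defaults.yaml) and SOC connects as whatever its own fallback is rather than `so_postgres`. Give it an independent guard: wrap the `update({'user': ...})` line in `{% if not SOCMERGED.config.server.modules.postgres.user %}` / `{% endif %}` outside the password branch. Moving SOC off the `postgres` superuser credential from `secrets:postgres_pass` onto a dedicated `so_postgres` role is the right least-privilege change; note, though, that the `''` fallback means a missing `postgres:auth:users:so_postgres_user:pass` pillar key renders an empty password rather than a visible error, so surfacing that case explicitly (Salt's jinja `raise` helper, if available in this codebase) would be better than a silent empty credential.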
@@ -468,8 +468,20 @@ soc:
 description: Hostname or IP address of the PostgreSQL server used by SOC. Defaults to the manager hostname.
 global: True
 advanced: True
+ port:
+ description: Port of the PostgreSQL server used by SOC.
+ global: True
+ advanced: True
+ user:
+ description: Username used by SOC to authenticate to the PostgreSQL server.
+ global: True
+ advanced: True
+ database:
+ description: Database used by SOC to authenticate to the PostgreSQL server.
+ global: True
+ advanced: True
 password:
- description: Password used by SOC to authenticate to the PostgreSQL server. Defaults to the postgres superuser password seeded in the secrets pillar.
+ description: Password used by SOC to authenticate to the PostgreSQL server.
 global: True
 sensitive: True
 advanced: True
From 61e72c89e422754978c7abf1b8fbdf68fcd5ef76 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 3 Jun 2026 09:49:53 -0400
Subject: [PATCH 2/5] postgres updates
---
 salt/postgres/files/init-db.sh | 1 +
 salt/soc/defaults.yaml | 5 ++++-
 salt/soc/soc_soc.yaml | 8 ++++++--
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/salt/postgres/files/init-db.sh b/salt/postgres/files/init-db.sh
index 2187585da..d12bc4c9b 100644
--- a/salt/postgres/files/init-db.sh
+++ b/salt/postgres/files/init-db.sh
@@ -17,6 +17,7 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
 END IF;
 END \$\$;
+ GRANT ALL ON SCHEMA public TO "$SO_POSTGRES_USER";
 GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$SO_POSTGRES_USER";
 -- Lock the SOC database down at the connect layer; PUBLIC gets CONNECT
 -- by default, which would let per-minion telegraf roles open sessions
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 05cad494e..c9399eab4 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
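Review bot: The new `database` entry's description, "Database used by SOC to authenticate to the PostgreSQL server", is wrong on the mechanism: the database name selects what the session is opened against and is not an authentication input, and the wording reads as copied from the `user`/`password` entries. Suggest `description: Name of the PostgreSQL database SOC connects to. Defaults to securityonion.`, matching the `database: securityonion` default this commit adds to defaults.yaml. `port` is documented here but this commit adds no `port` default under `postgres:` in defaults.yaml, so until one exists the UI advertises a setting that renders unset; once it does, state the default in the description the way the `host` entry does.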
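Review bot: The added `GRANT ALL ON SCHEMA public TO "$SO_POSTGRES_USER";` splices a shell variable into the SQL heredoc, and that heredoc runs with `ON_ERROR_STOP=1`; if `SO_POSTGRES_USER` is empty or unset the statement becomes `TO "";`, psql stops at that point, and the `GRANT ... ON DATABASE` and the connect-layer lockdown the following comment describes never execute, with no message naming the cause. Guard the inputs before the `psql` that opens the heredoc (which begins above this hunk): `: "${SO_POSTGRES_USER:?SO_POSTGRES_USER must be set}"` and `: "${POSTGRES_DB:?POSTGRES_DB must be set}"`. This matters for the upgrade path later in this series, where soup re-runs the script through `docker exec` and injects only `POSTGRES_USER`; whether `POSTGRES_DB` and `SO_POSTGRES_USER` are part of the so-postgres container environment is not visible here. `ALL` on a schema is `USAGE, CREATE`, presumably needed because PostgreSQL 15+ no longer grants `CREATE` on `public` to every role; a trailing `-- PG15+: CREATE on public is no longer implicit; SOC role must create its own tables` would stop a later reader from narrowing it to `USAGE`.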
@@ -1523,8 +1523,11 @@ soc:
 saltstackDir: /opt/so/saltstack
 bypassEnabled: false
 postgres:
- database: securityonion
 host: ""
+ port: 5432
+ sslMode: "allow"
+ database: securityonion
+ user: ""
 password: ""
 salt:
 queueDir: /opt/sensoroni/queue
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index ad34c3bbf..b2ac6d175 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -472,14 +472,18 @@ soc:
 description: Port of the PostgreSQL server used by SOC.
 global: True
 advanced: True
- user:
- description: Username used by SOC to authenticate to the PostgreSQL server.
+ sslMode:
+ description: "Use encrypted connections to the PostgreSQL server. Must be one of the following values: disable, allow, prefer, require, verify-ca, verify-full. Defaults to allow."
 global: True
 advanced: True
 database:
 description: Database used by SOC to authenticate to the PostgreSQL server.
 global: True
 advanced: True
+ user:
+ description: Username used by SOC to authenticate to the PostgreSQL server.
+ global: True
+ advanced: True
 password:
 description: Password used by SOC to authenticate to the PostgreSQL server.
 global: True
From a767c79641a62b38c995d2e8ece2d62baf1d0b38 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 3 Jun 2026 10:39:37 -0400
Subject: [PATCH 3/5] restore soup db init
---
 salt/manager/tools/sbin/soup | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 82fb19434..d50187c9c 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
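Review bot: `sslMode: "allow"` as the shipped default means the SOC client tries a plaintext session first and only retries with TLS if the server rejects it, and `allow`, `prefer` and `require` all skip server certificate verification, so the `so_postgres` password and every query can leave the SOC process unencrypted and a downgrade is indistinguishable from normal operation. If so-postgres is served with TLS (not visible in this diff), the default should be `require` — `verify-full` where SOC can be pointed at the manager CA — with `allow`/`disable` left as explicit operator overrides. If it is not, record the reason beside the value so the weakness is a documented decision rather than an accident: `sslMode: "allow" # so-postgres has no TLS endpoint yet and is local to the manager; tighten if the DB moves off-host`. `user: ""` is the only place the SOC user defaults, so it is worth confirming that merged.map.jinja fills it on every render path and not only when `password` is empty.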
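Review bot: The `sslMode` description, "Use encrypted connections to the PostgreSQL server", promises more than the `allow` default delivers: `allow` falls back to plaintext and none of `allow`, `prefer` or `require` verify the server, so an operator reading this entry would believe the connection is encrypted and authenticated when neither is guaranteed. Suggested wording: `description: "TLS mode for the SOC to PostgreSQL connection (values follow libpq sslmode). disable/allow/prefer may use plaintext; require encrypts without verifying the server; verify-ca and verify-full also verify the server certificate. Defaults to allow."`. The `database` entry in this hunk's context still says the database is used "to authenticate", which it is not; `Name of the PostgreSQL database SOC connects to. Defaults to securityonion.` is accurate.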
@@ -739,6 +739,28 @@ post_to_3.1.0() {
 ### 3.2.0 Scripts ###
+bootstrap_so_soc_database() {
+ # init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh
+ # and runs automatically only on a fresh data directory. Hosts upgrading from
+ # 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block
+ # added in 3.2 never fires. Re-run the script explicitly; it's idempotent.
+ echo "Bootstrapping so_soc database via init-db.sh."
+ # The postgres image has no USER directive, so `docker exec` defaults to
+ # root, and the container env intentionally omits POSTGRES_USER (the upstream
+ # entrypoint defaults it transiently during first-init only). Recreate both
+ # so psql inside init-db.sh resolves the connect user correctly.
+ local exec_cmd="docker exec -u postgres -e POSTGRES_USER=postgres so-postgres bash /docker-entrypoint-initdb.d/init-db.sh"
+ if ! /usr/sbin/so-postgres-wait; then
+ FINAL_MESSAGE_QUEUE+=("WARNING: so-postgres was not ready during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
+ return 0
+ fi
+ if ! $exec_cmd; then
+ FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
+ return 0
+ fi
+ echo "so_soc bootstrap complete."
+}
+
 up_to_3.2.0() {
 fix_logstash_0013_lumberjack_pipeline_name
@@ -746,6 +768,8 @@ up_to_3.2.0() {
 }
 post_to_3.2.0() {
+ bootstrap_so_soc_database
+
 # Including agent regen script here since it was missed in post_to_3.1.0
 echo "Regenerating Elastic Agent Installers"
 /sbin/so-elastic-agent-gen-installers
From 1d3d98f759132e59679bfb25980ce36c625c8007 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 3 Jun 2026 12:24:41 -0400
Subject: [PATCH 4/5] kilo
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 944880fa1..03e153fda 100644
--- a/VERSION
+++ b/VERSION
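Review bot: The restored function's comments and messages still describe a `so_soc` database ("the so_soc bootstrap block added in 3.2 never fires", "Bootstrapping so_soc database", both WARNING strings), but the first commit in this series deleted the `CREATE DATABASE so_soc` block from init-db.sh and SOC now targets the `securityonion` database named by `POSTGRES_DB`; what a re-run actually does on an upgraded host is the role/grant bootstrap (`GRANT ALL ON SCHEMA public` and `ON DATABASE "$POSTGRES_DB"` for `SO_POSTGRES_USER`), so the text now misdirects whoever follows the "Re-run manually" hint. Reword to match, e.g. `echo "Bootstrapping SOC PostgreSQL role and grants via init-db.sh."` and `# ... so the role/grant bootstrap in init-db.sh never fires on upgraded hosts.`, and because `docker exec` here injects only `POSTGRES_USER`, confirm that `POSTGRES_DB` and `SO_POSTGRES_USER` are present in the so-postgres container environment (not visible in this diff) — otherwise init-db.sh runs against the wrong database and role — and name those variables in the comment. Minor: `$exec_cmd` is a string that is word-split on invocation; `local -a exec_cmd=(docker exec -u postgres -e POSTGRES_USER=postgres so-postgres bash /docker-entrypoint-initdb.d/init-db.sh)` run as `"${exec_cmd[@]}"` (with `${exec_cmd[*]}` in the warning text) is the robust form. `up_to_3.2.0` and the rest of the file continue outside the hunk.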
@@ -1 +1 @@
-3.2.0
+3.0.0-kilo
From ca85c5d90045b333d73aa94349d82d4fadea2c89 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 3 Jun 2026 17:26:08 -0400
Subject: [PATCH 5/5] fix version
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 03e153fda..944880fa1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.0.0-kilo
+3.2.0