diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 1cdf6145e..4c518fa92 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -1,7 +1,7 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} @@ -85,6 +85,7 @@ ], 'so-manager': [ 'salt.master', + 'salt.cloud', 'ca', 'ssl', 'registry', diff --git a/salt/libvirt/init.sls b/salt/libvirt/init.sls index 1e4e3dde0..4c87e22e7 100644 --- a/salt/libvirt/init.sls +++ b/salt/libvirt/init.sls @@ -5,6 +5,9 @@ {% from 'libvirt/map.jinja' import LIBVIRTMERGED %} +include: + - libvirt.packages + install_libvirt: pkg.installed: - name: libvirt 
@@ -38,22 +41,6 @@ libvirt_service:
 - watch:
 - file: libvirt_config

-libvirt_source-packages_dir:
- file.directory:
- - name: /opt/so/conf/libvirt/source-packages
-
-libvirt_python_wheel:
- file.recurse:
- - name: /opt/so/conf/libvirt/source-packages/libvirt-python
- - source: salt://libvirt/source-packages/libvirt-python
- - clean: True
-
-libvirt_python_module:
- cmd.run:
- - name: /opt/saltstack/salt/bin/python3.10 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
- - onchanges:
- - file: libvirt_python_wheel
-
 # places cacert, clientcert, clientkey, servercert and serverkey
 # /etc/pki/CA/cacert.pem
 # /etc/pki/libvirt/clientcert.pem and /etc/pki/libvirt/servercert.pem
@@ -74,5 +61,14 @@ install-guestfs-tools:
 pkg.installed:
 - name: guestfs-tools

+# this should only run during the first highstate after setup. it will transfer connection from mgmt to br0
+down_original_mgmt_interface:
+ cmd.run:
+ - name: "nmcli con down {{ pillar.host.mainint }}"
+ - unless:
+ - nmcli -f GENERAL.CONNECTION dev show {{ pillar.host.mainint }} | grep bridge-slave-{{ pillar.host.mainint }}
+ - order: last
+
+
 # virtlogd service may not restart following reboot without this
 #semanage permissive -a virtlogd_t
diff --git a/salt/libvirt/packages.sls b/salt/libvirt/packages.sls
new file mode 100644
index 000000000..dc7db9cf8
--- /dev/null
+++ b/salt/libvirt/packages.sls
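Review bot: `down_original_mgmt_interface` can cut the host off from the master when the bridge-slave connection does not exist yet, because the `unless` only checks that the device is not already attached to `bridge-slave-{{ pillar.host.mainint }}`; it never confirms that the replacement connection has been created and br0 is up before `nmcli con down` runs. Add a positive guard such as `- onlyif: nmcli -g NAME con show | grep -qx bridge-slave-{{ pillar.host.mainint }}` (or a `require` on the state that creates the bridge-slave profile, which is not in this diff) so the original connection is only dropped when the replacement exists. The interface name is interpolated unquoted into both shell commands; quoting it (`"{{ pillar.host.mainint }}"`) keeps an unexpected pillar value from being parsed as extra arguments. The comment above the state says it should only run during the first highstate, but nothing in the state enforces that beyond the `unless`, so the comment should say so, e.g. `# runs whenever the main interface is not yet enslaved to br0; after the first highstate the unless check keeps it a no-op`.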
@@ -0,0 +1,20 @@
+#libvirt_source-packages_dir:
+ # file.directory:
+ # - name: /opt/so/conf/libvirt/source-packages
+
+install_libvirt-libs:
+ pkg.installed:
+ - name: libvirt-libs
+
+libvirt_python_wheel:
+ file.recurse:
+ - name: /opt/so/conf/libvirt/source-packages/libvirt-python
+ - source: salt://libvirt/source-packages/libvirt-python
+ - makedirs: True
+ - clean: True
+
+libvirt_python_module:
+ cmd.run:
+ - name: /opt/saltstack/salt/bin/python3.10 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
+ - onchanges:
+ - file: libvirt_python_wheel
diff --git a/salt/salt/cloud/cloud.profiles.d/socloud.conf b/salt/salt/cloud/cloud.profiles.d/socloud.conf
index c410fd7c3..9949e219d 100644
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf
@@ -50,16 +50,16 @@ sensor:
 - setHostname

 core:
- provider: local-kvm
+ provider: kvm-via-ssh
 base_domain: jppol9vm
 ip_source: qemu-agent
- ssh_username: jpatterson
- private_key: /home/jpatterson/.ssh/id_rsa
+ ssh_username: onionuser
+ private_key: /home/onionuser/.ssh/id_ed25519
 sudo: True
 deploy_command: sh /tmp/.saltcloud-*/deploy.sh
 script_args: -F -x python3 stable 3006.1
 minion:
- master: jppvirt
+ master: jpp90man
 master_port: 4506
 startup_states: sls
 sls_list:
diff --git a/salt/salt/cloud/cloud.provides.d/libvirt.conf b/salt/salt/cloud/cloud.providers.d/libvirt.conf
similarity index 55%
rename from salt/salt/cloud/cloud.provides.d/libvirt.conf
rename to salt/salt/cloud/cloud.providers.d/libvirt.conf
index 8c57cc1e5..587653010 100644
--- a/salt/salt/cloud/cloud.provides.d/libvirt.conf
+++ b/salt/salt/cloud/cloud.providers.d/libvirt.conf
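Review bot: The first three lines of salt/libvirt/packages.sls are a commented-out `libvirt_source-packages_dir` state that `makedirs: True` on `libvirt_python_wheel` has made redundant; dead commented code should be dropped rather than carried into a new file. The new file also lacks the Elastic License header that this same commit adds to salt/salt/master.sls and salt/salt/map.jinja. `libvirt_python_module` is ordered only on `file: libvirt_python_wheel`, so the pip install of libvirt-python is not sequenced after `install_libvirt-libs`; adding `- require:` / `- pkg: install_libvirt-libs` to the `cmd.run` makes that dependency explicit. `--no-index --find-links=...` installs whichever libvirt-python wheel is present in the directory, so if that directory is meant to hold exactly one vetted wheel, pinning the version in the command (`libvirt-python==<version>`) would make an unexpected file fail loudly instead of being installed.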
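Review bot: The `core` profile now carries environment-specific literals — `ssh_username: onionuser`, `private_key: /home/onionuser/.ssh/id_ed25519`, `master: jpp90man` and the unchanged `base_domain: jppol9vm` — in a file tracked in the repo, so every deployment would inherit one environment's hostnames and key path. If this file is rendered on the manager, those values belong in pillar (a templated lookup of the manager hostname and of the deploy user); if it is a static sample, a leading comment should say so. `script_args: -F -x python3 stable 3006.1` pins a bootstrap Salt version independently of `SALTVERSION` in salt/salt/map.jinja, which this commit uses to pin salt-cloud, so the two can drift; consider rendering the same value here. `sudo: True` with key-based login means the key referenced here is effectively root on every cloned VM, so the file should note where that key is provisioned and that it is dedicated to this purpose.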
@@ -1,11 +1,11 @@
 # Set up a provider with qemu+ssh protocol
-#kvm-via-ssh:
-# driver: libvirt
-# url: qemu+ssh://jpatterson@jppvirt/system?socket=/var/run/libvirt/libvirt-sock
+kvm-via-ssh:
+ driver: libvirt
+ url: qemu+ssh://onionuser@jpphype1/system?socket=/var/run/libvirt/libvirt-sock

 # Or connect to a local libvirt instance
-local-kvm:
- driver: libvirt
- url: qemu:///system
+#local-kvm:
+# driver: libvirt
+# url: qemu:///system
 # work around flag for XML validation errors while cloning
- validate_xml: no
+# validate_xml: no
diff --git a/salt/salt/cloud/init.sls b/salt/salt/cloud/init.sls
new file mode 100644
index 000000000..baaf44e88
--- /dev/null
+++ b/salt/salt/cloud/init.sls
@@ -0,0 +1,24 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{% from 'salt/map.jinja' import SALTVERSION %}
+
+include:
+ - libvirt.packages
+
+install_salt_cloud:
+ pkg.installed:
+ - name: salt-cloud
+ - version: {{SALTVERSION}}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index 5f687ef3f..9a08304ca 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
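Review bot: `kvm-via-ssh` hard-codes `url: qemu+ssh://onionuser@jpphype1/system?socket=/var/run/libvirt/libvirt-sock` in a tracked provider file, so the hypervisor host and login are fixed to one environment; the host and user should come from pillar or a templated file, or the file should be marked as a sample. Over qemu+ssh, libvirt as driven by salt-cloud on the manager relies on that user's SSH host-key store for `jpphype1`, and nothing in this commit shows that host key being provisioned, so the first connection either fails non-interactively or invites disabling host-key checking; the known_hosts entry should be managed by a state alongside the key. The `validate_xml: no` workaround is now commented out together with `local-kvm`, so if the XML validation error it was added for also occurs when cloning through the ssh provider, `kvm-via-ssh` needs the same key — worth confirming before it is dropped.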
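Review bot: `install_salt_cloud` installs the package, but nothing in this state places the provider and profile files added alongside it (`cloud.providers.d/libvirt.conf`, `cloud.profiles.d/socloud.conf`) under the master's salt-cloud configuration directory; unless another state not in this diff does that, salt-cloud on so-manager will have no providers configured. `- version: {{SALTVERSION}}` passes the bare version from salt/salt/map.jinja, while that map also defines `SPLITCHAR` ('+' on Debian, '-' elsewhere), which suggests other install states compose a distro-specific version string; confirm the bare value resolves on both OS families. The file does not say why `libvirt.packages` is included; a one-line comment such as `# salt-cloud's libvirt driver needs libvirt-libs and the libvirt-python module on the manager` would help the next reader.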
@@ -1,15 +1,20 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + {% import_yaml 'salt/minion.defaults.yaml' as saltminion %} {% set SALTVERSION = saltminion.salt.minion.version %} {% if grains.os_family == 'Debian' %} {% set SPLITCHAR = '+' %} {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep -q salt ; echo $?', python_shell=True) %} - {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %} + {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %} {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %} {% else %} {% set SPLITCHAR = '-' %} {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %} - {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %} + {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %} {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} {% endif %} diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 84e18b8fc..9558352dd 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'salt/map.jinja' import SALTNOTHELD %} {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} diff --git a/salt/vars/hypervisor.map.jinja b/salt/vars/hypervisor.map.jinja index 964f69663..b8fd4ac1f 100644 --- a/salt/vars/hypervisor.map.jinja 
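Review bot: `SALTPACKAGES` now lists `salt-cloud` for every node, while per the `allowed_states` change in this commit `salt.cloud` only runs on so-manager; whatever iterates `SALTPACKAGES` (the hold/versionlock handling is not in this diff) will reference a package that is absent on every other role, so confirm it tolerates an uninstalled package rather than failing the highstate. If the consumer cannot tolerate it, gate the entry, e.g. `{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] + (['salt-cloud'] if <manager role check> else []) %}` on both branches. The `SALTNOTHELD` checks still grep for the bare string `salt`, so they do not tell you whether `salt-cloud` itself is held; a short comment noting that the list is also what the hold logic pins would make the intent of the addition clear.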
+++ b/salt/vars/hypervisor.map.jinja
@@ -1 +1,6 @@
-{% set ROLE_GLOBALS = {} %}
+{% import 'vars/init.map.jinja' as INIT %}
+{%
+ set ROLE_GLOBALS = {
+ 'node_ip': INIT.GRAINS.ip_interfaces.get('br0')[0]
+ }
+%}
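Review bot: `INIT.GRAINS.ip_interfaces.get('br0')[0]` raises an opaque rendering error on any host where `br0` has no entry, because `.get()` returns None and `[0]` is then applied to it; on a hypervisor that is exactly the state before the first highstate moves the management connection to br0 (see `down_original_mgmt_interface` in salt/libvirt/init.sls in this same commit). A fallback such as `'node_ip': (INIT.GRAINS.ip_interfaces.get('br0') or [None])[0]`, or an explicit `{{ raise('br0 has no address yet') }}` when the key is missing, would make that failure readable. The `ip_interfaces` grain lists both IPv4 and IPv6 addresses for an interface, so `[0]` is not guaranteed to be the IPv4 address; `ip4_interfaces` is the grain to read when an IPv4 value is required.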