virt

salt/allowed_states.map.jinja

@@ -1,7 +1,7 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
+   https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
+   Elastic License 2.0. #}
 
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
@@ -85,6 +85,7 @@
           ],
       'so-manager': [
           'salt.master',
+          'salt.cloud',
           'ca',
           'ssl',
           'registry',

salt/libvirt/init.sls

@@ -5,6 +5,9 @@
 
 {% from 'libvirt/map.jinja' import LIBVIRTMERGED %}
 
+include:
+  - libvirt.packages
+
 install_libvirt:
   pkg.installed:
     - name: libvirt
@@ -38,22 +41,6 @@ libvirt_service:
     - watch:
       - file: libvirt_config
 
-libvirt_source-packages_dir:
-  file.directory:
-    - name: /opt/so/conf/libvirt/source-packages
-
-libvirt_python_wheel:
-  file.recurse:
-    - name: /opt/so/conf/libvirt/source-packages/libvirt-python
-    - source: salt://libvirt/source-packages/libvirt-python
-    - clean: True
-
-libvirt_python_module:
-  cmd.run:
-    - name: /opt/saltstack/salt/bin/python3.10 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
-    - onchanges:
-      - file: libvirt_python_wheel
-
 # places cacert, clientcert, clientkey, servercert and serverkey
 # /etc/pki/CA/cacert.pem
 # /etc/pki/libvirt/clientcert.pem and /etc/pki/libvirt/servercert.pem
@@ -74,5 +61,14 @@ install-guestfs-tools:
   pkg.installed:
     - name: guestfs-tools
 
+# this should only run during the first highstate after setup. it will transfer connection from mgmt to br0
+down_original_mgmt_interface:
+  cmd.run:
+    - name: "nmcli con down {{ pillar.host.mainint }}"
+    - unless:
+      - nmcli -f GENERAL.CONNECTION dev show {{ pillar.host.mainint }} | grep bridge-slave-{{ pillar.host.mainint }}
+    - order: last
+
+
 # virtlogd service may not restart following reboot without this
 #semanage permissive -a virtlogd_t

salt/libvirt/packages.sls

@@ -0,0 +1,20 @@
+#libvirt_source-packages_dir:
+ # file.directory:
+ #   - name: /opt/so/conf/libvirt/source-packages
+
+install_libvirt-libs:
+  pkg.installed:
+    - name: libvirt-libs
+
+libvirt_python_wheel:
+  file.recurse:
+    - name: /opt/so/conf/libvirt/source-packages/libvirt-python
+    - source: salt://libvirt/source-packages/libvirt-python
+    - makedirs: True
+    - clean: True
+
+libvirt_python_module:
+  cmd.run:
+    - name: /opt/saltstack/salt/bin/python3.10 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
+    - onchanges:
+      - file: libvirt_python_wheel

salt/salt/cloud/cloud.profiles.d/socloud.conf

@@ -50,16 +50,16 @@ sensor:
       - setHostname
 
 core:
-  provider: local-kvm
+  provider: kvm-via-ssh
   base_domain: jppol9vm
   ip_source: qemu-agent
-  ssh_username: jpatterson
+  ssh_username: onionuser
-  private_key: /home/jpatterson/.ssh/id_rsa
+  private_key: /home/onionuser/.ssh/id_ed25519
   sudo: True
   deploy_command: sh /tmp/.saltcloud-*/deploy.sh
   script_args: -F -x python3 stable 3006.1
   minion:
-    master: jppvirt
+    master: jpp90man
     master_port: 4506
     startup_states: sls
     sls_list:

salt/salt/cloud/cloud.providers.d/libvirt.conf

@@ -1,11 +1,11 @@
 # Set up a provider with qemu+ssh protocol
-#kvm-via-ssh:
+kvm-via-ssh:
-#  driver: libvirt
+  driver: libvirt
-#  url: qemu+ssh://jpatterson@jppvirt/system?socket=/var/run/libvirt/libvirt-sock
+  url: qemu+ssh://onionuser@jpphype1/system?socket=/var/run/libvirt/libvirt-sock
 
 # Or connect to a local libvirt instance
-local-kvm:
+#local-kvm:
-  driver: libvirt
+#  driver: libvirt
-  url: qemu:///system
+#  url: qemu:///system
   # work around flag for XML validation errors while cloning
-  validate_xml: no
+#  validate_xml: no

salt/salt/cloud/init.sls

@@ -0,0 +1,24 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{%   from 'salt/map.jinja' import SALTVERSION %}
+
+include:
+  - libvirt.packages
+
+install_salt_cloud:
+  pkg.installed:
+    - name: salt-cloud
+    - version: {{SALTVERSION}}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/salt/map.jinja

@@ -1,15 +1,20 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
 {% import_yaml 'salt/minion.defaults.yaml' as saltminion %}
 {% set SALTVERSION = saltminion.salt.minion.version %}
 
 {% if grains.os_family == 'Debian' %}
   {% set SPLITCHAR = '+' %}
   {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep -q salt ; echo $?', python_shell=True) %}
-  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
+  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
   {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
 {% else %}
   {% set SPLITCHAR = '-' %}
   {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
-  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
+  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
   {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}
 

salt/salt/master.sls

@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'salt/map.jinja' import SALTNOTHELD %}
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}

salt/vars/hypervisor.map.jinja

@@ -1 +1,6 @@
-{% set ROLE_GLOBALS = {} %}
+{% import 'vars/init.map.jinja' as INIT %}
+{%
+  set ROLE_GLOBALS = {
+    'node_ip': INIT.GRAINS.ip_interfaces.get('br0')[0]
+  }
+%}