virt

2025-12-06 17:22:49 +01:00 · 2024-08-09 11:53:07 -04:00
parent 3643303a51
commit a28ac3bee6
9 changed files with 90 additions and 34 deletions
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -1,7 +1,7 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}

 {% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %}
 {% import_yaml 'salt/minion.defaults.yaml' as saltversion %}
@@ -85,6 +85,7 @@
          ],
      'so-manager': [
          'salt.master',
+          'salt.cloud',
          'ca',
          'ssl',
          'registry',
--- a/salt/libvirt/init.sls
+++ b/salt/libvirt/init.sls
@@ -5,6 +5,9 @@

 {% from 'libvirt/map.jinja' import LIBVIRTMERGED %}

+include:
+  - libvirt.packages
+
 install_libvirt:
  pkg.installed:
    - name: libvirt
@@ -38,22 +41,6 @@ libvirt_service:
    - watch:
      - file: libvirt_config

-libvirt_source-packages_dir:
-  file.directory:
-    - name: /opt/so/conf/libvirt/source-packages
-
-libvirt_python_wheel:
-  file.recurse:
-    - name: /opt/so/conf/libvirt/source-packages/libvirt-python
-    - source: salt://libvirt/source-packages/libvirt-python
-    - clean: True
-
-libvirt_python_module:
-  cmd.run:
-    - name: /opt/saltstack/salt/bin/python3.10 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
-    - onchanges:
-      - file: libvirt_python_wheel
-
 # places cacert, clientcert, clientkey, servercert and serverkey
 # /etc/pki/CA/cacert.pem
 # /etc/pki/libvirt/clientcert.pem and /etc/pki/libvirt/servercert.pem
@@ -74,5 +61,14 @@ install-guestfs-tools:
  pkg.installed:
    - name: guestfs-tools

+# this should only run during the first highstate after setup. it will transfer connection from mgmt to br0
+down_original_mgmt_interface:
+  cmd.run:
+    - name: "nmcli con down {{ pillar.host.mainint }}"
+    - unless:
+      - nmcli -f GENERAL.CONNECTION dev show {{ pillar.host.mainint }} | grep bridge-slave-{{ pillar.host.mainint }}
+    - order: last
+
+
 # virtlogd service may not restart following reboot without this
 #semanage permissive -a virtlogd_t
--- a/salt/libvirt/packages.sls
+++ b/salt/libvirt/packages.sls
@@ -0,0 +1,20 @@
+#libvirt_source-packages_dir:
+ # file.directory:
+ #   - name: /opt/so/conf/libvirt/source-packages
+
+install_libvirt-libs:
+  pkg.installed:
+    - name: libvirt-libs
+
+libvirt_python_wheel:
+  file.recurse:
+    - name: /opt/so/conf/libvirt/source-packages/libvirt-python
+    - source: salt://libvirt/source-packages/libvirt-python
+    - makedirs: True
+    - clean: True
+
+libvirt_python_module:
+  cmd.run:
+    - name: /opt/saltstack/salt/bin/python3.10 -m pip install --no-index --find-links=/opt/so/conf/libvirt/source-packages/libvirt-python libvirt-python
+    - onchanges:
+      - file: libvirt_python_wheel
--- a/salt/salt/cloud/cloud.profiles.d/socloud.conf
+++ b/salt/salt/cloud/cloud.profiles.d/socloud.conf
@@ -50,16 +50,16 @@ sensor:
      - setHostname

 core:
-  provider: local-kvm
+  provider: kvm-via-ssh
  base_domain: jppol9vm
  ip_source: qemu-agent
-  ssh_username: jpatterson
-  private_key: /home/jpatterson/.ssh/id_rsa
+  ssh_username: onionuser
+  private_key: /home/onionuser/.ssh/id_ed25519
  sudo: True
  deploy_command: sh /tmp/.saltcloud-*/deploy.sh
  script_args: -F -x python3 stable 3006.1
  minion:
-    master: jppvirt
+    master: jpp90man
    master_port: 4506
    startup_states: sls
    sls_list:
--- a/salt/salt/cloud/cloud.providers.d/libvirt.conf
+++ b/salt/salt/cloud/cloud.providers.d/libvirt.conf
@@ -1,11 +1,11 @@
 # Set up a provider with qemu+ssh protocol
-#kvm-via-ssh:
-#  driver: libvirt
-#  url: qemu+ssh://jpatterson@jppvirt/system?socket=/var/run/libvirt/libvirt-sock
+kvm-via-ssh:
+  driver: libvirt
+  url: qemu+ssh://onionuser@jpphype1/system?socket=/var/run/libvirt/libvirt-sock

 # Or connect to a local libvirt instance
-local-kvm:
-  driver: libvirt
-  url: qemu:///system
+#local-kvm:
+#  driver: libvirt
+#  url: qemu:///system
  # work around flag for XML validation errors while cloning
-  validate_xml: no
+#  validate_xml: no
--- a/salt/salt/cloud/init.sls
+++ b/salt/salt/cloud/init.sls
@@ -0,0 +1,24 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+{%   from 'salt/map.jinja' import SALTVERSION %}
+
+include:
+  - libvirt.packages
+
+install_salt_cloud:
+  pkg.installed:
+    - name: salt-cloud
+    - version: {{SALTVERSION}}
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -1,15 +1,20 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+   or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+   https://securityonion.net/license; you may not use this file except in compliance with the
+   Elastic License 2.0. #}
+
 {% import_yaml 'salt/minion.defaults.yaml' as saltminion %}
 {% set SALTVERSION = saltminion.salt.minion.version %}

 {% if grains.os_family == 'Debian' %}
  {% set SPLITCHAR = '+' %}
  {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep -q salt ; echo $?', python_shell=True) %}
-  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
+  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
 {% else %}
  {% set SPLITCHAR = '-' %}
  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
-  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
+  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}

--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'salt/map.jinja' import SALTNOTHELD %}
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
--- a/salt/vars/hypervisor.map.jinja
+++ b/salt/vars/hypervisor.map.jinja
@@ -1 +1,6 @@
-{% set ROLE_GLOBALS = {} %}
+{% import 'vars/init.map.jinja' as INIT %}
+{%
+  set ROLE_GLOBALS = {
+    'node_ip': INIT.GRAINS.ip_interfaces.get('br0')[0]
+  }
+%}