Merge pull request #14865 from Security-Onion-Solutions/saltuproc

don't allow bootstrap-salt to start daemons. splay non manager highstates 120 seconds
2025-12-06 09:12:45 +01:00 · 2025-07-22 13:37:28 -04:00
parent 1955434416 af49a8e4ef
commit ab4d055fd1
3 changed files with 20 additions and 7 deletions
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -26,9 +26,9 @@

 {% if INSTALLEDSALTVERSION != SALTVERSION %}
  {% if grains.os_family|lower == 'redhat' %}
-      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F stable ' ~ SALTVERSION %}
+      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
  {% elif grains.os_family|lower == 'debian' %}
-    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -F stable ' ~ SALTVERSION %}
+    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
  {% endif %}
 {% else %}
  {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -38,12 +38,22 @@ unhold_salt_packages:
 {% endfor %}

 install_salt_minion:
+  cmd.run:
+    - name: /bin/sh -c '{{ UPGRADECOMMAND }}'
+
+# minion service is in failed state after upgrade. this command will start it after the state run for the upgrade completes
+start_minion_post_upgrade:
  cmd.run:
    - name: |
        exec 0>&- # close stdin
        exec 1>&- # close stdout
        exec 2>&- # close stderr
-        nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
+        nohup /bin/sh -c 'sleep 30; systemctl start salt-minion' &
+    - require:
+      - cmd: install_salt_minion
+    - watch:
+      - cmd: install_salt_minion
+    - order: last

 {% endif %}

@@ -52,11 +62,9 @@ install_salt_minion:
 hold_salt_packages:
  pkg.held:
    - pkgs:
-{%   for package in SALTPACKAGES %}
-{%     if salt['pkg.version'](package) %}
+{% for package in SALTPACKAGES %}
      - {{ package }}: {{SALTVERSION}}-0.*
-{%     endif %}
-{%   endfor %}
+{% endfor %}

 remove_error_log_level_logfile:
  file.line:
--- a/salt/schedule.sls
+++ b/salt/schedule.sls
@@ -1,5 +1,10 @@
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+
 highstate_schedule:
  schedule.present:
    - function: state.highstate
    - minutes: 15
    - maxrunning: 1
+{% if not GLOBALS.is_manager %}
+    - splay: 120
+{% endif %}