Merge branch '2.4/firewall' into 2.4createrepoinstall

2025-12-08 02:02:50 +01:00 · 2023-01-10 11:38:31 -05:00
parent d2e623747d 3e9bddcd11
commit ab8f41ecb5
37 changed files with 413 additions and 183 deletions
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -254,11 +254,16 @@ collect_dns_domain() {

 collect_dockernet() {
 	if ! whiptail_dockernet_check; then
-		whiptail_dockernet_net "172.17.0.0"
+		whiptail_dockernet_sosnet "172.17.1.0"
+		whiptail_dockernet_nososnet "172.17.0.0"

 		while ! valid_ip4 "$DOCKERNET"; do
 			whiptail_invalid_input
-			whiptail_dockernet_net "$DOCKERNET"
+			whiptail_dockernet_nonsosnet "$DOCKERNET"
+		done
+		while ! valid_ip4 "$DOCKERNET2"; do
+			whiptail_invalid_input
+			whiptail_dockernet_sosnet "$DOCKERNET2"
 		done
 	fi
 }
@@ -996,6 +1001,9 @@ docker_registry() {
 	if [ -z "$DOCKERNET" ]; then
 		DOCKERNET=172.17.0.0
 	fi
+	if [ -z "$DOCKERNET2" ]; then
+		DOCKERNET2=172.17.1.0
+	fi
 	# Make the host use the manager docker registry
 	DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
 	if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
@@ -1410,9 +1418,12 @@ create_global() {

 	if [ -z "$DOCKERNET" ]; then
 		DOCKERNET=172.17.0.0
+		DOCKERNET2=172.17.1.0
 		DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
+		DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
 	else
 		DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
+		DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
 	fi

 	if [ -f "$global_pillar_file" ]; then
@@ -1497,6 +1508,8 @@ docker_pillar() {
 	touch $adv_docker_pillar_file
 	printf '%s\n'\
 		"docker:"\
+		"  sosrange: '$DOCKERNET2/24'"\
+		"  sosbip: '$DOCKER2BIP'"\
 		"  range: '$DOCKERNET/24'"\
 		"  bip: '$DOCKERBIP'" > $docker_pillar_file
 }
@@ -1953,6 +1966,15 @@ repo_sync_local() {
 	echo "gpgcheck=1" >> /root/repodownload.conf
 	echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf

+	REPOSYNC=$(rpm -qa | grep createrepo | wc -l)
+	if [[ ! "$REPOSYNC" -gt 0 ]]; then
+		# Install reposync
+		info "Installing createrepo"
+		logCmd "yum -y install -c /root/repodownload.conf yum-utils createrepo"
+	else
+		info "We have what we need to sync"
+	fi
+
 	logCmd "reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/"
 	

--- a/setup/so-setup
+++ b/setup/so-setup
@@ -317,6 +317,7 @@ if ! [[ -f $install_opt_file ]]; then
 		check_elastic_license
 		check_requirements "manager"
 		networking_needful
+		collect_dockernet
 		whiptail_airgap
 		detect_cloud
 		set_minion_info
@@ -336,6 +337,7 @@ if ! [[ -f $install_opt_file ]]; then
 		check_elastic_license
 		check_requirements "manager"
 		networking_needful
+		collect_dockernet
 		whiptail_airgap
 		detect_cloud
 		set_minion_info
@@ -354,6 +356,7 @@ if ! [[ -f $install_opt_file ]]; then
 		waitforstate=true
 		check_requirements "manager"
 		networking_needful
+		collect_dockernet
 		whiptail_airgap
 		detect_cloud
 		set_default_log_size >> $setup_log 2>&1
@@ -370,6 +373,7 @@ if ! [[ -f $install_opt_file ]]; then
 		waitforstate=true
 		check_requirements "manager"
 		networking_needful
+		collect_dockernet
 		whiptail_airgap
 		detect_cloud
 		set_default_log_size >> $setup_log 2>&1
@@ -548,6 +552,7 @@ if ! [[ -f $install_opt_file ]]; then

 		generate_ca
 		generate_ssl
+		logCmd "salt-call state.apply -l info firewall"

 		# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
 		logCmd "mkdir -p /opt/so/conf/so-status/ "
@@ -560,7 +565,6 @@ if ! [[ -f $install_opt_file ]]; then
 		docker_seed_registry
 		title "Applying the manager state"
 		logCmd "salt-call state.apply -l info manager" 
-		logCmd "salt-call state.apply -l info firewall"
 		logCmd "salt-call state.highstate -l info"
 		add_web_user
 		info "Restarting SOC to pick up initial user"
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -325,12 +325,24 @@ whiptail_dockernet_check(){

 }

-whiptail_dockernet_net() {
+whiptail_dockernet_sosnet() {
+
+	[ -n "$TESTING" ] && return
+
+	DOCKERNET2=$(whiptail --title "$whiptail_title" --inputbox \
+	"\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+
+}
+
+whiptail_dockernet_nososnet() {

 	[ -n "$TESTING" ] && return

 	DOCKERNET=$(whiptail --title "$whiptail_title" --inputbox \
-	"\nEnter a /24 size network range for docker to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
+	"\nEnter a /24 size network range for NON SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)

 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus