From f1135342a93848c392b5e126315f55977a6d6496 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 11:17:48 -0500 Subject: [PATCH 01/24] Add Docker IP Skeleton --- salt/docker/defaults.yaml | 6 ++++++ salt/docker/docker.map.jinja | 8 ++++++++ 2 files changed, 14 insertions(+) create mode 100644 salt/docker/defaults.yaml create mode 100644 salt/docker/docker.map.jinja diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml new file mode 100644 index 000000000..486c9ebb4 --- /dev/null +++ b/salt/docker/defaults.yaml @@ -0,0 +1,6 @@ +docker: + bip: 172.17.0.1/24 + range: 172.17.0.0/24 + containers: + 'so-elasticsearch': + final_octet: 22 \ No newline at end of file diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja new file mode 100644 index 000000000..9dd813566 --- /dev/null +++ b/salt/docker/docker.map.jinja @@ -0,0 +1,8 @@ +{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} +{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} +{% set RANGESPLIT = DOCKER.range.split('.') %} +{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} + +{% for container, vals in DOCKER.containers.items() %} +{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octect}) %} +{% endfor %} From 5c50fdb74cb23e3b5c921cd2a28aa498bd1e35d9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 13:00:56 -0500 Subject: [PATCH 02/24] Add Docker IP Skeleton --- salt/elasticsearch/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index c1610dfd6..314ff5575 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
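Review bot: The address derivation in `{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}` assumes `DOCKER.range` is a /24: it keeps the first three dotted octets and appends `final_octet`, so a pillar override with any other prefix length silently produces addresses that may lie outside the network Docker is told to create, and nothing bounds `final_octet` to 2–254 (0 and 255 are the network and broadcast addresses, 1 is the bridge gateway). A render-time guard before the loop, e.g. `{% if not DOCKER.range.endswith('/24') %}{{ raise('docker:range must be a /24') }}{% endif %}` (Salt exposes `raise` to Jinja; confirm on the Salt version in use), turns that into a clear highstate error instead of a mis-addressed container. Inside the loop `vals` is already the per-container dict, so `{% do vals.update({'ip': FIRSTTHREE ~ vals.final_octet}) %}` reads more simply than re-indexing `DOCKER.containers[container]` twice.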
@@ -10,6 +10,7 @@ include: - ssl {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %} {% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %} From a2d3b95e92a00e78a914a2351cf26f84743e8042 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 13:04:31 -0500 Subject: [PATCH 03/24] Add Docker IP Skeleton --- salt/elasticsearch/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 314ff5575..166b4b6d7 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -290,6 +290,8 @@ so-elasticsearch: - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch + - bridge: + - ipv4_address: {{ SOMETHING }} - extra_hosts: {{ REDIS_NODES }} - environment: {% if REDIS_NODES | length == 1 %} From 3378f5830014122dccd47192819911fa3f395085 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 17:07:42 -0500 Subject: [PATCH 04/24] Add Docker IP Skeleton --- salt/elasticsearch/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 166b4b6d7..e6afb5444 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -291,7 +291,7 @@ so-elasticsearch: - name: so-elasticsearch - user: elasticsearch - bridge: - - ipv4_address: {{ SOMETHING }} + - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ REDIS_NODES }} - environment: {% if REDIS_NODES | length == 1 %} From a40e10da832892b1f13d09bca73ec008ff800b1f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 14 Nov 2022 17:41:38 -0500 Subject: [PATCH 05/24] Add Docker IP Skeleton --- salt/docker/docker.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja
index 9dd813566..61416f7a4 100644
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -4,5 +4,5 @@
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 {% for container, vals in DOCKER.containers.items() %}
-{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octect}) %}
+{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
 {% endfor %}
From e41361e127f1369d41a049ed1cbc96c9374f2d77 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 14 Nov 2022 17:43:14 -0500
Subject: [PATCH 06/24] Add Docker IP Skeleton
---
 salt/elasticsearch/init.sls | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index e6afb5444..9c95422d4 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -290,8 +290,7 @@ so-elasticsearch:
 - hostname: elasticsearch
 - name: so-elasticsearch
 - user: elasticsearch
- - bridge:
- - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
+ - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
 - extra_hosts: {{ REDIS_NODES }}
 - environment:
 {% if REDIS_NODES | length == 1 %}
From 6016b0e38a6b9a1198cde39bf689af33e65b085d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 14 Nov 2022 20:20:38 -0500
Subject: [PATCH 07/24] Add dynamic ability for IP range for sosnet
---
 salt/docker/defaults.yaml | 4 +++-
 salt/docker/init.sls | 6 ++++++
 salt/elasticsearch/init.sls | 4 +++-
 setup/so-functions | 17 +++++++++++++++--
 setup/so-setup | 4 ++++
 setup/so-whiptail | 16 ++++++++++++++--
 6 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index 486c9ebb4..ae41918e9 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,6 +1,8 @@ docker: - bip: 172.17.0.1/24 + bip: 172.17.0.1 range: 172.17.0.0/24 + sosrange: 172.17.1.0/24 + sosbip: 172.17.1.1 containers: 'so-elasticsearch': final_octet: 22 \ No newline at end of file diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 8b698c281..2497ddae5 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -3,6 +3,8 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +{% from 'docker/docker.map.jinja' import DOCKER %} + dockergroup: group.present: - name: docker @@ -50,3 +52,7 @@ dockerreserveports: - source: salt://common/files/99-reserved-ports.conf - name: /etc/sysctl.d/99-reserved-ports.conf +sosnet: + docker_network.present: + - subnet: {{ DOCKER.sosnet }} + - gateway: {{ DOCKER.sosbip }} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 9c95422d4..fc26991a3 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -290,7 +290,9 @@ so-elasticsearch: - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch - - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ REDIS_NODES }} - environment: {% if REDIS_NODES | length == 1 %} diff --git a/setup/so-functions b/setup/so-functions index 56d2a0394..4941f48ad 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -254,11 +254,16 @@ collect_dns_domain() { collect_dockernet() { if ! whiptail_dockernet_check; then - whiptail_dockernet_net "172.17.0.0" + whiptail_dockernet_sosnet "172.17.1.0" + whiptail_dockernet_nososnet "172.17.0.0" while ! valid_ip4 "$DOCKERNET"; do whiptail_invalid_input - whiptail_dockernet_net "$DOCKERNET" + whiptail_dockernet_nonsosnet "$DOCKERNET" + done + while ! valid_ip4 "$DOCKERNET2"; do + whiptail_invalid_input + whiptail_dockernet_sosnet "$DOCKERNET2" done fi } 
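Review bot: The retry loop in `collect_dockernet` calls `whiptail_dockernet_nonsosnet "$DOCKERNET"`, but the function this same patch defines in setup/so-whiptail is `whiptail_dockernet_nososnet`; on an invalid first entry the call fails with "command not found", `DOCKERNET` never changes, and the `while ! valid_ip4 "$DOCKERNET"` loop never exits. The line should read `whiptail_dockernet_nososnet "$DOCKERNET"`. Separately, `valid_ip4` only checks syntax: nothing rejects the two ranges being identical or overlapping, nor a host address such as 172.17.1.5 even though the prompt asks for a network, so a check like `[ "$DOCKERNET" = "$DOCKERNET2" ]` with a re-prompt would catch the most likely misconfiguration before it is written to pillar.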
@@ -996,6 +1001,9 @@ docker_registry() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 fi + if [ -z "$DOCKERNET2" ]; then + DOCKERNET2=172.17.1.0 + fi # Make the host use the manager docker registry DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi @@ -1376,9 +1384,12 @@ create_global() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 + DOCKERNET2=172.17.1.0 DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 else DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 fi if [ -f "$global_pillar_file" ]; then @@ -1462,6 +1473,8 @@ docker_pillar() { touch $adv_docker_pillar_file printf '%s\n'\ "docker:"\ + " sosrange: '$DOCKERNET2/24'"\ + " sosbip: '$DOCKER2BIP'"\ " range: '$DOCKERNET/24'"\ " bip: '$DOCKERBIP'" > $docker_pillar_file } diff --git a/setup/so-setup b/setup/so-setup index a114233d6..9bdf2bc33 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -319,6 +319,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_minion_info @@ -339,6 +340,7 @@ if ! [[ -f $install_opt_file ]]; then check_elastic_license check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_minion_info @@ -357,6 +359,7 @@ if ! [[ -f $install_opt_file ]]; then waitforstate=true check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_default_log_size >> $setup_log 2>&1 @@ -373,6 +376,7 @@ if ! [[ -f $install_opt_file ]]; then waitforstate=true check_requirements "manager" networking_needful + collect_dockernet whiptail_airgap detect_cloud set_default_log_size >> $setup_log 2>&1 
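Review bot: In the `create_global` hunk `DOCKERNET2` only receives its default inside the `if [ -z "$DOCKERNET" ]` branch, so whenever `DOCKERNET` is set but `DOCKERNET2` is empty (the whiptail prompts return early under `$TESTING`, and any path that pre-populates only `DOCKERNET` would hit the same branch) the `else` branch runs `awk` on an empty string and `DOCKER2BIP` becomes `...1/24`, which `docker_pillar` in the next hunk then writes into the pillar as `sosbip`. Give `DOCKERNET2` its own guard, as `docker_registry` in the previous hunk already does: `if [ -z "$DOCKERNET2" ]; then DOCKERNET2=172.17.1.0; fi` ahead of the `DOCKER2BIP` assignments. `create_global` continues past the end of the hunk.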
diff --git a/setup/so-whiptail b/setup/so-whiptail index d7f3bd535..88635216b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -325,12 +325,24 @@ whiptail_dockernet_check(){ } -whiptail_dockernet_net() { +whiptail_dockernet_sosnet() { + + [ -n "$TESTING" ] && return + + DOCKERNET2=$(whiptail --title "$whiptail_title" --inputbox \ + "\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + +whiptail_dockernet_nososnet() { [ -n "$TESTING" ] && return DOCKERNET=$(whiptail --title "$whiptail_title" --inputbox \ - "\nEnter a /24 size network range for docker to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) + "\nEnter a /24 size network range for NON SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From efc8621524e50f83a071bd03e15d0e5b1aca254b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 15 Nov 2022 10:31:37 -0500 Subject: [PATCH 08/24] Fix some settings and add all defaults --- salt/docker/defaults.yaml | 48 ++++++++++++++++++++++++++++++++---- salt/docker/docker.map.jinja | 2 +- 2 files changed, 44 insertions(+), 6 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index ae41918e9..fdfb6ff70 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml 
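Review bot: `whiptail_dockernet_sosnet` and `whiptail_dockernet_nososnet` are identical apart from the target variable and one phrase of prompt text, and neither prompt validates what the text asks for: a host address such as 172.17.1.5 or the same /24 entered for both ranges is accepted here and only syntax-checked by `valid_ip4` in the caller. A single helper taking the variable name and description would keep the two in step, e.g. `whiptail_dockernet_prompt DOCKERNET2 "SOS" "$1"` using `printf -v "$var"`, though that is a style choice. Renaming `whiptail_dockernet_net` also drops the old name at runtime, which bash cannot catch statically; as far as this series shows `collect_dockernet` is the only caller and it is updated in the same patch.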
@@ -1,8 +1,46 @@ docker: - bip: 172.17.0.1 - range: 172.17.0.0/24 - sosrange: 172.17.1.0/24 - sosbip: 172.17.1.1 + bip: '172.17.0.1' + range: '172.17.0.0/24' + sosrange: '172.17.1.0/24' + sosbip: '172.17.1.1' containers: + 'registry': + final_octet: 20 + 'so-elastic-agent': + final_octet: 21 'so-elasticsearch': - final_octet: 22 \ No newline at end of file + final_octet: 22 + 'so-filebeat': + final_octet: 23 + 'so-grafana': + final_octet: 24 + 'so-idh': + final_octet: 25 + 'so-influxdb': + final_octet: 26 + 'so-kibana': + final_octet: 27 + 'so-kratos': + final_octet: 28 + 'so-logstash': + final_octet: 29 + 'so-mysql': + final_octet: 30 + 'so-nginx': + final_octet: 31 + 'so-playbook': + final_octet: 32 + 'so-redis': + final_octet: 33 + 'so-soc': + final_octet: 34 + 'so-soctopus': + final_octet: 35 + 'so-strelka-backend': + final_octet: 36 + 'so-strelka-filestream': + final_octet: 37 + 'so-strelka-frontend': + final_octet: 38 + 'so-strelka-manager': + final_octet: 39 diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja index 61416f7a4..7046fc196 100644 --- a/salt/docker/docker.map.jinja +++ b/salt/docker/docker.map.jinja @@ -1,6 +1,6 @@ {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} -{% set RANGESPLIT = DOCKER.range.split('.') %} +{% set RANGESPLIT = DOCKER.sosrange.split('.') %} {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} {% for container, vals in DOCKER.containers.items() %} From 591616fe5b8fa675696b6c7c91054c7b15fc768b Mon Sep 17 00:00:00 2001 
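Review bot: Nothing in docker.map.jinja checks that `final_octet` values are unique or inside the host range of `sosrange`, and because pillar data merges over these defaults, a duplicated or out-of-range octet from an operator override only surfaces when Docker refuses the second container with the same static address. A few Jinja lines before the `{% for %}` that collect the octets into a list and call `raise` on a repeat (Salt's Jinja `raise` helper) would turn that into a clear highstate error; the per-container loop itself is outside this hunk. The `RANGESPLIT` switch to `sosrange` still keeps only the first three octets, so the /24 assumption noted on the original skeleton applies unchanged.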
From: Mike Reeves Date: Tue, 15 Nov 2022 11:05:17 -0500 Subject: [PATCH 09/24] Add statics to all containers --- salt/docker/defaults.yaml | 8 ++++++-- salt/elastic-fleet/init.sls | 4 ++++ salt/filebeat/init.sls | 4 ++++ salt/grafana/init.sls | 6 ++++-- salt/idh/init.sls | 1 + salt/idstools/init.sls | 4 ++++ salt/influxdb/init.sls | 4 ++++ salt/kibana/init.sls | 7 ++++--- salt/kratos/init.sls | 4 ++++ salt/logstash/init.sls | 23 +++++++++++++---------- salt/mysql/init.sls | 5 ++++- salt/nginx/init.sls | 4 ++++ salt/playbook/init.sls | 5 ++++- salt/redis/init.sls | 5 ++++- salt/registry/init.sls | 4 ++++ salt/soctopus/init.sls | 5 ++++- salt/strelka/init.sls | 20 +++++++++++++++++++- 17 files changed, 91 insertions(+), 22 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index fdfb6ff70..fee8a5951 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -6,7 +6,7 @@ docker: containers: 'registry': final_octet: 20 - 'so-elastic-agent': + 'so-elastic-fleet': final_octet: 21 'so-elasticsearch': final_octet: 22 @@ -14,7 +14,7 @@ docker: final_octet: 23 'so-grafana': final_octet: 24 - 'so-idh': + 'so-idstools': final_octet: 25 'so-influxdb': final_octet: 26 @@ -44,3 +44,7 @@ docker: final_octet: 38 'so-strelka-manager': final_octet: 39 + 'so-strelka-gatekeeper': + final_octet: 40 + 'so-strelka-coordinator': + final_octet: 41 diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 4b985c23f..45d15ad58 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -4,6 +4,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} # These values are generated during node install and stored in minion pillar {% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} 
@@ -47,6 +48,9 @@ so-elastic-fleet: - hostname: Fleet-{{ GLOBALS.hostname }} - detach: True - user: 947 + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 3eed07696..908deba14 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} @@ -97,6 +98,9 @@ so-filebeat: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-filebeat:{{ GLOBALS.so_version }} - hostname: so-filebeat - user: root + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }} - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }} - binds: - /nsm:/nsm:ro diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index f20cdffff..901a8b6f7 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -1,8 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} - - +{% from 'docker/docker.map.jinja' import DOCKER %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} {% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %} @@ -126,6 +125,9 @@ so-grafana: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-grafana:{{ GLOBALS.so_version }} - hostname: grafana - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} - binds: - /nsm/grafana:/var/lib/grafana:rw - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro 
diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 1d0d640f4..2cf22c358 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 8a7aa6500..418ecec28 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -4,6 +4,7 @@ # Elastic License 2.0. {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set proxy = salt['pillar.get']('manager:proxy') %} @@ -31,6 +32,9 @@ so-idstools: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }} - hostname: so-idstools - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }} {% if proxy %} - environment: - http_proxy={{ proxy }} diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 321ce76d6..33aa87769 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -1,5 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} @@ -47,6 +48,9 @@ so-influxdb: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }} - hostname: influxdb + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - environment: - INFLUXDB_HTTP_LOG_ENABLED=false - binds: 
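Review bot: salt/idh/init.sls pulls in `{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}` directly, whereas every other state in this commit imports the merged `DOCKER` map from docker/docker.map.jinja; the direct import bypasses the `pillar.get(..., merge=True)` step and `DOCKERDEFAULTS` is not referenced anywhere in the hunk. Either drop the line or replace it with `{% from 'docker/docker.map.jinja' import DOCKER %}` so IDH follows the same path if it later receives a sosnet address. Note that this same commit renames the defaults entry from `so-idh` to `so-idstools`, so `DOCKER.containers['so-idh']` would not resolve for the IDH container anyway.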
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 9aac6bc37..9f45e2376 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -5,12 +5,10 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - - {% import_yaml 'kibana/defaults.yaml' as default_settings %} {% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %} - {% from 'kibana/config.map.jinja' import KIBANACONFIG with context %} # Add ES Group @@ -84,6 +82,9 @@ so-kibana: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }} - hostname: kibana - user: kibana + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} - environment: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index 6f3f3e19d..b58ecc8fa 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -5,6 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} # Add Kratos Group @@ -58,6 +59,9 @@ so-kratos: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }} - hostname: kratos - name: so-kratos + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} - binds: - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro - /opt/so/conf/kratos/kratos.yaml:/kratos-conf/kratos.yaml:ro diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index bf4d03984..481f727e4 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -6,19 +6,19 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'logstash/map.jinja' import REDIS_NODES with context %} +{% from 'vars/globals.map.jinja' import GLOBALS %} - {% from 'logstash/map.jinja' import REDIS_NODES with context %} - {% from 'vars/globals.map.jinja' import GLOBALS %} - - # Logstash Section - Decide which pillar to use - {% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} - {% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} +# Logstash Section - Decide which pillar to use +{% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} +{% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} {% set nodetype = GLOBALS.role %} - {% endif %} +{% endif %} - {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} - {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} - {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} +{% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} +{% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} +{% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} include: - ssl @@ -139,6 +139,9 @@ so-logstash: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - hostname: so-logstash - name: so-logstash + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {{ REDIS_NODES }} - environment: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 04ab5b140..e9766ea83 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -5,8 +5,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') %} # MySQL Setup @@ -84,6 +84,9 @@ so-mysql: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-mysql:{{ GLOBALS.so_version }} - hostname: so-mysql - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} - port_bindings: - 0.0.0.0:3306:3306 - environment: diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 201a35704..69fc541fa 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -1,6 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - ssl @@ -83,6 +84,9 @@ so-nginx: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - hostname: so-nginx + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/log/nginx/:/var/log/nginx:rw diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 75b6b5b2e..6784422c3 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -5,8 +5,8 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} - {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') -%} {%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db') -%} 
@@ -80,6 +80,9 @@ so-playbook: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-playbook:{{ GLOBALS.so_version }} - hostname: playbook - name: so-playbook + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw - environment: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 1a353a1f0..a481c989d 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -46,6 +46,9 @@ so-redis: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - hostname: so-redis - user: socore + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - port_bindings: - 0.0.0.0:6379:6379 - 0.0.0.0:9696:9696 diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 76ccbf070..c4ffc4800 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -1,5 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - ssl @@ -37,6 +38,9 @@ so-dockerregistry: docker_container.running: - image: ghcr.io/security-onion-solutions/registry:latest - hostname: so-registry + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['registry'].ip }} - restart_policy: always - port_bindings: - 0.0.0.0:5000:5000 diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index a2cba07ad..13559c626 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,6 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -63,6 +63,9 @@ so-soctopus: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soctopus:{{ GLOBALS.so_version }} - hostname: soctopus - name: so-soctopus + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-soctopus'].ip }} - binds: - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index e3477dd9e..00bc33223 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% import_yaml 'strelka/defaults.yaml' as strelka_config with context %} @@ -152,6 +152,9 @@ strelka_coordinator: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-coordinator + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - port_bindings: - 0.0.0.0:6380:6379 @@ -165,6 +168,9 @@ strelka_gatekeeper: docker_container.running: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-gatekeeper + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: - 0.0.0.0:6381:6379 @@ -182,6 +188,9 @@ strelka_frontend: - /nsm/strelka/log/:/var/log/strelka/:rw - privileged: True - name: so-strelka-frontend + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - port_bindings: - 0.0.0.0:57314:57314 
@@ -198,6 +207,9 @@ strelka_backend: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/:/etc/yara/:ro - name: so-strelka-backend + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - command: strelka-backend - restart_policy: on-failure @@ -212,6 +224,9 @@ strelka_manager: - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager append_so-strelka-manager_so-status.conf: @@ -226,6 +241,9 @@ strelka_filestream: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka - name: so-strelka-filestream + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream append_so-strelka-filestream_so-status.conf: From c0afcca87a03470c0a71ea1e996c8c81cf8202e1 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 15 Nov 2022 11:16:18 -0500 Subject: [PATCH 10/24] Update init.sls --- salt/docker/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 2497ddae5..91d22949a 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -54,5 +54,5 @@ dockerreserveports: sosnet: docker_network.present: - - subnet: {{ DOCKER.sosnet }} + - subnet: {{ DOCKER.sosrange }} - gateway: {{ DOCKER.sosbip }} From 1c242fb7f3c552c188a3d8f422581f340e100e92 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 15 Nov 2022 11:52:25 -0500 Subject: [PATCH 11/24] Update top.sls --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/top.sls b/salt/top.sls index 973978537..6f72da687 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -35,6 +35,7 @@ base: '* and G@saltversion:{{saltversion}}': - match: compound + - docker - salt.minion - patch.os.schedule - motd 
From a371c89f380606cf0c110a0627d073b24fda2f21 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 15 Nov 2022 11:52:51 -0500
Subject: [PATCH 12/24] Update top.sls
---
 salt/top.sls | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/top.sls b/salt/top.sls
index 6f72da687..973978537 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -35,7 +35,6 @@ base:
 '* and G@saltversion:{{saltversion}}':
 - match: compound
- - docker
 - salt.minion
 - patch.os.schedule
 - motd
From 813e59aa61f6e2552013c7461e786f34ccd19e35 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 15 Nov 2022 13:23:35 -0500
Subject: [PATCH 13/24] Add statics
---
 salt/docker/defaults.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index fee8a5951..c02c5c757 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -48,3 +48,7 @@ docker:
 final_octet: 40
 'so-strelka-coordinator':
 final_octet: 41
+ 'so-soc':
+ final_octet: 42
+ 'so-curator':
+ final_octet: 43
From edd993fd8208176c1cf4809b21e51138dad73fb8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 15 Nov 2022 16:02:17 -0500
Subject: [PATCH 14/24] change dupe soc to elastalert
---
 salt/docker/defaults.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml
index c02c5c757..14c136145 100644
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -48,7 +48,7 @@ docker:
 final_octet: 40
 'so-strelka-coordinator':
 final_octet: 41
- 'so-soc':
+ 'so-elastalert':
 final_octet: 42
 'so-curator':
 final_octet: 43
From 75825617da9349571d51a789d4e55c62716763ad Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 15 Nov 2022 17:13:25 -0500
Subject: [PATCH 15/24] add soc to sosnet
---
 salt/soc/init.sls | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/salt/soc/init.sls b/salt/soc/init.sls
index 8356bd1d8..c38e60a4c 100644
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -2,6 +2,7 @@ {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} include: - manager.sync_es_users @@ -92,6 +93,9 @@ so-soc: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }} - hostname: soc - name: so-soc + - networks: + - sosnet: + - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw From d246aa6a80e813f2e4349de3774a92b7e79aa114 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 17:14:33 -0500 Subject: [PATCH 16/24] we dont need default network config --- salt/common/files/daemon.json | 9 --------- 1 file changed, 9 deletions(-) diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json index c2df49f34..d13a80e4b 100644 --- a/salt/common/files/daemon.json +++ b/salt/common/files/daemon.json @@ -1,12 +1,3 @@ -{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %} -{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %} { "registry-mirrors": [ "https://:5000" ], - "bip": "{{ DOCKERBIND }}", - "default-address-pools": [ - { - "base" : "{{ DOCKERRANGE }}", - "size" : 24 - } - ] } From 54e4749ddfc60e27d46dbeff2a97a1e20c9e2508 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 17:30:55 -0500 Subject: [PATCH 17/24] remove comma --- salt/common/files/daemon.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json index d13a80e4b..c2a2bfedb 100644 --- a/salt/common/files/daemon.json +++ b/salt/common/files/daemon.json @@ -1,3 +1,3 @@ { - "registry-mirrors": [ "https://:5000" ], + "registry-mirrors": [ "https://:5000" ] } From 19f043cfe2f7911cdbf38faa70513b545a16d68d Mon Sep 17 00:00:00 2001 
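Review bot: so-soc is given a static `ipv4_address` on sosnet, but nothing in the hunk orders it after the `docker_network.present` state that creates that network, and the two top.sls hunks earlier in this series add and then immediately remove the `docker` state from the base match, so highstate ordering does not guarantee it either. If the network does not exist when `docker_container.running` is evaluated the container fails to start rather than falling back to the default bridge. Adding `- require:` / `  - docker_network: sos_docker_net` (or including the docker state at the top of this sls) pins the dependency; the exact state ID depends on the naming in salt/docker/init.sls, which a later patch in this series changes. The so-soc state continues past the end of the hunk.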
From: m0duspwnens Date: Tue, 15 Nov 2022 17:39:08 -0500 Subject: [PATCH 18/24] add some options for sosnet --- salt/docker/init.sls | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 91d22949a..bbb7c6e4d 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -52,7 +52,12 @@ dockerreserveports: - source: salt://common/files/99-reserved-ports.conf - name: /etc/sysctl.d/99-reserved-ports.conf -sosnet: +sos_docker_net: docker_network.present: + - name: sosnet - subnet: {{ DOCKER.sosrange }} - - gateway: {{ DOCKER.sosbip }} + - gateway: {{ DOCKER.sosbip }} + - options: + com.docker.network.bridge.name: sosbridge + com.docker.network.driver.mtu: 1500 + com.docker.network.bridge.enable_ip_masquerade: true From 9ffde8bff523668cb652d226fb8d46132bad5a71 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 15 Nov 2022 17:46:08 -0500 Subject: [PATCH 19/24] ensure options are strings --- salt/docker/init.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index bbb7c6e4d..ae2fadb45 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -58,6 +58,6 @@ sos_docker_net: - subnet: {{ DOCKER.sosrange }} - gateway: {{ DOCKER.sosbip }} - options: - com.docker.network.bridge.name: sosbridge - com.docker.network.driver.mtu: 1500 - com.docker.network.bridge.enable_ip_masquerade: true + com.docker.network.bridge.name: 'sosbridge' + com.docker.network.driver.mtu: '1500' + com.docker.network.bridge.enable_ip_masquerade: 'true' From a3b505971b5b670eccb87a15132e0bed37f63273 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 16 Nov 2022 12:51:43 -0500 Subject: [PATCH 20/24] remove /24 from docker bip --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4941f48ad..98aee00ea 100755 --- a/setup/so-functions +++ b/setup/so-functions 
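Review bot: The MTU for sosnet is hard-coded to 1500 in the new `options` block, which will fragment or black-hole traffic on hosts whose uplink runs over a VPN or VXLAN overlay with a smaller effective MTU; the subnet and gateway are already taken from `DOCKER`, so the MTU should be too, e.g. `com.docker.network.driver.mtu: '{{ DOCKER.sosmtu | default(1500) }}'`. A short comment above the options saying why each is set would help: the bridge is named `sosbridge` presumably so host firewall rules can reference it, and `enable_ip_masquerade` is, as far as I know, already Docker's default for bridge networks, so stating it here documents intent rather than changing behaviour unless a daemon-wide setting is being overridden. The values must be strings for the Docker API, which the following patch in this series addresses.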
@@ -1385,11 +1385,11 @@ create_global() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 DOCKERNET2=172.17.1.0 - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 - DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') else - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 - DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') fi if [ -f "$global_pillar_file" ]; then From d97e13b473a41b998705e62842dfcda2c2577dfe Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 16 Nov 2022 14:47:40 -0500 Subject: [PATCH 21/24] add /24 back to default bip, rever daemon.json --- salt/common/files/daemon.json | 13 ++++++++++++- setup/so-functions | 4 ++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/salt/common/files/daemon.json b/salt/common/files/daemon.json index c2a2bfedb..ff6f930bf 100644 --- a/salt/common/files/daemon.json +++ b/salt/common/files/daemon.json @@ -1,3 +1,14 @@ +{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %} +{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %} { - "registry-mirrors": [ "https://:5000" ] + "registry-mirrors": [ + "https://:5000" + ], + "bip": "{{ DOCKERBIND }}", + "default-address-pools": [ + { + "base": "{{ DOCKERRANGE }}", + "size": 24 + } + ] } diff --git a/setup/so-functions b/setup/so-functions index 98aee00ea..e3307bade 100755 --- a/setup/so-functions +++ b/setup/so-functions 
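Review bot: Both branches of `if [ -z "$DOCKERNET" ]` in create_global now run identical awk pipelines for DOCKERBIP and DOCKER2BIP, so the conditional only chooses the defaults and the two assignments should be hoisted below the `fi`. Nothing validates that a user-supplied DOCKERNET is a dotted-quad network address before it is sliced: a bare `172.17` or a hostname yields a gateway like `172.17..1` that only surfaces much later inside Docker. A guard right after the defaults is cheap, `[[ "$DOCKERNET" =~ ^([0-9]{1,3}\.){3}0$ ]] || { echo "DOCKERNET must be an IPv4 /24 network address" >&2; exit 1; }` (or whatever error helper so-functions already uses), and `$DOCKERNET` should be double-quoted in the echo. create_global starts and ends outside the hunk, and where DOCKERNET originates is not visible here.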
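Review bot: The restored `default-address-pools` entry has a /24 base with `size: 24`, which yields exactly one pool — the same 172.17.0.0/24 that `bip` already assigns to docker0 — so, if I read Docker's allocator correctly, any user-defined network created without an explicit subnet will fail with a "no available, non-overlapping IPv4 address pool" error. That is acceptable as long as every network Security Onion creates passes a subnet (sosnet does), but it is a trap for anyone running `docker network create` by hand on the box, so a comment above the block stating the intent would help: `{# one /24 pool on purpose: docker0 only; every SO-managed network must pass an explicit subnet #}`. If a second pool is wanted, widening the pillar default for docker:range to a /16 would be the minimal change.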
@@ -1385,10 +1385,10 @@ create_global() { if [ -z "$DOCKERNET" ]; then DOCKERNET=172.17.0.0 DOCKERNET2=172.17.1.0 - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') else - DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.') + DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.') fi From 4b6b42f9b93e3c843b0e3d62eeab28c6000070a0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 22 Nov 2022 10:19:18 -0500 Subject: [PATCH 22/24] dont try to add sosnet if it exists --- .vscode/sftp.json | 12 ++++++++++++ salt/docker/init.sls | 1 + 2 files changed, 13 insertions(+) create mode 100644 .vscode/sftp.json diff --git a/.vscode/sftp.json b/.vscode/sftp.json new file mode 100644 index 000000000..7de9a4d41 --- /dev/null +++ b/.vscode/sftp.json @@ -0,0 +1,12 @@ +{ + "name": "10.66.166.230", + "host": "10.66.166.230", + "protocol": "sftp", + "port": 22, + "username": "onionuser", + "remotePath": "/home/onionuser/so/", + "uploadOnSave": false, + "useTempFile": false, + "autoDelete": true, + "openSsh": false +} diff --git a/salt/docker/init.sls b/salt/docker/init.sls index ae2fadb45..a121ef0d8 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -61,3 +61,4 @@ sos_docker_net: com.docker.network.bridge.name: 'sosbridge' com.docker.network.driver.mtu: '1500' com.docker.network.bridge.enable_ip_masquerade: 'true' + - unless: `docker network ls | grep sosnet` From 6d89d58c50fff6149a54ba0b3aaf4e789ffc282d Mon Sep 17 00:00:00 2001 
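Review bot: After this change DOCKERBIP carries a /24 suffix while DOCKER2BIP does not, and nothing in the code says why; the asymmetry is deliberate if DOCKERBIP feeds daemon.json's `bip` (which Docker takes in CIDR form) and DOCKER2BIP feeds the `gateway` of `docker_network.present` (a bare address), but a reader of create_global cannot tell that from here, and the previous patch in this series already stripped the suffix from both by mistake. Two comments would prevent the next regression: `# daemon.json "bip" must be in CIDR form` above the DOCKERBIP line and `# docker_network gateway must be a bare address, no prefix` above DOCKER2BIP. The two branches are still identical apart from the defaults, so the assignments belong after the `fi`.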
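Review bot: `.vscode/sftp.json` is a developer's editor deployment config and does not belong in the repository: it records an internal host address and a remote username, and although the next patch in this series deletes it again, both values remain recoverable from git history. Adding `.vscode/` to `.gitignore` prevents the next accidental commit, and the reviewer should decide whether the exposed host and account warrant rotating anything that trusted them.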
From: m0duspwnens Date: Tue, 22 Nov 2022 11:10:30 -0500 Subject: [PATCH 23/24] ensure createrepo and yum-utils is installed from so repo --- .vscode/sftp.json | 12 ------------ setup/so-functions | 17 +++++++++-------- 2 files changed, 9 insertions(+), 20 deletions(-) delete mode 100644 .vscode/sftp.json diff --git a/.vscode/sftp.json b/.vscode/sftp.json deleted file mode 100644 index 7de9a4d41..000000000 --- a/.vscode/sftp.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "name": "10.66.166.230", - "host": "10.66.166.230", - "protocol": "sftp", - "port": 22, - "username": "onionuser", - "remotePath": "/home/onionuser/so/", - "uploadOnSave": false, - "useTempFile": false, - "autoDelete": true, - "openSsh": false -} diff --git a/setup/so-functions b/setup/so-functions index e3307bade..d233b3cb4 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1893,14 +1893,6 @@ securityonion_repo() { repo_sync_local() { # Sync the repo from the the SO repo locally. # Check for reposync - REPOSYNC=$(rpm -qa | grep createrepo | wc -l) - if [[ ! "$REPOSYNC" -gt 0 ]]; then - # Install reposync - info "Installing createrepo" - logCmd "yum -y install yum-utils createrepo" - else - info "We have what we need to sync" - fi info "Backing up old repos" mkdir -p /nsm/repo mkdir -p /root/reposync_cache @@ -1924,6 +1916,15 @@ repo_sync_local() { echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf + REPOSYNC=$(rpm -qa | grep createrepo | wc -l) + if [[ ! "$REPOSYNC" -gt 0 ]]; then + # Install reposync + info "Installing createrepo" + logCmd "yum -y install -c /root/repodownload.conf yum-utils createrepo" + else + info "We have what we need to sync" + fi + logCmd "reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/" From b05839bb9330980e4b72174698c2153dfd061334 Mon Sep 17 00:00:00 2001 
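Review bot: The relocated install check in repo_sync_local still tests only for createrepo (`rpm -qa | grep createrepo | wc -l`), so a host that has createrepo but not yum-utils passes the check and then fails at the `reposync` call below; testing both packages directly is simpler and exact: `if ! rpm -q yum-utils createrepo >/dev/null 2>&1; then`. Passing `-c /root/repodownload.conf` only guarantees the install comes from the SO repo if that conf sets `reposdir` to a directory without the system repo files — otherwise yum still loads /etc/yum.repos.d — and the lines that start the conf are outside this hunk, so either confirm that or add `--disablerepo='*' --enablerepo=securityonionsync` to the `yum -y install` line. The conf is built with `>>`, so unless it is removed first (not visible here) repeated runs accumulate duplicate sections. repo_sync_local continues past the end of the hunk.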
From: m0duspwnens Date: Tue, 22 Nov 2022 13:07:58 -0500 Subject: [PATCH 24/24] use single quote --- salt/docker/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index a121ef0d8..71ed4a153 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -61,4 +61,4 @@ sos_docker_net: com.docker.network.bridge.name: 'sosbridge' com.docker.network.driver.mtu: '1500' com.docker.network.bridge.enable_ip_masquerade: 'true' - - unless: `docker network ls | grep sosnet` + - unless: 'docker network ls | grep sosnet'
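Review bot: The `unless: 'docker network ls | grep sosnet'` guard defeats the drift correction that `docker_network.present` already provides: the state is idempotent on its own, and with the guard any later change to the subnet, gateway or options is never applied because a network by that name still exists. The grep is also a substring match, so a network named `sosnet2` or `oldsosnet` would suppress creation of `sosnet` entirely. If the guard exists to stop the module recreating the network on every run because of an options mismatch, say so in a comment and tighten the check to an exact name, e.g. `- unless: 'docker network inspect sosnet >/dev/null 2>&1'`; otherwise dropping the line is the safer fix.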