diff --git a/salt/libvirt/bridge.sls b/salt/libvirt/bridge.sls index b8f720993..cc28bd8b7 100644 --- a/salt/libvirt/bridge.sls +++ b/salt/libvirt/bridge.sls @@ -4,6 +4,9 @@ # Elastic License 2.0. # We do not import GLOBALS in this state because it is called during setup +include: + - salt.minion.service_file + - salt.mine_functions down_original_mgmt_interface: cmd.run: @@ -28,29 +31,14 @@ wait_for_br0_ip: - timeout: 95 - onchanges: - cmd: down_original_mgmt_interface - -{% if grains.role == 'so-hypervisor' %} - -update_mine_functions: - file.managed: - - name: /etc/salt/minion.d/mine_functions.conf - - contents: | - mine_interval: 25 - mine_functions: - network.ip_addrs: - - interface: br0 - {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %} - x509.get_pem_entries: - - glob_path: '/etc/pki/ca.crt' - {% endif %} - - onchanges: - - cmd: wait_for_br0_ip + - onchanges_in: + - file: salt_minion_service_unit_file + - file: mine_functions restart_salt_minion_service: service.running: - name: salt-minion - enable: True - listen: - - file: update_mine_functions - -{% endif %} + - file: salt_minion_service_unit_file + - file: mine_functions diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index 92b3ba385..060dcf3a4 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user @@ -387,7 +387,7 @@ function syncElastic() { if [[ -z "$SKIP_STATE_APPLY" ]]; then echo "Elastic state will be re-applied to affected minions. This will run in the background and may take several minutes to complete." echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1 - salt --async -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 + salt --async -C 'I@elasticsearch:enabled:true' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 fi else echo "Newly generated users/roles files are incomplete; aborting." diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 1e3b200f4..62b7f1b18 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -4,7 +4,10 @@ Elastic License 2.0. #} {% set role = salt['grains.get']('role', '') %} -{% if role in ['so-hypervisor','so-managerhype'] and salt['network.ip_addrs']('br0')|length > 0 %} +{# We are using usebr0 mostly for setup of the so-managerhype node and controlling when we use br0 vs the physical interface #} +{% set usebr0 = salt['pillar.get']('usebr0', True) %} + +{% if role in ['so-hypervisor','so-managerhype'] and usebr0 %} {% set interface = 'br0' %} {% else %} {% set interface = pillar.host.mainint %} diff --git a/salt/salt/mine_functions.sls b/salt/salt/mine_functions.sls index ed786e997..ae3df1ce9 100644 --- a/salt/salt/mine_functions.sls +++ b/salt/salt/mine_functions.sls @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -# this state was seperated from salt.minion state since it is called during setup +# this state was separated from salt.minion state since it is called during setup # GLOBALS are imported in the salt.minion state and that is not available at that point in setup # this state is included in the salt.minion state diff --git a/salt/salt/minion.sls b/salt/salt/minion/init.sls similarity index 86% rename from salt/salt/minion.sls rename to salt/salt/minion/init.sls index b85fad1c0..374e6954c 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion/init.sls @@ -1,18 +1,22 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'salt/map.jinja' import UPGRADECOMMAND with context %} {% from 'salt/map.jinja' import SALTVERSION %} {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} {% from 'salt/map.jinja' import SALTPACKAGES %} -{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %} include: - salt.python_modules - salt.patch.x509_v2 - salt - - systemd.reload - repo.client - salt.mine_functions + - salt.minion.service_file {% if GLOBALS.role in GLOBALS.manager_roles %} - ca {% endif %} @@ -94,17 +98,6 @@ enable_startup_states: - regex: '^startup_states: highstate$' - unless: pgrep so-setup -# prior to 2.4.30 this managed file would restart the salt-minion service when updated -# since this file is currently only adding a delay service start -# it is not required to restart the service -salt_minion_service_unit_file: - file.managed: - - name: {{ SYSTEMD_UNIT_FILE }} - - source: salt://salt/service/salt-minion.service.jinja - - template: jinja - - onchanges_in: - - module: systemd_reload - {% endif %} # this has to be outside the if statement above since there are _in calls to this state diff --git a/salt/salt/minion/service_file.sls b/salt/salt/minion/service_file.sls new file mode 100644 index 000000000..8aded2d60 --- /dev/null +++ b/salt/salt/minion/service_file.sls @@ -0,0 +1,26 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% from 'salt/map.jinja' import SALTVERSION %} +{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %} +{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %} + +include: + - systemd.reload + +{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} + +# prior to 2.4.30 this managed file would restart the salt-minion service when updated +# since this file is currently only adding a delay service start +# it is not required to restart the service +salt_minion_service_unit_file: + file.managed: + - name: {{ SYSTEMD_UNIT_FILE }} + - source: salt://salt/service/salt-minion.service.jinja + - template: jinja + - onchanges_in: + - module: systemd_reload + +{% endif %} diff --git a/setup/so-functions b/setup/so-functions index 9ab11a904..5847df704 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -541,8 +541,15 @@ configure_minion() { "log_file: /opt/so/log/salt/minion"\ "#startup_states: highstate" >> "$minion_config" - info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'" - salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}" + # At the time the so-managerhype node does not yet have the bridge configured. + # The so-hypervisor node doesn't either, but it doesn't cause issues here. + local usebr0=false + if [ "$minion_type" == 'hypervisor' ]; then + usebr0=true + fi + local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}" + info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'" + salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json" { logCmd "systemctl enable salt-minion"; @@ -1194,10 +1201,7 @@ hypervisor_local_states() { info "Running libvirt states for hypervisor" logCmd "salt-call state.apply libvirt.64962 --local --file-root=../salt/ -l info queue=True" info "Setting up bridge for $MNIC" - salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "'$MNIC'"}}' queue=True - if [ $is_managerhype ]; then - logCmd "salt-call state.apply salt.minion queue=True" - fi + salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "'$MNIC'"}}' queue=True fi } diff --git a/setup/so-setup b/setup/so-setup index 347a7165c..ab055fd2d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -762,6 +762,7 @@ if ! [[ -f $install_opt_file ]]; then fi logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" + hypervisor_local_states # this will apply the salt.minion state first since salt.master includes salt.minion logCmd "salt-call state.apply salt.master" # wait here until we get a response from the salt-master since it may have just restarted @@ -826,7 +827,6 @@ if ! [[ -f $install_opt_file ]]; then checkin_at_boot set_initial_firewall_access logCmd "salt-call schedule.enable -linfo --local" - hypervisor_local_states verify_setup else touch /root/accept_changes