Merge pull request #15082 from Security-Onion-Solutions/vlb2

fix hypervisor bridge setup

salt/libvirt/bridge.sls

@@ -4,6 +4,9 @@
 # Elastic License 2.0.
 
 # We do not import GLOBALS in this state because it is called during setup
+include:
+  - salt.minion.service_file
+  - salt.mine_functions
 
 down_original_mgmt_interface:
   cmd.run:
@@ -28,29 +31,14 @@ wait_for_br0_ip:
     - timeout: 95
     - onchanges:
       - cmd: down_original_mgmt_interface
-
+    - onchanges_in:
-{% if grains.role == 'so-hypervisor' %}
+      - file: salt_minion_service_unit_file
-
+      - file: mine_functions
-update_mine_functions:
-  file.managed:
-    - name: /etc/salt/minion.d/mine_functions.conf
-    - contents: |
-        mine_interval: 25
-        mine_functions:
-          network.ip_addrs:
-            - interface: br0
-        {%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %}
-          x509.get_pem_entries:
-            - glob_path: '/etc/pki/ca.crt'
-        {% endif %}
-    - onchanges:
-      - cmd: wait_for_br0_ip
 
 restart_salt_minion_service:
   service.running:
     - name: salt-minion
     - enable: True
     - listen:
-      - file: update_mine_functions
+      - file: salt_minion_service_unit_file
-
+      - file: mine_functions
-{% endif %}

salt/manager/tools/sbin/so-user

@@ -387,7 +387,7 @@ function syncElastic() {
     if [[ -z "$SKIP_STATE_APPLY" ]]; then
       echo "Elastic state will be re-applied to affected minions. This will run in the background and may take several minutes to complete."
       echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1
-      salt --async -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1
+      salt --async -C 'I@elasticsearch:enabled:true' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1
     fi
   else
     echo "Newly generated users/roles files are incomplete; aborting."

salt/salt/map.jinja

@@ -4,7 +4,10 @@
    Elastic License 2.0. #}
 
 {% set role = salt['grains.get']('role', '') %}
-{% if role in ['so-hypervisor','so-managerhype'] and salt['network.ip_addrs']('br0')|length > 0 %}
+{# We are using usebr0 mostly for setup of the so-managerhype node and controlling when we use br0 vs the physical interface #}
+{% set usebr0 = salt['pillar.get']('usebr0', True) %}
+
+{% if role in ['so-hypervisor','so-managerhype'] and usebr0 %}
 {%   set interface = 'br0' %}
 {% else %}
 {%   set interface = pillar.host.mainint %}

salt/salt/mine_functions.sls

@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-# this state was seperated from salt.minion state since it is called during setup
+# this state was separated from salt.minion state since it is called during setup
 # GLOBALS are imported in the salt.minion state and that is not available at that point in setup
 # this state is included in the salt.minion state
 

salt/salt/minion/init.sls

@@ -1,18 +1,22 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'salt/map.jinja' import UPGRADECOMMAND with context %}
 {% from 'salt/map.jinja' import SALTVERSION %}
 {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
 {% from 'salt/map.jinja' import SALTPACKAGES %}
-{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}
 {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
 
 include:
   - salt.python_modules
   - salt.patch.x509_v2
   - salt
-  - systemd.reload
   - repo.client
   - salt.mine_functions
+  - salt.minion.service_file
 {% if GLOBALS.role in GLOBALS.manager_roles %}
   - ca
 {% endif %}
@@ -94,17 +98,6 @@ enable_startup_states:
     - regex: '^startup_states: highstate$'
     - unless: pgrep so-setup
 
-# prior to 2.4.30 this managed file would restart the salt-minion service when updated
-# since this file is currently only adding a delay service start
-# it is not required to restart the service
-salt_minion_service_unit_file:
-  file.managed:
-    - name: {{ SYSTEMD_UNIT_FILE }}
-    - source: salt://salt/service/salt-minion.service.jinja
-    - template: jinja
-    - onchanges_in:
-      - module: systemd_reload
-
 {% endif %}
 
 # this has to be outside the if statement above since there are <requisite>_in calls to this state

salt/salt/minion/service_file.sls

@@ -0,0 +1,26 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'salt/map.jinja' import SALTVERSION %}
+{% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
+{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}
+
+include:
+  - systemd.reload
+
+{% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
+
+# prior to 2.4.30 this managed file would restart the salt-minion service when updated
+# since this file is currently only adding a delay service start
+# it is not required to restart the service
+salt_minion_service_unit_file:
+  file.managed:
+    - name: {{ SYSTEMD_UNIT_FILE }}
+    - source: salt://salt/service/salt-minion.service.jinja
+    - template: jinja
+    - onchanges_in:
+      - module: systemd_reload
+
+{% endif %}

setup/so-functions

@@ -541,8 +541,15 @@ configure_minion() {
 		"log_file: /opt/so/log/salt/minion"\
 		"#startup_states: highstate" >> "$minion_config"
 
-	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'"
+	# At the time the so-managerhype node does not yet have the bridge configured.
-	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}"
+	# The so-hypervisor node doesn't either, but it doesn't cause issues here.
+	local usebr0=false
+	if [ "$minion_type" == 'hypervisor' ]; then
+    	usebr0=true
+	fi
+	local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}"
+	info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'"
+	salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json"
 
 	{
 		logCmd "systemctl enable salt-minion";
@@ -1195,9 +1202,6 @@ hypervisor_local_states() {
         logCmd "salt-call state.apply libvirt.64962 --local --file-root=../salt/ -l info queue=True"
         info "Setting up bridge for $MNIC"
 		salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "'$MNIC'"}}' queue=True
-		    if [ $is_managerhype ]; then
-			    logCmd "salt-call state.apply salt.minion queue=True"
-		    fi
     fi
 }
 

setup/so-setup

@@ -762,6 +762,7 @@ if ! [[ -f $install_opt_file ]]; then
 		fi
 		logCmd "salt-call state.apply common.packages"
 		logCmd "salt-call state.apply common"
+		hypervisor_local_states
 		# this will apply the salt.minion state first since salt.master includes salt.minion
 		logCmd "salt-call state.apply salt.master"
 		# wait here until we get a response from the salt-master since it may have just restarted
@@ -826,7 +827,6 @@ if ! [[ -f $install_opt_file ]]; then
 		checkin_at_boot
 		set_initial_firewall_access
 		logCmd "salt-call schedule.enable -linfo --local"
-		hypervisor_local_states
 		verify_setup
 	else
 		touch /root/accept_changes