From be11c718f68867fa75bb0654f5964e99910b0480 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 12 Nov 2025 18:06:55 -0500 Subject: [PATCH] configure salt then install it --- setup/so-functions | 85 ++++++++++++++++++---------------------------- setup/so-setup | 9 +++-- 2 files changed, 37 insertions(+), 57 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 88da7ee9e..2dd5a3b2e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -502,6 +502,7 @@ configure_minion() { minion_type=desktop fi info "Configuring minion type as $minion_type" + logCmd "mkdir -p /etc/salt/minion.d" echo "role: so-$minion_type" > /etc/salt/grains local minion_config=/etc/salt/minion @@ -541,20 +542,6 @@ configure_minion() { "log_file: /opt/so/log/salt/minion"\ "#startup_states: highstate" >> "$minion_config" - # At the time the so-managerhype node does not yet have the bridge configured. - # The so-hypervisor node doesn't either, but it doesn't cause issues here. - local usebr0=false - if [ "$minion_type" == 'hypervisor' ]; then - usebr0=true - fi - local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}" - info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'" - salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json" - - { - logCmd "systemctl enable salt-minion"; - logCmd "systemctl restart salt-minion"; - } >> "$setup_log" 2>&1 } checkin_at_boot() { 
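Review bot: The new `mkdir -p /etc/salt/minion.d` goes through logCmd and its result is never checked, yet the `echo "role: so-$minion_type" > /etc/salt/grains` on the next line now depends on it having created /etc/salt — on the second so-setup path in this patch configure_minion runs without copy_salt_master_config first, so nothing else creates the directory. If logCmd returns the command's status, `logCmd "mkdir -p /etc/salt/minion.d" || fail_setup` makes the failure explicit instead of surfacing as a redirect error further down; if it does not, a direct `mkdir -p /etc/salt/minion.d || fail_setup` does. A one-line comment such as `# Runs before Salt is installed; /etc/salt may not exist yet` would also explain why a config function is creating the directory. configure_minion starts and continues outside this hunk.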
@@ -798,25 +785,18 @@ configure_hyper_bridge() { } copy_salt_master_config() { - + logCmd "mkdir /etc/salt" title "Copy the Salt master config template to the proper directory" if [ "$setup_type" = 'iso' ]; then logCmd "cp /root/SecurityOnion/files/salt/master/master /etc/salt/master" - #logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" else logCmd "cp ../files/salt/master/master /etc/salt/master" - #logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" logCmd "cp -R $temp_install_dir/pillar/ $local_salt_dir/" if [ -d "$temp_install_dir"/salt ] ; then logCmd "cp -R $temp_install_dir/salt/ $local_salt_dir/" fi - - # Restart the service so it picks up the changes - logCmd "systemctl daemon-reload" - logCmd "systemctl enable salt-master" - logCmd "systemctl restart salt-master" } create_local_nids_rules() { @@ -1941,11 +1921,12 @@ repo_sync_local() { } saltify() { - info "Installing Salt" SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+") + info "Installing Salt $SALTVERSION" + chmod u+x ../salt/salt/scripts/bootstrap-salt.sh if [[ $is_deb ]]; then - DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup + DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi local pkg_arr=( 'apache2-utils' 
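Review bot: The added `logCmd "mkdir /etc/salt"` lacks `-p`, so it fails (and logs an error) whenever the directory already exists — a re-run after a partial setup, or a host where something already created /etc/salt — while the same patch uses `mkdir -p /etc/salt/minion.d` in configure_minion; `logCmd "mkdir -p /etc/salt"` is consistent and idempotent. With this reordering /etc/salt/master is written before the salt-master package is installed, so the patch now relies on the package install not replacing a pre-existing config file; that depends on the bootstrap script's package-manager options, which are not visible here, and deserves a comment at the copy such as `# Pre-seeded before install; saltify must not let the package overwrite this file`. Removing the enable/restart here is fine since saltify now starts the master.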
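Review bot: `SALTVERSION` is still extracted with a grep on master.defaults.yaml and never checked, and the new `bootstrap-salt.sh ... stable $SALTVERSION` call degrades silently when it is empty: `stable` with no version tells the bootstrap script to install the latest stable release (assuming the vendored script keeps upstream's argument semantics), whereas the old `salt-common=$SALTVERSION` form would at least have failed on apt. Add `[[ -n "$SALTVERSION" ]] || fail_setup` right after the assignment so the version pin cannot be lost quietly. The `chmod u+x` on the script is redundant since every call invokes it via `bash`, and like the script path it depends on the caller's working directory. saltify continues past this hunk.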
@@ -1958,16 +1939,11 @@ saltify() { 'jq' 'gnupg' ) - retry 150 20 "apt-get -y install ${pkg_arr[*]}" || fail_setup + retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup logCmd "mkdir -vp /etc/apt/keyrings" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" - # Download public key - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public" - # Create apt repo target configuration - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" | sudo tee /etc/apt/sources.list.d/salt.list - if [[ $is_ubuntu ]]; then # Add Docker Repo add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" 
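Review bot: Dropping the Broadcom key download, the `signed-by=` repo entry and the `apt-key add` for Salt moves all Salt repository and signing-key trust into the vendored `../salt/salt/scripts/bootstrap-salt.sh`, which nothing in this patch pins, checksums or otherwise verifies. Record where the script comes from and how it is kept current, e.g. `# bootstrap-salt.sh is vendored from upstream salt-bootstrap; it configures the Salt repo and signing key itself, so re-review it on every update`, so a reader can tell which repo URL and key the install now trusts. The change from `retry 150 20` to `retry 30 10` also shrinks the total wait for `apt-get install` by an order of magnitude if those arguments are attempts and delay seconds; a short comment on the intended budget would help.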
@@ -1978,45 +1954,50 @@ saltify() { echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list fi - logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp" - - #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" logCmd "apt-key add /etc/apt/keyrings/docker.pub" - # Add SO Saltstack Repo - #echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt3004.2/ focal main" > /etc/apt/sources.list.d/saltstack.list - - # Ain't nothing but a GPG - - retry 150 20 "apt-get update" "" "Err:" || fail_setup + retry 30 10 "apt-get update" "" "Err:" || fail_setup if [[ $waitforstate ]]; then - retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION salt-master=$SALTVERSION" || fail_setup - retry 150 20 "apt-mark hold salt-minion salt-common salt-master" || fail_setup - retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1 + retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup + retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup + retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1 else - retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup - retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup + retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup + retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup fi fi if [[ $is_rpm ]]; then if [[ $waitforstate ]]; then # install all for a manager - logCmd "dnf -y install salt-$SALTVERSION salt-master-$SALTVERSION salt-minion-$SALTVERSION" + retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X 
stable $SALTVERSION" || fail_setup else - # We just need the minion - if [[ $is_airgap ]]; then - logCmd "dnf -y install salt salt-minion" - else - logCmd "dnf -y install salt-$SALTVERSION salt-minion-$SALTVERSION" - fi + # just a minion + retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup fi fi - logCmd "mkdir -p /etc/salt/minion.d" salt_install_module_deps salt_patch_x509_v2 + # At the time the so-managerhype node does not yet have the bridge configured. + # The so-hypervisor node doesn't either, but it doesn't cause issues here. + local usebr0=false + if [ "$minion_type" == 'hypervisor' ]; then + usebr0=true + fi + local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}" + info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'" + salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json" + + if [[ $waitforstate ]]; then + logCmd "systemctl enable salt-master"; + logCmd "systemctl start salt-master"; + fi + + logCmd "systemctl enable salt-minion"; + logCmd "systemctl restart salt-minion"; + } salt_install_module_deps() { diff --git a/setup/so-setup b/setup/so-setup index bdb1c38e2..91f1fa9aa 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -745,13 +745,12 @@ if ! [[ -f $install_opt_file ]]; then securityonion_repo # Update existing packages update_packages - # Install salt - saltify - # Start the master service + # Put salt-master config in place copy_salt_master_config configure_minion "$minion_type" + # Install salt + saltify check_sos_appliance - logCmd "salt-key -yd $MINION_ID" sleep 2 # Debug RSA Key format errors logCmd "salt-call state.show_top" @@ -852,8 +851,8 @@ if ! [[ -f $install_opt_file ]]; then gpg_rpm_import securityonion_repo update_packages - saltify configure_minion "$minion_type" + saltify check_sos_appliance drop_install_options hypervisor_local_states
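Review bot: The `$is_airgap` branch that installed `salt salt-minion` from the local repo is gone, and air-gapped minions now run `bootstrap-salt.sh -X stable $SALTVERSION`, which (if the vendored script follows upstream) adds the public Salt repository and fetches its signing key before installing — neither is reachable offline, so the install either fails or ends up trusting a repo the airgap mirror never vetted. The Debian branch has the same gap since `$is_airgap` was never consulted there. Keep an explicit offline path that passes `-r` to skip the script's repository configuration and installs from the already-configured local mirror; the RPM case is sketched below. Separately, `$minion_type` is now read in saltify as a global rather than received as a parameter the way configure_minion takes it, so the `usebr0` decision depends on that global still holding the value so-setup passed.
```shell
if [[ $is_rpm ]]; then
  if [[ $waitforstate ]]; then
    # install all for a manager
    retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
  elif [[ $is_airgap ]]; then
    # Offline: packages come from the local mirror; -r skips the script's repo/key setup
    retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
  else
    # just a minion
    retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
  fi
fi
# … unchanged: module deps, x509 patch, mine_functions apply, service enable/start …
```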
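Review bot: Reordering copy_salt_master_config and configure_minion ahead of saltify means `/etc/salt/master`, `/etc/salt/minion` and `/etc/salt/grains` exist before any Salt package is installed, and the patch says nothing about how the install treats those pre-existing files — on dpkg a conffile already on disk is a conflict resolved by the install options, on rpm by whether the package marks it `%config(noreplace)`, neither of which is visible here. The comment `# Put salt-master config in place` should state that dependency, e.g. `# Pre-seed /etc/salt/{master,minion} before install; saltify relies on the packages not replacing them`. Dropping `salt-key -yd $MINION_ID` is consistent with the master now starting only inside saltify, but it was also the step that cleared a stale minion key on re-runs, so it is worth noting whether that case is still handled. The enclosing `if` block starts and ends outside the hunk.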