Merge pull request #2348 from Security-Onion-Solutions/soup2320

SOUP Changes
2025-12-06 17:22:49 +01:00 · 2020-12-14 21:19:45 -05:00
parent efe44323cb cbd59ed86a
commit bf1f00d2fe
7 changed files with 64 additions and 3 deletions
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -0,0 +1,12 @@
+{%- set DOCKERRANGE = salt['pillar.get']('docker:range') %}
+{%- set DOCKERBIND = salt['pillar.get']('docker:bip') %}
+{
+    "registry-mirrors": [ "https://:5000" ],
+    "bip": "{{ DOCKERBIND }}",
+    "default-address-pools": [
+      {
+        "base" : "{{ DOCKERRANGE }}",
+        "size" : 24
+      }
+    ]
+}
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -244,10 +244,19 @@ commonlogrotateconf:
    - dayweek: '*'
 {% endif %}

+# Manager daemon.json
+docker_daemon:
+  file.managed:
+    - source: salt://common/files/daemon.json
+    - name: /etc/docker/daemon.json
+    - template: jinja 
+
 # Make sure Docker is always running
 docker:
  service.running:
    - enable: True
+    - watch:
+      - file: docker_daemon

 {% else %}

--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -204,6 +204,7 @@ pillar_changes() {
    [[ "$INSTALLEDVERSION" =~ rc.1 ]] && rc1_to_rc2
    [[ "$INSTALLEDVERSION" =~ rc.2 ]] && rc2_to_rc3
    [[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0
+    [[ "$INSTALLEDVERSION" == 2.3.0 ]] || [[ "$INSTALLEDVERSION" == 2.3.1 ]] || [[ "$INSTALLEDVERSION" == 2.3.2 ]] || [[ "$INSTALLEDVERSION" == 2.3.10 ]] && 2.3.0_to_2.3.20
 }

 rc1_to_rc2() {
@@ -285,6 +286,44 @@ rc3_to_2.3.0() {
    echo "playbook_admin: $(get_random_value)"
    echo "playbook_automation: $(get_random_value)"
  } >> /opt/so/saltstack/local/pillar/secrets.sls
+
+  INSTALLEDVERSION=2.3.0
+}
+
+2.3.0_to_2.3.20(){
+  # Remove PCAP from global
+  sed '/pcap:/d' /opt/so/saltstack/local/pillar/global.sls
+  sed '/sensor_checkin_interval_ms:/d' /opt/so/saltstack/local/pillar/global.sls
+
+  # Add checking interval to glbal
+  echo "sensoroni:" >> /opt/so/saltstack/local/pillar/global.sls
+  echo "  node_checkin_interval_ms: 10000" >> /opt/so/saltstack/local/pillar/global.sls
+
+  # Update pillar fiels for new sensoroni functionality
+  for file in /opt/so/saltstack/local/pillat/minions/*; do
+    echo "sensoroni:" >> $file
+    echo "  node_description:" >> $file
+    local SOMEADDRESS=$(cat $file | grep mainip | tail -n 1 | awk '{print $2'})
+    echo "  node_address: $SOMEADDRESS" >> $file
+  done
+
+  # Remove old firewall config to reduce confusion
+  rm -f /opt/so/saltstack/default/pillar/firewall/ports.sls
+
+  # Fix daemon.json by managing it
+  echo "docker:" >> /opt/so/saltstack/local/pillar/global.sls
+  DOCKERGREP=$(cat /etc/docker/daemon.json | grep base | awk {'print $3'} | cut -f1 -d"/")
+  if [ -z "$DOCKERGREP" ]; then
+    echo "  range: '172.17.0.0/24'" >> /opt/so/saltstack/local/pillar/global.sls
+    echo "  bip: '172.17.0.1/24'" >> /opt/so/saltstack/local/pillar/global.sls
+  else
+    DOCKERSTUFF="${DOCKERGREP//\"}"
+    DOCKERSTUFFBIP=$(echo $DOCKERSTUFF | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
+    echo "  range: '$DOCKERSTUFF'/24" >> /opt/so/saltstack/local/pillar/global.sls
+    echo "  bip: '$DOCKERSTUFFBIP'"  >> /opt/so/saltstack/local/pillar/global.sls
+
+  fi
+
 }

 space_check() {
--- a/salt/docker_clean/init.sls
+++ b/salt/docker_clean/init.sls
@@ -1,6 +1,6 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1']%}
+{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2']%}

 {% for VERSION in OLDVERSIONS %}
 remove_images_{{ VERSION }}:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -911,6 +911,7 @@ docker_registry() {

 	echo "Setting up Docker Registry" >> "$setup_log" 2>&1
 	mkdir -p /etc/docker >> "$setup_log" 2>&1
+	# This will get applied so docker can attempt to start
 	if [ -z "$DOCKERNET" ]; then
            DOCKERNET=172.17.0.0
 	fi
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -384,7 +384,6 @@ if [[ ! $is_import ]]; then
 fi

 whiptail_homenet_manager
-whiptail_dockernet_check

 if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then
 	set_base_heapsizes
@@ -419,6 +418,7 @@ fi
 if [[ $is_manager ]]; then
 	whiptail_components_adv_warning
 	whiptail_enable_components
+	whiptail_dockernet_check
 fi

 if [[ $is_manager || $is_import ]]; then
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -426,7 +426,7 @@ whiptail_dockernet_net() {
 	[ -n "$TESTING" ] && return

 	DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \
-	"\nEnter a /24 network range for docker to use: \nThe same range MUST be used on ALL nodes \n(Default value is pre-populated.)" 10 75 172.17.0.0 3>&1 1>&2 2>&3)
+	"\nEnter a /24 size network range for docker to use WITHOUT the /24 notation: \nThis range will be used on ALL nodes \n(Default value is pre-populated.)" 10 75 172.17.0.0 3>&1 1>&2 2>&3)

 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus