Merge pull request #10823 from Security-Onion-Solutions/2.4/dockerips

2.4/dockerips

salt/common/files/daemon.json

@@ -1,13 +1,11 @@
-{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
-{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
 {
   "registry-mirrors": [
     "https://:5000"
   ],
-  "bip": "{{ DOCKERBIND }}",
+  "bip": "172.17.0.1/24",
   "default-address-pools": [
     {
-      "base": "{{ DOCKERRANGE }}",
+      "base": "172.17.0.0/24",
       "size": 24
     }
   ]

salt/docker/defaults.yaml

@@ -1,8 +1,6 @@
 docker:
-  bip: '172.17.0.1'
-  range: '172.17.0.0/24'
-  sorange: '172.17.1.0/24'
-  sobip: '172.17.1.1'
+  range: '172.17.1.0/24'
+  gateway: '172.17.1.1'
   containers:
     'so-dockerregistry':
       final_octet: 20
@@ -202,4 +200,4 @@ docker:
       final_octet: 99
       custom_bind_mounts: []
       extra_hosts: []
-      extra_env: []
+      extra_env: []

salt/docker/docker.map.jinja

@@ -1,6 +1,6 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.sorange.split('.') %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 
 {% for container, vals in DOCKER.containers.items() %}

salt/docker/init.sls

@@ -102,8 +102,8 @@ dockerreserveports:
 sos_docker_net:
   docker_network.present:
     - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
-    - gateway: {{ DOCKER.sobip }}
+    - subnet: {{ DOCKER.range }}
+    - gateway: {{ DOCKER.gateway }}
     - options:
         com.docker.network.bridge.name: 'sobridge'
         com.docker.network.driver.mtu: '1500'

salt/docker/soc_docker.yaml

@@ -1,20 +1,12 @@
 docker:
-  bip:
-    description: Bind IP for the default docker interface.
+  gateway:
+    description: Gateway for the default docker interface.
     helpLink: docker.html
     advanced: True
   range:
     description: Default docker IP range for containers.
     helpLink: docker.html
     advanced: True
-  sobip:
-    description: Bind IP for the SO docker interface.
-    helpLink: docker.html
-    advanced: True
-  sorange:
-    description: IP range for the SO docker containers.
-    helpLink: docker.html
-    advanced: True
   containers:
     so-curator: &dockerOptions
       final_octet:
@@ -68,4 +60,4 @@ docker:
     so-strelka-filestream: *dockerOptions
     so-strelka-frontend: *dockerOptions
     so-strelka-gatekeeper: *dockerOptions
-    so-strelka-manager: *dockerOptions
+    so-strelka-manager: *dockerOptions

salt/firewall/iptables.jinja

@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A POSTROUTING -s {{DOCKER.sorange}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}

salt/firewall/map.jinja

@@ -5,7 +5,7 @@
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
 
 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}

salt/mysql/enabled.sls

@@ -43,7 +43,7 @@ so-mysql:
       - {{ BINDING }}
       {% endfor %}
     - environment:
-      - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_bip }}
+      - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_gateway }}
       - MYSQL_ROOT_PASSWORD=/etc/mypass
       {% if DOCKER.containers['so-mysql'].extra_env %}
         {% for XTRAENV in DOCKER.containers['so-mysql'].extra_env %}

salt/playbook/config.sls

@@ -18,7 +18,7 @@ create_playbookdbuser:
   mysql_user.present:
     - name: playbookdbuser
     - password: {{ PLAYBOOKPASS }}
-    - host: "{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0"
+    - host: "{{ DOCKER.range.split('/')[0] }}/255.255.255.0"
     - connection_host: {{ GLOBALS.manager }}
     - connection_port: 3306
     - connection_user: root
@@ -27,7 +27,7 @@ create_playbookdbuser:
 query_playbookdbuser_grants:
   mysql_query.run:
     - database: playbook
-    - query:    "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0';"
+    - query:    "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.range.split('/')[0] }}/255.255.255.0';"
     - connection_host: {{ GLOBALS.manager }}
     - connection_port: 3306
     - connection_user: root

salt/podman/init.sls

@@ -44,8 +44,8 @@ podman_docker_symlink:
 sos_docker_net:
   docker_network.present:
     - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
-    - gateway: {{ DOCKER.sobip }}
+    - subnet: {{ DOCKER.range }}
+    - gateway: {{ DOCKER.bip }}
     - options:
         com.docker.network.bridge.name: 'sobridge'
         com.docker.network.driver.mtu: '1500'

salt/soc/defaults.map.jinja

@@ -30,7 +30,7 @@
 {%   endif %}
 {% endfor %}
 
-{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
 
 {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
 

salt/vars/globals.map.jinja

@@ -22,8 +22,8 @@
     'md_engine': INIT.PILLAR.global.mdengine,
     'pipeline': INIT.PILLAR.global.pipeline,
     'so_version': INIT.PILLAR.global.soversion,
-    'so_docker_bip': DOCKER.sobip,
-    'so_docker_range': DOCKER.sorange,
+    'so_docker_gateway': DOCKER.gateway,
+    'so_docker_range': DOCKER.range,
     'url_base': INIT.PILLAR.global.url_base,
     'so_model': INIT.GRAINS.get('sosmodel',''),
     'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,

setup/so-functions

@@ -254,15 +254,10 @@ collect_dns_domain() {
 collect_dockernet() {
 	if ! whiptail_dockernet_check; then
 		whiptail_dockernet_sosnet "172.17.1.0"
-		whiptail_dockernet_nososnet "172.17.0.0"
 
-		while ! valid_ip4 "$DOCKERNET"; do
+		while ! valid_ip4 "$DOCKERNET" || [[ $DOCKERNET =~ "172.17.0." ]]; do
 			whiptail_invalid_input
-			whiptail_dockernet_nonsosnet "$DOCKERNET"
-		done
-		while ! valid_ip4 "$DOCKERNET2"; do
-			whiptail_invalid_input
-			whiptail_dockernet_sosnet "$DOCKERNET2"
+			whiptail_dockernet_sosnet "$DOCKERNET"
 		done
 	fi
 }
@@ -1099,35 +1094,6 @@ disable_ipv6() {
 	} >> /etc/sysctl.conf
 }
 
-docker_registry() {
-
-	title "Setting up Docker Registry"
-	logCmd "mkdir -p /etc/docker"
-	# This will get applied so docker can attempt to start
-	if [ -z "$DOCKERNET" ]; then
-		DOCKERNET=172.17.0.0
-	fi
-	if [ -z "$DOCKERNET2" ]; then
-		DOCKERNET2=172.17.1.0
-	fi
-	# Make the host use the manager docker registry
-	DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
-	if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
-	printf '%s\n'\
-		"{"\
-		"  \"registry-mirrors\": [ \"$proxy:5000\" ],"\
-		"  \"bip\": \"$DNETBIP\","\
-		"  \"default-address-pools\": ["\
-		"    {"\
-		"      \"base\" : \"$DOCKERNET/24\","\
-		"      \"size\" : 24"\
-		"    }"\
-		"  ]"\
-		"}" > /etc/docker/daemon.json
-	info "Docker Registry Setup - Complete"
-
-}
-
 docker_seed_update() {
 	local name=$1
 	local percent_delta=1
@@ -1490,16 +1456,6 @@ create_global() {
 		fi
 	fi
 
-	if [ -z "$DOCKERNET" ]; then
-		DOCKERNET=172.17.0.0
-		DOCKERNET2=172.17.1.0
-		DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
-		DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
-	else
-		DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
-		DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
-	fi
-
 	if [ -f "$global_pillar_file" ]; then
 		rm $global_pillar_file
 	fi
@@ -1560,12 +1516,15 @@ soctopus_pillar() {
 docker_pillar() {
 	title "Create the docker pillar file"
 	touch $adv_docker_pillar_file
-	printf '%s\n'\
-		"docker:"\
-		"  sorange: '$DOCKERNET2/24'"\
-		"  sobip: '$DOCKER2BIP'"\
-		"  range: '$DOCKERNET/24'"\
-		"  bip: '$DOCKERBIP'" > $docker_pillar_file
+	touch $docker_pillar_file
+
+	if [ ! -z "$DOCKERNET" ]; then
+		DOCKERGATEWAY=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
+		printf '%s\n'\
+			"docker:"\
+			"  range: '$DOCKERNET/24'"\
+			"  gateway: '$DOCKERGATEWAY'" > $docker_pillar_file
+	fi
 }
 
 redis_pillar() {

setup/so-whiptail

@@ -329,20 +329,8 @@ whiptail_dockernet_sosnet() {
 
 	[ -n "$TESTING" ] && return
 
-	DOCKERNET2=$(whiptail --title "$whiptail_title" --inputbox \
-	"\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
-
-	local exitstatus=$?
-	whiptail_check_exitstatus $exitstatus
-
-}
-
-whiptail_dockernet_nososnet() {
-
-	[ -n "$TESTING" ] && return
-
 	DOCKERNET=$(whiptail --title "$whiptail_title" --inputbox \
-	"\nEnter a /24 size network range for NON SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
+	"\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes. Any range within 172.17.0.0/24 cannot be used." 11 65 "$1" 3>&1 1>&2 2>&3)
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -410,7 +398,7 @@ whiptail_end_settings() {
 
 	[[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER"
 
-	[[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET"
+	[[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET/24"
 	if [[ ${#ntp_servers[@]} -gt 0 ]]; then
 		__append_end_msg "NTP Servers:"
 		for server in "${ntp_servers[@]}"; do