Merge pull request #10823 from Security-Onion-Solutions/2.4/dockerips

2.4/dockerips
2025-12-06 17:22:49 +01:00 · 2023-07-25 08:39:49 -04:00
parent 71a83c1fe9 b20fad2839
commit c1190064ad
14 changed files with 34 additions and 99 deletions
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,13 +1,11 @@
 {%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
 {%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
 {
  "registry-mirrors": [
    "https://:5000"
  ],
-  "bip": "{{ DOCKERBIND }}",
+  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
-      "base": "{{ DOCKERRANGE }}",
+      "base": "172.17.0.0/24",
      "size": 24
    }
  ]
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,8 +1,6 @@
 docker:
-  bip: '172.17.0.1'
+  range: '172.17.1.0/24'
-  range: '172.17.0.0/24'
+  gateway: '172.17.1.1'
  sorange: '172.17.1.0/24'
  sobip: '172.17.1.1'
  containers:
    'so-dockerregistry':
      final_octet: 20
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,6 +1,6 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.sorange.split('.') %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 {% for container, vals in DOCKER.containers.items() %}
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -102,8 +102,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
+    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.sobip }}
+    - gateway: {{ DOCKER.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -1,20 +1,12 @@
 docker:
-  bip:
+  gateway:
-    description: Bind IP for the default docker interface.
+    description: Gateway for the default docker interface.
    helpLink: docker.html
    advanced: True
  range:
    description: Default docker IP range for containers.
    helpLink: docker.html
    advanced: True
  sobip:
    description: Bind IP for the SO docker interface.
    helpLink: docker.html
    advanced: True
  sorange:
    description: IP range for the SO docker containers.
    helpLink: docker.html
    advanced: True
  containers:
    so-curator: &dockerOptions
      final_octet:
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.sorange}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -5,7 +5,7 @@
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.sorange) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
--- a/salt/mysql/enabled.sls
+++ b/salt/mysql/enabled.sls
@@ -43,7 +43,7 @@ so-mysql:
      - {{ BINDING }}
      {% endfor %}
    - environment:
-      - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_bip }}
+      - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_gateway }}
      - MYSQL_ROOT_PASSWORD=/etc/mypass
      {% if DOCKER.containers['so-mysql'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-mysql'].extra_env %}
--- a/salt/playbook/config.sls
+++ b/salt/playbook/config.sls
@@ -18,7 +18,7 @@ create_playbookdbuser:
  mysql_user.present:
    - name: playbookdbuser
    - password: {{ PLAYBOOKPASS }}
-    - host: "{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0"
+    - host: "{{ DOCKER.range.split('/')[0] }}/255.255.255.0"
    - connection_host: {{ GLOBALS.manager }}
    - connection_port: 3306
    - connection_user: root
@@ -27,7 +27,7 @@ create_playbookdbuser:
 query_playbookdbuser_grants:
  mysql_query.run:
    - database: playbook
-    - query:    "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0';"
+    - query:    "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.range.split('/')[0] }}/255.255.255.0';"
    - connection_host: {{ GLOBALS.manager }}
    - connection_port: 3306
    - connection_user: root
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -44,8 +44,8 @@ podman_docker_symlink:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
+    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.sobip }}
+    - gateway: {{ DOCKER.bip }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -30,7 +30,7 @@
 {%   endif %}
 {% endfor %}
-{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
 {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -22,8 +22,8 @@
    'md_engine': INIT.PILLAR.global.mdengine,
    'pipeline': INIT.PILLAR.global.pipeline,
    'so_version': INIT.PILLAR.global.soversion,
-    'so_docker_bip': DOCKER.sobip,
+    'so_docker_gateway': DOCKER.gateway,
-    'so_docker_range': DOCKER.sorange,
+    'so_docker_range': DOCKER.range,
    'url_base': INIT.PILLAR.global.url_base,
    'so_model': INIT.GRAINS.get('sosmodel',''),
    'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -254,15 +254,10 @@ collect_dns_domain() {
 collect_dockernet() {
 	if ! whiptail_dockernet_check; then
 		whiptail_dockernet_sosnet "172.17.1.0"
 		whiptail_dockernet_nososnet "172.17.0.0"
-		while ! valid_ip4 "$DOCKERNET"; do
+		while ! valid_ip4 "$DOCKERNET" || [[ $DOCKERNET =~ "172.17.0." ]]; do
 			whiptail_invalid_input
-			whiptail_dockernet_nonsosnet "$DOCKERNET"
+			whiptail_dockernet_sosnet "$DOCKERNET"
 		done
 		while ! valid_ip4 "$DOCKERNET2"; do
 			whiptail_invalid_input
 			whiptail_dockernet_sosnet "$DOCKERNET2"
 		done
 	fi
 }
@@ -1099,35 +1094,6 @@ disable_ipv6() {
 	} >> /etc/sysctl.conf
 }
 docker_registry() {
 	title "Setting up Docker Registry"
 	logCmd "mkdir -p /etc/docker"
 	# This will get applied so docker can attempt to start
 	if [ -z "$DOCKERNET" ]; then
 		DOCKERNET=172.17.0.0
 	fi
 	if [ -z "$DOCKERNET2" ]; then
 		DOCKERNET2=172.17.1.0
 	fi
 	# Make the host use the manager docker registry
 	DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
 	if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
 	printf '%s\n'\
 		"{"\
 		"  \"registry-mirrors\": [ \"$proxy:5000\" ],"\
 		"  \"bip\": \"$DNETBIP\","\
 		"  \"default-address-pools\": ["\
 		"    {"\
 		"      \"base\" : \"$DOCKERNET/24\","\
 		"      \"size\" : 24"\
 		"    }"\
 		"  ]"\
 		"}" > /etc/docker/daemon.json
 	info "Docker Registry Setup - Complete"
 }
 docker_seed_update() {
 	local name=$1
 	local percent_delta=1
@@ -1490,16 +1456,6 @@ create_global() {
 		fi
 	fi
 	if [ -z "$DOCKERNET" ]; then
 		DOCKERNET=172.17.0.0
 		DOCKERNET2=172.17.1.0
 		DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
 		DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
 	else
 		DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
 		DOCKER2BIP=$(echo $DOCKERNET2 | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
 	fi
 	if [ -f "$global_pillar_file" ]; then
 		rm $global_pillar_file
 	fi
@@ -1560,12 +1516,15 @@ soctopus_pillar() {
 docker_pillar() {
 	title "Create the docker pillar file"
 	touch $adv_docker_pillar_file
 	touch $docker_pillar_file
 	if [ ! -z "$DOCKERNET" ]; then
 		DOCKERGATEWAY=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')
 		printf '%s\n'\
 			"docker:"\
 		"  sorange: '$DOCKERNET2/24'"\
 		"  sobip: '$DOCKER2BIP'"\
 			"  range: '$DOCKERNET/24'"\
-		"  bip: '$DOCKERBIP'" > $docker_pillar_file
+			"  gateway: '$DOCKERGATEWAY'" > $docker_pillar_file
 	fi
 }
 redis_pillar() {
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -329,20 +329,8 @@ whiptail_dockernet_sosnet() {
 	[ -n "$TESTING" ] && return
 	DOCKERNET2=$(whiptail --title "$whiptail_title" --inputbox \
 	"\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_dockernet_nososnet() {
 	[ -n "$TESTING" ] && return
 	DOCKERNET=$(whiptail --title "$whiptail_title" --inputbox \
-	"\nEnter a /24 size network range for NON SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
+	"\nEnter a /24 size network range for SOS containers to use WITHOUT the /24 suffix. This range will be used on ALL nodes. Any range within 172.17.0.0/24 cannot be used." 11 65 "$1" 3>&1 1>&2 2>&3)
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -410,7 +398,7 @@ whiptail_end_settings() {
 	[[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER"
-	[[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET"
+	[[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET/24"
 	if [[ ${#ntp_servers[@]} -gt 0 ]]; then
 		__append_end_msg "NTP Servers:"
 		for server in "${ntp_servers[@]}"; do