diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 43fdb8e01..93b13ec44 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -50,4 +50,116 @@ check_password() { local password=$1 echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1 return $? +} + +container_list() { + MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') + if [ $MANAGERCHECK == 'so-import' ]; then + TRUSTED_CONTAINERS=( \ + "so-idstools" \ + "so-nginx" \ + "so-filebeat" \ + "so-suricata" \ + "so-soc" \ + "so-elasticsearch" \ + "so-kibana" \ + "so-kratos" \ + "so-suricata" \ + "so-registry" \ + "so-pcaptools" \ + "so-zeek" ) + elif [ $MANAGERCHECK != 'so-helix' ]; then + TRUSTED_CONTAINERS=( \ + "so-acng" \ + "so-thehive-cortex" \ + "so-curator" \ + "so-domainstats" \ + "so-elastalert" \ + "so-elasticsearch" \ + "so-filebeat" \ + "so-fleet" \ + "so-fleet-launcher" \ + "so-freqserver" \ + "so-grafana" \ + "so-idstools" \ + "so-influxdb" \ + "so-kibana" \ + "so-kratos" \ + "so-logstash" \ + "so-minio" \ + "so-mysql" \ + "so-nginx" \ + "so-pcaptools" \ + "so-playbook" \ + "so-redis" \ + "so-soc" \ + "so-soctopus" \ + "so-steno" \ + "so-strelka-frontend" \ + "so-strelka-manager" \ + "so-strelka-backend" \ + "so-strelka-filestream" \ + "so-suricata" \ + "so-telegraf" \ + "so-thehive" \ + "so-thehive-es" \ + "so-wazuh" \ + "so-zeek" ) + else + TRUSTED_CONTAINERS=( \ + "so-filebeat" \ + "so-idstools" \ + "so-logstash" \ + "so-nginx" \ + "so-redis" \ + "so-steno" \ + "so-suricata" \ + "so-telegraf" \ + "so-zeek" ) + fi +} + +update_docker_containers() { + # Let's make sure we have the public key + curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import - + + CONTAINER_REGISTRY=quay.io + SIGNPATH=/root/sosigs + rm -rf $SIGNPATH + mkdir -p $SIGNPATH + if [ -z "$BRANCH" ]; then + BRANCH="master" + fi + # Download the containers from the interwebs + for i in "${TRUSTED_CONTAINERS[@]}" + do + # Pull down the trusted docker image + echo "Downloading $i" + docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i + + # Get signature + curl 
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$i.gpg --output $SIGNPATH/$i.gpg + if [[ $? -ne 0 ]]; then + echo "Unable to pull signature file for $i" + exit 1 + fi + # Dump our hash values + docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i | jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' > $SIGNPATH/$i.txt + if [[ $? -ne 0 ]]; then + echo "Unable to inspect $i" + exit 1 + fi + GPGTEST=$(gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt 2>&1) + if [[ $? -eq 0 ]]; then + # Tag it with the new registry destination + docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i + docker push $HOSTNAME:5000/$IMAGEREPO/$i + else + echo "There is a problem downloading the $i image. Details: " + echo "" + echo $GPGTEST + exit 1 + fi + done + } \ No newline at end of file diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh index f651b115f..37908fffc 100755 --- a/salt/common/tools/sbin/so-docker-refresh +++ b/salt/common/tools/sbin/so-docker-refresh 
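Review bot: The signature check in update_docker_containers has no fixed trust anchor. The public key is fetched at run time with `curl -sSL .../master/KEYS | gpg --import -` from the same GitHub repository that serves the `.gpg` signatures, and `gpg --verify` exits 0 for a good signature from any key in root's keyring. Anyone able to change what that repository (or the branch named by `$BRANCH`) serves could therefore supply both the key and a matching signature. Consider shipping the key with the installed tooling and verifying against only that keyring, e.g. `gpgv --keyring <packaged-keyring-path> "$SIGNPATH/$i.gpg" "$SIGNPATH/$i.txt"`. Separately, the signature download uses plain `curl` without `--fail`, so an HTTP 404 still exits 0 and the "Unable to pull signature file" branch is not taken; `curl -fsSL` would make that check effective.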
@@ -28,46 +28,6 @@ manager_check() { fi } -update_docker_containers() { - SIGNPATH=/root/sosigs - rm -rf $SIGNPATH - mkdir -p $SIGNPATH - if [ -z "$BRANCH" ]; then - BRANCH="master" - fi - # Download the containers from the interwebs - for i in "${TRUSTED_CONTAINERS[@]}" - do - # Pull down the trusted docker image - echo "Downloading $i" - docker pull quay.io/$IMAGEREPO/$i - - # Get signature - curl https://github.com/Security-Onion-Solutions/securityonion/blob/$BRANCH/sigs/images/$i.gpg --output $SIGNPATH/$i.gpg - if [[ $? -ne 0 ]] - echo "Unable to pull signature file for $i" - exit 1 - fi - # Dump our hash values - docker inspect quay.io/$IMAGEREPO/$i | jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' > $SIGNPATH/$i.txt - if [[ $? -ne 0 ]] - echo "Unable to inspect $i" - exit 1 - fi - GPGTEST=$(gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt 2>&1) - if [[ $? -eq 0 ]] - # Tag it with the new registry destination - docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i - docker push $HOSTNAME:5000/$IMAGEREPO/$i - else - echo "There is a problem downloading the $i image. Details: " - echo "" - echo $GPGTEST - exit 1 - done - -} - version_check() { if [ -f /etc/soversion ]; then VERSION=$(cat /etc/soversion) 
@@ -83,54 +43,5 @@ version_check # Use the hostname HOSTNAME=$(hostname) # List all the containers -if [ $MANAGERCHECK != 'so-helix' ]; then - TRUSTED_CONTAINERS=( \ - "so-acng:$VERSION" \ - "so-thehive-cortex:$VERSION" \ - "so-curator:$VERSION" \ - "so-domainstats:$VERSION" \ - "so-elastalert:$VERSION" \ - "so-elasticsearch:$VERSION" \ - "so-filebeat:$VERSION" \ - "so-fleet:$VERSION" \ - "so-fleet-launcher:$VERSION" \ - "so-freqserver:$VERSION" \ - "so-grafana:$VERSION" \ - "so-idstools:$VERSION" \ - "so-influxdb:$VERSION" \ - "so-kibana:$VERSION" \ - "so-kratos:$VERSION" \ - "so-logstash:$VERSION" \ - "so-minio:$VERSION" \ - "so-mysql:$VERSION" \ - "so-nginx:$VERSION" \ - "so-pcaptools:$VERSION" \ - "so-playbook:$VERSION" \ - "so-redis:$VERSION" \ - "so-soc:$VERSION" \ - "so-soctopus:$VERSION" \ - "so-steno:$VERSION" \ - "so-strelka-frontend:$VERSION" \ - "so-strelka-manager:$VERSION" \ - "so-strelka-backend:$VERSION" \ - "so-strelka-filestream:$VERSION" \ - "so-suricata:$VERSION" \ - "so-telegraf:$VERSION" \ - "so-thehive:$VERSION" \ - "so-thehive-es:$VERSION" \ - "so-wazuh:$VERSION" \ - "so-zeek:$VERSION" ) - else - TRUSTED_CONTAINERS=( \ - "so-filebeat:$VERSION" \ - "so-idstools:$VERSION" \ - "so-logstash:$VERSION" \ - "so-nginx:$VERSION" \ - "so-redis:$VERSION" \ - "so-steno:$VERSION" \ - "so-suricata:$VERSION" \ - "so-telegraf:$VERSION" \ - "so-zeek:$VERSION" ) - fi - +container_list update_docker_containers diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index c75f89255..ab90653d1 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
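Review bot: Swapping the `"so-...:$VERSION"` entries for `container_list` drops the version tag from every image. The shared list in so-common holds bare names, and update_docker_containers runs `docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i`, which resolves to the mutable `latest` tag. The last soup hunk has the same effect: it used to pull `$i:$NEWVERSION` and now announces "Updating dockers to $NEWVERSION" while pulling untagged images. If pinning is still intended, pass the version into the helper and use it for pull, tag and push, e.g. `docker pull "$CONTAINER_REGISTRY/$IMAGEREPO/$i:$1"`. Whether the signature files under `sigs/images/` are meant to be per-version is not visible here and should be decided alongside.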
@@ -79,6 +79,24 @@ airgap_mounted() { fi } +airgap_update_dockers() { + if [ $is_airgap -eq 0 ]; then + # Let's copy the tarball + if [ ! -f $AGDOCKER/registry.tar ]; then + echo "Unable to locate registry. Exiting" + exit 1 + else + echo "Stopping the registry docker" + docker stop so-dockerregistry + docker rm so-dockerregistry + echo "Copying the new dockers over" + tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker + echo "Add Registry back" + docker load -i $AGDOCKER/registry_image.tar + fi + +} + check_airgap() { # See if this is an airgap install AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap | awk '{print $2}') 
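Review bot: airgap_update_dockers opens two `if` blocks but closes only one. The single `fi` before the closing brace ends the inner `if [ ! -f $AGDOCKER/registry.tar ]`, leaving `if [ $is_airgap -eq 0 ]; then` unterminated, so the shell should fail to parse soup at this function. Either add a second `fi` before `}` or drop the outer test, since the call site in the last hunk already checks `$is_airgap`. The path tests would also be safer quoted, e.g. `[ ! -f "$AGDOCKER/registry.tar" ]`. Note that this path extracts and loads the registry tarballs with no integrity check, unlike the online path, which verifies a signature before pushing.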
@@ -290,103 +308,6 @@ update_centos_repo() { createrepo /nsm/repo } -update_dockers() { - if [ $is_airgap -eq 0 ]; then - # Let's copy the tarball - if [ ! -f $AGDOCKER/registry.tar ]; then - echo "Unable to locate registry. Exiting" - exit 0 - else - echo "Stopping the registry docker" - docker stop so-dockerregistry - docker rm so-dockerregistry - echo "Copying the new dockers over" - tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker - fi - else - # List all the containers - if [ $MANAGERCHECK == 'so-import' ]; then - TRUSTED_CONTAINERS=( \ - "so-idstools" \ - "so-nginx" \ - "so-filebeat" \ - "so-suricata" \ - "so-soc" \ - "so-elasticsearch" \ - "so-kibana" \ - "so-kratos" \ - "so-suricata" \ - "so-registry" \ - "so-pcaptools" \ - "so-zeek" ) - elif [ $MANAGERCHECK != 'so-helix' ]; then - TRUSTED_CONTAINERS=( \ - "so-acng" \ - "so-thehive-cortex" \ - "so-curator" \ - "so-domainstats" \ - "so-elastalert" \ - "so-elasticsearch" \ - "so-filebeat" \ - "so-fleet" \ - "so-fleet-launcher" \ - "so-freqserver" \ - "so-grafana" \ - "so-idstools" \ - "so-influxdb" \ - "so-kibana" \ - "so-kratos" \ - "so-logstash" \ - "so-minio" \ - "so-mysql" \ - "so-nginx" \ - "so-pcaptools" \ - "so-playbook" \ - "so-redis" \ - "so-soc" \ - "so-soctopus" \ - "so-steno" \ - "so-strelka-frontend" \ - "so-strelka-manager" \ - "so-strelka-backend" \ - "so-strelka-filestream" \ - "so-suricata" \ - "so-telegraf" \ - "so-thehive" \ - "so-thehive-es" \ - "so-wazuh" \ - "so-zeek" ) - else - TRUSTED_CONTAINERS=( \ - "so-filebeat" \ - "so-idstools" \ - "so-logstash" \ - "so-nginx" \ - "so-redis" \ - "so-steno" \ - "so-suricata" \ - "so-telegraf" \ - "so-zeek" ) - fi - -# Download the containers from the interwebs - for i in "${TRUSTED_CONTAINERS[@]}" - do - # Pull down the trusted docker image - echo "Downloading $i:$NEWVERSION" - docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION - # Tag it with the new registry destination - docker tag 
$IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION - docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION - done - fi - echo "Add Registry back if airgap" - if [ $is_airgap -eq 0 ]; then - docker load -i $AGDOCKER/registry_image.tar - fi - -} - update_version() { # Update the version to the latest echo "Updating the Security Onion version file." @@ -513,7 +434,12 @@ echo "" echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION." echo "" echo "Updating dockers to $NEWVERSION." -update_dockers +if [ $is_airgap -eq 0 ]; then + airgap_update_dockers +else + container_list + update_docker_containers +fi echo "" echo "Stopping Salt Minion service." systemctl stop salt-minion