rework soup and docker refresh

salt/common/tools/sbin/so-common

@@ -51,3 +51,115 @@ check_password() {
     echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
     return $?
 }
+
+container_list() {
+    MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+    if [ $MANAGERCHECK == 'so-import' ]; then
+        TRUSTED_CONTAINERS=( \
+        "so-idstools" \
+        "so-nginx" \
+        "so-filebeat" \
+        "so-suricata" \
+        "so-soc" \
+        "so-elasticsearch" \
+        "so-kibana" \
+        "so-kratos" \
+        "so-suricata" \
+        "so-registry" \
+        "so-pcaptools" \
+        "so-zeek" )
+    elif [ $MANAGERCHECK != 'so-helix' ]; then
+        TRUSTED_CONTAINERS=( \
+        "so-acng" \
+        "so-thehive-cortex" \
+        "so-curator" \
+        "so-domainstats" \
+        "so-elastalert" \
+        "so-elasticsearch" \
+        "so-filebeat" \
+        "so-fleet" \
+        "so-fleet-launcher" \
+        "so-freqserver" \
+        "so-grafana" \
+        "so-idstools" \
+        "so-influxdb" \
+        "so-kibana" \
+        "so-kratos" \
+        "so-logstash" \
+        "so-minio" \
+        "so-mysql" \
+        "so-nginx" \
+        "so-pcaptools" \
+        "so-playbook" \
+        "so-redis" \
+        "so-soc" \
+        "so-soctopus" \
+        "so-steno" \
+        "so-strelka-frontend" \
+        "so-strelka-manager" \
+        "so-strelka-backend" \
+        "so-strelka-filestream" \
+        "so-suricata" \
+        "so-telegraf" \
+        "so-thehive" \
+        "so-thehive-es" \
+        "so-wazuh" \
+        "so-zeek" )
+    else
+        TRUSTED_CONTAINERS=( \
+        "so-filebeat" \
+        "so-idstools" \
+        "so-logstash" \
+        "so-nginx" \
+        "so-redis" \
+        "so-steno" \
+        "so-suricata" \
+        "so-telegraf" \
+        "so-zeek" )
+    fi
+}
+
+update_docker_containers() {
+  # Let's make sure we have the public key
+  curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -
+  
+  CONTAINER_REGISTRY=quay.io
+  SIGNPATH=/root/sosigs
+  rm -rf $SIGNPATH
+  mkdir -p $SIGNPATH
+  if [ -z "$BRANCH" ]; then
+    BRANCH="master"
+  fi
+  # Download the containers from the interwebs
+  for i in "${TRUSTED_CONTAINERS[@]}"
+  do
+    # Pull down the trusted docker image
+    echo "Downloading $i"
+    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i
+    
+    # Get signature
+    curl https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/$BRANCH/sigs/images/$i.gpg --output $SIGNPATH/$i.gpg
+    if [[ $? -ne 0 ]]; then
+      echo "Unable to pull signature file for $i"
+      exit 1
+    fi
+    # Dump our hash values
+    docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i | jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' > $SIGNPATH/$i.txt
+    if [[ $? -ne 0 ]]; then
+      echo "Unable to inspect $i"
+      exit 1
+    fi
+    GPGTEST=$(gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt 2>&1)
+    if [[ $? -eq 0 ]]; then
+      # Tag it with the new registry destination
+      docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
+      docker push $HOSTNAME:5000/$IMAGEREPO/$i
+    else
+      echo "There is a problem downloading the $i image. Details: "
+      echo ""
+      echo $GPGTEST
+      exit 1
+    fi
+  done
+  
+}

salt/common/tools/sbin/so-docker-refresh

@@ -28,46 +28,6 @@ manager_check() {
   fi
 }
 
-update_docker_containers() {
-  SIGNPATH=/root/sosigs
-  rm -rf $SIGNPATH
-  mkdir -p $SIGNPATH
-  if [ -z "$BRANCH" ]; then
-    BRANCH="master"
-  fi
-  # Download the containers from the interwebs
-  for i in "${TRUSTED_CONTAINERS[@]}"
-  do
-    # Pull down the trusted docker image
-    echo "Downloading $i"
-    docker pull quay.io/$IMAGEREPO/$i
-    
-    # Get signature
-    curl https://github.com/Security-Onion-Solutions/securityonion/blob/$BRANCH/sigs/images/$i.gpg --output $SIGNPATH/$i.gpg
-    if [[ $? -ne 0 ]]
-      echo "Unable to pull signature file for $i"
-      exit 1
-    fi
-    # Dump our hash values
-    docker inspect quay.io/$IMAGEREPO/$i | jq '.[0].Created, .[0].Id, .[0].Size, .[0].RootFS.Layers' > $SIGNPATH/$i.txt
-    if [[ $? -ne 0 ]]
-      echo "Unable to inspect $i"
-      exit 1
-    fi
-    GPGTEST=$(gpg --verify $SIGNPATH/$i.gpg $SIGNPATH/$i.txt 2>&1)
-    if [[ $? -eq 0 ]]
-      # Tag it with the new registry destination
-      docker tag $IMAGEREPO/$i $HOSTNAME:5000/$IMAGEREPO/$i
-      docker push $HOSTNAME:5000/$IMAGEREPO/$i
-    else
-      echo "There is a problem downloading the $i image. Details: "
-      echo ""
-      echo $GPGTEST
-      exit 1
-  done
-  
-}
-
 version_check() {
   if [ -f /etc/soversion ]; then
     VERSION=$(cat /etc/soversion)
@@ -83,54 +43,5 @@ version_check
 # Use the hostname
 HOSTNAME=$(hostname)
 # List all the containers
-if [ $MANAGERCHECK != 'so-helix' ]; then
-    TRUSTED_CONTAINERS=( \
-    "so-acng:$VERSION" \
-    "so-thehive-cortex:$VERSION" \
-    "so-curator:$VERSION" \
-    "so-domainstats:$VERSION" \
-    "so-elastalert:$VERSION" \
-    "so-elasticsearch:$VERSION" \
-    "so-filebeat:$VERSION" \
-    "so-fleet:$VERSION" \
-    "so-fleet-launcher:$VERSION" \
-    "so-freqserver:$VERSION" \
-    "so-grafana:$VERSION" \
-    "so-idstools:$VERSION" \
-    "so-influxdb:$VERSION" \
-    "so-kibana:$VERSION" \
-    "so-kratos:$VERSION" \
-    "so-logstash:$VERSION" \
-    "so-minio:$VERSION" \
-    "so-mysql:$VERSION" \
-    "so-nginx:$VERSION" \
-    "so-pcaptools:$VERSION" \
-    "so-playbook:$VERSION" \
-    "so-redis:$VERSION" \
-    "so-soc:$VERSION" \
-    "so-soctopus:$VERSION" \
-    "so-steno:$VERSION" \
-    "so-strelka-frontend:$VERSION" \
-		"so-strelka-manager:$VERSION" \
-		"so-strelka-backend:$VERSION" \
-		"so-strelka-filestream:$VERSION" \
-    "so-suricata:$VERSION" \
-    "so-telegraf:$VERSION" \
-    "so-thehive:$VERSION" \
-    "so-thehive-es:$VERSION" \
-    "so-wazuh:$VERSION" \
-    "so-zeek:$VERSION" )
-  else
-    TRUSTED_CONTAINERS=( \
-    "so-filebeat:$VERSION" \
-    "so-idstools:$VERSION" \
-    "so-logstash:$VERSION" \
-    "so-nginx:$VERSION" \
-    "so-redis:$VERSION" \
-    "so-steno:$VERSION" \
-    "so-suricata:$VERSION" \
-    "so-telegraf:$VERSION" \
-    "so-zeek:$VERSION" )
-  fi
-
+container_list
 update_docker_containers

salt/common/tools/sbin/soup

@@ -79,6 +79,24 @@ airgap_mounted() {
   fi
 }
 
+airgap_update_dockers() {
+  if [ $is_airgap -eq 0 ]; then
+    # Let's copy the tarball
+    if [ ! -f $AGDOCKER/registry.tar ]; then
+      echo "Unable to locate registry. Exiting"
+      exit 1
+    else
+      echo "Stopping the registry docker"
+      docker stop so-dockerregistry
+      docker rm so-dockerregistry
+      echo "Copying the new dockers over"
+      tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker
+      echo "Add Registry back"
+      docker load -i $AGDOCKER/registry_image.tar
+    fi
+
+}
+
 check_airgap() {
   # See if this is an airgap install
   AIRGAP=$(cat /opt/so/saltstack/local/pillar/global.sls | grep airgap | awk '{print $2}')
@@ -290,103 +308,6 @@ update_centos_repo() {
   createrepo /nsm/repo
 }
 
-update_dockers() {
-  if [ $is_airgap -eq 0 ]; then
-    # Let's copy the tarball
-    if [ ! -f $AGDOCKER/registry.tar ]; then
-      echo "Unable to locate registry. Exiting"
-      exit 0
-    else
-      echo "Stopping the registry docker"
-      docker stop so-dockerregistry
-      docker rm so-dockerregistry
-      echo "Copying the new dockers over"
-      tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker
-    fi
-  else
-    # List all the containers
-    if [ $MANAGERCHECK == 'so-import' ]; then
-      TRUSTED_CONTAINERS=( \
-      "so-idstools" \
-      "so-nginx" \
-      "so-filebeat" \
-      "so-suricata" \
-      "so-soc" \
-      "so-elasticsearch" \
-      "so-kibana" \
-      "so-kratos" \
-      "so-suricata" \
-      "so-registry" \
-      "so-pcaptools" \
-      "so-zeek" )
-    elif [ $MANAGERCHECK != 'so-helix' ]; then
-      TRUSTED_CONTAINERS=( \
-      "so-acng" \
-      "so-thehive-cortex" \
-      "so-curator" \
-      "so-domainstats" \
-      "so-elastalert" \
-      "so-elasticsearch" \
-      "so-filebeat" \
-      "so-fleet" \
-      "so-fleet-launcher" \
-      "so-freqserver" \
-      "so-grafana" \
-      "so-idstools" \
-      "so-influxdb" \
-      "so-kibana" \
-      "so-kratos" \
-      "so-logstash" \
-      "so-minio" \
-      "so-mysql" \
-      "so-nginx" \
-      "so-pcaptools" \
-      "so-playbook" \
-      "so-redis" \
-      "so-soc" \
-      "so-soctopus" \
-      "so-steno" \
-      "so-strelka-frontend" \
-      "so-strelka-manager" \
-      "so-strelka-backend" \
-      "so-strelka-filestream" \
-      "so-suricata" \
-      "so-telegraf" \
-      "so-thehive" \
-      "so-thehive-es" \
-      "so-wazuh" \
-      "so-zeek" )
-    else
-      TRUSTED_CONTAINERS=( \
-      "so-filebeat" \
-      "so-idstools" \
-      "so-logstash" \
-      "so-nginx" \
-      "so-redis" \
-      "so-steno" \
-      "so-suricata" \
-      "so-telegraf" \
-      "so-zeek" )
-    fi
-    
-# Download the containers from the interwebs
-    for i in "${TRUSTED_CONTAINERS[@]}"
-    do
-      # Pull down the trusted docker image
-      echo "Downloading $i:$NEWVERSION"
-      docker pull --disable-content-trust=false docker.io/$IMAGEREPO/$i:$NEWVERSION
-      # Tag it with the new registry destination
-      docker tag $IMAGEREPO/$i:$NEWVERSION $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION
-      docker push $HOSTNAME:5000/$IMAGEREPO/$i:$NEWVERSION 
-    done
-  fi
-    echo "Add Registry back if airgap"
-    if [ $is_airgap -eq 0 ]; then
-      docker load -i $AGDOCKER/registry_image.tar
-    fi 
-
-}
-
 update_version() {
   # Update the version to the latest
   echo "Updating the Security Onion version file."
@@ -513,7 +434,12 @@ echo ""
 echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
 echo ""
 echo "Updating dockers to $NEWVERSION."
-update_dockers
+if [ $is_airgap -eq 0 ]; then
+  airgap_update_dockers
+else
+  container_list
+  update_docker_containers
+fi
 echo ""
 echo "Stopping Salt Minion service."
 systemctl stop salt-minion