From cb3631da818d1be7cb3a8c1e495751c2af0a8575 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 4 Jun 2026 15:07:27 -0400 Subject: [PATCH] Move setup-complete marker from /opt/so/conf to /opt/so/state The setup-complete marker is a runtime-state file, not config, so move it to /opt/so/state/setup-complete. Updates both writers (mark_setup_complete in setup/so-functions and the upgrade-path state in minion/init.sls) and the three readers (so-boot-highstate.service ConditionPathExists, boot_highstate.sls enable gate, and the so-user_sync cron gate).
---
 salt/manager/sync_es_users.sls | 4 ++-- salt/salt/minion/boot_highstate.sls | 2 +- salt/salt/minion/init.sls | 4 ++-- salt/salt/service/so-boot-highstate.service | 2 +- setup/so-functions | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/salt/manager/sync_es_users.sls b/salt/manager/sync_es_users.sls
index f452ff5fe..8fc9c6bb4 100644
--- a/salt/manager/sync_es_users.sls
+++ b/salt/manager/sync_es_users.sls
@@ -32,7 +32,7 @@ sync_es_users:
 - file: so-user.lock # require so-user.lock file to be missing
 # we dont want this added too early in setup, so the onlyif gates on the
-# /opt/so/conf/setup-complete marker. The marker is written by
+# /opt/so/state/setup-complete marker. The marker is written by
 # mark_setup_complete in setup/so-functions just before the final setup
 # highstate (and by an upgrade-path state for systems set up under the old gate).
 so-user_sync:
@@ -40,4 +40,4 @@ so-user_sync:
 - user: root
 - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
 - identifier: so-user_sync
- - onlyif: "test -e /opt/so/conf/setup-complete"
+ - onlyif: "test -e /opt/so/state/setup-complete"
diff --git a/salt/salt/minion/boot_highstate.sls b/salt/salt/minion/boot_highstate.sls
index e489210f6..eb2596dad 100644
--- a/salt/salt/minion/boot_highstate.sls
+++ b/salt/salt/minion/boot_highstate.sls
@@ -25,7 +25,7 @@ so_boot_highstate_unit_file:
 so_boot_highstate_service:
 service.enabled:
 - name: so-boot-highstate.service
- - onlyif: test -e /opt/so/conf/setup-complete
+ - onlyif: test -e /opt/so/state/setup-complete
 - require:
 - file: so_boot_highstate_unit_file
 - module: systemd_reload
diff --git a/salt/salt/minion/init.sls b/salt/salt/minion/init.sls
index 0d0eed22c..59dd0289c 100644
--- a/salt/salt/minion/init.sls
+++ b/salt/salt/minion/init.sls
@@ -94,14 +94,14 @@ remove_startup_states:
 - mode: delete
 # Upgrade-path bridge: systems that already passed setup under the old gate
-# (`grep -x 'startup_states: highstate' /etc/salt/minion`) get a setup-complete
+# (`grep -x 'startup_states: highstate' /etc/salt/minion`) get a /opt/so/state/setup-complete
 # marker so so-boot-highstate.service can be enabled and the so-user_sync cron
 # in sync_es_users.sls keeps installing. Setup-in-progress systems instead get
 # the marker from `mark_setup_complete` in setup/so-functions at the right
 # moment. `replace: false` means we never overwrite a marker once written.
 mark_setup_complete_for_upgrades:
 file.managed:
- - name: /opt/so/conf/setup-complete
+ - name: /opt/so/state/setup-complete
 - replace: false
 - makedirs: True
 - onlyif: "grep -qx 'startup_states: highstate' /etc/salt/minion"
diff --git a/salt/salt/service/so-boot-highstate.service b/salt/salt/service/so-boot-highstate.service
index a770122d6..cc8c6a1c6 100644
--- a/salt/salt/service/so-boot-highstate.service
+++ b/salt/salt/service/so-boot-highstate.service
@@ -3,7 +3,7 @@ Description=Security Onion boot-time highstate (runs once per boot)
 After=salt-minion.service network-online.target docker.service
 Wants=network-online.target docker.service
 Requires=salt-minion.service
-ConditionPathExists=/opt/so/conf/setup-complete
+ConditionPathExists=/opt/so/state/setup-complete
 [Service]
 Type=oneshot
diff --git a/setup/so-functions b/setup/so-functions
index da8e31d73..5ce9a8fdc 100755
--- a/setup/so-functions
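Review bot: Hosts that already hold the old `/opt/so/conf/setup-complete` marker are not carried over by `mark_setup_complete_for_upgrades` in salt/salt/minion/init.sls, whose only gate is still the `startup_states: highstate` grep; the hunk shows `remove_startup_states` with `mode: delete` just above it, which presumably removes that line. If the old path was ever deployed (not visible here), such a host ends up with no marker at the new location, so the `ConditionPathExists` in so-boot-highstate.service skips the boot-time highstate without marking the unit failed, and the `onlyif` gates in boot_highstate.sls and sync_es_users.sls stop applying their states. Widening the gate to `- onlyif: "test -e /opt/so/conf/setup-complete || grep -qx 'startup_states: highstate' /etc/salt/minion"` would cover both cases. Because `makedirs: True` now creates /opt/so/state as well, an explicit `- user: root`, `- group: root` and `- mode` on the marker would keep a file that gates root-run jobs from relying on default ownership. The state may continue past the end of the hunk.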
+++ b/setup/so-functions
@@ -547,7 +547,7 @@ mark_setup_complete() {
 # Writes the setup-complete marker. Salt's so-boot-highstate.service
 # (boot-time oneshot) and the so-user_sync cron gate in
 # salt/manager/sync_es_users.sls both key off this file.
- local marker=/opt/so/conf/setup-complete
+ local marker=/opt/so/state/setup-complete
 info "Marking setup as complete"
 mkdir -p "$(dirname "$marker")"