From 48c3cb4816306d1c022995f09a8fe8622a65c2cd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 18 Jun 2021 14:56:01 -0400
Subject: [PATCH 1/2] if the salt-minion service isnt running when the state is rendered, dont try to apply schedule - https://github.com/Security-Onion-Solutions/securityonion/issues/1333
---
 salt/patch/os/schedule.sls | 2 +-
 salt/salt/minion-check.sls | 6 ++++--
 salt/schedule.sls | 2 ++
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/salt/patch/os/schedule.sls b/salt/patch/os/schedule.sls
index a91e61dfe..a5445f3a9 100644
--- a/salt/patch/os/schedule.sls
+++ b/salt/patch/os/schedule.sls
@@ -1,4 +1,4 @@
-{% if salt['pillar.get']('patch:os:schedule_name') %}
+{% if salt['pillar.get']('patch:os:schedule_name') and salt['service.status']('salt-minion', True) %}
 {% set patch_os_pillar = salt['pillar.get']('patch:os') %}
 {% set schedule_name = patch_os_pillar.schedule_name %}
 {% set splay = patch_os_pillar.get('splay', 300) %}
diff --git a/salt/salt/minion-check.sls b/salt/salt/minion-check.sls
index e8a0c2639..a9d2e8d8d 100644
--- a/salt/salt/minion-check.sls
+++ b/salt/salt/minion-check.sls
@@ -1,6 +1,7 @@
 include:
 - salt.minion-state-apply-test
-
+
+{% if salt['service.status']('salt-minion', True) %}
 state-apply-test:
 schedule.present:
 - name: salt-minion-state-apply-test
@@ -16,4 +17,5 @@ state-apply-test:
 cron.present:
 - identifier: so-salt-minion-check
 - user: root
- - minute: '*/5'
\ No newline at end of file
+ - minute: '*/5'
+{% endif %}
diff --git a/salt/schedule.sls b/salt/schedule.sls
index 12e1cd081..30b5f8608 100644
--- a/salt/schedule.sls
+++ b/salt/schedule.sls
@@ -1,5 +1,7 @@
+{% if salt['service.status']('salt-minion', True) %}
 schedule:
 schedule.present:
 - function: state.highstate
 - minutes: 15
 - maxrunning: 1
+{% endif %}
From c7a58816b68a940035c69a4d5bf84dcb62c34061 Mon Sep 17 00:00:00 2001
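Review bot: The second positional argument in `salt['service.status']('salt-minion', True)` (salt/patch/os/schedule.sls, line 1) looks unintended. As far as I know that slot is `sig`, a process-signature string, which the systemd implementation ignores and other init back ends use to match a process, so `True` either does nothing or changes how the check is made. If only the service state is wanted, `salt['service.status']('salt-minion')` says so directly. The same call is added in salt/salt/minion-check.sls and salt/schedule.sls, and it is carried into the nested condition in PATCH 2/2.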
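Review bot: When the new `{% if salt['service.status']('salt-minion', True) %}` in salt/salt/minion-check.sls is false, the guarded states are simply not rendered, so the run output says nothing about the schedule having been skipped. An `{% else %}` branch holding a `test.show_notification` state with a short text (for example "salt-minion not running at render time, schedule not applied") would leave a trace in the state results. The same applies to salt/schedule.sls, where the skipped state is the 15-minute `state.highstate` schedule itself, and to the inner condition added in PATCH 2/2, where it is the OS patch schedule. The matching `{% endif %}` is in the next hunk.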
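Review bot: In the second hunk of salt/salt/minion-check.sls the `{% endif %}` is placed after the `cron.present` entry for `so-salt-minion-check`, so that cron job is now conditional on salt-minion already running. Judging by its identifier it is the periodic check on the minion (its state ID and command are outside the hunk), and writing a cron entry should not depend on the minion being up. The case where the service is down is therefore the one where the entry should still be asserted. Moving `{% endif %}` up to directly after the `schedule.present` state would gate only the schedule.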
From: m0duspwnens
Date: Fri, 18 Jun 2021 15:30:51 -0400
Subject: [PATCH 2/2] move condition to avoid wrong notic about schedule not set in pillar
---
 salt/patch/os/schedule.sls | 40 ++++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/salt/patch/os/schedule.sls b/salt/patch/os/schedule.sls
index a5445f3a9..4e7820de1 100644
--- a/salt/patch/os/schedule.sls
+++ b/salt/patch/os/schedule.sls
@@ -1,12 +1,13 @@
-{% if salt['pillar.get']('patch:os:schedule_name') and salt['service.status']('salt-minion', True) %}
- {% set patch_os_pillar = salt['pillar.get']('patch:os') %}
- {% set schedule_name = patch_os_pillar.schedule_name %}
- {% set splay = patch_os_pillar.get('splay', 300) %}
+{% if salt['pillar.get']('patch:os:schedule_name') %}
+ {% if salt['service.status']('salt-minion', True) %}
+ {% set patch_os_pillar = salt['pillar.get']('patch:os') %}
+ {% set schedule_name = patch_os_pillar.schedule_name %}
+ {% set splay = patch_os_pillar.get('splay', 300) %}
- {% if schedule_name != 'manual' and schedule_name != 'auto' %}
- {% import_yaml "patch/os/schedules/"~schedule_name~".yml" as os_schedule %}
+ {% if schedule_name != 'manual' and schedule_name != 'auto' %}
+ {% import_yaml "patch/os/schedules/"~schedule_name~".yml" as os_schedule %}
- {% if patch_os_pillar.enabled %}
+ {% if patch_os_pillar.enabled %}
 patch_os_schedule:
 schedule.present:
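Review bot: The new inner `{% if salt['service.status']('salt-minion', True) %}` has no comment saying why it is nested rather than joined to the pillar check with `and`. A later tidy-up could fold the two back together and bring the misleading `no_patch_os_schedule_name_set` notice back. A Jinja comment above it would do, e.g. `{# skip schedule.* states when salt-minion is not running at render time; kept separate from the pillar check so the else branch only reports a missing schedule_name #}`. The gate also encloses the `schedule.disabled` and `schedule.absent` branches further down, so a pillar change that turns OS patching off is not applied while the service is down. The matching `{% endif %}` is in a later hunk.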
@@ -14,28 +15,28 @@ patch_os_schedule:
 - job_args:
 - patch.os
 - when:
- {% for days in os_schedule.patch.os.schedule %}
- {% for day, times in days.items() %}
- {% for time in times %}
+ {% for days in os_schedule.patch.os.schedule %}
+ {% for day, times in days.items() %}
+ {% for time in times %}
 - {{day}} {{time}}
+ {% endfor %}
 {% endfor %}
 {% endfor %}
- {% endfor %}
 - splay: {{splay}}
 - return_job: True
- {% else %}
+ {% else %}
 disable_patch_os_schedule:
 schedule.disabled:
 - name: patch_os_schedule
- {% endif %}
+ {% endif %}
- {% elif schedule_name == 'auto' %}
+ {% elif schedule_name == 'auto' %}
- {% if patch_os_pillar.enabled %}
+ {% if patch_os_pillar.enabled %}
 patch_os_schedule:
 schedule.present:
@@ -46,22 +47,23 @@ patch_os_schedule:
 - splay: {{splay}}
 - return_job: True
- {% else %}
+ {% else %}
 disable_patch_os_schedule:
 schedule.disabled:
 - name: patch_os_schedule
- {% endif %}
+ {% endif %}
- {% elif schedule_name == 'manual' %}
+ {% elif schedule_name == 'manual' %}
 remove_patch_os_schedule:
 schedule.absent:
 - name: patch_os_schedule
- {% endif %}
+ {% endif %}
+ {% endif %}
 {% else %}
 no_patch_os_schedule_name_set: