From d56e66917a8ba2da676cee3044657734520bb0ab Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 26 Apr 2021 09:18:15 -0400 Subject: [PATCH 01/24] 2.3.50 sig files --- VERIFY_ISO.md | 22 +++++++++++----------- sigs/securityonion-2.3.50.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.50.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 774116411..bd29a864e 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,16 +1,16 @@ -### 2.3.40 ISO image built on 2021/03/22 +### 2.3.50 ISO image built on 2021/04/25 ### Download and Verify -2.3.40 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso +2.3.50 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso -MD5: FB72C0675F262A714B287BB33CE82504 -SHA1: E8F5A9AA23990DF794611F9A178D88414F5DA81C -SHA256: DB125D6E770F75C3FD35ABE3F8A8B21454B7A7618C2B446D11B6AC8574601070 +MD5: 8B74AF6F29DB156E3D467B25E1D46449 +SHA1: 99A0A96C5F206471E4F1D26A8A2D577A8ECDAED5 +SHA256: CA0EE3793FC1356FB5C50D36107FA3BB39DE6C40EBE6C7C90075D5C189BB3083 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -24,22 +24,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.40.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.40.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.40.iso.sig securityonion-2.3.40.iso +gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 22 Mar 2021 09:35:50 AM EDT using RSA key ID FE507013 +gpg: Signature made Sun 25 Apr 2021 01:01:35 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.50.iso.sig b/sigs/securityonion-2.3.50.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..05d0d01628f4cc4ce32b0d49cb57937d6a64747f GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;7&pl<*Q2@re`V7LBIa1(075B(nuX|)-z2+BYNjp#JV zwG*X@!I*qu0;DHkt_(+G{1bx~=74ROQ|+^>iQ=eq30|oU$B|6zn7a;l6~_#8TWrFJ z#pv%-j>;urN7F1K>I?1*A3h$x+uX&u~; zR;Iz2peomHkFY@}XLP`^$fPQi7yfGmF#8Ut$kQ?DI!8UCUJSCv5%OeWD~!UF=RMOU zCyBZDsV1-9LZWO5u!M|T7|rLeiUNMIp?-aKzdvLfh5I_$j6nBM_jzszPS0A@mbQ-! z0&AK6zt_clEB5r5%p?#=7<^TH!vbk%Rmxak4^j?UR#<+G6rLq|_bMP$uupz){3HLK z1ziwXGXcyc$d*M;BgRN*+64@Kz6x;NpvxH^AeUiRFC2!>CjzZ363vg*q5pHIVn^h9 zq}nOvd;OV?mVma6M{!Eh{FV_g8jI}(?;WTg*3KlPQGS+4-IO#W;jD!mE2okD=jS|# zd@eLnP!+GyJteB893Q(0)}X}u;!nRY81Wpc!2CP2_ZD+%*zl-Ctm;*PE(C-QThdOj hcQvOU(|8|fj`^ZuqH_3q3de7e;9z+|B+g|eSJ)6+1Kj`s literal 0 HcmV?d00001 From a6b2eefee1ac6bcd13f0d95e6a1a45d10d018863 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 27 Apr 2021 15:33:52 -0400 Subject: [PATCH 02/24] Prompt airgap to update --- VERIFY_ISO.md | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 VERIFY_ISO.md diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md new file mode 100644 index 000000000..ca819a403 --- /dev/null +++ b/VERIFY_ISO.md @@ -0,0 +1,51 @@ +### 2.3.50 ISO image built on 2021/04/26 + + +### Download and Verify + +2.3.50 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso + +MD5: 1FF774520D3B1323D83BBF90BD9EFACE +SHA1: 0F323335459A11850B68BB82E062F581225303EE +SHA256: 2AACD535E0EACE17E8DC7B560353D43111A287C59C23827612B720D742DFD994 + +Signature for ISO image: +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig + +Signing key: +https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS + +For example, here are the steps you can use on most Linux distributions to download and verify our Security Onion ISO image. + +Download and import the signing key: +``` +wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -O - | gpg --import - +``` + +Download the signature file for the ISO: +``` +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.50.iso.sig +``` + +Download the ISO image: +``` +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.50.iso +``` + +Verify the downloaded ISO image using the signature file: +``` +gpg --verify securityonion-2.3.50.iso.sig securityonion-2.3.50.iso +``` + +The output should show "Good signature" and the Primary key fingerprint should match what's shown below: +``` +gpg: Signature made Mon 26 Apr 2021 03:54:51 PM EDT using RSA key ID FE507013 +gpg: Good signature from "Security Onion Solutions, LLC " +gpg: WARNING: This key is not certified with a trusted signature! +gpg: There is no indication that the signature belongs to the owner. +Primary key fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013 +``` + +Once you've verified the ISO image, you're ready to proceed to our Installation guide: +https://docs.securityonion.net/en/2.3/installation.html From 77533f78734ee7b1106e5a7500c1538b4b7bef7a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 27 Apr 2021 15:45:35 -0400 Subject: [PATCH 03/24] Repo Fix --- sigs/securityonion-2.3.50.iso.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/securityonion-2.3.50.iso.sig diff --git a/sigs/securityonion-2.3.50.iso.sig b/sigs/securityonion-2.3.50.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..d8405a0421e494f77a03bee88e5207e9f73c1e29 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;7*RW$$#2@re`V7LBIa1$Um5CESxa#R+gq=PYL1RQjp zIUjoz5JIvAI&fTWU%o>h~+eB02ca8Fb5cDUR*+^E@ z`nMVQYSe6b-cVv-tuz_HMkKDGT76lmx(uDa5)|)sD?MLv{R* z1E#5Ie<@~K-Zay`EJ1)0fqS55MnW%AwIRWoN&_XyX$rPwU}^qQ1m*+fU}lY}1jLZC h24TfxOI&zaA^x(3X|swT8BU^s0 Date: Fri, 2 Jul 2021 08:55:49 -0400 Subject: [PATCH 04/24] ECS hotfix --- HOTFIX | 2 +- VERSION | 2 +- salt/elasticsearch/files/ingest/ossec | 3 +-- salt/elasticsearch/files/ingest/strelka.file | 3 +-- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/HOTFIX b/HOTFIX index d3f5a12fa..f32bc0381 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ - +ECSFIX diff --git a/VERSION b/VERSION index e183d6a6c..678d59d4f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.70 +2.3.60 diff --git a/salt/elasticsearch/files/ingest/ossec b/salt/elasticsearch/files/ingest/ossec index 1c5a0fd42..868de2798 100644 --- a/salt/elasticsearch/files/ingest/ossec +++ b/salt/elasticsearch/files/ingest/ossec @@ -63,8 +63,7 @@ { "rename": { "field": "fields.module", "target_field": "event.module", "ignore_failure": true, "ignore_missing": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }, - { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "ossec.alert", "override": true } }, - { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.kind", "value": "alert", "override": true } }, + { "set": { "if": "ctx.rule != null && ctx.rule.name != null", "field": "event.dataset", "value": "alert", "override": true } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index cf2772305..e5e8560f8 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file @@ -53,8 +53,7 @@ { "set": { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory", "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }}, { "set": { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem", "value": "{{exiftool.Subsystem}}", "ignore_failure": true }}, { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name", "value": "{{scan.yara.matches.0}}" }}, - { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "strelka.alert", "override": true }}, - { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "event.kind", "value": "alert", "override": true }}, + { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "alert", "override": true }}, { "rename": { "field": "file.flavors.mime", "target_field": "file.mime_type", "ignore_missing": true }}, { "set": { "if": "ctx.rule?.name != null && ctx.rule?.score == null", "field": "event.severity", "value": 3, "override": true } }, { "convert" : { "if": "ctx.rule?.score != null", "field" : "rule.score","type": "integer"}}, From 22aa695508be3df25f7c91160218d36bb4c11a44 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 2 Jul 2021 09:47:31 -0400 Subject: [PATCH 05/24] Update telegraf.conf --- salt/telegraf/etc/telegraf.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 44e78ecda..abb928a76 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -630,8 +630,10 @@ {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["https://{{ NODEIP }}:9200"] +{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ ES_USER }}" password = "{{ ES_PASS }}" +{% endif %} insecure_skip_verify = true {% endif %} From 0a91f571c1f19958511a8880c7fbcfbb4ccb719e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 2 Jul 2021 10:41:15 -0400 Subject: [PATCH 06/24] 2.3.60 ECSFIX --- VERIFY_ISO.md | 22 +++++++++++----------- sigs/securityonion-2.3.60-ECSFIX.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.60-ECSFIX.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index cd1dfa825..d64b20075 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.60 ISO image built on 2021/04/27 +### 2.3.60-ECSFIX ISO image built on 2021/07/02 ### Download and Verify -2.3.60 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso +2.3.60-ECSFIX ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso -MD5: 0470325615C42C206B028EE37A1AD897 -SHA1: 496E70BD529D3B8A02D0B32F68B8F7527C953612 -SHA256: 417E34DFCD63D84A16FF2041DC712F02D9E0515C8B78BDF0EE1037DD13C32030 +MD5: BCD2C449BD3B65D96A0D1E479C0414F9 +SHA1: 18FB8F33C19980992B291E5A7EC23D5E13853933 +SHA256: AD3B750E7FC4CA0D58946D8FEB703AE9B01508E314967566B06CFE5D8A8086E9 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS @@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.60-ECSFIX.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.60-ECSFIX.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.60.iso.sig securityonion-2.3.60.iso +gpg --verify securityonion-2.3.60-ECSFIX.iso.sig securityonion-2.3.60-ECSFIX.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Thu 01 Jul 2021 10:59:24 AM EDT using RSA key ID FE507013 +gpg: Signature made Fri 02 Jul 2021 10:15:04 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.60-ECSFIX.iso.sig b/sigs/securityonion-2.3.60-ECSFIX.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..cc55927fa51558aa37f22edf51f0e4d673d0176d GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;8-A7}sy2@re`V7LBIa1%wI5CFR1D4`vbrDu+;!sTS* zE!py=ZSCBYZV&cUPU9O^iSLFIgJqf7<;>XyJT$j|tglSD5kcE>_xLjiFsSzhsq-pm@2~( z`ODPPDm?sgWAKH%=TtyCuKCRJ{8xw>=H^BMk&XcvQxadMMc$nF6c1%Pja`$8Pekn$aUMi3 zo#Ljw5X3_uxJ%t&R}YR7e}gbg4%L_f$+yf1`eXf^2m*6P`j~mh%fqTxYKxt@Y5{y5*5@Ghj3)zUivs_ zfKQf#=)m(F*^B<*&D&adjU26cS|(#5N}FU= zGgWoFWNPvIBQ6!3p37o?om4$H^C&lJwhZzzyx@6{^Err2-8rXYiQ*PLnjA^do)(oY h$e~h9tfW>;@LmY}O&&)QYg-Ckik79+CJ{}Ek~!yY3sV39 literal 0 HcmV?d00001 From 4946f32d88b4fca0083c369c81131b41402fa244 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 6 Jul 2021 14:14:58 -0400 Subject: [PATCH 07/24] Add extra_hosts entry for local instance when running as heavy node --- salt/logstash/init.sls | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index bfd08e4fe..86405fa79 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -145,7 +145,12 @@ so-logstash: - name: so-logstash - user: logstash - extra_hosts: + {% if grains.role in ['so-heavynode'] %} + {% set MANAGER = salt['grains.get']('nodename') %} + {% set MANAGERIP = salt['pillar.get']('sensor:mainip') %} + {% else %} - {{ MANAGER }}:{{ MANAGERIP }} + {% endif %} - environment: - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - port_bindings: @@ -205,4 +210,4 @@ append_so-logstash_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 10b1829830cc37b897fadf3d57468b49d57a6202 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 6 Jul 2021 14:16:34 -0400 Subject: [PATCH 08/24] Add conditional for heavynode --- salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja index 60229422b..4b108d1b6 100644 --- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja @@ -1,4 +1,8 @@ +{%- if grains.role in ['so-heavynode'] %} +{%- set MANAGER = salt['grains.get']('host') %} +{%- else %} {%- set MANAGER = salt['grains.get']('master') %} +{%- endif %} {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} {% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} From 2e91f2733626a4befc5e55364a4c318d1ad8845d Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 6 Jul 2021 14:17:49 -0400 Subject: [PATCH 09/24] Add conditional for heavynode --- .../logstash/pipelines/config/so/9999_output_redis.conf.jinja | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index 626ed62c3..a70e309e4 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,4 +1,8 @@ +{%- if grains.role in ['so-heavynode'] %} +{%- set MANAGER = salt['grains.get']('host') %} +{%- else %} {%- set MANAGER = salt['grains.get']('master') %} +{%- endif %} {% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} output { redis { From 2f3f04e4ca8363ec7f7de3ca8bcc11ca4ca2cef1 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 6 Jul 2021 14:18:39 -0400 Subject: [PATCH 10/24] Change from nodename to host --- salt/logstash/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 86405fa79..581d1349a 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -146,7 +146,7 @@ so-logstash: - user: logstash - extra_hosts: {% if grains.role in ['so-heavynode'] %} - {% set MANAGER = salt['grains.get']('nodename') %} + {% set MANAGER = salt['grains.get']('host') %} {% set MANAGERIP = salt['pillar.get']('sensor:mainip') %} {% else %} - {{ MANAGER }}:{{ MANAGERIP }} From ce0b0649723e7f85110f9a8bed4da185fc5a264f Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 6 Jul 2021 14:21:29 -0400 Subject: [PATCH 11/24] Add conditional for heavynode for redis and elasticsearch --- salt/ssl/init.sls | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 5786437f6..d885a2721 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -9,6 +9,9 @@ {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} +{% if grains.role in ['so-heavynode'] %} +{% set heavynode = salt['grains.get']('host') %} +{% endif %} {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %} {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %} @@ -103,7 +106,11 @@ influxkeyperms: # Create a cert for Redis encryption /etc/pki/redis.key: x509.private_key_managed: + {% if grains.role in ['so-heavynode'] %} + - CN: {{ heavynode }} + {% else %} - CN: {{ manager }} + {% endif %} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -123,7 +130,11 @@ influxkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/redis.key + {% if grains.role in ['so-heavynode'] %} + - CN: {{ heavynode }} + {% else %} - CN: {{ manager }} + {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True @@ -315,7 +326,11 @@ miniokeyperms: # Create a cert for elasticsearch /etc/pki/elasticsearch.key: x509.private_key_managed: + {% if grains.role in ['so-heavynode'] %} + - CN: {{ heavynode }} + {% else %} - CN: {{ manager }} + {% endif %} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -335,7 +350,11 @@ miniokeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/elasticsearch.key + {% if grains.role in ['so-heavynode'] %} + - CN: {{ heavynode }} + {% else %} - CN: {{ manager }} + {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True @@ -677,4 +696,4 @@ elastickeyperms: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 0627ca2fc2e245e0b073062f2c1664067543503d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Jul 2021 15:32:39 -0400 Subject: [PATCH 12/24] use heavynode hostname for certs if heavynode. changes to logstash pipeline for redis if heavynode --- salt/logstash/init.sls | 15 ++-- .../config/so/0900_input_redis.conf.jinja | 11 ++- .../config/so/9999_output_redis.conf.jinja | 8 +-- salt/ssl/init.sls | 70 +++++++------------ 4 files changed, 42 insertions(+), 62 deletions(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 581d1349a..cd6a8918c 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -36,6 +36,14 @@ {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} +{% if grains.role in ['so-heavynode'] %} + {% set EXTRAHOSTHOSTNAME = salt['grains.get']('host') %} + {% set EXTRAHOSTIP = salt['pillar.get']('sensor:mainip') %} +{% else %} + {% set EXTRAHOSTHOSTNAME = MANAGER %} + {% set EXTRAHOSTIP = MANAGERIP %} +{% endif %} + include: - elasticsearch @@ -145,12 +153,7 @@ so-logstash: - name: so-logstash - user: logstash - extra_hosts: - {% if grains.role in ['so-heavynode'] %} - {% set MANAGER = salt['grains.get']('host') %} - {% set MANAGERIP = salt['pillar.get']('sensor:mainip') %} - {% else %} - - {{ MANAGER }}:{{ MANAGERIP }} - {% endif %} + - {{ EXTRAHOSTHOSTNAME }}:{{ EXTRAHOSTIP }} - environment: - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - port_bindings: diff --git a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja index 4b108d1b6..35f77c5a0 100644 --- a/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/0900_input_redis.conf.jinja @@ -1,14 +1,13 @@ {%- if grains.role in ['so-heavynode'] %} -{%- set MANAGER = salt['grains.get']('host') %} + {%- set HOST = salt['grains.get']('host') %} {%- else %} -{%- set MANAGER = salt['grains.get']('master') %} + {%- set HOST = salt['grains.get']('master') %} {%- endif %} -{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} -{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} - + {%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} +{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} input { redis { - host => '{{ MANAGER }}' + host => '{{ HOST }}' port => 9696 ssl => true data_type => 'list' diff --git a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja index a70e309e4..6b9c62e2f 100644 --- a/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja +++ b/salt/logstash/pipelines/config/so/9999_output_redis.conf.jinja @@ -1,12 +1,12 @@ {%- if grains.role in ['so-heavynode'] %} -{%- set MANAGER = salt['grains.get']('host') %} + {%- set HOST = salt['grains.get']('host') %} {%- else %} -{%- set MANAGER = salt['grains.get']('master') %} + {%- set HOST = salt['grains.get']('master') %} {%- endif %} -{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} +{%- set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} output { redis { - host => '{{ MANAGER }}' + host => '{{ HOST }}' port => 6379 data_type => 'list' key => 'logstash:unparsed' diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index d885a2721..aaa650f97 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -10,7 +10,9 @@ {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} {% if grains.role in ['so-heavynode'] %} -{% set heavynode = salt['grains.get']('host') %} + {% set COMMONNAME = salt['grains.get']('host') %} +{% else %} + {% set COMMONNAME = manager %} {% endif %} {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %} @@ -60,7 +62,7 @@ removeesp12dir: /etc/pki/influxdb.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -81,7 +83,7 @@ removeesp12dir: - ca_server: {{ ca_server }} - signing_policy: influxdb - public_key: /etc/pki/influxdb.key - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - subjectAltName: DNS:{{ HOSTNAME }} - days_remaining: 0 - days_valid: 820 @@ -106,11 +108,7 @@ influxkeyperms: # Create a cert for Redis encryption /etc/pki/redis.key: x509.private_key_managed: - {% if grains.role in ['so-heavynode'] %} - - CN: {{ heavynode }} - {% else %} - - CN: {{ manager }} - {% endif %} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -130,11 +128,7 @@ influxkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/redis.key - {% if grains.role in ['so-heavynode'] %} - - CN: {{ heavynode }} - {% else %} - - CN: {{ manager }} - {% endif %} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -158,7 +152,7 @@ rediskeyperms: {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %} /etc/pki/filebeat.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -179,11 +173,7 @@ rediskeyperms: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /etc/pki/filebeat.key -{% if grains.role == 'so-heavynode' %} - - CN: {{grains.host}} -{% else %} - - CN: {{manager}} -{% endif %} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -239,7 +229,7 @@ fbcrtlink: /etc/pki/registry.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -260,7 +250,7 @@ fbcrtlink: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/registry.key - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -282,7 +272,7 @@ regkeyperms: /etc/pki/minio.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -303,7 +293,7 @@ regkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/minio.key - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -326,11 +316,7 @@ miniokeyperms: # Create a cert for elasticsearch /etc/pki/elasticsearch.key: x509.private_key_managed: - {% if grains.role in ['so-heavynode'] %} - - CN: {{ heavynode }} - {% else %} - - CN: {{ manager }} - {% endif %} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -350,11 +336,7 @@ miniokeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/elasticsearch.key - {% if grains.role in ['so-heavynode'] %} - - CN: {{ heavynode }} - {% else %} - - CN: {{ manager }} - {% endif %} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -387,7 +369,7 @@ elasticp12perms: /etc/pki/managerssl.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -408,7 +390,7 @@ elasticp12perms: - ca_server: {{ ca_server }} - signing_policy: managerssl - public_key: /etc/pki/managerssl.key - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 @@ -432,7 +414,7 @@ msslkeyperms: # Create a private key and cert for OSQuery /etc/pki/fleet.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -450,7 +432,7 @@ msslkeyperms: /etc/pki/fleet.crt: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - subjectAltName: DNS:{{ manager }},IP:{{ managerip }} - days_remaining: 0 - days_valid: 820 @@ -481,7 +463,7 @@ fbcertdir: /opt/so/conf/filebeat/etc/pki/filebeat.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -502,11 +484,7 @@ fbcertdir: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key -{% if grains.role == 'so-heavynode' %} - - CN: {{grains.id}} -{% else %} - - CN: {{manager}} -{% endif %} + - CN: {{ COMMONNAME }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -547,7 +525,7 @@ chownfilebeatp8: /etc/pki/managerssl.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -592,7 +570,7 @@ msslkeyperms: # Create a private key and cert for Fleet /etc/pki/fleet.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -637,7 +615,7 @@ fleetkeyperms: # Create a cert for elasticsearch /etc/pki/elasticsearch.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ COMMONNAME }} - bits: 4096 - days_remaining: 0 - days_valid: 820 From c1d61dc6248f4eef24154846a9100c7610c467d7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Jul 2021 15:54:15 -0400 Subject: [PATCH 13/24] add to HOTFIX file --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index f32bc0381..a87f12a32 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -ECSFIX +HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES From f8dc647b1f46fc1b8c41b9256c5017488aaeaf0d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Jul 2021 15:59:35 -0400 Subject: [PATCH 14/24] add to HOTFIX file --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index a87f12a32..6e1406eb7 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES +ECSFIX HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES From 9c2ead16cc3bc7a53b5c59f99c64860f2ff97e64 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Jul 2021 10:22:37 -0400 Subject: [PATCH 15/24] common name changes, allow cert to be managed regardless of expire date for heavy node --- salt/ssl/init.sls | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index aaa650f97..f6cfaf4f4 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -62,7 +62,7 @@ removeesp12dir: /etc/pki/influxdb.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -83,15 +83,17 @@ removeesp12dir: - ca_server: {{ ca_server }} - signing_policy: influxdb - public_key: /etc/pki/influxdb.key - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - subjectAltName: DNS:{{ HOSTNAME }} - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -132,10 +134,12 @@ influxkeyperms: - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -177,10 +181,12 @@ rediskeyperms: - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -229,7 +235,7 @@ fbcrtlink: /etc/pki/registry.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -250,7 +256,7 @@ fbcrtlink: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/registry.key - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -272,7 +278,7 @@ regkeyperms: /etc/pki/minio.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -293,7 +299,7 @@ regkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/minio.key - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -340,10 +346,12 @@ miniokeyperms: - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -369,7 +377,7 @@ elasticp12perms: /etc/pki/managerssl.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -390,7 +398,7 @@ elasticp12perms: - ca_server: {{ ca_server }} - signing_policy: managerssl - public_key: /etc/pki/managerssl.key - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 @@ -414,7 +422,7 @@ msslkeyperms: # Create a private key and cert for OSQuery /etc/pki/fleet.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -432,7 +440,7 @@ msslkeyperms: /etc/pki/fleet.crt: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - subjectAltName: DNS:{{ manager }},IP:{{ managerip }} - days_remaining: 0 - days_valid: 820 @@ -488,10 +496,12 @@ fbcertdir: - days_remaining: 0 - days_valid: 820 - backup: True +{% if grains.role not in ['so-heavynode'] %} - unless: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' +{% endif %} - timeout: 30 - retry: attempts: 5 @@ -525,7 +535,7 @@ chownfilebeatp8: /etc/pki/managerssl.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -570,7 +580,7 @@ msslkeyperms: # Create a private key and cert for Fleet /etc/pki/fleet.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -615,7 +625,7 @@ fleetkeyperms: # Create a cert for elasticsearch /etc/pki/elasticsearch.key: x509.private_key_managed: - - CN: {{ COMMONNAME }} + - CN: {{ manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 From 98fb5109d73d54e83b7230c644a3b8549a99fcf5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Jul 2021 12:05:38 -0400 Subject: [PATCH 16/24] tell heavys to update ssl and restart containers for HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES hotfix --- salt/common/tools/sbin/soup | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index bc95c5428..8be0192c0 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -352,6 +352,8 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30 [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40 [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60 + [[ "$POSTVERSION" == 2.3.60 ]] && post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES + true } @@ -377,6 +379,11 @@ post_2.3.5X_to_2.3.60() { POSTVERSION=2.3.60 } +post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES() { + + salt G@role:so-heavynode -b 5% cmd.run 'salt-call state.apply ssl queue=True && so-redis-restart && so-elasticsearch-restart && so-filebeat-restart && so-logstash-restart' + +} rc1_to_rc2() { From 5eab57e50035f19d878d0548bf67487cee09d0c3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Jul 2021 13:58:52 -0400 Subject: [PATCH 17/24] remove soup control of heavy --- salt/common/tools/sbin/soup | 7 ------- 1 file changed, 7 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 8be0192c0..cb560b0d7 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -352,7 +352,6 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30 [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40 [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60 - [[ "$POSTVERSION" == 2.3.60 ]] && post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES true } @@ -379,12 +378,6 @@ post_2.3.5X_to_2.3.60() { POSTVERSION=2.3.60 } -post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES() { - - salt G@role:so-heavynode -b 5% cmd.run 'salt-call state.apply ssl queue=True && so-redis-restart && so-elasticsearch-restart && so-filebeat-restart && so-logstash-restart' - -} - rc1_to_rc2() { # Move the static file to global.sls From 313260a0c567fee01cb7b87d3b6e9e673d175340 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 7 Jul 2021 14:22:45 -0400 Subject: [PATCH 18/24] add heavy action in soup for ssl redis, es, ls, fb --- salt/common/tools/sbin/soup | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cb560b0d7..2c09f681d 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -352,6 +352,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30 [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40 [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60 + [[ "$POSTVERSION" == 2.3.60 ]] && post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES true } @@ -378,6 +379,10 @@ post_2.3.5X_to_2.3.60() { POSTVERSION=2.3.60 } +post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES() { + salt G@role:so-heavynode -b 5% cmd.run 'salt-call state.apply ssl queue=True && so-redis-restart && so-elasticsearch-restart && so-filebeat-restart && so-logstash-restart' +} + rc1_to_rc2() { # Move the static file to global.sls From cfc5c2aef6797039615b853dc4f424d73fd074f8 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 7 Jul 2021 14:32:57 -0400 Subject: [PATCH 19/24] do ; instead of && --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 2c09f681d..cef0b834c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -380,7 +380,7 @@ post_2.3.5X_to_2.3.60() { } post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES() { - salt G@role:so-heavynode -b 5% cmd.run 'salt-call state.apply ssl queue=True && so-redis-restart && so-elasticsearch-restart && so-filebeat-restart && so-logstash-restart' + salt G@role:so-heavynode -b 5% cmd.run 'salt-call state.apply ssl queue=True ; so-redis-restart ; so-elasticsearch-restart ; so-filebeat-restart ; so-logstash-restart' } rc1_to_rc2() { From a3c58d8445f43e56c814b84ce7ccf5008d8943ae Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 7 Jul 2021 14:42:38 -0400 Subject: [PATCH 20/24] remove heavy soup --- salt/common/tools/sbin/soup | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cef0b834c..bc95c5428 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -352,8 +352,6 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30 [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40 [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60 - [[ "$POSTVERSION" == 2.3.60 ]] && post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES - true } @@ -379,9 +377,6 @@ post_2.3.5X_to_2.3.60() { POSTVERSION=2.3.60 } -post_2.3.60_to_2.3.60-HEAVYNODE_SSL_LOGSTASH_REDIS_PIPELINES() { - salt G@role:so-heavynode -b 5% cmd.run 'salt-call state.apply ssl queue=True ; so-redis-restart ; so-elasticsearch-restart ; so-filebeat-restart ; so-logstash-restart' -} rc1_to_rc2() { From c1d7d8c55a94c55deecd3c1fb60e6a05ff778e6d Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 7 Jul 2021 14:43:20 -0400 Subject: [PATCH 21/24] add new line --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index bc95c5428..5ed312b8f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -378,6 +378,7 @@ post_2.3.5X_to_2.3.60() { } + rc1_to_rc2() { # Move the static file to global.sls From ea2a748dba663a5de5b389f40f17b5cfc54d7d7b Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 7 Jul 2021 14:44:44 -0400 Subject: [PATCH 22/24] whitespace --- salt/common/tools/sbin/soup | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 5ed312b8f..510ff2c2e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -352,6 +352,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30 [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40 [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60 + true } @@ -377,8 +378,6 @@ post_2.3.5X_to_2.3.60() { POSTVERSION=2.3.60 } - - rc1_to_rc2() { # Move the static file to global.sls From c32b5b54298cf21d71c57c1833938ed60d0360c4 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 7 Jul 2021 14:47:16 -0400 Subject: [PATCH 23/24] whitespace --- salt/common/tools/sbin/soup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 510ff2c2e..cb92a3ec3 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -352,10 +352,10 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30 [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40 [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60 - true } + post_rc1_to_2.3.21() { salt-call state.apply playbook.OLD_db_init rm -f /opt/so/rules/elastalert/playbook/*.yaml @@ -378,6 +378,7 @@ post_2.3.5X_to_2.3.60() { POSTVERSION=2.3.60 } + rc1_to_rc2() { # Move the static file to global.sls From 12b7fd3ab49d1945ee13bddb262f0c9db9ca6501 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 7 Jul 2021 14:48:07 -0400 Subject: [PATCH 24/24] whitespace --- salt/common/tools/sbin/soup | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cb92a3ec3..bc95c5428 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -355,7 +355,6 @@ postupgrade_changes() { true } - post_rc1_to_2.3.21() { salt-call state.apply playbook.OLD_db_init rm -f /opt/so/rules/elastalert/playbook/*.yaml