Merge remote-tracking branch 'origin/2.4/dev' into vlb2

salt/salt/map.jinja

@@ -4,7 +4,8 @@
    Elastic License 2.0. #}
 
 {% import_yaml 'salt/minion.defaults.yaml' as saltminion %}
-{% set SALTVERSION = saltminion.salt.minion.version %}
+{% set SALTVERSION = saltminion.salt.minion.version | string %}
+{% set INSTALLEDSALTVERSION = grains.saltversion | string %}
 
 {% if grains.os_family == 'Debian' %}
   {% set SPLITCHAR = '+' %}
@@ -16,9 +17,7 @@
   {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}
 
-{% set INSTALLEDSALTVERSION = grains.saltversion %}
-
-{% if grains.saltversion|string != SALTVERSION|string %}
+{% if INSTALLEDSALTVERSION != SALTVERSION %}
   {% if grains.os_family|lower == 'redhat' %}
       {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F stable ' ~ SALTVERSION %}
   {% elif grains.os_family|lower == 'debian' %}

salt/salt/master.defaults.yaml

@@ -1,4 +1,4 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   master:
-    version: 3006.9
+    version: '3006.9'

salt/salt/master/mine_update_highstate.sls

@@ -0,0 +1,26 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+# This state should only be run on managers and should never be run manually
+
+{% set MINION_ID = grains.id %}
+
+# Run mine.update on all minions
+salt.master.mine_update_highstate.update_mine_all_minions:
+  salt.function:
+    - name: mine.update
+    - tgt: '*'
+    - batch: 50
+    - retry:
+        attempts: 3
+        interval: 1
+
+# Run highstate on the original minion
+# we can use concurrent on this highstate because no other highstate would be running when this is called
+salt.master.mine_update_highstate.run_highstate_on_{{ MINION_ID }}:
+  salt.state:
+    - tgt: {{ MINION_ID }}
+    - highstate: True
+    - concurrent: True

salt/salt/minion.defaults.yaml

@@ -1,6 +1,5 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   minion:
-    version: 3006.9
+    version: '3006.9'
     check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
-    service_start_delay: 30 # in seconds.

salt/salt/minion.sls

@@ -5,10 +5,10 @@
 {% from 'salt/map.jinja' import SALTPACKAGES %}
 {% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}
 {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
-{% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}
 
 include:
   - salt.python_modules
+  - salt.patch.x509_v2
   - salt
   - systemd.reload
   - repo.client
@@ -91,8 +91,6 @@ salt_minion_service_unit_file:
     - name: {{ SYSTEMD_UNIT_FILE }}
     - source: salt://salt/service/salt-minion.service.jinja
     - template: jinja
-    - defaults:
-        service_start_delay: {{ service_start_delay }}
     - onchanges_in:
       - module: systemd_reload
 

salt/salt/patch/x509_v2/init.sls

@@ -0,0 +1,6 @@
+patch_x509_v2_state_module:
+  file.replace:
+    - name: /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
+    - pattern: 'res = __salt__\["state.single"\]\("file.managed", name, test=test, \*\*kwargs\)'
+    - repl: 'res = __salt__["state.single"]("file.managed", name, test=test, concurrent=True, **kwargs)'
+    - backup: .bak

salt/salt/service/salt-minion.service.jinja

@@ -8,8 +8,9 @@ KillMode=process
 Type=notify
 NotifyAccess=all
 LimitNOFILE=8192
+ExecStartPre=/bin/bash -c 'until /sbin/ip -4 addr show dev {{ salt["pillar.get"]("host:mainint") }} | grep -q "inet "; do sleep 1; done'
 ExecStart=/usr/bin/salt-minion
-ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
+TimeoutStartSec=120
 
 [Install]
 WantedBy=multi-user.target