use salt 3006.9

salt/elasticsearch/defaults.yaml

@@ -9101,7 +9101,7 @@ elasticsearch:
         - logs-system.auth@custom
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
-        - so-system
+        - so-system-mappings
         data_stream:
           allow_custom_routing: false
           hidden: false
@@ -9196,7 +9196,7 @@ elasticsearch:
         - logs-system.syslog@custom
         - so-fleet_globals-1
         - so-fleet_agent_id_verification-1
-        - so-system
+        - so-system-mappings
         data_stream:
           allow_custom_routing: false
           hidden: false

salt/salt/master.defaults.yaml

@@ -1,4 +1,4 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   master:
-    version: 3006.1
+    version: 3006.9

salt/salt/minion.defaults.yaml

@@ -1,6 +1,6 @@
 # version cannot be used elsewhere in this pillar as soup is grepping for it to determine if Salt needs to be patched
 salt:
   minion:
-    version: 3006.1
+    version: 3006.9
     check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
     service_start_delay: 30 # in seconds.

salt/salt/minion.sls

@@ -9,6 +9,7 @@
 {% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}
 
 include:
+  - salt.python_modules
   - salt
   - systemd.reload
   - repo.client

salt/salt/python_modules.sls

@@ -0,0 +1,21 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+docker_module_package:
+  file.recurse:
+    - name: /opt/so/conf/salt/module_packages/docker
+    - source: salt://salt/module_packages/docker
+    - clean: True
+    - makedirs: True
+
+# fail hard on this state so that soup would be cancelled on a manager (eventhough salt would have already updated)
+# on a non manager, failing hard here will prevent the minion from upgrading
+# we want to fail hard here to prevent the minion from upgrading and potetially being able to manager docker containers from a dep mismatch
+docker_python_module_install:
+  cmd.run:
+    - name: /opt/saltstack/salt/bin/python3.10 -m pip install docker --no-index --find-links=/opt/so/conf/salt/module_packages/docker/ --upgrade
+    - onchanges:
+      - file: docker_module_package
+    - failhard: True

setup/so-functions

@@ -1931,7 +1931,7 @@ saltify() {
 }
 
 salt_install_module_deps() {
-    logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/"
+    logCmd "salt-call state.apply salt.python_modules --local --file-root=../salt/"
 }
 
 salt_patch_x509_v2() {