vm.max_map_count allow for minion specific values

Add version 3.0.0 to discussion template

.github/DISCUSSION_TEMPLATE/2-4.yml

@@ -35,7 +35,7 @@ body:
         - 2.4.200
         - 2.4.201
         - 2.4.210
-        - 2.4.211
+        - 3.0.0
         - Other (please provide detail below)
     validations:
       required: true

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,17 +1,17 @@
-### 2.4.211-20260312 ISO image released on 2026/03/12
+### 2.4.210-20260302 ISO image released on 2026/03/02
 
 
 ### Download and Verify
 
-2.4.211-20260312 ISO image:  
+2.4.210-20260302 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.211-20260312.iso
+https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso
  
-MD5: 7082210AE9FF4D2634D71EAD4DC8F7A3  
+MD5: 575F316981891EBED2EE4E1F42A1F016  
-SHA1: F76E08C47FD786624B2385B4235A3D61A4C3E9DC  
+SHA1: 600945E8823221CBC5F1C056084A71355308227E  
-SHA256: CE6E61788DFC492E4897EEDC139D698B2EDBEB6B631DE0043F66E94AF8A0FF4E  
+SHA256: A6AA6471125F07FA6E2796430E94BEAFDEF728E833E9728FDFA7106351EBC47E  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.211-20260312.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.211-20260312.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.210-20260302.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.211-20260312.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.210-20260302.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.211-20260312.iso.sig securityonion-2.4.211-20260312.iso
+gpg --verify securityonion-2.4.210-20260302.iso.sig securityonion-2.4.210-20260302.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Wed 11 Mar 2026 03:05:09 PM EDT using RSA key ID FE507013
+gpg: Signature made Mon 02 Mar 2026 11:55:24 AM EST using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

HOTFIX

@@ -1 +0,0 @@
-

VERSION

@@ -1 +1 @@
-2.4.211
+3.0.0

salt/common/files/daemon.json

@@ -8,12 +8,5 @@
       "base": "172.17.0.0/24",
       "size": 24
     }
-  ],
+  ]
-  "default-ulimits": {
-      "nofile": {
-        "Name": "nofile",
-        "Soft": 1048576,
-        "Hard": 1048576
-      }
-  }
 }

salt/elasticsearch/config.sls

@@ -10,7 +10,7 @@
 
 vm.max_map_count:
   sysctl.present:
-    - value: 262144
+    - value: {{ ELASTICSEARCHMERGED.vm.max_map_count }}
 
 # Add ES Group
 elasticsearchgroup:

salt/elasticsearch/defaults.yaml

@@ -2,6 +2,8 @@ elasticsearch:
   enabled: false
   version: 9.0.8
   index_clean: true
+  vm:
+    max_map_count: 1048576
   config:
     action:
       destructive_requires_name: true

salt/elasticsearch/soc_elasticsearch.yaml

@@ -15,6 +15,11 @@ elasticsearch:
     description: Determines if indices should be considered for deletion by available disk space in the cluster. Otherwise, indices will only be deleted by the age defined in the ILM settings. This setting only applies to EVAL, STANDALONE, and HEAVY NODE installations. Other installations can only use ILM settings.
     forcedType: bool
     helpLink: elasticsearch.html
+  vm:
+    max_map_count:
+      description: The maximum number of memory map areas a process may use. Elasticsearch uses a mmapfs directory by default to store its indices. The default operating system limits on mmap counts could be too low, which may result in out of memory exceptions.
+      forcedType: int
+      helpLink: elasticsearch.html
   retention: 
     retention_pct:
       decription: Total percentage of space used by Elasticsearch for multi node clusters

salt/manager/tools/sbin/soup

@@ -467,7 +467,6 @@ preupgrade_changes() {
     [[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
     [[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.201
     [[ "$INSTALLEDVERSION" == 2.4.201 ]] && up_to_2.4.210
-    [[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_2.4.211
     true
 }
 
@@ -502,7 +501,6 @@ postupgrade_changes() {
     [[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
     [[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.201
     [[ "$POSTVERSION" == 2.4.201 ]] && post_to_2.4.210
-    [[ "$POSTVERSION" == 2.4.210 ]] && post_to_2.4.211
     true
 }
 
@@ -721,11 +719,6 @@ post_to_2.4.210() {
   POSTVERSION=2.4.210
 }
 
-post_to_2.4.211() {
-  echo "Nothing to apply"
-  POSTVERSION=2.4.211
-}
-
 repo_sync() {
   echo "Sync the local repo."
   su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -1016,12 +1009,6 @@ up_to_2.4.210() {
   INSTALLEDVERSION=2.4.210
 }
 
-up_to_2.4.211() {
-  echo "Nothing to do for 2.4.211"
-
-  INSTALLEDVERSION=2.4.211
-}
-
 add_hydra_pillars() {
   mkdir -p /opt/so/saltstack/local/pillar/hydra
   touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls

salt/salt/cloud/cloud.profiles.d/socloud.conf.jinja

@@ -29,11 +29,7 @@ sool9_{{host}}:
     hypervisor_host: {{host ~ "_" ~ role}}
   preflight_cmds:
     - |
-      {%- set hostnames = [MANAGERHOSTNAME] %}
+      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ MANAGERHOSTNAME }}"
-      {%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME %}
-      {%-   do hostnames.append(URL_BASE) %}
-      {%- endif %}
-      tee -a /etc/hosts <<< "{{ MANAGERIP }}    {{ hostnames | join('  ') }}"
     - |
       timeout 600 bash -c 'trap "echo \"Preflight Check: Failed to establish repo connectivity\"; exit 1" TERM; \
         while ! dnf makecache --repoid=securityonion >/dev/null 2>&1; do echo "Preflight Check: Waiting for repo connectivity..."; \

salt/salt/cloud/config.sls

@@ -14,7 +14,6 @@
 {%   if 'vrt' in salt['pillar.get']('features', []) %}
 {%     set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
 {%     from 'salt/map.jinja' import SALTVERSION %}
-{%     from 'vars/globals.map.jinja' import GLOBALS %}
 
 {%     if HYPERVISORS %}
 cloud_providers:
@@ -35,7 +34,6 @@ cloud_profiles:
         MANAGERHOSTNAME: {{ grains.host }}
         MANAGERIP: {{ pillar.host.mainip }}
         SALTVERSION: {{ SALTVERSION }}
-        URL_BASE: {{ GLOBALS.url_base }}
     - template: jinja
     - makedirs: True
 {%     else %}

salt/salt/engines/master/virtual_node_manager.py

@@ -805,6 +805,11 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
                     mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
                                         {'nsm_size': 'Invalid nsm_size: must be positive integer'})
                     return
+                if size > 10000:  # 10TB reasonable maximum
+                    log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
+                    mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
+                                        {'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
+                    return
                 log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
             except (ValueError, TypeError) as e:
                 log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))

salt/suricata/map.jinja

@@ -16,13 +16,7 @@
 {%     do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
 {%   endif %}
 
-{%   set PCAP = salt['pillar.get']('pcap', {'enabled': false}) %}
+{%   do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
-{%   if PCAP.enabled and GLOBALS.role != 'so-import'%}
-{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
-{%   else %}
-{%     do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'no'}) %}
-{%   endif %}
-
 {#   move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
 {%   do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}