oracle 10 testing

salt/common/packages.sls

@@ -26,14 +26,33 @@ commonpkgs:
       - net-tools
       - nmap-ncat
       - procps-ng
+{# OL10 test path: python3-docker / python3-m2crypto are not packaged in EPEL 10 and are not
+   referenced by SO code (salt uses its bundled docker module from salt/python_modules.sls).
+   python3-rich is also unavailable on EL10 (its pygments dep is not packaged), so it is
+   installed via pip below. Gate on the grain because GLOBALS/pillars are not available this
+   early (see header note). #}
+{% if grains['osmajorrelease']|int < 10 %}
       - python3-docker
       - python3-m2crypto
+      - python3-rich
+{% else %}
+      - python3-pip
+{% endif %}
       - python3-packaging
       - python3-pyyaml
-      - python3-rich
       - rsync
       - sqlite
       - tcpdump
       - unzip
       - wget
       - yum-utils
+
+{% if grains['osmajorrelease']|int >= 10 %}
+# OL10 test path: rich is not packaged for EL10; install it into the system python3 for so-status.
+commonpkgs_pip_rich:
+  cmd.run:
+    - name: python3 -m pip install rich
+    - unless: python3 -c "import rich"
+    - require:
+      - pkg: commonpkgs
+{% endif %}

salt/common/tools/sbin/so-common

@@ -354,7 +354,12 @@ gpg_rpm_import() {
 	else
 		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	fi
-	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	if [[ "$OSVER" == "10" ]]; then
+		# OL10 test path uses public repos; the public oracle-epel-release and docker repos provide their own keys
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'SALT-PROJECT-GPG-PUBKEY-2023.pub')
+	else
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	fi
 	for RPMKEY in "${RPMKEYS[@]}"; do
 		rpm --import $RPMKEYSLOC/$RPMKEY
 		echo "Imported $RPMKEY"
@@ -626,9 +631,9 @@ salt_minion_count() {
 }
 
 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+	if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 		OS=oracle
-		OSVER=9
+		OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 		is_oracle=true
 		is_rpm=true
 	fi

salt/common/tools/sbin/so-image-common

@@ -115,6 +115,21 @@ update_docker_containers() {
   rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
   mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
 
+  # OL10 test path: GnuPG 2.4 enables the keybox daemon (keyboxd) by default, which deadlocks
+  # under the rapid sequential gpg --verify calls below ("waiting for lock ... keydb_search
+  # failed: Connection timed out ... No public key"). Editing the default homedir's common.conf
+  # is unreliable (gpg re-adds use-keyboxd when it re-initializes the homedir), so run all the
+  # image-signature gpg ops in a dedicated homedir whose pre-written common.conf leaves keyboxd
+  # off, forcing the classic keybox. Isolated from the system keyring and deterministic.
+  if [ "$OSVER" = "10" ]; then
+    export GNUPGHOME="$SIGNPATH/gnupg"
+    rm -rf "$GNUPGHOME" >> "$LOG_FILE" 2>&1
+    mkdir -p "$GNUPGHOME" >> "$LOG_FILE" 2>&1
+    chmod 700 "$GNUPGHOME"
+    echo "# keyboxd disabled for SO image signature verification on EL10" > "$GNUPGHOME/common.conf"
+    gpgconf --kill keyboxd gpg-agent >> "$LOG_FILE" 2>&1 || true
+  fi
+
   # Let's make sure we have the public key
   run_check_net_err \
   "curl --retry 5 --retry-delay 60 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \

salt/docker/init.sls

@@ -18,10 +18,18 @@ dockergroup:
 dockerheldpackages:
   pkg.installed:
     - pkgs:
+{% if GLOBALS.os_version|int >= 10 %}
+      # OL10 test path: install latest Docker CE from the public repo (no .el9 builds available)
+      - containerd.io
+      - docker-ce
+      - docker-ce-cli
+      - docker-ce-rootless-extras
+{% else %}
       - containerd.io: 2.2.1-1.el9
       - docker-ce: 3:29.2.1-1.el9
       - docker-ce-cli: 1:29.2.1-1.el9
       - docker-ce-rootless-extras: 29.2.1-1.el9
+{% endif %}
     - hold: True
     - update_holds: True
 

salt/repo/client/init.sls

@@ -1,5 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if GLOBALS.os == 'OEL' %}
+{# OL10 test path uses public repos; skip the SO repo state (which removes public repos and points at /nsm/repo) #}
+{% if GLOBALS.os == 'OEL' and GLOBALS.os_version|int == 9 %}
 include:
   - repo.client.oracle
 {% endif %}

salt/vars/globals.map.jinja

@@ -31,6 +31,7 @@
     'so_model': INIT.GRAINS.get('sosmodel',''),
     'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
     'os': INIT.GRAINS.os,
+    'os_version': INIT.GRAINS.osmajorrelease,
     'os_family': INIT.GRAINS.os_family,
     'application_urls': {},
     'manager_roles': [

setup/so-functions

@@ -903,14 +903,14 @@ detect_cloud() {
 
 detect_os() {
 	title "Detecting Base OS"
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+	if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 		OS=oracle
-		OSVER=9
+		OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 		is_oracle=true
 		is_rpm=true
 		is_supported=true
 	else
-		info "This OS is not supported. Security Onion requires Oracle Linux 9."
+		info "This OS is not supported. Security Onion requires Oracle Linux 9 or 10."
 		fail_setup
 	fi
 
@@ -1783,6 +1783,15 @@ ensure_pyyaml() {
 # - securityonion/salt/salt/minion.defaults.yaml
 
 securityonion_repo() {
+	if [[ "$OSVER" == "10" ]]; then
+		# TEST PATH: Oracle Linux 10 uses the public OL10 + EPEL + Docker CE repos.
+		# Keep the stock /etc/yum.repos.d/* in place, skip the SO mirror and local reposync.
+		gpg_rpm_import
+		logCmd "dnf -y install oracle-epel-release-el10"
+		logCmd "dnf -y config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo"
+		logCmd "dnf repolist"
+		return
+	fi
 	# Remove all the current repos
 	logCmd "dnf -v clean all"
 	logCmd "mkdir -vp /root/oldrepos"
@@ -1877,12 +1886,19 @@ saltify() {
 	info "Installing Salt $SALTVERSION"
 	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
 
+	# Normally Salt packages come from the SO mirror, so -r disables the bootstrap's own repo setup.
+	# On the OL10 test path there is no SO mirror, so let bootstrap configure the public Salt repo.
+	local saltrepoflag="-r"
+	if [[ "$OSVER" == "10" ]]; then
+		saltrepoflag=""
+	fi
+
 	if [[ $waitforstate ]]; then
 		# install all for a manager
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -M -X stable $SALTVERSION" || fail_setup
 	else
 		# just a minion
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -X stable $SALTVERSION" || fail_setup
 	fi
 
 	salt_install_module_deps