mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-07-15 21:34:46 +02:00
Compare commits
1
Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
58672a0743 |
@@ -111,17 +111,6 @@ so-elastic-fleet:
|
|||||||
- file: eastatedir
|
- file: eastatedir
|
||||||
- x509: etc_elasticfleet_key
|
- x509: etc_elasticfleet_key
|
||||||
- x509: etc_elasticfleet_crt
|
- x509: etc_elasticfleet_crt
|
||||||
|
|
||||||
wait_for_so-elastic-fleet:
|
|
||||||
http.wait_for_successful_query:
|
|
||||||
- name: "https://localhost:8220/api/status"
|
|
||||||
- ssl: True
|
|
||||||
- verify_ssl: False
|
|
||||||
- status: 200
|
|
||||||
- wait_for: 300
|
|
||||||
- request_interval: 15
|
|
||||||
- require:
|
|
||||||
- docker_container: so-elastic-fleet
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
delete_so-elastic-fleet_so-status.disabled:
|
delete_so-elastic-fleet_so-status.disabled:
|
||||||
|
|||||||
@@ -12,17 +12,7 @@
|
|||||||
UPDATE_DIR=/tmp/sogh/securityonion
|
UPDATE_DIR=/tmp/sogh/securityonion
|
||||||
DEFAULT_SALT_DIR=/opt/so/saltstack/default
|
DEFAULT_SALT_DIR=/opt/so/saltstack/default
|
||||||
INSTALLEDVERSION=$(cat /etc/soversion)
|
INSTALLEDVERSION=$(cat /etc/soversion)
|
||||||
# /etc/sopostversion is a soup-owned marker (no salt state manages it) tracking how
|
POSTVERSION=$INSTALLEDVERSION
|
||||||
# far the post-upgrade walk has progressed. Its presence means a prior upgrade did
|
|
||||||
# not finish its post-upgrade steps; its contents are the resume point. It is read
|
|
||||||
# here before preupgrade_changes mutates INSTALLEDVERSION and before any highstate
|
|
||||||
# stamps /etc/soversion from the pillar.
|
|
||||||
POSTVERSION_FILE=/etc/sopostversion
|
|
||||||
if [ -f "$POSTVERSION_FILE" ]; then
|
|
||||||
POSTVERSION=$(cat "$POSTVERSION_FILE")
|
|
||||||
else
|
|
||||||
POSTVERSION=$INSTALLEDVERSION
|
|
||||||
fi
|
|
||||||
INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
|
INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
|
||||||
BATCHSIZE=5
|
BATCHSIZE=5
|
||||||
SOUP_LOG=/root/soup.log
|
SOUP_LOG=/root/soup.log
|
||||||
@@ -33,10 +23,6 @@ NOTIFYCUSTOMELASTICCONFIG=false
|
|||||||
TOPFILE=/opt/so/saltstack/default/salt/top.sls
|
TOPFILE=/opt/so/saltstack/default/salt/top.sls
|
||||||
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
|
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
|
||||||
SALTUPGRADED=false
|
SALTUPGRADED=false
|
||||||
# Set true once soup begins modifying the system (past the pre-flight checks), so the
|
|
||||||
# EXIT trap can tell the user the update did not finish and must be re-run. Only the
|
|
||||||
# pre-flight gates (ES compatibility, disk, network) fail before this is set.
|
|
||||||
SOUP_UPGRADE_STARTED=false
|
|
||||||
SALT_CLOUD_INSTALLED=false
|
SALT_CLOUD_INSTALLED=false
|
||||||
SALT_CLOUD_CONFIGURED=false
|
SALT_CLOUD_CONFIGURED=false
|
||||||
# Check if salt-cloud is installed
|
# Check if salt-cloud is installed
|
||||||
@@ -137,28 +123,6 @@ check_err() {
|
|||||||
|
|
||||||
echo "SOUP XTRACE debug log (if enabled) at $SOUP_DEBUG_LOG. Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG"
|
echo "SOUP XTRACE debug log (if enabled) at $SOUP_DEBUG_LOG. Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG"
|
||||||
|
|
||||||
# If soup had already started modifying the system, make it unmistakable that the
|
|
||||||
# update is incomplete and must be re-run. soup is resumable: a version upgrade
|
|
||||||
# picks up from the /etc/sopostversion marker, and a hotfix re-applies because
|
|
||||||
# /etc/sohotfix is only advanced after a successful highstate.
|
|
||||||
if [[ "$SOUP_UPGRADE_STARTED" == "true" ]]; then
|
|
||||||
echo ""
|
|
||||||
echo "=============================================================================="
|
|
||||||
echo " UPGRADE INCOMPLETE"
|
|
||||||
echo "=============================================================================="
|
|
||||||
echo " This soup run did NOT finish. Your Security Onion installation may be in a"
|
|
||||||
echo " partially-updated state and is not yet fully upgraded."
|
|
||||||
echo ""
|
|
||||||
echo " Review the error above and $SOUP_LOG, resolve the underlying problem, then"
|
|
||||||
echo " run soup again to resume and complete the update:"
|
|
||||||
echo ""
|
|
||||||
echo " sudo soup"
|
|
||||||
echo ""
|
|
||||||
echo " soup is resumable -- re-running it continues from where this run stopped."
|
|
||||||
echo "=============================================================================="
|
|
||||||
echo ""
|
|
||||||
fi
|
|
||||||
|
|
||||||
exit $exit_code
|
exit $exit_code
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -327,30 +291,6 @@ check_pillar_items() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_cluster_health() {
|
|
||||||
echo "Checking Elasticsearch cluster health."
|
|
||||||
# Require a 'green' cluster before upgrading; anything less (yellow, red, or
|
|
||||||
# unreachable) blocks. Modeled on the wait used in so-elasticsearch-roles-load.
|
|
||||||
if so-elasticsearch-query "_cluster/health?wait_for_status=green&timeout=120s" --fail > /dev/null 2>&1; then
|
|
||||||
printf "\nThe Elasticsearch cluster is healthy (green). We can proceed with SOUP.\n\n"
|
|
||||||
else
|
|
||||||
printf "\nThe Elasticsearch cluster is not green. Please resolve the cluster health issue so the cluster is green before running SOUP again.\n\n"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_fleet_server() {
|
|
||||||
echo "Checking that Elastic Fleet Server is responding."
|
|
||||||
# Modeled on the wait_for_so-elastic-fleet state check in elasticfleet/enabled.sls,
|
|
||||||
# which waits for HTTP 200 from the Fleet Server status API.
|
|
||||||
if curl -sk --fail --retry 3 --retry-delay 10 --max-time 30 "https://localhost:8220/api/status" > /dev/null 2>&1; then
|
|
||||||
printf "\nElastic Fleet Server is responding. We can proceed with SOUP.\n\n"
|
|
||||||
else
|
|
||||||
printf "\nElastic Fleet Server is not responding at https://localhost:8220/api/status. Please ensure Elastic Fleet is healthy before running SOUP again.\n\n"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_saltmaster_status() {
|
check_saltmaster_status() {
|
||||||
set +e
|
set +e
|
||||||
echo "Waiting on the Salt Master service to be ready."
|
echo "Waiting on the Salt Master service to be ready."
|
||||||
@@ -474,13 +414,6 @@ preupgrade_changes() {
|
|||||||
true
|
true
|
||||||
}
|
}
|
||||||
|
|
||||||
set_postversion() {
|
|
||||||
# Persist post-upgrade walk progress so an interrupted upgrade can resume the
|
|
||||||
# remaining steps on the next soup run (see /etc/sopostversion handling).
|
|
||||||
POSTVERSION="$1"
|
|
||||||
echo "$POSTVERSION" > "$POSTVERSION_FILE"
|
|
||||||
}
|
|
||||||
|
|
||||||
postupgrade_changes() {
|
postupgrade_changes() {
|
||||||
# This function is to add any new pillar items if needed.
|
# This function is to add any new pillar items if needed.
|
||||||
echo "Running post upgrade processes."
|
echo "Running post upgrade processes."
|
||||||
@@ -488,8 +421,6 @@ postupgrade_changes() {
|
|||||||
[[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
|
[[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
|
||||||
[[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0
|
[[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0
|
||||||
[[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0
|
[[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0
|
||||||
# All applicable post-upgrade steps completed; clear the resume marker.
|
|
||||||
rm -f "$POSTVERSION_FILE"
|
|
||||||
true
|
true
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -582,7 +513,7 @@ post_to_3.0.0() {
|
|||||||
# convert yes/no in suricata pillars to true/false
|
# convert yes/no in suricata pillars to true/false
|
||||||
convert_suricata_yes_no
|
convert_suricata_yes_no
|
||||||
|
|
||||||
set_postversion 3.0.0
|
POSTVERSION=3.0.0
|
||||||
}
|
}
|
||||||
|
|
||||||
### 3.0.0 End ###
|
### 3.0.0 End ###
|
||||||
@@ -845,7 +776,7 @@ post_to_3.1.0() {
|
|||||||
# Check for unhealthy / unauthorized integration transform jobs and attempt reauthorizations
|
# Check for unhealthy / unauthorized integration transform jobs and attempt reauthorizations
|
||||||
check_transform_health_and_reauthorize || true
|
check_transform_health_and_reauthorize || true
|
||||||
|
|
||||||
set_postversion 3.1.0
|
POSTVERSION=3.1.0
|
||||||
}
|
}
|
||||||
|
|
||||||
### 3.1.0 End ###
|
### 3.1.0 End ###
|
||||||
@@ -980,7 +911,7 @@ post_to_3.2.0() {
|
|||||||
|
|
||||||
update_kafka_metadata "4.3"
|
update_kafka_metadata "4.3"
|
||||||
|
|
||||||
set_postversion 3.2.0
|
POSTVERSION=3.2.0
|
||||||
}
|
}
|
||||||
|
|
||||||
### 3.2.0 End ###
|
### 3.2.0 End ###
|
||||||
@@ -1132,20 +1063,8 @@ upgrade_check() {
|
|||||||
fi
|
fi
|
||||||
[[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
|
[[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
|
||||||
if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
|
if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
|
||||||
# A leftover post-version marker means a previous upgrade to this version
|
|
||||||
# advanced /etc/soversion (the highstate stamps it from the pillar) but did not
|
|
||||||
# finish its post-upgrade steps. Resume the upgrade instead of reporting "latest".
|
|
||||||
if [ -f "$POSTVERSION_FILE" ] && [ "$(cat "$POSTVERSION_FILE")" != "$NEWVERSION" ]; then
|
|
||||||
echo "A previous upgrade to $NEWVERSION did not complete its post-upgrade steps; resuming."
|
|
||||||
is_hotfix=false
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
echo "Checking to see if there are hotfixes needed"
|
echo "Checking to see if there are hotfixes needed"
|
||||||
if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
|
if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
|
||||||
# Reaching here means we are at the target version and NOT resuming (the resume
|
|
||||||
# check above returned otherwise). Clear any stale resume marker so a completed
|
|
||||||
# upgrade is never mistaken for a partial one and re-run on a later invocation.
|
|
||||||
rm -f "$POSTVERSION_FILE"
|
|
||||||
echo "You are already running the latest version of Security Onion."
|
echo "You are already running the latest version of Security Onion."
|
||||||
exit 0
|
exit 0
|
||||||
else
|
else
|
||||||
@@ -1841,15 +1760,6 @@ main() {
|
|||||||
set_minionid
|
set_minionid
|
||||||
MINION_ROLE=$(lookup_role)
|
MINION_ROLE=$(lookup_role)
|
||||||
echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
|
echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
|
||||||
# /etc/soversion is stamped to the target version before the upgrade fully
|
|
||||||
# completes, so a lingering resume marker means this grid is only partially
|
|
||||||
# upgraded even though the line above shows the target version. Make that explicit
|
|
||||||
# so it is not mistaken for a finished upgrade.
|
|
||||||
if [ -f "$POSTVERSION_FILE" ] && [ "$(cat "$POSTVERSION_FILE")" != "$INSTALLEDVERSION" ]; then
|
|
||||||
echo ""
|
|
||||||
echo "NOTE: A previous upgrade to $INSTALLEDVERSION did not finish. This grid is"
|
|
||||||
echo " partially upgraded and this soup run will resume and complete it."
|
|
||||||
fi
|
|
||||||
echo ""
|
echo ""
|
||||||
check_minimum_version
|
check_minimum_version
|
||||||
|
|
||||||
@@ -1878,12 +1788,6 @@ main() {
|
|||||||
echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
|
echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
|
||||||
verify_es_version_compatibility
|
verify_es_version_compatibility
|
||||||
|
|
||||||
# Pre-flight health checks: confirm the grid is in a good state before we change
|
|
||||||
# anything. These run before any modifications, so a failure exits cleanly and the
|
|
||||||
# operator can fix the issue and re-run soup.
|
|
||||||
check_cluster_health
|
|
||||||
check_fleet_server
|
|
||||||
|
|
||||||
echo "Checking for Salt Master and Minion updates."
|
echo "Checking for Salt Master and Minion updates."
|
||||||
upgrade_check_salt
|
upgrade_check_salt
|
||||||
set -e
|
set -e
|
||||||
@@ -1900,7 +1804,6 @@ main() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$is_hotfix" == "true" ]; then
|
if [ "$is_hotfix" == "true" ]; then
|
||||||
SOUP_UPGRADE_STARTED=true
|
|
||||||
echo "Applying $HOTFIXVERSION hotfix"
|
echo "Applying $HOTFIXVERSION hotfix"
|
||||||
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
|
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
|
||||||
if [[ ! "$MINION_ROLE" == "import" ]]; then
|
if [[ ! "$MINION_ROLE" == "import" ]]; then
|
||||||
@@ -1911,16 +1814,10 @@ main() {
|
|||||||
create_local_directories "/opt/so/saltstack/default"
|
create_local_directories "/opt/so/saltstack/default"
|
||||||
apply_hotfix
|
apply_hotfix
|
||||||
echo "Hotfix applied"
|
echo "Hotfix applied"
|
||||||
|
update_version
|
||||||
enable_highstate
|
enable_highstate
|
||||||
highstate
|
highstate
|
||||||
# Record the hotfix only after the highstate succeeds. /etc/sohotfix is written
|
|
||||||
# solely by soup (no salt state manages it), so deferring the write means a failed
|
|
||||||
# hotfix highstate leaves the old hotfix value and re-running soup re-applies it,
|
|
||||||
# rather than reporting "already latest". The soversion/pillar writes in
|
|
||||||
# update_version are no-ops here since the version is unchanged for a hotfix.
|
|
||||||
update_version
|
|
||||||
else
|
else
|
||||||
SOUP_UPGRADE_STARTED=true
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
|
echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
|
||||||
echo ""
|
echo ""
|
||||||
@@ -1976,10 +1873,6 @@ main() {
|
|||||||
copy_new_files
|
copy_new_files
|
||||||
echo ""
|
echo ""
|
||||||
create_local_directories "/opt/so/saltstack/default"
|
create_local_directories "/opt/so/saltstack/default"
|
||||||
# Seed the resume marker before the highstate stamps /etc/soversion to the new
|
|
||||||
# version, so an interrupted upgrade is detectable as "not finished" on re-run.
|
|
||||||
# POSTVERSION still holds the pre-upgrade (or prior resume) version here.
|
|
||||||
[ -f "$POSTVERSION_FILE" ] || echo "$POSTVERSION" > "$POSTVERSION_FILE"
|
|
||||||
update_version
|
update_version
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
|
|||||||
Reference in New Issue
Block a user