

17 Commits

Author SHA1 Message Date
Josh Patterson
810681c92e Merge pull request #15593 from Security-Onion-Solutions/ulimit
set container ulimits to default
2026-03-11 14:40:40 -04:00
Josh Patterson
51f9104d0f set container ulimits to default 2026-03-11 14:37:43 -04:00
Mike Reeves
8da5ed673b Merge pull request #15586 from Security-Onion-Solutions/TOoSmOotH-patch-4
Add support for version 2.4.211 in soup script
2026-03-11 12:16:49 -04:00
Josh Patterson
83ba40b548 Merge pull request #15588 from Security-Onion-Solutions/m0duspwnens-patch-1
clear HOTFIX file
2026-03-11 12:16:21 -04:00
Josh Patterson
7de8528b34 clear HOTFIX file 2026-03-11 12:14:48 -04:00
Mike Reeves
e6bd57e08d Fix conditional check for POSTVERSION 2.4.211 2026-03-11 12:13:05 -04:00
Mike Reeves
06664440ad Add support for version 2.4.211 in soup script 2026-03-11 12:10:28 -04:00
Josh Patterson
bd31f2898b Merge pull request #15584 from Security-Onion-Solutions/hypefix
remove 10T virtual disk limit. URL_BASE to vm hosts file
2026-03-11 11:58:46 -04:00
Josh Patterson
5bf9d92b52 add URL_BASE to vm hosts file 2026-03-11 11:55:42 -04:00
Josh Patterson
48c369ed11 remove 10T limit for virtual disk 2026-03-11 11:55:01 -04:00
Josh Patterson
7fec2d59a7 Merge pull request #15583 from Security-Onion-Solutions/m0duspwnens-patch-1
fix enable/disable suricata pcap
2026-03-11 11:52:53 -04:00
Mike Reeves
a0ad589c3a Merge pull request #15582 from Security-Onion-Solutions/TOoSmOotH-patch-3
Bump version from 2.4.210 to 2.4.211
2026-03-11 11:48:51 -04:00
Mike Reeves
0bd54e2835 Add version 2.4.211 to discussion template 2026-03-11 11:44:57 -04:00
Mike Reeves
58f5c56b72 Bump version from 2.4.210 to 2.4.211 2026-03-11 11:43:42 -04:00
Josh Patterson
6472c610d0 fix enable/disable suricata pcap
suricata pcap can now be enabled/disabled through pcap:enabled grid config / pillar
2026-03-10 11:01:11 -04:00
Mike Reeves
179c1ea7f7 Merge pull request #15570 from Security-Onion-Solutions/TOoSmOotH-patch-1
Add date to HOTFIX file
2026-03-10 10:20:16 -04:00
Mike Reeves
db964cad21 Add date to HOTFIX file 2026-03-10 10:18:25 -04:00
9 changed files with 38 additions and 9 deletions


@@ -35,6 +35,7 @@ body:
- 2.4.200
- 2.4.201
- 2.4.210
- 2.4.211
- Other (please provide detail below)
validations:
required: true

1
HOTFIX

@@ -0,0 +1 @@


@@ -1 +1 @@
2.4.210
2.4.211


@@ -8,5 +8,12 @@
"base": "172.17.0.0/24",
"size": 24
}
]
],
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Soft": 1048576,
"Hard": 1048576
}
}
}
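Review bot: The `default-ulimits` entry is daemon-wide, so every container started by this daemon gets a soft and hard `nofile` limit of 1048576, and nothing on the page records why that value was chosen beyond the commit title. Because this file cannot carry comments, I would state the reason in the commit description or next to the state that deploys the file. A soft limit equal to the hard limit also leaves no headroom to tell normal use from a descriptor leak in a single container; if only some services need the high value, setting it per container and keeping a lower soft default here would contain that better.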


@@ -467,6 +467,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.190 ]] && up_to_2.4.200
[[ "$INSTALLEDVERSION" == 2.4.200 ]] && up_to_2.4.201
[[ "$INSTALLEDVERSION" == 2.4.201 ]] && up_to_2.4.210
[[ "$INSTALLEDVERSION" == 2.4.210 ]] && up_to_2.4.211
true
}
@@ -501,6 +502,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.190 ]] && post_to_2.4.200
[[ "$POSTVERSION" == 2.4.200 ]] && post_to_2.4.201
[[ "$POSTVERSION" == 2.4.201 ]] && post_to_2.4.210
[[ "$POSTVERSION" == 2.4.210 ]] && post_to_2.4.211
true
}
@@ -719,6 +721,11 @@ post_to_2.4.210() {
POSTVERSION=2.4.210
}
post_to_2.4.211() {
echo "Nothing to apply"
POSTVERSION=2.4.211
}
repo_sync() {
echo "Sync the local repo."
su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -1009,6 +1016,12 @@ up_to_2.4.210() {
INSTALLEDVERSION=2.4.210
}
up_to_2.4.211() {
echo "Nothing to do for 2.4.211"
INSTALLEDVERSION=2.4.211
}
add_hydra_pillars() {
mkdir -p /opt/so/saltstack/local/pillar/hydra
touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls


@@ -29,7 +29,11 @@ sool9_{{host}}:
hypervisor_host: {{host ~ "_" ~ role}}
preflight_cmds:
- |
tee -a /etc/hosts <<< "{{ MANAGERIP }} {{ MANAGERHOSTNAME }}"
{%- set hostnames = [MANAGERHOSTNAME] %}
{%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME %}
{%- do hostnames.append(URL_BASE) %}
{%- endif %}
tee -a /etc/hosts <<< "{{ MANAGERIP }} {{ hostnames | join(' ') }}"
- |
timeout 600 bash -c 'trap "echo \"Preflight Check: Failed to establish repo connectivity\"; exit 1" TERM; \
while ! dnf makecache --repoid=securityonion >/dev/null 2>&1; do echo "Preflight Check: Waiting for repo connectivity..."; \
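Review bot: `URL_BASE` is rendered into a double-quoted shell here-string on the `tee -a /etc/hosts` line, so a value containing `$(`, a backtick or a double quote would be interpreted by the shell on the new VM instead of being appended as text. The value appears to come from `GLOBALS.url_base`, which is administrator-set configuration, but the only checks in the hunk are that it is not an IP address and that it differs from `MANAGERHOSTNAME`. I would restrict it to hostname characters before appending, for example `{%- if not (URL_BASE | ipaddr) and URL_BASE != MANAGERHOSTNAME and URL_BASE | regex_match('^([A-Za-z0-9.-]+)$') %}`, and add a Jinja comment saying that the extra name presumably lets the VM resolve the grid URL to the manager. The `preflight_cmds` list continues outside the hunk.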


@@ -14,6 +14,7 @@
{% if 'vrt' in salt['pillar.get']('features', []) %}
{% set HYPERVISORS = salt['pillar.get']('hypervisor:nodes', {} ) %}
{% from 'salt/map.jinja' import SALTVERSION %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if HYPERVISORS %}
cloud_providers:
@@ -34,6 +35,7 @@ cloud_profiles:
MANAGERHOSTNAME: {{ grains.host }}
MANAGERIP: {{ pillar.host.mainip }}
SALTVERSION: {{ SALTVERSION }}
URL_BASE: {{ GLOBALS.url_base }}
- template: jinja
- makedirs: True
{% else %}


@@ -805,11 +805,6 @@ def process_vm_creation(hypervisor_path: str, vm_config: dict) -> None:
mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
{'nsm_size': 'Invalid nsm_size: must be positive integer'})
return
if size > 10000: # 10TB reasonable maximum
log.error("VM: %s - nsm_size %dGB exceeds reasonable maximum (10000GB)", vm_name, size)
mark_invalid_hardware(hypervisor_path, vm_name, vm_config,
{'nsm_size': f'Invalid nsm_size: {size}GB exceeds maximum (10000GB)'})
return
log.debug("VM: %s - nsm_size validated: %dGB", vm_name, size)
except (ValueError, TypeError) as e:
log.error("VM: %s - nsm_size must be a valid integer, got: %s", vm_name, vm_config.get('nsm_size'))


@@ -16,7 +16,13 @@
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'bpf-filter': PCAPBPF|join(" ")}) %}
{% endif %}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
{% set PCAP = salt['pillar.get']('pcap', {'enabled': false}) %}
{% if PCAP.enabled and GLOBALS.role != 'so-import'%}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'yes'}) %}
{% else %}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'enabled': 'no'}) %}
{% endif %}
{# move the items in suricata.pcap into suricata.config.outputs.pcap-log. these items were placed under suricata.config for ease of access in SOC #}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'compression': SURICATAMERGED.pcap.compression}) %}
{% do SURICATAMERGED.config.outputs['pcap-log'].update({'lz4-checksum': SURICATAMERGED.pcap['lz4-checksum']}) %}
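Review bot: With the default `{'enabled': false}` in the `pillar.get` call, a grid whose pillar has no `pcap` key, or has `pcap` without `enabled`, now renders `pcap-log` as `'enabled': 'no'`, whereas the removed line enabled it unconditionally. If no default elsewhere sets `pcap:enabled` (not visible in this hunk), an upgrade would stop Suricata packet capture without any message, a gap that tends to be noticed only when the capture is needed for an investigation. I would add a comment above the `set` stating the default and the `so-import` exclusion, e.g. `{# pcap-log follows pcap:enabled (default off); so-import nodes never write pcap-log #}`, and confirm that the pillar value is a boolean, since a string such as `'false'` is truthy in Jinja. The `if` line also lacks a space before its closing `%}`.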