drop postgres module from soc defaults injection

The soc binary on 3/dev does not register a postgres module, so injecting postgres into soc.config.server.modules makes soc abort at launch with 'Module does not exist: postgres'. The soc-side module is staged on feature/postgres but is not landing this release. Drop the injection until the module ships; salt/postgres state and pillars are unchanged.
Merge pull request #15838 from Security-Onion-Solutions/fix/docker-refresh-multiarch-pull
2026-05-09 12:52:38 +02:00 · 2026-04-28 15:46:56 -04:00 · 2026-04-28 15:14:27 -04:00 · 2026-04-28 14:54:25 -04:00 · 2026-04-28 14:49:02 -04:00 · 2026-04-28 13:47:55 -05:00
5 changed files with 28 additions and 31 deletions
@@ -192,8 +192,21 @@ update_docker_containers() {
          echo "Unable to tag $image" >> "$LOG_FILE" 2>&1
          exit 1
        }
-        docker push $HOSTNAME:5000/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 || {
+        # Push to the embedded registry via a registry-to-registry copy. Avoids
-          echo "Unable to push $image" >> "$LOG_FILE" 2>&1 
+        # `docker push`, which on Docker 29.x with the containerd image store
        # represents freshly-pulled images as an index whose layer content
        # isn't reachable through the push path. The local `docker tag` above
        # is preserved so so-image-pull's `:5000` existence check still works.
        # Pin to the digest already gpg-verified above so we copy exactly the
        # bytes we approved.
        local VERIFIED_REF
        VERIFIED_REF=$(echo "$DOCKERINSPECT" | jq -r ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" | head -n 1)
        if [ -z "$VERIFIED_REF" ] || [ "$VERIFIED_REF" = "null" ]; then
          echo "Unable to determine verified digest for $image" >> "$LOG_FILE" 2>&1
          exit 1
        fi
        docker buildx imagetools create --tag $HOSTNAME:5000/$IMAGEREPO/$image "$VERIFIED_REF" >> "$LOG_FILE" 2>&1 || {
          echo "Unable to copy $image to embedded registry" >> "$LOG_FILE" 2>&1
          exit 1
        }
      fi
@@ -235,6 +235,16 @@ function update_kafka_outputs() {
 {% endif %}
 # Compare the current Elastic Fleet certificate against what is on disk
 POLICY_CERT_SHA=$(jq -r '.item.ssl.certificate' <<< $RAW_JSON | openssl x509 -noout -sha256 -fingerprint)
 DISK_CERT_SHA=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -noout -sha256 -fingerprint)
 if [[ "$POLICY_CERT_SHA" != "$DISK_CERT_SHA" ]]; then
    printf "Certificate on disk doesn't match certificate in policy - forcing update\n"
    UPDATE_CERTS=true
    FORCE_UPDATE=true
 fi
 # Sort & hash the new list of Logstash Outputs
 NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
 NEW_HASH=$(sha256sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
@@ -24,11 +24,6 @@
 {% do SOCDEFAULTS.soc.config.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
 {% if GLOBALS.postgres is defined and GLOBALS.postgres.auth is defined %}
 {%   set PG_ADMIN_PASS = salt['pillar.get']('secrets:postgres_pass', '') %}
 {% do SOCDEFAULTS.soc.config.server.modules.update({'postgres': {'hostUrl': GLOBALS.manager_ip, 'port': 5432, 'username': GLOBALS.postgres.auth.users.so_postgres_user.user, 'password': GLOBALS.postgres.auth.users.so_postgres_user.pass, 'adminUser': 'postgres', 'adminPassword': PG_ADMIN_PASS, 'dbname': 'securityonion', 'sslMode': 'require', 'assistantEnabled': true, 'esHostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':9200', 'esUsername': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'esPassword': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass, 'esVerifyCert': false}}) %}
 {% endif %}
 {% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %}
 {% do SOCDEFAULTS.soc.config.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %}
 {% for tool in SOCDEFAULTS.soc.config.server.client.tools %}
@@ -1701,24 +1701,6 @@ remove_package() {
 	fi
 }
 ensure_pyyaml() {
 	title "Ensuring python3-pyyaml is installed"
 	if rpm -q python3-pyyaml >/dev/null 2>&1; then
 		info "python3-pyyaml already installed"
 		return 0
 	fi
 	info "python3-pyyaml not found, attempting to install"
 	set -o pipefail
 	dnf -y install python3-pyyaml 2>&1 | tee -a "$setup_log"
 	local result=$?
 	set +o pipefail
 	if [[ $result -ne 0 ]] || ! rpm -q python3-pyyaml >/dev/null 2>&1; then
 		error "Failed to install python3-pyyaml (exit=$result)"
 		fail_setup
 	fi
 	info "python3-pyyaml installed successfully"
 }
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml
 # CAUTION! SALT VERSION UDDATES - READ BELOW
 # When updating the salt version, also update the version in:
@@ -66,9 +66,6 @@ set_timezone
 # Let's see what OS we are dealing with here
 detect_os
 # Ensure python3-pyyaml is available before any code that may need so-yaml/PyYAML
 ensure_pyyaml
 # Check to see if this is the setup type of "desktop".
 is_desktop=
Author	SHA1	Message	Date
Mike Reeves	2dcded6cca	drop postgres module from soc defaults injection The soc binary on 3/dev does not register a postgres module, so injecting postgres into soc.config.server.modules makes soc abort at launch with 'Module does not exist: postgres'. The soc-side module is staged on feature/postgres but is not landing this release. Drop the injection until the module ships; salt/postgres state and pillars are unchanged.	2026-04-28 15:46:56 -04:00
Mike Reeves	8ca59e6f0c	Merge pull request #15838 from Security-Onion-Solutions/fix/docker-refresh-multiarch-pull Fix/docker refresh multiarch pull	2026-04-28 15:14:27 -04:00
Mike Reeves	82dac82d15	drop platform/digest pull resolution The digest-pull logic was added to make `docker push` work for multi-arch upstream tags. Now that the push step is `docker buildx imagetools create` pinned to the gpg-verified RepoDigest, the registry-to-registry copy handles single- and multi-arch sources without help. Reverts the pull back to the original line and removes the unused PLATFORM_OS/_ARCH detection.	2026-04-28 14:54:25 -04:00
Mike Reeves	288a823edf	push images via buildx imagetools create Replaces `docker push` with a registry-to-registry copy. On Docker 29.x with the containerd image store, `docker push` of a freshly-pulled image hits a path that wraps single-platform manifests in a synthetic index and then can't push the layers it claims to reference, producing `NotFound: content digest ...` even when the image is fully present. Keep the local `docker tag` so so-image-pull's `docker images \| grep :5000` existence check continues to work.	2026-04-28 14:49:02 -04:00
Jorge Reyes	f9e3d30a71	Merge pull request #15837 from Security-Onion-Solutions/reyesj2/elastic-fleet-cert-check check current fleet policy cert against cert on disk	2026-04-28 13:47:55 -05:00
reyesj2	9cec79b299	check current fleet policy cert against cert on disk Co-authored-by: Copilot <copilot@github.com>	2026-04-28 13:34:39 -05:00
Mike Reeves	c86399327b	fix so-docker-refresh push for multi-arch source images docker pull of a multi-arch tag on Docker 29.x leaves the local tag pointing at the image index rather than the platform-specific manifest. The subsequent docker push then tries to push every sub-manifest the index references and fails on layers we never fetched. Resolve the local-platform manifest digest from the upstream index via docker buildx imagetools inspect, pull by that digest, and re-tag locally to the canonical tag. The signing flow and the existing tag/push to the embedded registry are unchanged.	2026-04-28 14:27:59 -04:00