mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 9cec79b299 |
@@ -192,21 +192,8 @@ update_docker_containers() {
|
|||||||
echo "Unable to tag $image" >> "$LOG_FILE" 2>&1
|
echo "Unable to tag $image" >> "$LOG_FILE" 2>&1
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
# Push to the embedded registry via a registry-to-registry copy. Avoids
|
docker push $HOSTNAME:5000/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 || {
|
||||||
# `docker push`, which on Docker 29.x with the containerd image store
|
echo "Unable to push $image" >> "$LOG_FILE" 2>&1
|
||||||
# represents freshly-pulled images as an index whose layer content
|
|
||||||
# isn't reachable through the push path. The local `docker tag` above
|
|
||||||
# is preserved so so-image-pull's `:5000` existence check still works.
|
|
||||||
# Pin to the digest already gpg-verified above so we copy exactly the
|
|
||||||
# bytes we approved.
|
|
||||||
local VERIFIED_REF
|
|
||||||
VERIFIED_REF=$(echo "$DOCKERINSPECT" | jq -r ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" | head -n 1)
|
|
||||||
if [ -z "$VERIFIED_REF" ] || [ "$VERIFIED_REF" = "null" ]; then
|
|
||||||
echo "Unable to determine verified digest for $image" >> "$LOG_FILE" 2>&1
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
docker buildx imagetools create --tag $HOSTNAME:5000/$IMAGEREPO/$image "$VERIFIED_REF" >> "$LOG_FILE" 2>&1 || {
|
|
||||||
echo "Unable to copy $image to embedded registry" >> "$LOG_FILE" 2>&1
|
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
fi
|
fi
|
||||||
|
|||||||
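Review bot: The restored `docker push $HOSTNAME:5000/$IMAGEREPO/$image` publishes whatever the local tag resolves to at push time, so the link to the gpg-verified digest now depends entirely on the `docker tag` call above it. That call's source reference is outside this hunk, and it is worth confirming that it tags from the verified digest or image ID rather than from a mutable tag. The reference is also unquoted; `docker push "$HOSTNAME:5000/$IMAGEREPO/$image" >> "$LOG_FILE" 2>&1 || {` avoids word splitting if any component is empty or contains whitespace. The removed comment described a push problem on Docker 29.x with the containerd image store, so a short comment above the push, e.g. `# NOTE: docker push was reported to fail on Docker 29.x with the containerd image store`, would keep that knowledge beside the call. update_docker_containers starts and ends outside the hunk.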
@@ -235,6 +235,16 @@ function update_kafka_outputs() {
|
|||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
# Compare the current Elastic Fleet certificate against what is on disk
|
||||||
|
POLICY_CERT_SHA=$(jq -r '.item.ssl.certificate' <<< $RAW_JSON | openssl x509 -noout -sha256 -fingerprint)
|
||||||
|
DISK_CERT_SHA=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -noout -sha256 -fingerprint)
|
||||||
|
|
||||||
|
if [[ "$POLICY_CERT_SHA" != "$DISK_CERT_SHA" ]]; then
|
||||||
|
printf "Certificate on disk doesn't match certificate in policy - forcing update\n"
|
||||||
|
UPDATE_CERTS=true
|
||||||
|
FORCE_UPDATE=true
|
||||||
|
fi
|
||||||
|
|
||||||
# Sort & hash the new list of Logstash Outputs
|
# Sort & hash the new list of Logstash Outputs
|
||||||
NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
|
NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
|
||||||
NEW_HASH=$(sha256sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
|
NEW_HASH=$(sha256sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
|
||||||
|
|||||||
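Review bot: The fingerprint comparison fails open, because if both `openssl x509` calls fail (for example an empty or `null` `.item.ssl.certificate` and a missing `/etc/pki/elasticfleet-logstash.crt`), `POLICY_CERT_SHA` and `DISK_CERT_SHA` are both empty and the `!=` test treats them as a match. Adding an emptiness guard closes that gap: `if [[ -z "$POLICY_CERT_SHA" || -z "$DISK_CERT_SHA" || "$POLICY_CERT_SHA" != "$DISK_CERT_SHA" ]]; then`. Whether an unreadable certificate should force an update or abort with an error depends on code outside the hunk, but it should not pass silently. The here-string is also unquoted; `<<< "$RAW_JSON"` keeps the JSON intact on older bash versions. update_kafka_outputs starts and ends outside the hunk.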