mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-07-18 23:03:39 +02:00
Compare commits
1
Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
cd8f7f99e3 |
@@ -5,239 +5,53 @@
|
|||||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||||
# Elastic License 2.0.
|
# Elastic License 2.0.
|
||||||
#
|
#
|
||||||
# so-kernel-upgrade — install the UEK8 (6.x) kernel and make it the boot default.
|
# so-kernel-upgrade — switch the boot default to the installed UEK8 (6.x) kernel.
|
||||||
#
|
#
|
||||||
# Security Onion is moving off the EL9 stock kernel (RHCK, 5.14) and UEK7 (5.15) onto UEK8
|
# Security Onion is moving off the EL9 stock kernel / UEK7 (5.x) onto UEK8 (6.x).
|
||||||
# (6.x). Three things have to happen, and the tool has to drive each one:
|
# Installing the kernel-uek-core package adds a UEK8 boot entry but does NOT make it the
|
||||||
|
# default: kernel-install/grubby only auto-promote a new kernel within the running
|
||||||
|
# kernel's flavor lineage, and we're crossing from a 5.x kernel to the new 6.x UEK flavor.
|
||||||
|
# So even with UPDATEDEFAULT=yes and DEFAULTKERNEL=kernel-uek-core the box keeps booting
|
||||||
|
# the old kernel. This tool finds the newest installed 6.x UEK kernel and makes it the
|
||||||
|
# GRUB default via grubby so the next boot comes up on UEK8.
|
||||||
#
|
#
|
||||||
# 1. Populate. The manager mirrors the UEK8 packages into /nsm/kernelrepo via so-repo-sync,
|
# Idempotent: if the UEK8 kernel is already the default it does nothing. It only sets the
|
||||||
# and serves them to the grid over https://<manager>/kernelrepo. Until that sync runs the
|
# boot default; it does NOT reboot — the admin reboots the node on their own schedule.
|
||||||
# repo is valid but EMPTY -- dnf resolves it happily and installs nothing, with no error.
|
|
||||||
# 2. Install. A node on RHCK has no kernel-uek* package at all, so there is nothing for
|
|
||||||
# 'dnf update' to upgrade. A node on UEK7 does have kernel-uek installed, so
|
|
||||||
# 'dnf install kernel-uek' reports "Nothing to do" and exits 0 without installing 6.x.
|
|
||||||
# Both cases need an explicit install of the UEK8 NEVRA.
|
|
||||||
# 3. Boot it. Whether a newly installed UEK8 kernel becomes the boot default depends on the
|
|
||||||
# RUNNING kernel's flavor. kernel-install/grubby (with UPDATEDEFAULT=yes) only auto-promote
|
|
||||||
# within the running kernel's flavor lineage:
|
|
||||||
# - From UEK7 (5.x, kernel-uek) the install stays in the kernel-uek lineage and IS
|
|
||||||
# auto-promoted, so no grubby change is needed -- just make sure the repo is populated
|
|
||||||
# and install UEK8.
|
|
||||||
# - From the stock EL9 kernel (RHCK, 5.14, no UEK) it is a flavor CROSS that is NOT
|
|
||||||
# auto-promoted, so the box keeps booting RHCK until grubby is told otherwise.
|
|
||||||
# This tool inspects the running kernel and only runs 'grubby --set-default' for RHCK.
|
|
||||||
#
|
|
||||||
# Every one of those failure modes is silent by default. This tool handles each case and fails
|
|
||||||
# loudly when it cannot, rather than reporting success while changing nothing.
|
|
||||||
#
|
|
||||||
# Manager vs minion: only the manager owns /nsm/kernelrepo, so only the manager can populate
|
|
||||||
# it. If the repo is empty here, a manager runs so-repo-sync itself; a minion has no way to
|
|
||||||
# fix it and exits non-zero telling the admin to sync the manager first.
|
|
||||||
#
|
|
||||||
# Idempotent: an already-installed, already-default UEK8 kernel is left alone. It only sets
|
|
||||||
# the boot default; it does NOT reboot -- the admin reboots the node on their own schedule.
|
|
||||||
|
|
||||||
. /usr/sbin/so-common
|
|
||||||
|
|
||||||
# Client-side repo id (what dnf enables on this node, from repo/client/oracle.sls) vs the
|
|
||||||
# reposync-side section in repodownload.conf that the manager mirrors from (mirrors the
|
|
||||||
# securityonion/securityonionsync split for the main repo).
|
|
||||||
KERNEL_REPO="securityonionkernel"
|
|
||||||
KERNEL_REPO_SYNC="securityonionkernelsync"
|
|
||||||
KERNEL_PKG="kernel-uek"
|
|
||||||
KERNEL_REPO_DIR="/nsm/kernelrepo"
|
|
||||||
REPOSYNC_CONF="/opt/so/conf/reposync/repodownload.conf"
|
|
||||||
GLOBAL_PILLAR="/opt/so/saltstack/local/pillar/global/soc_global.sls"
|
|
||||||
|
|
||||||
log() { echo "[so-kernel-upgrade] $*"; }
|
log() { echo "[so-kernel-upgrade] $*"; }
|
||||||
die() { echo "[so-kernel-upgrade] ERROR: $*" >&2; exit 1; }
|
|
||||||
|
|
||||||
command -v grubby >/dev/null 2>&1 || die "grubby not found"
|
[ "$(id -u)" -eq 0 ] || { log "must run as root"; exit 1; }
|
||||||
command -v dnf >/dev/null 2>&1 || die "dnf not found"
|
command -v grubby >/dev/null 2>&1 || { log "grubby not found"; exit 1; }
|
||||||
|
|
||||||
ARCH="$(rpm -E '%{_arch}')"
|
|
||||||
|
|
||||||
is_airgap() {
|
|
||||||
[ -f "$GLOBAL_PILLAR" ] && grep -q 'airgap: *[Tt]rue' "$GLOBAL_PILLAR"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Newest installed UEK8 (6.x) kernel known to the bootloader. UEK8 vmlinuz paths look like
|
# Newest installed UEK8 (6.x) kernel known to the bootloader. UEK8 vmlinuz paths look like
|
||||||
# /boot/vmlinuz-6.12.0-204.92.4.2.el9uek.x86_64; UEK7 (5.15) and RHCK (5.14) won't match.
|
# /boot/vmlinuz-6.12.0-203.76.7.5.el9uek.x86_64; the 5.x UEK7 and 5.14 RHCK won't match.
|
||||||
find_uek8() {
|
target="$(grubby --info=ALL 2>/dev/null \
|
||||||
grubby --info=ALL 2>/dev/null \
|
| sed -n 's/^kernel="\(.*\)"$/\1/p' \
|
||||||
| sed -n 's/^kernel="\(.*\)"$/\1/p' \
|
| grep -E '/vmlinuz-6\.[0-9]+.*uek' \
|
||||||
| grep -E '/vmlinuz-6\.[0-9]+.*uek' \
|
| sort -V | tail -1)"
|
||||||
| sort -V | tail -1
|
|
||||||
}
|
|
||||||
|
|
||||||
# Classify the RUNNING kernel (uname -r) -- this, not what's installed, is what decides whether
|
if [ -z "$target" ]; then
|
||||||
# a UEK8 install auto-promotes to the boot default:
|
log "no installed 6.x UEK (UEK8) kernel found — confirm the kernel repo is assigned and"
|
||||||
# uek8 6.x UEK already on the target line; nothing to do
|
log "'dnf update' has installed kernel-uek-core. Nothing to do."
|
||||||
# uek7 5.x UEK a UEK8 install stays in the kernel-uek lineage and auto-promotes (no grubby)
|
|
||||||
# rhck 5.14 EL9 crossing into the UEK flavor does NOT auto-promote (needs grubby --set-default)
|
|
||||||
running_flavor() {
|
|
||||||
case "$(uname -r)" in
|
|
||||||
6.*uek*) echo uek8 ;;
|
|
||||||
*uek*) echo uek7 ;;
|
|
||||||
*) echo rhck ;;
|
|
||||||
esac
|
|
||||||
}
|
|
||||||
|
|
||||||
# Newest UEK8 kernel-uek NEVRA offered by the kernel repo, empty if the repo has none.
|
|
||||||
# Restricted to the kernel repo so a UEK7 kernel-uek in the main repo can't be picked up,
|
|
||||||
# and filtered to 6.x so we never "succeed" by reinstalling the 5.15 we already have.
|
|
||||||
uek8_available() {
|
|
||||||
dnf -q repoquery --disablerepo='*' --enablerepo="$KERNEL_REPO" \
|
|
||||||
--arch="$ARCH" --latest-limit=1 \
|
|
||||||
--qf '%{name}-%{evr}.%{arch}\n' "$KERNEL_PKG" 2>/dev/null \
|
|
||||||
| grep -E "^${KERNEL_PKG}-6\." | tail -1
|
|
||||||
}
|
|
||||||
|
|
||||||
kernelrepo_rpm_count() {
|
|
||||||
find "$KERNEL_REPO_DIR" -maxdepth 1 -name '*.rpm' 2>/dev/null | wc -l
|
|
||||||
}
|
|
||||||
|
|
||||||
# The kernel repo starts life as valid-but-empty (kernelrepo_init_empty in
|
|
||||||
# salt/manager/init.sls) and is filled by so-repo-sync. During a soup, so-repo-sync runs
|
|
||||||
# BEFORE the highstate deploys the [securityonionkernelsync] section into repodownload.conf, so
|
|
||||||
# the first kernel-aware soup leaves the repo empty until the next nightly sync.
|
|
||||||
sync_kernel_repo() {
|
|
||||||
if is_airgap; then
|
|
||||||
log "airgap install: $KERNEL_REPO_DIR is populated from the airgap ISO, not by so-repo-sync."
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
if ! grep -q "^\[${KERNEL_REPO_SYNC}\]" "$REPOSYNC_CONF" 2>/dev/null; then
|
|
||||||
log "$REPOSYNC_CONF has no [${KERNEL_REPO_SYNC}] section -- run a highstate to deploy it."
|
|
||||||
return 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
log "populating $KERNEL_REPO_DIR with so-repo-sync (mirrors upstream; can take several minutes)"
|
|
||||||
su socore -c '/usr/sbin/so-repo-sync' || { log "so-repo-sync failed"; return 1; }
|
|
||||||
|
|
||||||
dnf -q clean expire-cache >/dev/null 2>&1
|
|
||||||
return 0
|
|
||||||
}
|
|
||||||
|
|
||||||
# Make the kernel repo actually able to serve a UEK8 package, or fail trying.
|
|
||||||
ensure_kernel_repo() {
|
|
||||||
# The repo is assigned by the repo.client highstate, and only once NICs are pinned by MAC
|
|
||||||
# (/opt/so/state/nic_names_pinned) so the kernel swap can't renumber interfaces SO binds
|
|
||||||
# by name. skip_if_unavailable=1 means a broken repo is silently ignored, so check first.
|
|
||||||
if ! dnf -q repolist --enabled 2>/dev/null | awk '{print $1}' | grep -qx "$KERNEL_REPO"; then
|
|
||||||
log "repo '$KERNEL_REPO' is not enabled on this node."
|
|
||||||
log "Run a highstate first; the repo is skipped until /opt/so/state/nic_names_pinned"
|
|
||||||
log "exists (run so-nic-pin) and this node's salt matches the version this release ships."
|
|
||||||
die "kernel repo unavailable"
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ -n "$(uek8_available)" ] && return 0
|
|
||||||
|
|
||||||
log "repo '$KERNEL_REPO' is enabled but offers no UEK8 $KERNEL_PKG package"
|
|
||||||
|
|
||||||
if ! is_manager_node; then
|
|
||||||
log "This is a minion; it consumes the kernel repo from the manager and cannot populate it."
|
|
||||||
log "On the manager, run: su socore -c /usr/sbin/so-repo-sync"
|
|
||||||
log "then re-run this script here."
|
|
||||||
die "manager's kernel repo is empty"
|
|
||||||
fi
|
|
||||||
|
|
||||||
log "this is a manager and $KERNEL_REPO_DIR holds $(kernelrepo_rpm_count) rpm(s)"
|
|
||||||
sync_kernel_repo || die "could not populate $KERNEL_REPO_DIR"
|
|
||||||
|
|
||||||
[ -n "$(uek8_available)" ] \
|
|
||||||
|| die "so-repo-sync completed but $KERNEL_REPO still offers no UEK8 $KERNEL_PKG"
|
|
||||||
}
|
|
||||||
|
|
||||||
reboot_notice() {
|
|
||||||
[ "$(uname -r)" = "$(basename "$1" | sed 's/^vmlinuz-//')" ] \
|
|
||||||
|| log "REBOOT REQUIRED to start using the UEK8 kernel (currently running $(uname -r))."
|
|
||||||
}
|
|
||||||
|
|
||||||
# Keep future kernel updates on the UEK line rather than falling back to RHCK. Oracle ships
|
|
||||||
# /etc/sysconfig/kernel; only rewrite it when it's actually pointing somewhere else.
|
|
||||||
set_default_kernel_conf() {
|
|
||||||
if [ -f /etc/sysconfig/kernel ] && ! grep -q '^DEFAULTKERNEL=kernel-uek-core$' /etc/sysconfig/kernel; then
|
|
||||||
log "setting DEFAULTKERNEL=kernel-uek-core in /etc/sysconfig/kernel"
|
|
||||||
sed -i 's/^DEFAULTKERNEL=.*/DEFAULTKERNEL=kernel-uek-core/' /etc/sysconfig/kernel
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Make sure a UEK8 kernel is installed, leaving its boot entry in INSTALLED_UEK8. If one is
|
|
||||||
# already present we leave the repo alone -- it may be disabled or empty and we don't need it
|
|
||||||
# just to flip the boot default. Otherwise install the explicit NEVRA, not the bare package
|
|
||||||
# name: on a UEK7 node 'dnf install kernel-uek' sees 5.15 already present, prints "Nothing to
|
|
||||||
# do" and exits 0 without installing 6.x.
|
|
||||||
ensure_uek8_installed() {
|
|
||||||
INSTALLED_UEK8="$(find_uek8)"
|
|
||||||
if [ -n "$INSTALLED_UEK8" ]; then
|
|
||||||
log "UEK8 kernel already installed: $INSTALLED_UEK8"
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
ensure_kernel_repo
|
|
||||||
local nevra; nevra="$(uek8_available)"
|
|
||||||
log "installing $nevra from $KERNEL_REPO"
|
|
||||||
dnf -y install "$nevra" || die "failed to install $nevra"
|
|
||||||
|
|
||||||
INSTALLED_UEK8="$(find_uek8)"
|
|
||||||
[ -n "$INSTALLED_UEK8" ] || die "$nevra installed but no 6.x UEK boot entry appeared -- check 'grubby --info=ALL'"
|
|
||||||
log "installed UEK8 kernel: $INSTALLED_UEK8"
|
|
||||||
}
|
|
||||||
|
|
||||||
case "$(running_flavor)" in
|
|
||||||
uek8)
|
|
||||||
# Already on the 6.x UEK line. A plain 'dnf update' keeps this node current within the
|
|
||||||
# lineage and auto-promotes newer builds, so there is nothing for this tool to do.
|
|
||||||
log "already running a UEK8 kernel ($(uname -r)); nothing to do."
|
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
fi
|
||||||
|
|
||||||
uek7)
|
current="$(grubby --default-kernel 2>/dev/null)"
|
||||||
# On a 5.x UEK kernel. Installing UEK8 stays inside the kernel-uek lineage, so dnf/grubby
|
if [ "$current" = "$target" ]; then
|
||||||
# (UPDATEDEFAULT=yes) auto-promote it and we do NOT touch grubby. A node still on UEK7
|
log "UEK8 kernel is already the boot default: $target"
|
||||||
# usually means the kernel repo was empty when it last updated, so populate it and install.
|
exit 0
|
||||||
log "running UEK7 kernel ($(uname -r)); the kernel repo was likely not yet populated when"
|
fi
|
||||||
log "this node last updated. Populating it and installing UEK8 -- the update stays on the"
|
|
||||||
log "kernel-uek line, so it becomes the boot default automatically (no grubby change needed)."
|
|
||||||
set_default_kernel_conf
|
|
||||||
ensure_uek8_installed
|
|
||||||
|
|
||||||
now="$(grubby --default-kernel 2>/dev/null)"
|
log "current default kernel: ${current:-unknown}"
|
||||||
if [ "$now" = "$INSTALLED_UEK8" ]; then
|
log "switching boot default to UEK8 kernel: $target"
|
||||||
log "boot default auto-promoted to UEK8 kernel: $INSTALLED_UEK8"
|
grubby --set-default="$target" || { log "ERROR: grubby --set-default failed for $target"; exit 1; }
|
||||||
else
|
|
||||||
log "WARNING: expected the UEK8 kernel to auto-promote but the default is still"
|
|
||||||
log "'${now:-unknown}'. Run 'grubby --set-default=$INSTALLED_UEK8' to force it."
|
|
||||||
fi
|
|
||||||
reboot_notice "$INSTALLED_UEK8"
|
|
||||||
;;
|
|
||||||
|
|
||||||
rhck)
|
# Verify the change actually took before claiming success.
|
||||||
# On the stock EL9 kernel (5.14, no UEK installed). Crossing from RHCK into the UEK flavor
|
now="$(grubby --default-kernel 2>/dev/null)"
|
||||||
# does NOT auto-promote -- kernel-install/grubby only auto-promote within the running
|
if [ "$now" != "$target" ]; then
|
||||||
# kernel's flavor lineage -- so after installing we must set the boot default explicitly.
|
log "ERROR: default kernel is still '${now:-unknown}' after set-default"
|
||||||
log "running stock EL9 (RHCK) kernel ($(uname -r)); installing UEK8 and setting it as the"
|
exit 1
|
||||||
log "boot default explicitly (a RHCK->UEK flavor change does not auto-promote)."
|
fi
|
||||||
set_default_kernel_conf
|
|
||||||
ensure_uek8_installed
|
|
||||||
target="$INSTALLED_UEK8"
|
|
||||||
|
|
||||||
current="$(grubby --default-kernel 2>/dev/null)"
|
log "boot default is now $target"
|
||||||
if [ "$current" = "$target" ]; then
|
log "REBOOT REQUIRED to start using the UEK8 kernel (currently running $(uname -r))."
|
||||||
log "UEK8 kernel is already the boot default: $target"
|
|
||||||
reboot_notice "$target"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
log "current default kernel: ${current:-unknown}"
|
|
||||||
log "switching boot default to UEK8 kernel: $target"
|
|
||||||
grubby --set-default="$target" || die "grubby --set-default failed for $target"
|
|
||||||
|
|
||||||
# Verify the change actually took before claiming success.
|
|
||||||
now="$(grubby --default-kernel 2>/dev/null)"
|
|
||||||
[ "$now" = "$target" ] || die "default kernel is still '${now:-unknown}' after set-default"
|
|
||||||
|
|
||||||
log "boot default is now $target"
|
|
||||||
reboot_notice "$target"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|||||||
@@ -0,0 +1,12 @@
|
|||||||
|
{% macro clear_stale_endpoint(container, network, ipv4, state_id=None) %}
|
||||||
|
{{ container }}_{{ network }}_stale_endpoint:
|
||||||
|
cmd.run:
|
||||||
|
- name: docker network disconnect -f {{ network }} {{ container }} || true
|
||||||
|
- onlyif: docker inspect {{ container }}
|
||||||
|
- unless: >-
|
||||||
|
docker inspect -f
|
||||||
|
'{{ '{{' }} with index .NetworkSettings.Networks "{{ network }}" {{ '}}' }}{{ '{{' }} .IPAMConfig.IPv4Address {{ '}}' }}{{ '{{' }} end {{ '}}' }}'
|
||||||
|
{{ container }} 2>/dev/null | grep -qx '{{ ipv4 }}'
|
||||||
|
- require_in:
|
||||||
|
- docker_container: {{ state_id or container }}
|
||||||
|
{% endmacro %}
|
||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-elastalert', 'sobridge', DOCKERMERGED.containers['so-elastalert'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- elastalert.config
|
- elastalert.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-elastic-fleet-package-registry', 'sobridge', DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- elastic-fleet-package-registry.config
|
- elastic-fleet-package-registry.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-elastic-agent', 'sobridge', DOCKERMERGED.containers['so-elastic-agent'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- ca
|
- ca
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
elasticfleet:
|
elasticfleet:
|
||||||
enabled: False
|
enabled: False
|
||||||
|
patch_version: 9.3.3+build202604082258 # Elastic Agent specific patch release.
|
||||||
enable_manager_output: True
|
enable_manager_output: True
|
||||||
config:
|
config:
|
||||||
server:
|
server:
|
||||||
|
|||||||
@@ -8,6 +8,7 @@
|
|||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
|
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
{# This value is generated during node install and stored in minion pillar #}
|
{# This value is generated during node install and stored in minion pillar #}
|
||||||
{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
|
{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:config:server:es_token','') %}
|
||||||
@@ -43,6 +44,8 @@ elasticagent_syncartifacts:
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if SERVICETOKEN != '' %}
|
{% if SERVICETOKEN != '' %}
|
||||||
|
{{ clear_stale_endpoint('so-elastic-fleet', 'sobridge', DOCKERMERGED.containers['so-elastic-fleet'].ip) }}
|
||||||
|
|
||||||
so-elastic-fleet:
|
so-elastic-fleet:
|
||||||
docker_container.running:
|
docker_container.running:
|
||||||
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
|
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent:{{ GLOBALS.so_version }}
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
"package": {
|
"package": {
|
||||||
"name": "endpoint",
|
"name": "endpoint",
|
||||||
"title": "Elastic Defend",
|
"title": "Elastic Defend",
|
||||||
"version": "9.3.1",
|
"version": "9.3.0",
|
||||||
"requires_root": true
|
"requires_root": true
|
||||||
},
|
},
|
||||||
"enabled": true,
|
"enabled": true,
|
||||||
|
|||||||
@@ -29,7 +29,7 @@
|
|||||||
"\\.gz$"
|
"\\.gz$"
|
||||||
],
|
],
|
||||||
"include_files": [],
|
"include_files": [],
|
||||||
"processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.20.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.8.3\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.20.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.20.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.8.3\n- add_fields:\n target: data_stream\n fields:\n dataset: import",
|
"processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-2.15.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-3.8.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-2.15.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-2.15.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-3.8.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import",
|
||||||
"tags": [
|
"tags": [
|
||||||
"import"
|
"import"
|
||||||
],
|
],
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
elasticsearch:
|
elasticsearch:
|
||||||
enabled: false
|
enabled: false
|
||||||
version: 9.3.7
|
version: 9.3.3
|
||||||
index_clean: true
|
index_clean: true
|
||||||
data_retention_method: DLM
|
data_retention_method: DLM
|
||||||
vm:
|
vm:
|
||||||
|
|||||||
@@ -10,6 +10,9 @@
|
|||||||
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
|
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
|
||||||
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
|
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
|
||||||
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
|
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-elasticsearch', 'sobridge', DOCKERMERGED.containers['so-elasticsearch'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- ca
|
- ca
|
||||||
|
|||||||
+10
-10
@@ -118,70 +118,70 @@
|
|||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_e16851a7",
|
"tag": "pipeline_e16851a7",
|
||||||
"name": "logs-pfsense.log-1.25.4-firewall",
|
"name": "logs-pfsense.log-1.25.2-firewall",
|
||||||
"if": "ctx.event.provider == 'filterlog'"
|
"if": "ctx.event.provider == 'filterlog'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_828590b5",
|
"tag": "pipeline_828590b5",
|
||||||
"name": "logs-pfsense.log-1.25.4-openvpn",
|
"name": "logs-pfsense.log-1.25.2-openvpn",
|
||||||
"if": "ctx.event.provider == 'openvpn'"
|
"if": "ctx.event.provider == 'openvpn'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_9d37039c",
|
"tag": "pipeline_9d37039c",
|
||||||
"name": "logs-pfsense.log-1.25.4-ipsec",
|
"name": "logs-pfsense.log-1.25.2-ipsec",
|
||||||
"if": "ctx.event.provider == 'charon'"
|
"if": "ctx.event.provider == 'charon'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_ad56bbca",
|
"tag": "pipeline_ad56bbca",
|
||||||
"name": "logs-pfsense.log-1.25.4-dhcp",
|
"name": "logs-pfsense.log-1.25.2-dhcp",
|
||||||
"if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\", \"dnsmasq-dhcp\"].contains(ctx.event.provider)"
|
"if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\", \"dnsmasq-dhcp\"].contains(ctx.event.provider)"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_dd85553d",
|
"tag": "pipeline_dd85553d",
|
||||||
"name": "logs-pfsense.log-1.25.4-unbound",
|
"name": "logs-pfsense.log-1.25.2-unbound",
|
||||||
"if": "ctx.event.provider == 'unbound'"
|
"if": "ctx.event.provider == 'unbound'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_720ed255",
|
"tag": "pipeline_720ed255",
|
||||||
"name": "logs-pfsense.log-1.25.4-haproxy",
|
"name": "logs-pfsense.log-1.25.2-haproxy",
|
||||||
"if": "ctx.event.provider == 'haproxy'"
|
"if": "ctx.event.provider == 'haproxy'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_456beba5",
|
"tag": "pipeline_456beba5",
|
||||||
"name": "logs-pfsense.log-1.25.4-php-fpm",
|
"name": "logs-pfsense.log-1.25.2-php-fpm",
|
||||||
"if": "ctx.event.provider == 'php-fpm'"
|
"if": "ctx.event.provider == 'php-fpm'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_a0d89375",
|
"tag": "pipeline_a0d89375",
|
||||||
"name": "logs-pfsense.log-1.25.4-squid",
|
"name": "logs-pfsense.log-1.25.2-squid",
|
||||||
"if": "ctx.event.provider == 'squid'"
|
"if": "ctx.event.provider == 'squid'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag": "pipeline_c2f1ed55",
|
"tag": "pipeline_c2f1ed55",
|
||||||
"name": "logs-pfsense.log-1.25.4-snort",
|
"name": "logs-pfsense.log-1.25.2-snort",
|
||||||
"if": "ctx.event.provider == 'snort'"
|
"if": "ctx.event.provider == 'snort'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"pipeline": {
|
"pipeline": {
|
||||||
"tag":"pipeline_33db1c9e",
|
"tag":"pipeline_33db1c9e",
|
||||||
"name": "logs-pfsense.log-1.25.4-suricata",
|
"name": "logs-pfsense.log-1.25.2-suricata",
|
||||||
"if": "ctx.event.provider == 'suricata'"
|
"if": "ctx.event.provider == 'suricata'"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
@@ -14,6 +14,9 @@
|
|||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% if 'api' in salt['pillar.get']('features', []) %}
|
{% if 'api' in salt['pillar.get']('features', []) %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-hydra', 'sobridge', DOCKERMERGED.containers['so-hydra'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- hydra.config
|
- hydra.config
|
||||||
|
|||||||
@@ -9,6 +9,9 @@
|
|||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
|
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
|
||||||
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
|
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-influxdb', 'sobridge', DOCKERMERGED.containers['so-influxdb'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- influxdb.ssl
|
- influxdb.ssl
|
||||||
|
|||||||
@@ -16,6 +16,9 @@
|
|||||||
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
|
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
|
||||||
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
|
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
|
||||||
{% if 'gmd' in salt['pillar.get']('features', []) %}
|
{% if 'gmd' in salt['pillar.get']('features', []) %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-kafka', 'sobridge', DOCKERMERGED.containers['so-kafka'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- kafka.ca
|
- kafka.ca
|
||||||
|
|||||||
@@ -22,7 +22,7 @@ kibana:
|
|||||||
- default
|
- default
|
||||||
- file
|
- file
|
||||||
migrations:
|
migrations:
|
||||||
discardCorruptObjects: "9.3.7"
|
discardCorruptObjects: "9.3.3"
|
||||||
telemetry:
|
telemetry:
|
||||||
enabled: False
|
enabled: False
|
||||||
xpack:
|
xpack:
|
||||||
|
|||||||
@@ -8,6 +8,9 @@
|
|||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
|
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-kibana', 'sobridge', DOCKERMERGED.containers['so-kibana'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- kibana.config
|
- kibana.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-kratos', 'sobridge', DOCKERMERGED.containers['so-kratos'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- kratos.config
|
- kratos.config
|
||||||
|
|||||||
@@ -10,6 +10,9 @@
|
|||||||
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
|
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
|
||||||
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
|
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
|
||||||
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
|
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-logstash', 'sobridge', DOCKERMERGED.containers['so-logstash'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- ca
|
- ca
|
||||||
|
|||||||
@@ -12,17 +12,7 @@
|
|||||||
UPDATE_DIR=/tmp/sogh/securityonion
|
UPDATE_DIR=/tmp/sogh/securityonion
|
||||||
DEFAULT_SALT_DIR=/opt/so/saltstack/default
|
DEFAULT_SALT_DIR=/opt/so/saltstack/default
|
||||||
INSTALLEDVERSION=$(cat /etc/soversion)
|
INSTALLEDVERSION=$(cat /etc/soversion)
|
||||||
# /etc/sopostversion is a soup-owned marker (no salt state manages it) tracking how
|
POSTVERSION=$INSTALLEDVERSION
|
||||||
# far the post-upgrade walk has progressed. Its presence means a prior upgrade did
|
|
||||||
# not finish its post-upgrade steps; its contents are the resume point. It is read
|
|
||||||
# here before preupgrade_changes mutates INSTALLEDVERSION and before any highstate
|
|
||||||
# stamps /etc/soversion from the pillar.
|
|
||||||
POSTVERSION_FILE=/etc/sopostversion
|
|
||||||
if [ -f "$POSTVERSION_FILE" ]; then
|
|
||||||
POSTVERSION=$(cat "$POSTVERSION_FILE")
|
|
||||||
else
|
|
||||||
POSTVERSION=$INSTALLEDVERSION
|
|
||||||
fi
|
|
||||||
INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
|
INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
|
||||||
BATCHSIZE=5
|
BATCHSIZE=5
|
||||||
SOUP_LOG=/root/soup.log
|
SOUP_LOG=/root/soup.log
|
||||||
@@ -33,10 +23,6 @@ NOTIFYCUSTOMELASTICCONFIG=false
|
|||||||
TOPFILE=/opt/so/saltstack/default/salt/top.sls
|
TOPFILE=/opt/so/saltstack/default/salt/top.sls
|
||||||
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
|
BACKUPTOPFILE=/opt/so/saltstack/default/salt/top.sls.backup
|
||||||
SALTUPGRADED=false
|
SALTUPGRADED=false
|
||||||
# Set true once soup begins modifying the system (past the pre-flight checks), so the
|
|
||||||
# EXIT trap can tell the user the update did not finish and must be re-run. Only the
|
|
||||||
# pre-flight gates (ES compatibility, disk, network) fail before this is set.
|
|
||||||
SOUP_UPGRADE_STARTED=false
|
|
||||||
SALT_CLOUD_INSTALLED=false
|
SALT_CLOUD_INSTALLED=false
|
||||||
SALT_CLOUD_CONFIGURED=false
|
SALT_CLOUD_CONFIGURED=false
|
||||||
# Check if salt-cloud is installed
|
# Check if salt-cloud is installed
|
||||||
@@ -137,28 +123,6 @@ check_err() {
|
|||||||
|
|
||||||
echo "SOUP XTRACE debug log (if enabled) at $SOUP_DEBUG_LOG. Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG"
|
echo "SOUP XTRACE debug log (if enabled) at $SOUP_DEBUG_LOG. Re-run soup with SOUP_DEBUG=1 to create $SOUP_DEBUG_LOG"
|
||||||
|
|
||||||
# If soup had already started modifying the system, make it unmistakable that the
|
|
||||||
# update is incomplete and must be re-run. soup is resumable: a version upgrade
|
|
||||||
# picks up from the /etc/sopostversion marker, and a hotfix re-applies because
|
|
||||||
# /etc/sohotfix is only advanced after a successful highstate.
|
|
||||||
if [[ "$SOUP_UPGRADE_STARTED" == "true" ]]; then
|
|
||||||
echo ""
|
|
||||||
echo "=============================================================================="
|
|
||||||
echo " UPGRADE INCOMPLETE"
|
|
||||||
echo "=============================================================================="
|
|
||||||
echo " This soup run did NOT finish. Your Security Onion installation may be in a"
|
|
||||||
echo " partially-updated state and is not yet fully upgraded."
|
|
||||||
echo ""
|
|
||||||
echo " Review the error above and $SOUP_LOG, resolve the underlying problem, then"
|
|
||||||
echo " run soup again to resume and complete the update:"
|
|
||||||
echo ""
|
|
||||||
echo " sudo soup"
|
|
||||||
echo ""
|
|
||||||
echo " soup is resumable -- re-running it continues from where this run stopped."
|
|
||||||
echo "=============================================================================="
|
|
||||||
echo ""
|
|
||||||
fi
|
|
||||||
|
|
||||||
exit $exit_code
|
exit $exit_code
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -327,30 +291,6 @@ check_pillar_items() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
check_cluster_health() {
|
|
||||||
echo "Checking Elasticsearch cluster health."
|
|
||||||
# Require a 'green' cluster before upgrading; anything less (yellow, red, or
|
|
||||||
# unreachable) blocks. Modeled on the wait used in so-elasticsearch-roles-load.
|
|
||||||
if so-elasticsearch-query "_cluster/health?wait_for_status=green&timeout=120s" --fail > /dev/null 2>&1; then
|
|
||||||
printf "\nThe Elasticsearch cluster is healthy (green). We can proceed with SOUP.\n\n"
|
|
||||||
else
|
|
||||||
printf "\nThe Elasticsearch cluster is not green. Please resolve the cluster health issue so the cluster is green before running SOUP again.\n\n"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_fleet_server() {
|
|
||||||
echo "Checking that Elastic Fleet Server is responding."
|
|
||||||
# Modeled on the wait_for_so-elastic-fleet state check in elasticfleet/enabled.sls,
|
|
||||||
# which waits for HTTP 200 from the Fleet Server status API.
|
|
||||||
if curl -sk --fail --retry 3 --retry-delay 10 --max-time 30 "https://localhost:8220/api/status" > /dev/null 2>&1; then
|
|
||||||
printf "\nElastic Fleet Server is responding. We can proceed with SOUP.\n\n"
|
|
||||||
else
|
|
||||||
printf "\nElastic Fleet Server is not responding at https://localhost:8220/api/status. Please ensure Elastic Fleet is healthy before running SOUP again.\n\n"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
check_saltmaster_status() {
|
check_saltmaster_status() {
|
||||||
set +e
|
set +e
|
||||||
echo "Waiting on the Salt Master service to be ready."
|
echo "Waiting on the Salt Master service to be ready."
|
||||||
@@ -474,13 +414,6 @@ preupgrade_changes() {
|
|||||||
true
|
true
|
||||||
}
|
}
|
||||||
|
|
||||||
set_postversion() {
|
|
||||||
# Persist post-upgrade walk progress so an interrupted upgrade can resume the
|
|
||||||
# remaining steps on the next soup run (see /etc/sopostversion handling).
|
|
||||||
POSTVERSION="$1"
|
|
||||||
echo "$POSTVERSION" > "$POSTVERSION_FILE"
|
|
||||||
}
|
|
||||||
|
|
||||||
postupgrade_changes() {
|
postupgrade_changes() {
|
||||||
# This function is to add any new pillar items if needed.
|
# This function is to add any new pillar items if needed.
|
||||||
echo "Running post upgrade processes."
|
echo "Running post upgrade processes."
|
||||||
@@ -488,8 +421,6 @@ postupgrade_changes() {
|
|||||||
[[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
|
[[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
|
||||||
[[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0
|
[[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0
|
||||||
[[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0
|
[[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0
|
||||||
# All applicable post-upgrade steps completed; clear the resume marker.
|
|
||||||
rm -f "$POSTVERSION_FILE"
|
|
||||||
true
|
true
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -582,7 +513,7 @@ post_to_3.0.0() {
|
|||||||
# convert yes/no in suricata pillars to true/false
|
# convert yes/no in suricata pillars to true/false
|
||||||
convert_suricata_yes_no
|
convert_suricata_yes_no
|
||||||
|
|
||||||
set_postversion 3.0.0
|
POSTVERSION=3.0.0
|
||||||
}
|
}
|
||||||
|
|
||||||
### 3.0.0 End ###
|
### 3.0.0 End ###
|
||||||
@@ -809,6 +740,7 @@ fix_logstash_0013_lumberjack_pipeline_name() {
|
|||||||
up_to_3.1.0() {
|
up_to_3.1.0() {
|
||||||
ensure_postgres_local_pillar
|
ensure_postgres_local_pillar
|
||||||
ensure_postgres_secret
|
ensure_postgres_secret
|
||||||
|
determine_elastic_agent_upgrade
|
||||||
elasticsearch_backup_index_templates
|
elasticsearch_backup_index_templates
|
||||||
# Clear existing component template state file.
|
# Clear existing component template state file.
|
||||||
rm -f /opt/so/state/esfleet_component_templates.json
|
rm -f /opt/so/state/esfleet_component_templates.json
|
||||||
@@ -845,7 +777,7 @@ post_to_3.1.0() {
|
|||||||
# Check for unhealthy / unauthorized integration transform jobs and attempt reauthorizations
|
# Check for unhealthy / unauthorized integration transform jobs and attempt reauthorizations
|
||||||
check_transform_health_and_reauthorize || true
|
check_transform_health_and_reauthorize || true
|
||||||
|
|
||||||
set_postversion 3.1.0
|
POSTVERSION=3.1.0
|
||||||
}
|
}
|
||||||
|
|
||||||
### 3.1.0 End ###
|
### 3.1.0 End ###
|
||||||
@@ -956,9 +888,6 @@ update_kafka_metadata() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
up_to_3.2.0() {
|
up_to_3.2.0() {
|
||||||
# download 9.3.7 elastic agent packages
|
|
||||||
determine_elastic_agent_upgrade
|
|
||||||
|
|
||||||
fix_logstash_0013_lumberjack_pipeline_name
|
fix_logstash_0013_lumberjack_pipeline_name
|
||||||
|
|
||||||
pin_elasticsearch_data_retention_method
|
pin_elasticsearch_data_retention_method
|
||||||
@@ -972,7 +901,7 @@ post_to_3.2.0() {
|
|||||||
|
|
||||||
bootstrap_so_soc_database
|
bootstrap_so_soc_database
|
||||||
|
|
||||||
# Generate 9.3.7 elastic agent installers
|
# Including agent regen script here since it was missed in post_to_3.1.0
|
||||||
echo "Regenerating Elastic Agent Installers"
|
echo "Regenerating Elastic Agent Installers"
|
||||||
/sbin/so-elastic-agent-gen-installers
|
/sbin/so-elastic-agent-gen-installers
|
||||||
|
|
||||||
@@ -980,7 +909,7 @@ post_to_3.2.0() {
|
|||||||
|
|
||||||
update_kafka_metadata "4.3"
|
update_kafka_metadata "4.3"
|
||||||
|
|
||||||
set_postversion 3.2.0
|
POSTVERSION=3.2.0
|
||||||
}
|
}
|
||||||
|
|
||||||
### 3.2.0 End ###
|
### 3.2.0 End ###
|
||||||
@@ -1132,20 +1061,8 @@ upgrade_check() {
|
|||||||
fi
|
fi
|
||||||
[[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
|
[[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
|
||||||
if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
|
if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
|
||||||
# A leftover post-version marker means a previous upgrade to this version
|
|
||||||
# advanced /etc/soversion (the highstate stamps it from the pillar) but did not
|
|
||||||
# finish its post-upgrade steps. Resume the upgrade instead of reporting "latest".
|
|
||||||
if [ -f "$POSTVERSION_FILE" ] && [ "$(cat "$POSTVERSION_FILE")" != "$NEWVERSION" ]; then
|
|
||||||
echo "A previous upgrade to $NEWVERSION did not complete its post-upgrade steps; resuming."
|
|
||||||
is_hotfix=false
|
|
||||||
return 0
|
|
||||||
fi
|
|
||||||
echo "Checking to see if there are hotfixes needed"
|
echo "Checking to see if there are hotfixes needed"
|
||||||
if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
|
if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
|
||||||
# Reaching here means we are at the target version and NOT resuming (the resume
|
|
||||||
# check above returned otherwise). Clear any stale resume marker so a completed
|
|
||||||
# upgrade is never mistaken for a partial one and re-run on a later invocation.
|
|
||||||
rm -f "$POSTVERSION_FILE"
|
|
||||||
echo "You are already running the latest version of Security Onion."
|
echo "You are already running the latest version of Security Onion."
|
||||||
exit 0
|
exit 0
|
||||||
else
|
else
|
||||||
@@ -1257,8 +1174,7 @@ verify_es_version_compatibility() {
|
|||||||
["8.18.4"]="8.18.6 8.18.8 9.0.8"
|
["8.18.4"]="8.18.6 8.18.8 9.0.8"
|
||||||
["8.18.6"]="8.18.8 9.0.8"
|
["8.18.6"]="8.18.8 9.0.8"
|
||||||
["8.18.8"]="9.0.8"
|
["8.18.8"]="9.0.8"
|
||||||
["9.0.8"]="9.3.3 9.3.7"
|
["9.0.8"]="9.3.3"
|
||||||
["9.3.3"]="9.3.7"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
# Elasticsearch MUST upgrade through these versions
|
# Elasticsearch MUST upgrade through these versions
|
||||||
@@ -1841,15 +1757,6 @@ main() {
|
|||||||
set_minionid
|
set_minionid
|
||||||
MINION_ROLE=$(lookup_role)
|
MINION_ROLE=$(lookup_role)
|
||||||
echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
|
echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
|
||||||
# /etc/soversion is stamped to the target version before the upgrade fully
|
|
||||||
# completes, so a lingering resume marker means this grid is only partially
|
|
||||||
# upgraded even though the line above shows the target version. Make that explicit
|
|
||||||
# so it is not mistaken for a finished upgrade.
|
|
||||||
if [ -f "$POSTVERSION_FILE" ] && [ "$(cat "$POSTVERSION_FILE")" != "$INSTALLEDVERSION" ]; then
|
|
||||||
echo ""
|
|
||||||
echo "NOTE: A previous upgrade to $INSTALLEDVERSION did not finish. This grid is"
|
|
||||||
echo " partially upgraded and this soup run will resume and complete it."
|
|
||||||
fi
|
|
||||||
echo ""
|
echo ""
|
||||||
check_minimum_version
|
check_minimum_version
|
||||||
|
|
||||||
@@ -1878,12 +1785,6 @@ main() {
|
|||||||
echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
|
echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
|
||||||
verify_es_version_compatibility
|
verify_es_version_compatibility
|
||||||
|
|
||||||
# Pre-flight health checks: confirm the grid is in a good state before we change
|
|
||||||
# anything. These run before any modifications, so a failure exits cleanly and the
|
|
||||||
# operator can fix the issue and re-run soup.
|
|
||||||
check_cluster_health
|
|
||||||
check_fleet_server
|
|
||||||
|
|
||||||
echo "Checking for Salt Master and Minion updates."
|
echo "Checking for Salt Master and Minion updates."
|
||||||
upgrade_check_salt
|
upgrade_check_salt
|
||||||
set -e
|
set -e
|
||||||
@@ -1900,7 +1801,6 @@ main() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$is_hotfix" == "true" ]; then
|
if [ "$is_hotfix" == "true" ]; then
|
||||||
SOUP_UPGRADE_STARTED=true
|
|
||||||
echo "Applying $HOTFIXVERSION hotfix"
|
echo "Applying $HOTFIXVERSION hotfix"
|
||||||
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
|
# since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
|
||||||
if [[ ! "$MINION_ROLE" == "import" ]]; then
|
if [[ ! "$MINION_ROLE" == "import" ]]; then
|
||||||
@@ -1911,16 +1811,10 @@ main() {
|
|||||||
create_local_directories "/opt/so/saltstack/default"
|
create_local_directories "/opt/so/saltstack/default"
|
||||||
apply_hotfix
|
apply_hotfix
|
||||||
echo "Hotfix applied"
|
echo "Hotfix applied"
|
||||||
|
update_version
|
||||||
enable_highstate
|
enable_highstate
|
||||||
highstate
|
highstate
|
||||||
# Record the hotfix only after the highstate succeeds. /etc/sohotfix is written
|
|
||||||
# solely by soup (no salt state manages it), so deferring the write means a failed
|
|
||||||
# hotfix highstate leaves the old hotfix value and re-running soup re-applies it,
|
|
||||||
# rather than reporting "already latest". The soversion/pillar writes in
|
|
||||||
# update_version are no-ops here since the version is unchanged for a hotfix.
|
|
||||||
update_version
|
|
||||||
else
|
else
|
||||||
SOUP_UPGRADE_STARTED=true
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
|
echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
|
||||||
echo ""
|
echo ""
|
||||||
@@ -1976,10 +1870,6 @@ main() {
|
|||||||
copy_new_files
|
copy_new_files
|
||||||
echo ""
|
echo ""
|
||||||
create_local_directories "/opt/so/saltstack/default"
|
create_local_directories "/opt/so/saltstack/default"
|
||||||
# Seed the resume marker before the highstate stamps /etc/soversion to the new
|
|
||||||
# version, so an interrupted upgrade is detectable as "not finished" on re-run.
|
|
||||||
# POSTVERSION still holds the pre-upgrade (or prior resume) version here.
|
|
||||||
[ -f "$POSTVERSION_FILE" ] || echo "$POSTVERSION" > "$POSTVERSION_FILE"
|
|
||||||
update_version
|
update_version
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
|
|||||||
@@ -8,6 +8,7 @@
|
|||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'nginx/map.jinja' import NGINXMERGED %}
|
{% from 'nginx/map.jinja' import NGINXMERGED %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- nginx.ssl
|
- nginx.ssl
|
||||||
@@ -31,6 +32,8 @@ make-rule-dir-nginx:
|
|||||||
{% set container_config = 'so-nginx-fleet-node' %}
|
{% set container_config = 'so-nginx-fleet-node' %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-nginx', 'sobridge', DOCKERMERGED.containers[container_config].ip) }}
|
||||||
|
|
||||||
so-nginx:
|
so-nginx:
|
||||||
docker_container.running:
|
docker_container.running:
|
||||||
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
|
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
|
||||||
|
|||||||
@@ -399,7 +399,7 @@ http {
|
|||||||
error_page 429 = @error429;
|
error_page 429 = @error429;
|
||||||
|
|
||||||
location @error401 {
|
location @error401 {
|
||||||
if ($request_uri ~* (^.*/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
|
if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
|
||||||
return 401;
|
return 401;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -8,6 +8,9 @@
|
|||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% set SO_POSTGRES_USER = salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres') %}
|
{% set SO_POSTGRES_USER = salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres') %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-postgres', 'sobridge', DOCKERMERGED.containers['so-postgres'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- postgres.auth
|
- postgres.auth
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-redis', 'sobridge', DOCKERMERGED.containers['so-redis'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- ca
|
- ca
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-dockerregistry', 'sobridge', DOCKERMERGED.containers['so-dockerregistry'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- registry.ssl
|
- registry.ssl
|
||||||
|
|||||||
@@ -10,6 +10,9 @@
|
|||||||
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
|
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
|
||||||
{% from 'soc/merged.map.jinja' import SOCMERGED %}
|
{% from 'soc/merged.map.jinja' import SOCMERGED %}
|
||||||
|
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
{{ clear_stale_endpoint('so-soc', 'sobridge', DOCKERMERGED.containers['so-soc'].ip) }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- ca
|
- ca
|
||||||
- soc.config
|
- soc.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-strelka-backend', 'sobridge', DOCKERMERGED.containers['so-strelka-backend'].ip, state_id='strelka_backend') }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- strelka.backend.config
|
- strelka.backend.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-strelka-coordinator', 'sobridge', DOCKERMERGED.containers['so-strelka-coordinator'].ip, state_id='strelka_coordinator') }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- strelka.coordinator.config
|
- strelka.coordinator.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-strelka-filestream', 'sobridge', DOCKERMERGED.containers['so-strelka-filestream'].ip, state_id='strelka_filestream') }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- strelka.filestream.config
|
- strelka.filestream.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-strelka-frontend', 'sobridge', DOCKERMERGED.containers['so-strelka-frontend'].ip, state_id='strelka_frontend') }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- strelka.frontend.config
|
- strelka.frontend.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-strelka-gatekeeper', 'sobridge', DOCKERMERGED.containers['so-strelka-gatekeeper'].ip, state_id='strelka_gatekeeper') }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- strelka.gatekeeper.config
|
- strelka.gatekeeper.config
|
||||||
|
|||||||
@@ -7,6 +7,9 @@
|
|||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
{% from 'docker/macros/docker_endpoint.jinja' import clear_stale_endpoint %}
|
||||||
|
|
||||||
|
{{ clear_stale_endpoint('so-strelka-manager', 'sobridge', DOCKERMERGED.containers['so-strelka-manager'].ip, state_id='strelka_manager') }}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- strelka.manager.config
|
- strelka.manager.config
|
||||||
|
|||||||
Reference in New Issue
Block a user