ja4plus nest enabled under ja4plus key for defaults

ja4plus cleanup
2026-03-23 21:12:39 +01:00 · 2026-03-19 12:39:37 -04:00 · 2026-03-19 11:12:24 -04:00 · 2026-03-19 11:01:40 -04:00 · 2026-03-19 09:46:33 -04:00 · 2026-03-19 09:42:39 -04:00
44 changed files with 601 additions and 385 deletions
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,19 +0,0 @@
-{
-  "registry-mirrors": [
-    "https://:5000"
-  ],
-  "bip": "172.17.0.1/24",
-  "default-address-pools": [
-    {
-      "base": "172.17.0.0/24",
-      "size": 24
-    }
-  ],
-  "default-ulimits": {
-      "nofile": {
-        "Name": "nofile",
-        "Soft": 1048576,
-        "Hard": 1048576
-      }
-  }
-}
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -545,6 +545,22 @@ retry() {
        return $exitcode
 }

+rollover_index() {
+  idx=$1
+  exists=$(so-elasticsearch-query $idx -o /dev/null -w "%{http_code}")
+  if [[ $exists -eq 200 ]]; then
+    rollover=$(so-elasticsearch-query $idx/_rollover -o /dev/null -w "%{http_code}" -XPOST)
+
+    if [[ $rollover -eq 200 ]]; then
+      echo "Successfully triggered rollover for $idx..."
+    else
+      echo "Could not trigger rollover for $idx..."
+    fi
+  else
+    echo "Could not find index $idx..."
+  fi
+}
+
 run_check_net_err() {
 	local cmd=$1
 	local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,6 +1,10 @@
 docker:
  range: '172.17.1.0/24'
  gateway: '172.17.1.1'
+  ulimits:
+    - name: nofile
+      soft: 1048576
+      hard: 1048576
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -9,6 +13,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-elastic-fleet':
      final_octet: 21
      port_bindings:
@@ -16,6 +21,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-elasticsearch':
      final_octet: 22
      port_bindings:
@@ -24,6 +30,16 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits:
+        - name: memlock
+          soft: -1
+          hard: -1
+        - name: nofile
+          soft: 65536
+          hard: 65536
+        - name: nproc
+          soft: 4096
+          hard: 4096
    'so-influxdb':
      final_octet: 26
      port_bindings:
@@ -31,6 +47,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-kibana':
      final_octet: 27
      port_bindings:
@@ -38,6 +55,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-kratos':
      final_octet: 28
      port_bindings:
@@ -46,6 +64,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-hydra':
      final_octet: 30
      port_bindings:
@@ -54,6 +73,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-logstash':
      final_octet: 29
      port_bindings:
@@ -70,6 +90,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-nginx':
      final_octet: 31
      port_bindings:
@@ -81,6 +102,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-nginx-fleet-node':
      final_octet: 31
      port_bindings:
@@ -88,6 +110,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-redis':
      final_octet: 33
      port_bindings:
@@ -96,11 +119,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-sensoroni':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-soc':
      final_octet: 34
      port_bindings:
@@ -108,16 +133,19 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-strelka-backend':
      final_octet: 36
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-strelka-filestream':
      final_octet: 37
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-strelka-frontend':
      final_octet: 38
      port_bindings:
@@ -125,11 +153,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-strelka-manager':
      final_octet: 39
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-strelka-gatekeeper':
      final_octet: 40
      port_bindings:
@@ -137,6 +167,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-strelka-coordinator':
      final_octet: 41
      port_bindings:
@@ -144,11 +175,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-elastalert':
      final_octet: 42
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-elastic-fleet-package-registry':
      final_octet: 44
      port_bindings:
@@ -156,11 +189,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-idh':
      final_octet: 45
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-elastic-agent':
      final_octet: 46
      port_bindings:
@@ -169,23 +204,28 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-telegraf':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
    'so-suricata':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
-      ulimits:
-        - memlock=524288000
+      ulimits: []
    'so-zeek':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits:
+        - name: core
+          soft: 0
+          hard: 0
    'so-kafka':
      final_octet: 88
      port_bindings:
@@ -196,3 +236,4 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
+      ulimits: []
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,8 +1,8 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.range.split('.') %}
+{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}

-{% for container, vals in DOCKER.containers.items() %}
-{%   do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
+{% for container, vals in DOCKERMERGED.containers.items() %}
+{%   do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
 {% endfor %}
--- a/salt/docker/files/daemon.json.jinja
+++ b/salt/docker/files/daemon.json.jinja
@@ -0,0 +1,24 @@
+{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
+{
+  "registry-mirrors": [
+    "https://:5000"
+  ],
+  "bip": "172.17.0.1/24",
+  "default-address-pools": [
+    {
+      "base": "172.17.0.0/24",
+      "size": 24
+    }
+  ]
+{%- if DOCKERMERGED.ulimits %},
+  "default-ulimits": {
+{%-   for ULIMIT in DOCKERMERGED.ulimits %}
+      "{{ ULIMIT.name }}": {
+        "Name": "{{ ULIMIT.name }}",
+        "Soft": {{ ULIMIT.soft }},
+        "Hard": {{ ULIMIT.hard }}
+      }{{ "," if not loop.last else "" }}
+{%-   endfor %}
+  }
+{%- endif %}
+}
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}

 # docker service requires the ca.crt
@@ -41,10 +41,9 @@ dockeretc:
  file.directory:
    - name: /etc/docker

-# Manager daemon.json
 docker_daemon:
  file.managed:
-    - source: salt://common/files/daemon.json
+    - source: salt://docker/files/daemon.json.jinja
    - name: /etc/docker/daemon.json
    - template: jinja 

@@ -75,8 +74,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.range }}
-    - gateway: {{ DOCKER.gateway }}
+    - subnet: {{ DOCKERMERGED.range }}
+    - gateway: {{ DOCKERMERGED.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -7,6 +7,25 @@ docker:
    description: Default docker IP range for containers.
    helpLink: docker
    advanced: True
+  ulimits:
+    description: |
+      Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
+    forcedType: "[]{}"
+    syntax: json
+    advanced: True
+    helpLink: docker.html
+    uiElements:
+    - field: name
+      label: Resource Name
+      required: True
+      regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
+      regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
+    - field: soft
+      label: Soft Limit
+      forcedType: int
+    - field: hard
+      label: Hard Limit
+      forcedType: int
  containers:
    so-dockerregistry: &dockerOptions
      final_octet:
@@ -39,6 +58,25 @@ docker:
        helpLink: docker
        multiline: True
        forcedType: "[]string"
+      ulimits:
+        description: |
+          Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
+        advanced: True
+        helpLink: docker.html
+        forcedType: "[]{}"
+        syntax: json
+        uiElements:
+        - field: name
+          label: Resource Name
+          required: True
+          regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
+          regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
+        - field: soft
+          label: Soft Limit
+          forcedType: int
+        - field: hard
+          label: Hard Limit
+          forcedType: int
    so-elastic-fleet: *dockerOptions
    so-elasticsearch: *dockerOptions
    so-influxdb: *dockerOptions
@@ -62,42 +100,6 @@ docker:
    so-idh: *dockerOptions
    so-elastic-agent: *dockerOptions
    so-telegraf: *dockerOptions
-    so-suricata:
-      final_octet:
-        description: Last octet of the container IP address.
-        helpLink: docker
-        readonly: True
-        advanced: True
-        global: True
-      port_bindings:
-        description: List of port bindings for the container.
-        helpLink: docker
-        advanced: True
-        multiline: True
-        forcedType: "[]string"
-      custom_bind_mounts:
-        description: List of custom local volume bindings.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
-      extra_hosts:
-        description: List of additional host entries for the container.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
-      extra_env:
-        description: List of additional ENV entries for the container.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
-      ulimits:
-        description: Ulimits for the container, in bytes.
-        advanced: True
-        helpLink: docker
-        multiline: True
-        forcedType: "[]string"
+    so-suricata: *dockerOptions
    so-zeek: *dockerOptions
    so-kafka: *dockerOptions
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}

 include:
  - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
    - user: so-elastalert
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
    - detach: True
    - binds:
      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,24 +33,30 @@ so-elastalert:
      - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
      - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
-      {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-      {% if DOCKER.containers['so-elastalert'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-      {% if DOCKER.containers['so-elastalert'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - require:
      - cmd: wait_for_elasticsearch
      - file: elastarules
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}

 include:
  - elastic-fleet-package-registry.config
@@ -21,30 +21,36 @@ so-elastic-fleet-package-registry:
    - user: 948
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
    - extra_hosts:
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
    - binds:
-        {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}

 include:
  - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
    - user: 949
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -41,19 +41,25 @@ so-elastic-agent:
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
      - /opt/so/log:/opt/so/log:ro
-     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - environment:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - require:
      - file: create-elastic-agent-config
      - file: trusttheca
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}

 {#   This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
    - user: 947
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
-     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}      
@@ -128,11 +128,17 @@ so-elastic-fleet:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: trusttheca
      - x509: etc_elasticfleet_key
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -119,7 +119,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-case*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -131,8 +131,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
-              lifecycle:
-                name: so-case-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -143,14 +141,7 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    so-common:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -214,7 +205,9 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - winlog-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-*-so*
@@ -274,7 +267,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-detection*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -286,8 +279,6 @@ elasticsearch:
                match_mapping_type: string
          settings:
            index:
-              lifecycle:
-                name: so-detection-logs
              mapping:
                total_fields:
                  limit: 1500
@@ -298,11 +289,6 @@ elasticsearch:
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    sos-backup:
      index_sorting: false
      index_template:
@@ -462,7 +448,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - endgame*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -510,8 +496,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-idh:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -566,10 +550,13 @@ elasticsearch:
        - dtc-user_agent-mappings
        - common-settings
        - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
-        - so-idh-*
-        priority: 500
+        - logs-idh-so*
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -679,11 +666,13 @@ elasticsearch:
        - common-dynamic-mappings
        - winlog-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-import-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -738,7 +727,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - so-ip*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -753,19 +742,12 @@ elasticsearch:
              mapping:
                total_fields:
                  limit: 1500
-              lifecycle:
-                name: so-ip-mappings-logs
              number_of_replicas: 0
              number_of_shards: 1
              refresh_interval: 30s
              sort:
                field: '@timestamp'
                order: desc
-      policy:
-        phases:
-          hot:
-            actions: {}
-            min_age: 0ms
    so-items:
      index_sorting: false
      index_template:
@@ -774,7 +756,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .items-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -853,8 +835,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-kratos:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -875,7 +855,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-kratos-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -923,8 +903,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-hydra:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -985,7 +963,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - logs-hydra-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1040,7 +1018,7 @@ elasticsearch:
        ignore_missing_component_templates: []
        index_patterns:
        - .lists-default-**
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -1526,6 +1504,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.cloudbeat@custom
        index_patterns:
@@ -1761,6 +1742,9 @@ elasticsearch:
        - so-fleet_integrations.ip_mappings-1
        - so-fleet_globals-1
        - so-fleet_agent_id_verification-1
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates:
        - logs-elastic_agent.heartbeat@custom
        index_patterns:
@@ -3020,8 +3004,6 @@ elasticsearch:
                priority: 50
            min_age: 30d
    so-logs-soc:
-      close: 30
-      delete: 365
      index_sorting: false
      index_template:
        composed_of:
@@ -3076,11 +3058,13 @@ elasticsearch:
        - dtc-user_agent-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-soc-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3670,10 +3654,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-logstash-default*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -3971,10 +3958,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
-        - logs-redis-default*
-        priority: 500
+        - logs-redis.log*
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4085,11 +4075,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-strelka-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4199,11 +4191,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4313,11 +4307,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-suricata.alerts-*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4427,11 +4423,13 @@ elasticsearch:
        - vulnerability-mappings
        - common-settings
        - common-dynamic-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-syslog-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
@@ -4543,11 +4541,13 @@ elasticsearch:
        - common-settings
        - common-dynamic-mappings
        - hash-mappings
-        data_stream: {}
+        data_stream:
+          allow_custom_routing: false
+          hidden: false
        ignore_missing_component_templates: []
        index_patterns:
        - logs-zeek-so*
-        priority: 500
+        priority: 501
        template:
          mappings:
            date_detection: false
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
    - user: elasticsearch
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
    - extra_hosts:
    {% for node in ELASTICSEARCH_NODES %}
    {%   for hostname, ip in node.items() %}
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -45,17 +45,19 @@ so-elasticsearch:
      - discovery.type=single-node
      {% endif %}
      - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
-      ulimits:
-      - memlock=-1:-1
-      - nofile=65536:65536
-      - nproc=4096
-      {% if DOCKER.containers['so-elasticsearch'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -75,8 +77,8 @@ so-elasticsearch:
      - {{ repo }}:{{ repo }}:rw
        {% endfor %}
      {% endif %}
-      {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
 {%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
 {%- set D1 = [] %}
 {%- set D2 = [] %}
 {%- for container in NODE_CONTAINERS %}
-{%-   set IP = DOCKER.containers[container].ip %}
-{%-   if DOCKER.containers[container].port_bindings is defined %}
-{%-     for binding in DOCKER.containers[container].port_bindings %}
+{%-   set IP = DOCKERMERGED.containers[container].ip %}
+{%-   if DOCKERMERGED.containers[container].port_bindings is defined %}
+{%-     for binding in DOCKERMERGED.containers[container].port_bindings %}
 {#-       cant split int so we convert to string #}
 {%-       set binding = binding|string %}
 {#-          split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
 {%-           set hostPort = bsa[0] %}
 {%-           set containerPort = bsa[1] %}
 {%-         endif %}
-{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%-         if bindip | length and bindip != '0.0.0.0' %}
-{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         else %}
-{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         endif %}
-{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%-     endfor %}
 {%-   endif %}
 {%- endfor %}
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,11 +1,11 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}

 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}

 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -11,7 +11,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   if 'api' in salt['pillar.get']('features', []) %}

@@ -26,32 +26,38 @@ so-hydra:
    - name: so-hydra
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
    - binds:
      - /opt/so/conf/hydra/:/hydra-conf:ro
      - /opt/so/log/hydra/:/hydra-log:rw
      - /nsm/hydra/db:/hydra-data:rw
-      {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-hydra'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-hydra'].extra_env %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: hydraconfig
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}

 include:
  - idh.config
@@ -22,23 +22,29 @@ so-idh:
      - /nsm/idh:/var/tmp:rw
      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
-      {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_env %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-idh'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: opencanary_config
    - require:
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}

@@ -21,7 +21,7 @@ so-influxdb:
    - hostname: influxdb
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
    - environment:
      - INFLUXD_CONFIG_PATH=/conf/config.yaml
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
      - DOCKER_INFLUXDB_INIT_ORG=Security Onion
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
-      {% if DOCKER.containers['so-influxdb'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
+      {% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -43,21 +43,27 @@ so-influxdb:
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
-      {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-influxdb'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: influxdbconf
      - x509: influxdb_key
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -12,7 +12,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
 {%   set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
 {%   if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
    - name: so-kafka
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
    - user: kafka
    - environment:
        KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
-        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
+        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
    - extra_hosts:
      {% for node in KAFKANODES %}
      - {{ node }}:{{ KAFKANODES[node].ip }}
      {% endfor %}
-      {% if DOCKER.containers['so-kafka'].extra_hosts %}
-      {%   for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
+      {%   for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
      - {{ XTRAHOST }}
      {%   endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -60,6 +60,12 @@ so-kafka:
      {% if KAFKA_EXTERNAL_ACCESS %}
      - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
      {% endif %}
+    {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      {% for sc in ['server', 'client'] %}
      - file: kafka_kraft_{{sc}}_properties
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -20,20 +20,20 @@ so-kibana:
    - user: kibana
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
    - environment:
      - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
      - ELASTICSEARCH_PORT=9200
      - MANAGER={{ GLOBALS.manager }}
-      {% if DOCKER.containers['so-kibana'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
+      {% if DOCKERMERGED.containers['so-kibana'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers['so-kibana'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -42,15 +42,21 @@ so-kibana:
      - /opt/so/log/kibana:/var/log/kibana:rw
      - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      {% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
+    {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: kibanaconfig

--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -19,32 +19,38 @@ so-kratos:
    - name: so-kratos
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
    - binds:
      - /opt/so/conf/kratos/:/kratos-conf:ro
      - /opt/so/log/kratos/:/kratos-log:rw
      - /nsm/kratos/db:/kratos-data:rw
-      {% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-kratos'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-kratos'].extra_env %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: kratosschema
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_NODES %}
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
    - name: so-logstash
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
    - user: logstash
    - extra_hosts:
    {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-logstash'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
-    {% if DOCKER.containers['so-logstash'].extra_env %}
-    {%   for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -91,11 +91,17 @@ so-logstash:
      - /opt/so/log/fleet/:/osquery/logs:ro
      - /opt/so/log/strelka:/strelka:ro
      {% endif %}
-      {% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: lsetcsync
      - file: trusttheca
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -403,7 +403,15 @@ migrate_pcap_to_suricata() {
 }

 post_to_3.0.0() {
-  echo "Nothing to apply"
+  for idx in "logs-idh-so" "logs-redis.log-default"; do
+    rollover_index "$idx"
+  done
+
+  # Remove ILM for so-case and so-detection indices
+  for idx in "so-case" "so-casehistory" "so-detection" "so-detectionhistory"; do
+    so-elasticsearch-query $idx/_ilm/remove -XPOST
+  done
+
  POSTVERSION=3.0.0
 }

--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}

 include:
@@ -37,11 +37,11 @@ so-nginx:
    - hostname: so-nginx
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers[container_config].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers[container_config].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
+    {% if DOCKERMERGED.containers[container_config].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -64,20 +64,26 @@ so-nginx:
      - /opt/so/rules/nids/suri:/surirules:ro
      {%   endif %}
      {% endif %}
-      {% if DOCKER.containers[container_config].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers[container_config].extra_env %}
+    {% if DOCKERMERGED.containers[container_config].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers[container_config].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
-      {% for BINDING in DOCKER.containers[container_config].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'nginx/map.jinja' import NGINXMERGED %}
 {%- set role = grains.id.split('_') | last %}
 {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
@@ -387,7 +387,7 @@ http {
 		error_page 429 = @error429;

 		location @error401 {
-			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*|^/.*\.map$)) {
+			if ($request_uri ~* (^/api/.*|^/connect/.*|^/oauth2/.*)) {
 				return    401;
 			}

--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -21,9 +21,9 @@ so-redis:
    - user: socore
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -34,23 +34,29 @@ so-redis:
      - /etc/pki/redis.crt:/certs/redis.crt:ro
      - /etc/pki/redis.key:/certs/redis.key:ro
      - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_env %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-redis'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
      - file: trusttheca
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}

 include:
  - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
    - hostname: so-registry
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
    - restart_policy: always
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -32,25 +32,31 @@ so-dockerregistry:
      - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
      - /etc/pki/registry.key:/etc/pki/registry.key:ro
-      {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    - client_timeout: 180
    - environment:
      - HOME=/root
-      {% if DOCKER.containers['so-dockerregistry'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - retry:
        attempts: 5
        interval: 30
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.

 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}


 include:
@@ -23,23 +23,29 @@ so-sensoroni:
      - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_env %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: /opt/so/conf/sensoroni/sensoroni.json
    - require:
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -5,7 +5,7 @@

 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER -%}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
 {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}

@@ -32,7 +32,7 @@
 {%   endif %}
 {% endfor %}

-{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}

 {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
 {% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
 {%   from 'soc/merged.map.jinja' import SOCMERGED %}

@@ -22,7 +22,7 @@ so-soc:
    - name: so-soc
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
    - binds:
      - /nsm/rules:/nsm/rules:rw
      - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,21 +63,27 @@ so-soc:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-    {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
+    {% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
      - {{ BINDING }}
    {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_env %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_env %}
    - environment:
-    {%   for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-soc'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: trusttheca
      - file: /opt/so/conf/soc/*
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -18,29 +18,35 @@ strelka_backend:
    - binds:
      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
      - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
-      {% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-backend
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
    - command: strelka-backend
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-backend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - restart_policy: on-failure
    - watch:
      - file: strelkasensorcompiledrules
--- a/salt/strelka/coordinator/enabled.sls
+++ b/salt/strelka/coordinator/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -18,32 +18,38 @@ strelka_coordinator:
    - name: so-strelka-coordinator
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
    - entrypoint: redis-server --save "" --appendonly no
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-  {% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
+  {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    - binds:
      - /nsm/strelka/coord-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
 delete_so-strelka-coordinator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/strelka/filestream/enabled.sls
+++ b/salt/strelka/filestream/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -18,29 +18,35 @@ strelka_filestream:
    - binds:
      - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
      - /nsm/strelka:/nsm/strelka
-      {% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-filestream
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
    - command: strelka-filestream
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-filestream'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: filestream_config

--- a/salt/strelka/frontend/enabled.sls
+++ b/salt/strelka/frontend/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -18,8 +18,8 @@ strelka_frontend:
    - binds:
      - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
      - /nsm/strelka/log/:/var/log/strelka/:rw
-      {% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
@@ -27,25 +27,31 @@ strelka_frontend:
    - name: so-strelka-frontend
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
    - command: strelka-frontend
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-strelka-frontend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: frontend_config

--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -18,32 +18,38 @@ strelka_gatekeeper:
    - name: so-strelka-gatekeeper
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
    - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /nsm/strelka/gk-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
-    {% endif %}   
+    {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}

 delete_so-strelka-gatekeeper_so-status.disabled:
  file.uncomment:
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -5,7 +5,7 @@

 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}

 include:
@@ -17,29 +17,35 @@ strelka_manager:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
    - binds:
      - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
-      {% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-manager
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
    - command: strelka-manager
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-   {% if DOCKER.containers['so-strelka-manager'].extra_env %}
+   {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: manager_config

--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}


@@ -20,16 +20,15 @@ so-suricata:
    - privileged: True
    - environment:
      - INTERFACE={{ GLOBALS.sensor.interface }}
-      {% if DOCKER.containers['so-suricata'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
+      {% if DOCKERMERGED.containers['so-suricata'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
-    {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
-    {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
+    {% if DOCKERMERGED.containers['so-suricata'].ulimits %}
    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
-      - {{ ULIMIT }}
+    {%   for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - binds:
@@ -42,15 +41,15 @@ so-suricata:
      - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - network_mode: host
-    {% if DOCKER.containers['so-suricata'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}

 include:
@@ -25,8 +25,8 @@ so-telegraf:
      - HOST_SYS=/host/sys
      - HOST_MOUNT_PREFIX=/host
      - GODEBUG=x509ignoreCN=0
-      {% if DOCKER.containers['so-telegraf'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
+      {% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -55,17 +55,23 @@ so-telegraf:
      {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
      - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
      {% endif %}
-      {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-telegraf'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
+    {% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
+    - ulimits:
+    {%   for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - watch:
      - file: trusttheca
      - x509: telegraf_crt
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -1,5 +1,5 @@
 {% import 'vars/init.map.jinja' as INIT %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'global/map.jinja' import GLOBALMERGED %}

 {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
    'pcap_engine': GLOBALMERGED.pcapengine,
    'pipeline': GLOBALMERGED.pipeline,
    'so_version': INIT.PILLAR.global.soversion,
-    'so_docker_gateway': DOCKER.gateway,
-    'so_docker_range': DOCKER.range,
+    'so_docker_gateway': DOCKERMERGED.gateway,
+    'so_docker_range': DOCKERMERGED.range,
    'url_base': INIT.PILLAR.global.url_base,
    'so_model': INIT.GRAINS.get('sosmodel',''),
    'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -167,7 +167,7 @@ zeekja4cfg:
    - group: 939
    - template: jinja
    - defaults:
-        JA4PLUS_ENABLED: {{ ZEEKMERGED.ja4plus_enabled }}
+        JA4PLUS: {{ ZEEKMERGED.ja4plus.enabled }}

 # BPF compilation failed
 {% if ZEEKBPF and not ZEEK_BPF_STATUS %}
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -1,6 +1,7 @@
 zeek:
  enabled: False
-  ja4plus_enabled: False
+  ja4plus:
+    enabled: False
  config:
    node:
      lb_procs: 0
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}


 include:
@@ -18,9 +18,12 @@ so-zeek:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
    - start: True
    - privileged: True
+    {% if DOCKERMERGED.containers['so-zeek'].ulimits %}
    - ulimits:
-      - core=0
-      - nofile=1048576:1048576
+    {%   for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
+    {%   endfor %}
+    {% endif %}
    - binds:
      - /nsm/zeek/logs:/nsm/zeek/logs:rw
      - /nsm/zeek/spool:/nsm/zeek/spool:rw
@@ -36,21 +39,21 @@ so-zeek:
      - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
      - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
      - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
-      {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %} 
    - network_mode: host
-    {% if DOCKER.containers['so-zeek'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-zeek'].extra_env %}
+    {% if DOCKERMERGED.containers['so-zeek'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
--- a/salt/zeek/files/config.zeek.ja4
+++ b/salt/zeek/files/config.zeek.ja4
@@ -8,20 +8,20 @@ export {
  option JA4_raw:        bool = F;

  # FoxIO license required for JA4+
-  option JA4S_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4S_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};
  option JA4S_raw:   bool = F;

-  option JA4D_enabled:  bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4D_enabled:  bool = {{ 'T' if JA4PLUS else 'F' }};

-  option JA4H_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4H_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};
  option JA4H_raw:   bool = F;

-  option JA4L_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4L_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};

-  option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4SSH_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};

-  option JA4T_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
-  option JA4TS_enabled: bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4T_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};
+  option JA4TS_enabled: bool = {{ 'T' if JA4PLUS else 'F' }};

-  option JA4X_enabled:   bool = {{ 'T' if JA4PLUS_ENABLED else 'F' }};
+  option JA4X_enabled:   bool = {{ 'T' if JA4PLUS else 'F' }};
 }
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -2,10 +2,12 @@ zeek:
  enabled:
    description: Controls whether the Zeek (network packet inspection) process runs. Disabling this process could result in loss of network protocol metadata. If Suricata was selected as the protocol metadata engine during setup then this will already be disabled.
    helpLink: zeek
-  ja4plus_enabled:
-    description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license (https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
-    forcedType: bool
-    helpLink: zeek
+  ja4plus:
+    enabled:
+      description: "Enables JA4+ fingerprinting (JA4S, JA4D, JA4H, JA4L, JA4SSH, JA4T, JA4TS, JA4X). By enabling this, you agree to the terms of the JA4+ license  [https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4](https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE-JA4)."
+      forcedType: bool
+      helpLink: zeek
+      advanced: False
  config:
    local:
      load:
Author	SHA1	Message	Date
Mike Reeves	d3938b61d2	ja4plus nest enabled under ja4plus key for defaults	2026-03-19 12:39:37 -04:00
Mike Reeves	83b7fecbbc	ja4plus cleanup	2026-03-19 11:12:24 -04:00
Mike Reeves	d227cf71c8	ja4plus cleanup	2026-03-19 11:01:40 -04:00
Josh Patterson	020b9db610	Merge pull request #15641 from Security-Onion-Solutions/delta Support docker ulimit customization	2026-03-19 09:46:33 -04:00
Josh Patterson	cceaebe350	remove restriction of mmap locked on suricata ulimits	2026-03-19 09:42:39 -04:00
Josh Patterson	a982056363	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-18 15:45:15 -04:00
Josh Patterson	db81834e06	fix indentation to match prior indentation	2026-03-18 15:44:49 -04:00
Jason Ertel	318e4ec54b	Merge pull request #15643 from Security-Onion-Solutions/jertel/wip fix casing to match annotation docs	2026-03-18 15:36:47 -04:00
Jorge Reyes	20bf05e9f3	Merge pull request #15644 from Security-Onion-Solutions/reyesj2-361 fix so-idh and so-redis datastream config	2026-03-18 14:36:17 -05:00
Josh Patterson	4254769e68	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-18 15:32:52 -04:00
reyesj2	c16ff2bd99	so-idh and so-redis datastream config	2026-03-18 14:31:23 -05:00
Josh Patterson	0814f34f0e	don't define zeek nofile, already uses docker default	2026-03-18 13:13:06 -04:00
Jason Ertel	b6366e52ba	Merge pull request #15642 from Security-Onion-Solutions/jertel/wip more doc updates	2026-03-18 13:09:36 -04:00
Josh Patterson	74ad2990a7	Merge remote-tracking branch 'origin/3/dev' into delta	2026-03-18 13:05:02 -04:00
Josh Patterson	738ce62d35	Merge pull request #15640 from Security-Onion-Solutions/customulimit ensure valid ulimit names	2026-03-18 12:51:15 -04:00
Josh Patterson	057ec6f0f1	ensure valid ulimit names	2026-03-18 12:49:46 -04:00
Jorge Reyes	20c4da50b1	Merge pull request #15632 from Security-Onion-Solutions/reyesj2-15601 fix global override settings affecting non-data stream indices	2026-03-18 10:51:17 -05:00
Jason Ertel	5fb396fc09	Merge pull request #15637 from Security-Onion-Solutions/jertel/wip ignore redis restart warning in logstash log	2026-03-18 11:13:00 -04:00
Josh Patterson	a0b1e31717	Merge pull request #15638 from Security-Onion-Solutions/customulimit remove .jinja from daemon.json	2026-03-18 11:09:41 -04:00
Josh Patterson	cacae12ba3	remove .jinja from daemon.json	2026-03-18 11:08:33 -04:00
Josh Patterson	2a271b950b	Merge pull request #15636 from Security-Onion-Solutions/customulimit Customulimit	2026-03-18 10:42:19 -04:00
Josh Patterson	e19e83bebb	allow user defined ulimits	2026-03-18 10:38:15 -04:00
Josh Patterson	341471d38e	DOCKER to DOCKERMERGED	2026-03-17 16:19:36 -04:00
Josh Patterson	2349750e13	DOCKER to DOCKERMERGED	2026-03-17 16:19:02 -04:00
Josh Patterson	00986dc2fd	Merge remote-tracking branch 'origin/delta' into customulimit	2026-03-17 16:04:09 -04:00
Josh Patterson	d60bef1371	add spft/hard ulimits	2026-03-17 16:00:09 -04:00
Josh Patterson	5806a85214	Merge pull request #15629 from Security-Onion-Solutions/ulimits Add customizable ulimit settings for all Docker containers	2026-03-17 15:14:31 -04:00
Mike Reeves	2d97dfc8a1	Add customizable ulimit settings for all Docker containers Add ulimits as a configurable advanced setting for every container, allowing customization through the web UI. Move hardcoded ulimits from elasticsearch and zeek into defaults.yaml and fix elasticsearch ulimits that were incorrectly nested under the environment key. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 15:10:42 -04:00
Josh Patterson	d6263812a6	move daemon.json to docker/files	2026-03-17 15:09:09 -04:00
Josh Patterson	ef7d1771ab	DOCKER TO DOCKERMERGED	2026-03-17 15:08:10 -04:00
Josh Patterson	4dc377c99f	DOCKER to DOCKERMERGED	2026-03-17 15:06:06 -04:00
reyesj2	a52e5d0474	update index template priorities + explicity add datastream config options	2026-03-17 13:50:15 -05:00
reyesj2	1a943aefc5	rollover datastreams to get latest index templates + remove existing ilm policies from so-case / so-detection indices	2026-03-17 13:49:20 -05:00
reyesj2	eaf3f10adc	remove unused close/delete configs on datastream index templates	2026-03-16 17:26:45 -05:00
reyesj2	84f4e460f6	update index patterns	2026-03-16 16:53:22 -05:00
reyesj2	88841c9814	remove ilm configs from non-datastream indices	2026-03-16 16:52:42 -05:00