ensure valid ulimit names

remove .jinja from daemon.json
allow user defined ulimits
2026-03-22 04:35:29 +01:00 · 2026-03-18 12:49:46 -04:00 · 2026-03-18 11:08:33 -04:00 · 2026-03-18 10:38:15 -04:00 · 2026-03-17 16:19:36 -04:00 · 2026-03-17 16:19:02 -04:00
82 changed files with 729 additions and 1618 deletions
--- a/salt/_modules/needs_restarting.py
+++ b/salt/_modules/needs_restarting.py
@@ -1,24 +1,14 @@
 from os import path
 import subprocess
 def check():
  osfam = __grains__['os_family']
  retval = 'False'
-  if osfam == 'Debian':
+  cmd = 'needs-restarting -r > /dev/null 2>&1'
    if path.exists('/var/run/reboot-required'):
      retval = 'True'
-  elif osfam == 'RedHat':
+  try:
-    cmd = 'needs-restarting -r > /dev/null 2>&1'
+    needs_restarting = subprocess.check_call(cmd, shell=True)
-    
+  except subprocess.CalledProcessError:
-    try:
+    retval = 'True'
      needs_restarting = subprocess.check_call(cmd, shell=True)
    except subprocess.CalledProcessError:
      retval = 'True'
  else:
    retval = 'Unsupported OS: %s' % os
  return retval
--- a/salt/ca/trustca.sls
+++ b/salt/ca/trustca.sls
@@ -3,8 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 include:
  - docker
@@ -18,9 +16,3 @@ trusttheca:
    - show_changes: False
    - makedirs: True
 {% if GLOBALS.os_family == 'Debian' %}
 symlinkca:
  file.symlink:
    - target: /etc/pki/tls/certs/intca.crt
    - name: /etc/ssl/certs/intca.crt
 {% endif %}
--- a/salt/common/files/daemon.json
+++ b/salt/common/files/daemon.json
@@ -1,19 +0,0 @@
 {
  "registry-mirrors": [
    "https://:5000"
  ],
  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
      "base": "172.17.0.0/24",
      "size": 24
    }
  ],
  "default-ulimits": {
      "nofile": {
        "Name": "nofile",
        "Soft": 1048576,
        "Hard": 1048576
      }
  }
 }
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -20,11 +20,6 @@ kernel.printk:
  sysctl.present:
    - value: "3 4 1 3"
 # Remove variables.txt from /tmp - This is temp
 rmvariablesfile:
  file.absent:
    - name: /tmp/variables.txt
 # Add socore Group
 socoregroup:
  group.present:
@@ -149,28 +144,6 @@ common_sbin_jinja:
      - so-import-pcap
 {% endif %}
 {% if GLOBALS.role == 'so-heavynode' %}
 remove_so-pcap-import_heavynode:
  file.absent:
    - name: /usr/sbin/so-pcap-import
 remove_so-import-pcap_heavynode:
  file.absent:
    - name: /usr/sbin/so-import-pcap
 {% endif %}
 {% if not GLOBALS.is_manager%}
 # prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers
 # these two states remove the scripts from non manager nodes
 remove_soup:
  file.absent:
    - name: /usr/sbin/soup
 remove_so-firewall:
  file.absent:
    - name: /usr/sbin/so-firewall
 {% endif %}
 so-status_script:
  file.managed:
    - name: /usr/sbin/so-status
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -1,52 +1,5 @@
 # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
 # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
 {% if grains.os_family == 'Debian' %}
 commonpkgs:
  pkg.installed:
    - skip_suggestions: True
    - pkgs:
      - apache2-utils
      - wget
      - ntpdate
      - jq
      - curl
      - ca-certificates
      - software-properties-common
      - apt-transport-https
      - openssl
      - netcat-openbsd
      - sqlite3
      - libssl-dev
      - procps
      - python3-dateutil
      - python3-docker
      - python3-packaging
      - python3-lxml
      - git
      - rsync
      - vim
      - tar
      - unzip
      - bc
      {% if grains.oscodename != 'focal' %}
      - python3-rich
      {% endif %}
 {%     if grains.oscodename == 'focal' %}
 # since Ubuntu requires and internet connection we can use pip to install modules
 python3-pip:
  pkg.installed
 python-rich:
  pip.installed:
    - name: rich
    - target: /usr/local/lib/python3.8/dist-packages/
    - require:
      - pkg: python3-pip
 {%     endif %}
 {% endif %}
 {% if grains.os_family == 'RedHat' %}
 remove_mariadb:
  pkg.removed:
@@ -84,5 +37,3 @@ commonpkgs:
      - unzip
      - wget
      - yum-utils
 {% endif %}
--- a/salt/common/soup_scripts.sls
+++ b/salt/common/soup_scripts.sls
@@ -11,14 +11,6 @@
 {%   endif %}
 {%   set SOVERSION = salt['file.read']('/etc/soversion').strip() %}
 remove_common_soup:
  file.absent:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/soup
 remove_common_so-firewall:
  file.absent:
    - name: /opt/so/saltstack/default/salt/common/tools/sbin/so-firewall
 # This section is used to put the scripts in place in the Salt file system
 # in case a state run tries to overwrite what we do in the next section.
 copy_so-common_common_tools_sbin:
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -349,21 +349,16 @@ get_random_value() {
 }
 gpg_rpm_import() {
-	if [[ $is_oracle ]]; then
+	if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
+		local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
-	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
+	else
-	    else
+		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
 		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 		for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
 	elif [[ $is_rpm ]]; then
 		echo "Importing the security onion GPG key"
 		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
 	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 	for RPMKEY in "${RPMKEYS[@]}"; do
 		rpm --import $RPMKEYSLOC/$RPMKEY
 		echo "Imported $RPMKEY"
 	done
 }
 header() {
@@ -615,69 +610,19 @@ salt_minion_count() {
 }
 set_os() {
-	if [ -f /etc/redhat-release ]; then
+	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+		OS=oracle
-			OS=rocky
+		OSVER=9
-			OSVER=9
+		is_oracle=true
-			is_rocky=true
+		is_rpm=true
 			is_rpm=true
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
 			is_rpm=true
 		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
 			OS=alma
 			OSVER=9
 			is_alma=true
 			is_rpm=true
 		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
 			if [ -f /etc/oracle-release ]; then
 				OS=oracle
 				OSVER=9
 				is_oracle=true
 				is_rpm=true
 			else
 				OS=rhel
 				OSVER=9
 				is_rhel=true
 				is_rpm=true
 			fi
 		fi
 		cron_service_name="crond"
 	elif [ -f /etc/os-release ]; then
 		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
 			OSVER=focal
 			UBVER=20.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
 			OSVER=jammy
 			UBVER=22.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
 			OSVER=bookworm
 			DEBVER=12
 			is_debian=true
 			OS=debian
 			is_deb=true
 		fi
 		cron_service_name="cron"
 	fi
 	cron_service_name="crond"
 }
 set_minionid() {
 	MINIONID=$(lookup_grain id)
 }
 set_palette() {
 	if [[ $is_deb ]]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
    fi
 }
 set_version() {
 	CURRENTVERSION=0.0.0
--- a/salt/curator/disabled.sls
+++ b/salt/curator/disabled.sls
@@ -1,34 +0,0 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 so-curator:
  docker_container.absent:
    - force: True
 so-curator_so-status.disabled:
  file.line:
    - name: /opt/so/conf/so-status/so-status.conf
    - match: ^so-curator$
    - mode: delete
 so-curator-cluster-close:
  cron.absent:
    - identifier: so-curator-cluster-close
 so-curator-cluster-delete:
  cron.absent:
    - identifier: so-curator-cluster-delete
 delete_curator_configuration:
  file.absent:
    - name: /opt/so/conf/curator
    - recurse: True
 {% set files = salt.file.find(path='/usr/sbin', name='so-curator*') %}
 {% if files|length > 0 %}
 delete_curator_scripts:
  file.absent:
    - names: {{files|yaml}}
 {% endif %}
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -1,6 +1,10 @@
 docker:
  range: '172.17.1.0/24'
  gateway: '172.17.1.1'
  ulimits:
    - name: nofile
      soft: 1048576
      hard: 1048576
  containers:
    'so-dockerregistry':
      final_octet: 20
@@ -9,6 +13,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-fleet':
      final_octet: 21
      port_bindings:
@@ -16,6 +21,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elasticsearch':
      final_octet: 22
      port_bindings:
@@ -24,6 +30,16 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
        - name: memlock
          soft: -1
          hard: -1
        - name: nofile
          soft: 65536
          hard: 65536
        - name: nproc
          soft: 4096
          hard: 4096
    'so-influxdb':
      final_octet: 26
      port_bindings:
@@ -31,6 +47,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-kibana':
      final_octet: 27
      port_bindings:
@@ -38,6 +55,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-kratos':
      final_octet: 28
      port_bindings:
@@ -46,6 +64,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-hydra':
      final_octet: 30
      port_bindings:
@@ -54,6 +73,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-logstash':
      final_octet: 29
      port_bindings:
@@ -70,6 +90,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-nginx':
      final_octet: 31
      port_bindings:
@@ -81,6 +102,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-nginx-fleet-node':
      final_octet: 31
      port_bindings:
@@ -88,6 +110,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-redis':
      final_octet: 33
      port_bindings:
@@ -96,11 +119,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-sensoroni':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-soc':
      final_octet: 34
      port_bindings:
@@ -108,16 +133,19 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-backend':
      final_octet: 36
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-filestream':
      final_octet: 37
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-frontend':
      final_octet: 38
      port_bindings:
@@ -125,11 +153,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-manager':
      final_octet: 39
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-gatekeeper':
      final_octet: 40
      port_bindings:
@@ -137,6 +167,7 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-strelka-coordinator':
      final_octet: 41
      port_bindings:
@@ -144,11 +175,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastalert':
      final_octet: 42
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-fleet-package-registry':
      final_octet: 44
      port_bindings:
@@ -156,11 +189,13 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-idh':
      final_octet: 45
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-elastic-agent':
      final_octet: 46
      port_bindings:
@@ -169,23 +204,34 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-telegraf':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
    'so-suricata':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
-        - memlock=524288000
+        - name: memlock
          soft: 524288000
          hard: 524288000
    'so-zeek':
      final_octet: 99
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits:
        - name: core
          soft: 0
          hard: 0
        - name: nofile
          soft: 1048576
          hard: 1048576
    'so-kafka':
      final_octet: 88
      port_bindings:
@@ -196,3 +242,4 @@ docker:
      custom_bind_mounts: []
      extra_hosts: []
      extra_env: []
      ulimits: []
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,8 +1,8 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.range.split('.') %}
+{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
-{% for container, vals in DOCKER.containers.items() %}
+{% for container, vals in DOCKERMERGED.containers.items() %}
-{%   do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
+{%   do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
 {% endfor %}
--- a/salt/docker/files/daemon.json.jinja
+++ b/salt/docker/files/daemon.json.jinja
@@ -0,0 +1,24 @@
 {% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
 {
  "registry-mirrors": [
    "https://:5000"
  ],
  "bip": "172.17.0.1/24",
  "default-address-pools": [
    {
      "base": "172.17.0.0/24",
      "size": 24
    }
  ]
 {%- if DOCKERMERGED.ulimits %},
  "default-ulimits": {
 {%-   for ULIMIT in DOCKERMERGED.ulimits %}
    "{{ ULIMIT.name }}": {
      "Name": "{{ ULIMIT.name }}",
      "Soft": {{ ULIMIT.soft }},
      "Hard": {{ ULIMIT.hard }}
    }{{ "," if not loop.last else "" }}
 {%-   endfor %}
  }
 {%- endif %}
 }
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 # docker service requires the ca.crt
@@ -15,39 +15,6 @@ dockergroup:
    - name: docker
    - gid: 920
 {% if GLOBALS.os_family == 'Debian' %}
 {%    if grains.oscodename == 'bookworm' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 2.2.1-1~debian.12~bookworm
      - docker-ce: 5:29.2.1-1~debian.12~bookworm
      - docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
      - docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
    - hold: True
    - update_holds: True
 {%    elif grains.oscodename == 'jammy' %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 2.2.1-1~ubuntu.22.04~jammy
      - docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
      - docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
      - docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
    - hold: True
    - update_holds: True
 {%    else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: 1.7.21-1
      - docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
      - docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
      - docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
    - hold: True
    - update_holds: True
 {%   endif %}
 {% else %}
 dockerheldpackages:
  pkg.installed:
    - pkgs:
@@ -57,7 +24,6 @@ dockerheldpackages:
      - docker-ce-rootless-extras: 29.2.1-1.el9
    - hold: True
    - update_holds: True
 {% endif %}
 #disable docker from managing iptables
 iptables_disabled:
@@ -75,10 +41,9 @@ dockeretc:
  file.directory:
    - name: /etc/docker
 # Manager daemon.json
 docker_daemon:
  file.managed:
-    - source: salt://common/files/daemon.json
+    - source: salt://docker/files/daemon.json.jinja
    - name: /etc/docker/daemon.json
    - template: jinja 
@@ -109,8 +74,8 @@ dockerreserveports:
 sos_docker_net:
  docker_network.present:
    - name: sobridge
-    - subnet: {{ DOCKER.range }}
+    - subnet: {{ DOCKERMERGED.range }}
-    - gateway: {{ DOCKER.gateway }}
+    - gateway: {{ DOCKERMERGED.gateway }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
--- a/salt/docker/soc_docker.yaml
+++ b/salt/docker/soc_docker.yaml
@@ -7,6 +7,25 @@ docker:
    description: Default docker IP range for containers.
    helpLink: docker.html
    advanced: True
  ulimits:
    description: |
      Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
    forcedType: "[]{}"
    syntax: json
    advanced: True
    helpLink: docker.html
    uiElements:
    - field: name
      label: Resource Name
      required: True
      regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
      regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
    - field: soft
      label: Soft Limit
      forcedType: int
    - field: hard
      label: Hard Limit
      forcedType: int
  containers:
    so-dockerregistry: &dockerOptions
      final_octet:
@@ -39,6 +58,25 @@ docker:
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      ulimits:
        description: |
          Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
        advanced: True
        helpLink: docker.html
        forcedType: "[]{}"
        syntax: json
        uiElements:
        - field: name
          label: Resource Name
          required: True
          regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
          regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
        - field: soft
          label: Soft Limit
          forcedType: int
        - field: hard
          label: Hard Limit
          forcedType: int
    so-elastic-fleet: *dockerOptions
    so-elasticsearch: *dockerOptions
    so-influxdb: *dockerOptions
@@ -62,42 +100,6 @@ docker:
    so-idh: *dockerOptions
    so-elastic-agent: *dockerOptions
    so-telegraf: *dockerOptions
-    so-suricata:
+    so-suricata: *dockerOptions
      final_octet:
        description: Last octet of the container IP address.
        helpLink: docker.html
        readonly: True
        advanced: True
        global: True
      port_bindings:
        description: List of port bindings for the container.
        helpLink: docker.html
        advanced: True
        multiline: True
        forcedType: "[]string"
      custom_bind_mounts:
        description: List of custom local volume bindings.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      extra_hosts:
        description: List of additional host entries for the container.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      extra_env:
        description: List of additional ENV entries for the container.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
      ulimits:
        description: Ulimits for the container, in bytes.
        advanced: True
        helpLink: docker.html
        multiline: True
        forcedType: "[]string"
    so-zeek: *dockerOptions
    so-kafka: *dockerOptions
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - elastalert.config
@@ -24,7 +24,7 @@ so-elastalert:
    - user: so-elastalert
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
    - detach: True
    - binds:
      - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
@@ -33,24 +33,30 @@ so-elastalert:
      - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
      - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
      - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
-      {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-      {% if DOCKER.containers['so-elastalert'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-      {% if DOCKER.containers['so-elastalert'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - require:
      - cmd: wait_for_elasticsearch
      - file: elastarules
--- a/salt/elasticfleet/files/certs/placeholder
+++ b/salt/elasticfleet/files/certs/placeholder
--- a/salt/elastalert/files/custom/placeholder
+++ b/salt/elastalert/files/custom/placeholder
@@ -1 +0,0 @@
 THIS IS A PLACEHOLDER FILE
--- a/salt/elastic-fleet-package-registry/enabled.sls
+++ b/salt/elastic-fleet-package-registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - elastic-fleet-package-registry.config
@@ -21,30 +21,36 @@ so-elastic-fleet-package-registry:
    - user: 948
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
    - extra_hosts:
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
    - binds:
-        {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
    - environment:
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
 delete_so-elastic-fleet-package-registry_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/elasticagent/enabled.sls
+++ b/salt/elasticagent/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - ca
@@ -22,17 +22,17 @@ so-elastic-agent:
    - user: 949
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -41,19 +41,25 @@ so-elastic-agent:
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
      - /nsm:/nsm:ro
      - /opt/so/log:/opt/so/log:ro
-     {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - environment:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - require:
      - file: create-elastic-agent-config
      - file: trusttheca
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
 {#   This value is generated during node install and stored in minion pillar #}
@@ -94,17 +94,17 @@ so-elastic-fleet:
    - user: 947
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
    - extra_hosts:
        - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
        - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-        {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+        {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
-          {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
+          {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
        - {{ XTRAHOST }}
          {% endfor %}
        {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -112,8 +112,8 @@ so-elastic-fleet:
      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
-     {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+     {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}      
@@ -128,11 +128,17 @@ so-elastic-fleet:
      - FLEET_CA=/etc/pki/tls/certs/intca.crt     
      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
      - LOGS_PATH=logs
-      {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
+      {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: trusttheca
      - x509: etc_elasticfleet_key
--- a/salt/elasticfleet/files/certs/.gitkeep
+++ b/salt/elasticfleet/files/certs/.gitkeep
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -6,8 +6,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {# this is a list of dicts containing hostname:ip for elasticsearch nodes that need to know about each other for cluster #}
 {% set ELASTICSEARCH_SEED_HOSTS = [] %}
 {% set node_data = salt['pillar.get']('elasticsearch:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
@@ -36,14 +34,8 @@
      {% endfor %}
    {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
  {% if HIGHLANDER %}
        {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
  {% endif %}
  {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
 {% endif %}
 {% if HIGHLANDER %}
      {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
 {% endif %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.node.update({'name': GLOBALS.hostname}) %}
 {% do ELASTICSEARCHDEFAULTS.elasticsearch.config.cluster.update({'name': GLOBALS.hostname}) %}
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -98,10 +98,6 @@ esrolesdir:
    - group: 939
    - makedirs: True
 eslibdir:
  file.absent:
    - name: /opt/so/conf/elasticsearch/lib
 esingestdynamicconf:
  file.recurse:
    - name: /opt/so/conf/elasticsearch/ingest
@@ -119,11 +115,6 @@ esingestconf:
    - group: 939
    - show_changes: False
 # Remove .fleet_final_pipeline-1 because we are using global@custom now
 so-fleet-final-pipeline-remove:
  file.absent:
    - name: /opt/so/conf/elasticsearch/ingest/.fleet_final_pipeline-1
 # Auto-generate Elasticsearch ingest node pipelines from pillar
 {% for pipeline, config in ELASTICSEARCHMERGED.pipelines.items() %}
 es_ingest_conf_{{pipeline}}:
--- a/salt/elasticsearch/enabled.sls
+++ b/salt/elasticsearch/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
 {%   from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
@@ -28,15 +28,15 @@ so-elasticsearch:
    - user: elasticsearch
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
    - extra_hosts:
    {% for node in ELASTICSEARCH_NODES %}
    {%   for hostname, ip in node.items() %}
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -45,17 +45,19 @@ so-elasticsearch:
      - discovery.type=single-node
      {% endif %}
      - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
-      ulimits:
+      {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
-      - memlock=-1:-1
+        {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
      - nofile=65536:65536
      - nproc=4096
      {% if DOCKER.containers['so-elasticsearch'].extra_env %}
        {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -75,8 +77,8 @@ so-elasticsearch:
      - {{ repo }}:{{ repo }}:rw
        {% endfor %}
      {% endif %}
-      {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
--- a/salt/elasticsearch/files/ingest-dynamic/.gitkeep
+++ b/salt/elasticsearch/files/ingest-dynamic/.gitkeep
--- a/salt/elasticsearch/files/ingest-dynamic/common
+++ b/salt/elasticsearch/files/ingest-dynamic/common
@@ -1,5 +1,3 @@
 {%- set HIGHLANDER = salt['pillar.get']('global:highlander', False) -%}
 {%- raw -%}
 {
  "description" : "common",
  "processors" : [
@@ -67,19 +65,7 @@
    { "append":          { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
    { "grok":            { "if": "ctx.http?.response?.status_code != null", "field": "http.response.status_code", "patterns": ["%{NUMBER:http.response.status_code:long} %{GREEDYDATA}"]} },
    { "set":             { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } },
-    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
+    { "remove":          { "field": [ "message2", "type", "fields", "category", "module", "dataset", "dataset_tag_temp", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } },
 {%- endraw %}
 {%- if HIGHLANDER %}
    ,
    {
      "pipeline": {
        "name": "ecs"
      }
    }
 {%- endif %}
 {%- raw %}
    ,
    { "pipeline": { "name": "global@custom", "ignore_missing_pipeline": true, "description": "[Fleet] Global pipeline for all data streams" } }
  ]
 }
 {% endraw %}
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -27,14 +27,12 @@ iptables_config:
    - source: salt://firewall/iptables.jinja
    - template: jinja
 {%   if grains.os_family == 'RedHat' %}
 disable_firewalld:
  service.dead:
    - name: firewalld
    - enable: False
    - require:
      - file: iptables_config
 {%   endif %}
 iptables_restore:
  cmd.run:
@@ -44,7 +42,6 @@ iptables_restore:
    - onlyif:
      - iptables-restore --test {{ iptmap.configfile }}
 {%   if grains.os_family == 'RedHat' %}
 enable_firewalld:
  service.running:
    - name: firewalld
@@ -52,7 +49,6 @@ enable_firewalld:
    - onfail:
      - file: iptables_config
      - cmd: iptables_restore
 {%   endif %}
 {% else %}
--- a/salt/firewall/ipt.map.jinja
+++ b/salt/firewall/ipt.map.jinja
@@ -1,14 +1,6 @@
-{% set iptmap = salt['grains.filter_by']({
+{% set iptmap = {
-    'Debian': {
+    'service': 'iptables',
-        'service': 'netfilter-persistent',
+    'iptpkg': 'iptables-nft',
-        'iptpkg': 'iptables',
+    'persistpkg': 'iptables-nft-services',
-        'persistpkg': 'iptables-persistent',
+    'configfile': '/etc/sysconfig/iptables'
-        'configfile': '/etc/iptables/rules.v4'
+} %}
    },
    'RedHat': {
        'service': 'iptables',
        'iptpkg': 'iptables-nft',
        'persistpkg': 'iptables-nft-services',
        'configfile': '/etc/sysconfig/iptables'
    },
 }) %}
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
 {%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
 {%- set D1 = [] %}
 {%- set D2 = [] %}
 {%- for container in NODE_CONTAINERS %}
-{%-   set IP = DOCKER.containers[container].ip %}
+{%-   set IP = DOCKERMERGED.containers[container].ip %}
-{%-   if DOCKER.containers[container].port_bindings is defined %}
+{%-   if DOCKERMERGED.containers[container].port_bindings is defined %}
-{%-     for binding in DOCKER.containers[container].port_bindings %}
+{%-     for binding in DOCKERMERGED.containers[container].port_bindings %}
 {#-       cant split int so we convert to string #}
 {%-       set binding = binding|string %}
 {#-          split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
 {%-           set hostPort = bsa[0] %}
 {%-           set containerPort = bsa[1] %}
 {%-         endif %}
-{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%-         if bindip | length and bindip != '0.0.0.0' %}
-{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         else %}
-{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-           do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%-         endif %}
-{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%-     endfor %}
 {%-   endif %}
 {%- endfor %}
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,11 +1,11 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
 {% if GLOBALS.role == 'so-idh' %}
 {%   from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -11,7 +11,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   if 'api' in salt['pillar.get']('features', []) %}
@@ -26,32 +26,38 @@ so-hydra:
    - name: so-hydra
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
    - binds:
      - /opt/so/conf/hydra/:/hydra-conf:ro
      - /opt/so/log/hydra/:/hydra-log:rw
      - /nsm/hydra/db:/hydra-data:rw
-      {% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-hydra'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-hydra'].extra_env %}
+    {% if DOCKERMERGED.containers['so-hydra'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-hydra'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: hydraconfig
--- a/salt/idh/enabled.sls
+++ b/salt/idh/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - idh.config
@@ -22,23 +22,29 @@ so-idh:
      - /nsm/idh:/var/tmp:rw
      - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
-      {% if DOCKER.containers['so-idh'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-idh'].extra_env %}
+    {% if DOCKERMERGED.containers['so-idh'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-idh'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: opencanary_config
    - require:
--- a/salt/idh/openssh/config.sls
+++ b/salt/idh/openssh/config.sls
@@ -3,7 +3,6 @@
 include:
  - idh.openssh
 {% if grains.os_family == 'RedHat' %}
 idh_sshd_selinux:
  selinux.port_policy_present:
    - port: {{ openssh_map.config.port }}
@@ -13,7 +12,6 @@ idh_sshd_selinux:
      - file: openssh_config
    - require:
      - pkg: python_selinux_mgmt_tools
 {% endif %}
 openssh_config:
  file.replace:
--- a/salt/idh/openssh/init.sls
+++ b/salt/idh/openssh/init.sls
@@ -16,8 +16,6 @@ openssh:
    - name: {{ openssh_map.service }}
  {% endif %}
 {% if grains.os_family == 'RedHat' %}
 python_selinux_mgmt_tools:
  pkg.installed:
    - name: policycoreutils-python-utils
 {% endif %}
--- a/salt/influxdb/enabled.sls
+++ b/salt/influxdb/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
 {%   set TOKEN = salt['pillar.get']('influxdb:token') %}
@@ -21,7 +21,7 @@ so-influxdb:
    - hostname: influxdb
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
    - environment:
      - INFLUXD_CONFIG_PATH=/conf/config.yaml
      - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -31,8 +31,8 @@ so-influxdb:
      - DOCKER_INFLUXDB_INIT_ORG=Security Onion
      - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
      - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
-      {% if DOCKER.containers['so-influxdb'].extra_env %}
+      {% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -43,21 +43,27 @@ so-influxdb:
      - /nsm/influxdb:/var/lib/influxdb2:rw
      - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
      - /etc/pki/influxdb.key:/conf/influxdb.key:ro
-      {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-influxdb'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: influxdbconf
      - x509: influxdb_key
--- a/salt/kafka/enabled.sls
+++ b/salt/kafka/enabled.sls
@@ -12,7 +12,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
 {%   set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
 {%   if 'gmd' in salt['pillar.get']('features', []) %}
@@ -31,22 +31,22 @@ so-kafka:
    - name: so-kafka
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
    - user: kafka
    - environment:
        KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
-        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
+        KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
    - extra_hosts:
      {% for node in KAFKANODES %}
      - {{ node }}:{{ KAFKANODES[node].ip }}
      {% endfor %}
-      {% if DOCKER.containers['so-kafka'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
-      {%   for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
+      {%   for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
      - {{ XTRAHOST }}
      {%   endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -60,6 +60,12 @@ so-kafka:
      {% if KAFKA_EXTERNAL_ACCESS %}
      - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
      {% endif %}
    {% if DOCKERMERGED.containers['so-kafka'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      {% for sc in ['server', 'client'] %}
      - file: kafka_kraft_{{sc}}_properties
--- a/salt/kibana/enabled.sls
+++ b/salt/kibana/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -20,20 +20,20 @@ so-kibana:
    - user: kibana
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
    - environment:
      - ELASTICSEARCH_HOST={{ GLOBALS.manager }}
      - ELASTICSEARCH_PORT=9200
      - MANAGER={{ GLOBALS.manager }}
-      {% if DOCKER.containers['so-kibana'].extra_env %}
+      {% if DOCKERMERGED.containers['so-kibana'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers['so-kibana'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -42,15 +42,21 @@ so-kibana:
      - /opt/so/log/kibana:/var/log/kibana:rw
      - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      {% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    {% if DOCKERMERGED.containers['so-kibana'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: kibanaconfig
--- a/salt/kibana/map.jinja
+++ b/salt/kibana/map.jinja
@@ -5,7 +5,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% import_yaml 'kibana/defaults.yaml' as KIBANADEFAULTS with context %}
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 {% do KIBANADEFAULTS.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %}
 {% do KIBANADEFAULTS.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %}
--- a/salt/kibana/so_dashboard_load.sls
+++ b/salt/kibana/so_dashboard_load.sls
@@ -3,7 +3,6 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 include:
  - kibana.enabled
@@ -29,27 +28,3 @@ so-kibana-dashboard-load:
    - require:
      - sls: kibana.enabled
      - file: dashboard_saved_objects_template
 {%- if HIGHLANDER %}
 dashboard_saved_objects_template_hl:
  file.managed:
    - name: /opt/so/conf/kibana/hl.ndjson.template
    - source: salt://kibana/files/hl.ndjson
    - user: 932
    - group: 939
    - show_changes: False
 dashboard_saved_objects_hl_changes:
  file.absent:
    - names:
      - /opt/so/state/kibana_hl.txt
    - onchanges:
      - file: dashboard_saved_objects_template_hl
 so-kibana-dashboard-load_hl:
  cmd.run:
    - name: /usr/sbin/so-kibana-config-load -i /opt/so/conf/kibana/hl.ndjson.template
    - cwd: /opt/so
    - require:
      - sls: kibana.enabled
      - file: dashboard_saved_objects_template_hl
 {%- endif %}
--- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
+++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults
@@ -1,6 +1,5 @@
 #!/bin/bash
 . /usr/sbin/so-common
 {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
 wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
 ## This hackery will be removed if using Elastic Auth ##
@@ -9,10 +8,6 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
 # Disable certain Features from showing up in the Kibana UI
 echo
-echo "Setting up default Space:"
+echo "Setting up default Kibana Space:"
 {% if HIGHLANDER %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
 {% else %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV3","inventory","dataQuality","searchSynonyms","enterpriseSearchApplications","enterpriseSearchAnalytics","securitySolutionTimeline","securitySolutionNotes","entityManager"]} ' >> /opt/so/log/kibana/misc.log
 {% endif %}
 echo
--- a/salt/kratos/enabled.sls
+++ b/salt/kratos/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -19,32 +19,38 @@ so-kratos:
    - name: so-kratos
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
    - binds:
      - /opt/so/conf/kratos/:/kratos-conf:ro
      - /opt/so/log/kratos/:/kratos-log:rw
      - /nsm/kratos/db:/kratos-data:rw
-      {% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-kratos'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-kratos'].extra_env %}
+    {% if DOCKERMERGED.containers['so-kratos'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-kratos'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: unless-stopped
    - watch:
      - file: kratosschema
--- a/salt/logstash/config.sls
+++ b/salt/logstash/config.sls
@@ -36,10 +36,6 @@ logstash:
    - gid: 931
    - home: /opt/so/conf/logstash
 lslibdir:
  file.absent:
    - name: /opt/so/conf/logstash/lib
 logstash_sbin:
  file.recurse:
    - name: /usr/sbin
--- a/salt/logstash/enabled.sls
+++ b/salt/logstash/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_MERGED %}
 {%   from 'logstash/map.jinja' import LOGSTASH_NODES %}
 {%   set lsheap = LOGSTASH_MERGED.settings.lsheap %}
@@ -32,7 +32,7 @@ so-logstash:
    - name: so-logstash
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
    - user: logstash
    - extra_hosts:
    {% for node in LOGSTASH_NODES %}
@@ -40,20 +40,20 @@ so-logstash:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-logstash'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - environment:
      - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
-    {% if DOCKER.containers['so-logstash'].extra_env %}
+    {% if DOCKERMERGED.containers['so-logstash'].extra_env %}
-    {%   for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -91,11 +91,17 @@ so-logstash:
      - /opt/so/log/fleet/:/osquery/logs:ro
      - /opt/so/log/strelka:/strelka:ro
      {% endif %}
-      {% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-logstash'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: lsetcsync
      - file: trusttheca
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -63,11 +63,9 @@ yara_log_dir:
      - user
      - group
 {% if GLOBALS.os_family == 'RedHat' %}
 install_createrepo:
  pkg.installed:
    - name: createrepo_c
 {% endif %}
 repo_conf_dir:
  file.directory:
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
@@ -576,78 +576,46 @@ upgrade_check_salt() {
 upgrade_salt() {
  echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
  echo ""
-  # If rhel family
+  # Check if salt-cloud is installed
-  if [[ $is_rpm ]]; then
+  if rpm -q salt-cloud &>/dev/null; then
-    # Check if salt-cloud is installed
+    SALT_CLOUD_INSTALLED=true
-    if rpm -q salt-cloud &>/dev/null; then
+  fi
-      SALT_CLOUD_INSTALLED=true
+  # Check if salt-cloud is configured
-    fi
+  if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
-    # Check if salt-cloud is configured
+    SALT_CLOUD_CONFIGURED=true
-    if [[ -f /etc/salt/cloud.profiles.d/socloud.conf ]]; then
+  fi
-      SALT_CLOUD_CONFIGURED=true
+
-    fi
+  echo "Removing yum versionlock for Salt."
-    
+  echo ""
-    echo "Removing yum versionlock for Salt."
+  yum versionlock delete "salt"
-    echo ""
+  yum versionlock delete "salt-minion"
-    yum versionlock delete "salt"
+  yum versionlock delete "salt-master"
-    yum versionlock delete "salt-minion"
+  # Remove salt-cloud versionlock if installed
-    yum versionlock delete "salt-master"
+  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
-    # Remove salt-cloud versionlock if installed
+    yum versionlock delete "salt-cloud"
-    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
+  fi
-      yum versionlock delete "salt-cloud"
+  echo "Updating Salt packages."
-    fi
+  echo ""
-    echo "Updating Salt packages."
+  set +e
-    echo ""
+  # Run with -r to ignore repos set by bootstrap
-    set +e
+  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
    # if oracle run with -r to ignore repos set by bootstrap
    if [[ $OS == 'oracle' ]]; then
      # Add -L flag only if salt-cloud is already installed
      if [[ $SALT_CLOUD_INSTALLED == true ]]; then
        run_check_net_err \
        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
        "Could not update salt, please check $SOUP_LOG for details."
      else
        run_check_net_err \
        "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
        "Could not update salt, please check $SOUP_LOG for details."
      fi
    # if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
    else
      run_check_net_err \
      "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
      "Could not update salt, please check $SOUP_LOG for details."
    fi
    set -e
    echo "Applying yum versionlock for Salt."
    echo ""
    yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
    yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
    yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
    # Add salt-cloud versionlock if installed
    if [[ $SALT_CLOUD_INSTALLED == true ]]; then
      yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
    fi
  # Else do Ubuntu things
  elif [[ $is_deb ]]; then
    # ensure these files don't exist when upgrading from 3006.9 to 3006.16
    rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
    echo "Removing apt hold for Salt."
    echo ""
    apt-mark unhold "salt-common"
    apt-mark unhold "salt-master"
    apt-mark unhold "salt-minion"
    echo "Updating Salt packages."
    echo ""
    set +e
    run_check_net_err \
-    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
    "Could not update salt, please check $SOUP_LOG for details."
-    set -e
+  else
-    echo "Applying apt hold for Salt."
+    run_check_net_err \
-    echo ""
+    "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
-    apt-mark hold "salt-common"
+    "Could not update salt, please check $SOUP_LOG for details."
-    apt-mark hold "salt-master"
+  fi
-    apt-mark hold "salt-minion"
+  set -e
  echo "Applying yum versionlock for Salt."
  echo ""
  yum versionlock add "salt-0:$NEWSALTVERSION-0.*"
  yum versionlock add "salt-minion-0:$NEWSALTVERSION-0.*"
  yum versionlock add "salt-master-0:$NEWSALTVERSION-0.*"
  # Add salt-cloud versionlock if installed
  if [[ $SALT_CLOUD_INSTALLED == true ]]; then
    yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
  fi
  echo "Checking if Salt was upgraded."
@@ -1084,6 +1052,10 @@ main() {
  echo ""
  set_os
  if [[ ! $is_oracle ]]; then
    fail "This OS is not supported. Security Onion requires Oracle Linux 9."
  fi
  check_salt_master_status 1 || fail  "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
  echo "Checking to see if this is a manager."
@@ -1193,14 +1165,6 @@ main() {
      echo "Upgrading Salt"
      # Update the repo files so it can actually upgrade
      upgrade_salt
      # for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
      # *  WARN: Not starting daemons on Debian based distributions
      #    is not working mostly because starting them is the default behaviour.
      if [[ $is_deb ]]; then
        stop_salt_minion
        stop_salt_master
      fi
    fi
    preupgrade_changes
--- a/salt/nginx/enabled.sls
+++ b/salt/nginx/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'nginx/map.jinja' import NGINXMERGED %}
 include:
@@ -37,11 +37,11 @@ so-nginx:
    - hostname: so-nginx
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers[container_config].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
    - extra_hosts:
      - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
-    {% if DOCKER.containers[container_config].extra_hosts %}
+    {% if DOCKERMERGED.containers[container_config].extra_hosts %}
-      {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
@@ -64,20 +64,26 @@ so-nginx:
      - /opt/so/rules/nids/suri:/surirules:ro
      {%   endif %}
      {% endif %}
-      {% if DOCKER.containers[container_config].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers[container_config].extra_env %}
+    {% if DOCKERMERGED.containers[container_config].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers[container_config].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers[container_config].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - cap_add: NET_BIND_SERVICE
    - port_bindings:
-      {% for BINDING in DOCKER.containers[container_config].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - watch:
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'nginx/map.jinja' import NGINXMERGED %}
 {%- set role = grains.id.split('_') | last %}
 {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
--- a/salt/ntp/init.sls
+++ b/salt/ntp/init.sls
@@ -2,7 +2,6 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ntp/config.map.jinja' import NTPCONFIG %}
 chrony_pkg:
@@ -17,11 +16,7 @@ chronyconf:
    - defaults:
        NTPCONFIG: {{ NTPCONFIG }}
 {% if GLOBALS.os_family == 'RedHat' %}
 chronyd:
 {% else %}
 chrony:
 {% endif %}
  service.running:
    - enable: True
    - watch: 
--- a/salt/podman/files/podman.service
+++ b/salt/podman/files/podman.service
@@ -1,17 +0,0 @@
 [Unit]
 Description=Podman API Service
 Requires=podman.socket
 After=podman.socket
 Documentation=man:podman-api(1)
 StartLimitIntervalSec=0
 [Service]
 Type=oneshot
 Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
 ExecStart=/usr/bin/podman system service
 TimeoutStopSec=30
 KillMode=process
 [Install]
 WantedBy=multi-user.target
 Also=podman.socket
--- a/salt/podman/files/podman.socket
+++ b/salt/podman/files/podman.socket
@@ -1,10 +0,0 @@
 [Unit]
 Description=Podman API Socket
 Documentation=man:podman-api(1)
 [Socket]
 ListenStream=%t/podman/podman.sock
 SocketMode=0660
 [Install]
 WantedBy=sockets.target
--- a/salt/podman/files/sobridge.conflist
+++ b/salt/podman/files/sobridge.conflist
@@ -1,48 +0,0 @@
 {
   "args": {
      "podman_options": {
         "isolate": "true",
         "mtu": "1500"
      }
   },
   "cniVersion": "0.4.0",
   "name": "sobridge",
   "plugins": [
      {
         "type": "bridge",
         "bridge": "sobridge",
         "isGateway": true,
         "ipMasq": false,
         "mtu": 1500,
         "hairpinMode": false,
         "ipam": {
            "type": "host-local",
            "routes": [
               {
                  "dst": "0.0.0.0/0"
               }
            ],
            "ranges": [
               [
                  {
                     "subnet": "172.17.1.0/24",
                     "gateway": "172.17.1.1"
                  }
               ]
            ]
         },
         "capabilities": {
            "ips": true
         }
      },
      {
         "type": "portmap",
         "capabilities": {
            "portMappings": false
         }
      },
      {
         "type": "tuning"
      }
   ]
 }
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -1,56 +0,0 @@
 {% from 'docker/docker.map.jinja' import DOCKER %}
 Podman pkg:
  pkg.installed:
    - name: podman
 cnipkg:
  pkg.installed:
    - name: containernetworking-plugins
 {#
 Podman service:
  file.managed:
    - name: /usr/lib/systemd/system/podman.service
    - source: salt://podman/podman.service
 #}
 sobridgeconf:
  file.managed:
    - name: /etc/cni/net.d/sobridge.conflist
    - source: salt://podman/files/sobridge.conflist
 Podman_socket_service:
  service.running:
    - name: podman.socket
    - enable: true
 Podman_service:
  service.running:
    - name: podman.service
    - enable: true
 Docker socket:
  file.symlink:
    - name: /var/run/docker.sock
    - target: /var/run/podman/podman.sock
 podman_docker_symlink:
  file.symlink:
    - name: /usr/bin/docker
    - target: /usr/bin/podman
 {#
 sos_docker_net:
  docker_network.present:
    - name: sobridge
    - subnet: {{ DOCKER.range }}
    - gateway: {{ DOCKER.bip }}
    - options:
        com.docker.network.bridge.name: 'sobridge'
        com.docker.network.driver.mtu: '1500'
        com.docker.network.bridge.enable_ip_masquerade: 'true'
        com.docker.network.bridge.enable_icc: 'true'
        com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
    - unless: 'docker network ls | grep sobridge'
 #}
--- a/salt/redis/enabled.sls
+++ b/salt/redis/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -21,9 +21,9 @@ so-redis:
    - user: socore
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -34,23 +34,29 @@ so-redis:
      - /etc/pki/redis.crt:/certs/redis.crt:ro
      - /etc/pki/redis.key:/certs/redis.key:ro
      - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
-      {% if DOCKER.containers['so-redis'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-redis'].extra_env %}
+    {% if DOCKERMERGED.containers['so-redis'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-redis'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
    - watch:
      - file: trusttheca
--- a/salt/registry/enabled.sls
+++ b/salt/registry/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
  - registry.ssl
@@ -20,10 +20,10 @@ so-dockerregistry:
    - hostname: so-registry
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
    - restart_policy: always
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
@@ -32,25 +32,31 @@ so-dockerregistry:
      - /nsm/docker-registry/docker:/var/lib/registry/docker:rw
      - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
      - /etc/pki/registry.key:/etc/pki/registry.key:ro
-      {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    - client_timeout: 180
    - environment:
      - HOME=/root
-      {% if DOCKER.containers['so-dockerregistry'].extra_env %}
+      {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - retry:
        attempts: 5
        interval: 30
--- a/salt/repo/client/map.jinja
+++ b/salt/repo/client/map.jinja
@@ -1,43 +1,29 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% set REPOPATH = '/etc/yum.repos.d/' %}
-
+{% set ABSENTFILES = [
-{% if GLOBALS.os_family == 'RedHat' %}
+       'centos-addons.repo',
-  {% set REPOPATH = '/etc/yum.repos.d/' %}
+       'centos-devel.repo',
-{%     if GLOBALS.os == 'OEL' %}
+       'centos-extras.repo',
-  {% set ABSENTFILES = [
+       'centos.repo',
-         'centos-addons.repo',
+       'docker-ce.repo',
-         'centos-devel.repo',
+       'epel.repo',
-         'centos-extras.repo',
+       'epel-testing.repo',
-         'centos.repo',
+       'saltstack.repo',
-         'docker-ce.repo',
+       'salt-latest.repo',
-         'epel.repo',
+       'wazuh.repo'
-         'epel-testing.repo',
+       'Rocky-Base.repo',
-         'saltstack.repo',
+       'Rocky-CR.repo',
-         'salt-latest.repo',
+       'Rocky-Debuginfo.repo',
-         'wazuh.repo'
+       'Rocky-fasttrack.repo',
-         'Rocky-Base.repo',
+       'Rocky-Media.repo',
-         'Rocky-CR.repo',
+       'Rocky-Sources.repo',
-         'Rocky-Debuginfo.repo',
+       'Rocky-Vault.repo',
-         'Rocky-fasttrack.repo',
+       'Rocky-x86_64-kernel.repo',
-         'Rocky-Media.repo',
+       'rocky-addons.repo',
-         'Rocky-Sources.repo',
+       'rocky-devel.repo',
-         'Rocky-Vault.repo',
+       'rocky-extras.repo',
-         'Rocky-x86_64-kernel.repo',
+       'rocky.repo',
-         'rocky-addons.repo',
+       'oracle-linux-ol9.repo',
-         'rocky-devel.repo',
+       'uek-ol9.repo',
-         'rocky-extras.repo',
+       'virt-ol9.repo'
-         'rocky.repo',
+     ]
-         'oracle-linux-ol9.repo',
+%}
         'uek-ol9.repo',
         'virt-ol9.repo'
       ]
  %}
 {%     else %}
  {% set ABSENTFILES = [] %}
 {%    endif %}
 {% else %}
  {% set REPOPATH = '/etc/apt/sources.list.d/' %}
  {% set ABSENTFILES = [] %}
 {% endif %}
--- a/salt/salt/init.sls
+++ b/salt/salt/init.sls
@@ -1,10 +1,3 @@
 {% if grains.oscodename == 'focal' %}
 saltpymodules:
  pkg.installed:
    - pkgs:
      - python3-docker
 {% endif %}
 # distribute to minions for salt upgrades
 salt_bootstrap:
  file.managed:
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -17,22 +17,12 @@
 {% set SALTVERSION = saltminion.salt.minion.version | string %}
 {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
-{% if grains.os_family == 'Debian' %}
+{% set SPLITCHAR = '-' %}
-  {% set SPLITCHAR = '+' %}
+{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
-  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %}
+{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
  {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
 {% else %}
  {% set SPLITCHAR = '-' %}
  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
  {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}
 {% if INSTALLEDSALTVERSION != SALTVERSION %}
-  {% if grains.os_family|lower == 'redhat' %}
+  {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
  {% elif grains.os_family|lower == 'debian' %}
    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
  {% endif %}
 {% else %}
  {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -23,15 +23,6 @@ sync_runners:
    - name: saltutil.sync_runners
 {% endif %}
 # prior to 2.4.30 this engine ran on the manager with salt-minion
 # this has changed to running with the salt-master in 2.4.30
 remove_engines_config:
  file.absent:
    - name: /etc/salt/minion.d/engines.conf
    - source: salt://salt/files/engines.conf
    - watch_in:
      - service: salt_minion_service
 checkmine_engine:
  file.managed:
    - name: /etc/salt/engines/checkmine.py
--- a/salt/sensoroni/enabled.sls
+++ b/salt/sensoroni/enabled.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
@@ -23,23 +23,29 @@ so-sensoroni:
      - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-sensoroni'].extra_env %}
+    {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: /opt/so/conf/sensoroni/sensoroni.json
    - require:
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -5,7 +5,7 @@
 {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER -%}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
 {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
 {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
@@ -32,7 +32,7 @@
 {%   endif %}
 {% endfor %}
-{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
 {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
 {% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
 {%   from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
    - name: so-soc
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
    - binds:
      - /nsm/rules:/nsm/rules:rw
      - /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,21 +63,27 @@ so-soc:
      - {{hostname}}:{{ip}}
    {%   endfor %}
    {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
-    {%   for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
+    {%   for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
      - {{ XTRAHOST }}
    {%   endfor %}
    {% endif %}
    - port_bindings:
-    {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
+    {% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
      - {{ BINDING }}
    {% endfor %}
-    {% if DOCKER.containers['so-soc'].extra_env %}
+    {% if DOCKERMERGED.containers['so-soc'].extra_env %}
    - environment:
-    {%   for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
+    {%   for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
      - {{ XTRAENV }}
    {%   endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-soc'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: trusttheca
      - file: /opt/so/conf/soc/*
--- a/salt/strelka/backend/enabled.sls
+++ b/salt/strelka/backend/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,29 +18,35 @@ strelka_backend:
    - binds:
      - /opt/so/conf/strelka/backend/:/etc/strelka/:ro
      - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
-      {% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-backend
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
    - command: strelka-backend
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-backend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - restart_policy: on-failure
    - watch:
      - file: strelkasensorcompiledrules
--- a/salt/strelka/coordinator/enabled.sls
+++ b/salt/strelka/coordinator/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,32 +18,38 @@ strelka_coordinator:
    - name: so-strelka-coordinator
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
    - entrypoint: redis-server --save "" --appendonly no
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-  {% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
+  {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    - binds:
      - /nsm/strelka/coord-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
 delete_so-strelka-coordinator_so-status.disabled:
  file.uncomment:
    - name: /opt/so/conf/so-status/so-status.conf
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -47,12 +47,6 @@ filestream_config:
        FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
 # Filecheck Section
 {% if GLOBALS.os_family == 'Debian' %}
 install_watchdog:
  pkg.installed:
    - name: python3-watchdog
 {% elif GLOBALS.os_family == 'RedHat' %}
 remove_old_watchdog:
  pkg.removed:
    - name: python3-watchdog
@@ -60,7 +54,6 @@ remove_old_watchdog:
 install_watchdog:
  pkg.installed:
    - name: securityonion-python39-watchdog
 {% endif %}
 filecheck_logdir:
  file.directory:
--- a/salt/strelka/filestream/enabled.sls
+++ b/salt/strelka/filestream/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,29 +18,35 @@ strelka_filestream:
    - binds:
      - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
      - /nsm/strelka:/nsm/strelka
-      {% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-filestream
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
    - command: strelka-filestream
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-filestream'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: filestream_config
--- a/salt/strelka/frontend/enabled.sls
+++ b/salt/strelka/frontend/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,8 +18,8 @@ strelka_frontend:
    - binds:
      - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
      - /nsm/strelka/log/:/var/log/strelka/:rw
-      {% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
@@ -27,25 +27,31 @@ strelka_frontend:
    - name: so-strelka-frontend
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
    - command: strelka-frontend
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
-    {% if DOCKER.containers['so-strelka-frontend'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: frontend_config
--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -18,32 +18,38 @@ strelka_gatekeeper:
    - name: so-strelka-gatekeeper
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
    - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
    - port_bindings:
-      {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+      {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
      - {{ BINDING }}
      {% endfor %}
    - binds:
      - /nsm/strelka/gk-redis-data:/data:rw
-      {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
-    {% endif %}   
+    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
 delete_so-strelka-gatekeeper_so-status.disabled:
  file.uncomment:
--- a/salt/strelka/manager/enabled.sls
+++ b/salt/strelka/manager/enabled.sls
@@ -5,7 +5,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 include:
@@ -17,29 +17,35 @@ strelka_manager:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
    - binds:
      - /opt/so/conf/strelka/manager/:/etc/strelka/:ro
-      {% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - name: so-strelka-manager
    - networks:
      - sobridge:
-        - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
+        - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
    - command: strelka-manager
    - extra_hosts:
      - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
-      {% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
+      {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
-        {% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
+        {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
      - {{ XTRAHOST }}
        {% endfor %}
      {% endif %}
-   {% if DOCKER.containers['so-strelka-manager'].extra_env %}
+   {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: manager_config
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'suricata/map.jinja' import SURICATAMERGED %}
@@ -20,16 +20,16 @@ so-suricata:
    - privileged: True
    - environment:
      - INTERFACE={{ GLOBALS.sensor.interface }}
-      {% if DOCKER.containers['so-suricata'].extra_env %}
+      {% if DOCKERMERGED.containers['so-suricata'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
    {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
-    {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
+    {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %}
    - ulimits:
-    {%   for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
+    {%   for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
-      - {{ ULIMIT }}
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - binds:
@@ -42,15 +42,15 @@ so-suricata:
      - /nsm/suricata/extracted:/var/log/suricata//filestore:rw
      - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
      - /nsm/suripcap/:/nsm/suripcap:rw
-      {% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
    - network_mode: host
-    {% if DOCKER.containers['so-suricata'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
--- a/salt/suricata/rules/.gitkeep
+++ b/salt/suricata/rules/.gitkeep
--- a/salt/telegraf/enabled.sls
+++ b/salt/telegraf/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 include:
@@ -25,8 +25,8 @@ so-telegraf:
      - HOST_SYS=/host/sys
      - HOST_MOUNT_PREFIX=/host
      - GODEBUG=x509ignoreCN=0
-      {% if DOCKER.containers['so-telegraf'].extra_env %}
+      {% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
-        {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
+        {% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
      - {{ XTRAENV }}
        {% endfor %}
      {% endif %}
@@ -55,17 +55,23 @@ so-telegraf:
      {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
      - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
      {% endif %}
-      {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
-        {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
+        {% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %}
-    {% if DOCKER.containers['so-telegraf'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
    {% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
    - ulimits:
    {%   for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - watch:
      - file: trusttheca
      - x509: telegraf_crt
--- a/salt/telegraf/ssl.sls
+++ b/salt/telegraf/ssl.sls
@@ -46,17 +46,6 @@ telegraf_key_perms:
    - mode: 640
    - group: 939
 {%   if not GLOBALS.is_manager %}
 {# Prior to 2.4.210, minions used influxdb.crt and key for telegraf #}
 remove_influxdb.crt:
  file.absent:
    - name: /etc/pki/influxdb.crt
 remove_influxdb.key:
  file.absent:
    - name: /etc/pki/influxdb.key
 {%   endif %}
 {% else %}
 {{sls}}_state_not_allowed:
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -81,7 +81,6 @@ base:
    - suricata
    - zeek
    - strelka
    - curator.disabled
    - elastalert
    - utility
    - elasticfleet
@@ -111,7 +110,6 @@ base:
    - suricata
    - zeek
    - strelka
    - curator.disabled
    - elastalert
    - utility
    - elasticfleet
@@ -139,7 +137,6 @@ base:
    - redis
    - elastic-fleet-package-registry
    - kibana
    - curator.disabled
    - elastalert
    - utility
    - elasticfleet
@@ -168,7 +165,6 @@ base:
    - elasticsearch
    - logstash
    - redis
    - curator.disabled
    - elastic-fleet-package-registry
    - kibana
    - elastalert
@@ -238,7 +234,6 @@ base:
    - elasticsearch
    - logstash
    - redis
    - curator.disabled
    - strelka
    - suricata
    - zeek
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -1,5 +1,5 @@
 {% import 'vars/init.map.jinja' as INIT %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'global/map.jinja' import GLOBALMERGED %}
 {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
@@ -25,8 +25,8 @@
    'pcap_engine': GLOBALMERGED.pcapengine,
    'pipeline': GLOBALMERGED.pipeline,
    'so_version': INIT.PILLAR.global.soversion,
-    'so_docker_gateway': DOCKER.gateway,
+    'so_docker_gateway': DOCKERMERGED.gateway,
-    'so_docker_range': DOCKER.range,
+    'so_docker_range': DOCKERMERGED.range,
    'url_base': INIT.PILLAR.global.url_base,
    'so_model': INIT.GRAINS.get('sosmodel',''),
    'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
--- a/salt/versionlock/init.sls
+++ b/salt/versionlock/init.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% if grains.os_family == 'Debian' or (grains.os_family == 'RedHat' and salt['pkg.version']('python3-dnf-plugin-versionlock') !=  "") %}
+{% if salt['pkg.version']('python3-dnf-plugin-versionlock') != "" %}
 {%   from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
 {%   for pkg in VERSIONLOCKMERGED.hold %}
 {{pkg}}_held:
--- a/salt/versionlock/map.jinja
+++ b/salt/versionlock/map.jinja
@@ -6,11 +6,7 @@
 {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
 {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
-{% if grains.os_family == 'RedHat' %}
+{% set HELD = salt['pkg.list_holds']() %}
 {%   set HELD = salt['pkg.list_holds']() %}
 {% else %}
 {%   set HELD = salt['pkg.get_selections'](state='hold')['hold'] %}
 {% endif %}
 {# these are packages held / versionlock in other states #}
 {% set PACKAGES_HELD_IN_OTHER_STATES = [
--- a/salt/zeek/config.sls
+++ b/salt/zeek/config.sls
@@ -32,6 +32,15 @@ zeekpolicydir:
    - group: 939
    - makedirs: True
 zeekzkgsync:
  file.recurse:
    - name: /opt/so/conf/zeek/zkg
    - source: salt://zeek/zkg
    - user: 937
    - group: 939
    - makedirs: True
    - exclude_pat: README
 # Zeek Log Directory
 zeeklogdir:
  file.directory:
--- a/salt/zeek/enabled.sls
+++ b/salt/zeek/enabled.sls
@@ -6,7 +6,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
-{%   from 'docker/docker.map.jinja' import DOCKER %}
+{%   from 'docker/docker.map.jinja' import DOCKERMERGED %}
 include:
@@ -18,9 +18,12 @@ so-zeek:
    - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
    - start: True
    - privileged: True
    {% if DOCKERMERGED.containers['so-zeek'].ulimits %}
    - ulimits:
-      - core=0
+    {%   for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
-      - nofile=1048576:1048576
+      - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
    {%   endfor %}
    {% endif %}
    - binds:
      - /nsm/zeek/logs:/nsm/zeek/logs:rw
      - /nsm/zeek/spool:/nsm/zeek/spool:rw
@@ -35,21 +38,22 @@ so-zeek:
      - /opt/so/conf/zeek/policy/intel:/opt/zeek/share/zeek/policy/intel:rw
      - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
      - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
-      {% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
+      - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
-        {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
+      {% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
        {% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
      - {{ BIND }}
        {% endfor %}
      {% endif %} 
    - network_mode: host
-    {% if DOCKER.containers['so-zeek'].extra_hosts %}
+    {% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
    - extra_hosts:
-      {% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
+      {% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
      - {{ XTRAHOST }}
      {% endfor %}
    {% endif %}
-    {% if DOCKER.containers['so-zeek'].extra_env %}
+    {% if DOCKERMERGED.containers['so-zeek'].extra_env %}
    - environment:
-      {% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
+      {% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
      - {{ XTRAENV }}
      {% endfor %}
    {% endif %}
--- a/salt/zeek/zkg/README
+++ b/salt/zeek/zkg/README
@@ -0,0 +1 @@
 # Place custom Zeek packages in /opt/so/saltstack/local/salt/zeek/zkg/
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -852,74 +852,14 @@ detect_cloud() {
 detect_os() {
 	title "Detecting Base OS"
-	if [ -f /etc/redhat-release ]; then
+	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
-		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+		OS=oracle
-			OS=rocky
+		OSVER=9
-			OSVER=9
+		is_oracle=true
-			is_rocky=true
+		is_rpm=true
-			is_rpm=true
+		is_supported=true
 			not_supported=true
 			unset is_supported
 		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
 			OS=centos
 			OSVER=9
 			is_centos=true
 			is_rpm=true
 			not_supported=true
 			unset is_supported
 		elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
 			OS=alma
 			OSVER=9
 			is_alma=true
 			is_rpm=true
 			not_supported=true
 			unset is_supported
 		elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
 			if [ -f /etc/oracle-release ]; then
 				OS=oracle
 				OSVER=9
 				is_oracle=true
 				is_rpm=true
 				is_supported=true
 			else
 				OS=rhel
 				OSVER=9
 				is_rhel=true
 				is_rpm=true
 				not_supported=true
 				unset is_supported
 			fi
 		fi
 	elif [ -f /etc/os-release ]; then
 		if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
 			OSVER=focal
 			UBVER=20.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 			not_supported=true
 			unset is_supported
 		elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
 			OSVER=jammy
 			UBVER=22.04
 			OS=ubuntu
 			is_ubuntu=true
 			is_deb=true
 			not_supported=true
 			unset is_supported
 		elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
 			OSVER=bookworm
 			DEBVER=12
 			is_debian=true
 			OS=debian
 			is_deb=true
 			not_supported=true
 			unset is_supported
 		fi
 		installer_prereq_packages
 	else
-		info "We were unable to determine if you are using a supported OS."
+		info "This OS is not supported. Security Onion requires Oracle Linux 9."
 		fail_setup
 	fi
@@ -932,23 +872,6 @@ download_elastic_agent_artifacts() {
 	fi
 }
 installer_prereq_packages() {	
 	if [[ $is_deb ]]; then
 		# Print message to stdout so the user knows setup is doing something
 		info "Running apt-get update"
 		retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
 		# Install network manager so we can do interface stuff
 		if ! command -v nmcli > /dev/null 2>&1; then
 			info "Installing network-manager"
 			retry 150 10 "apt-get -y install network-manager ethtool" >> "$setup_log" 2>&1 || fail_setup
 			logCmd "systemctl enable NetworkManager"
 			logCmd "systemctl start NetworkManager"
 		fi
 		if ! command -v curl > /dev/null 2>&1; then
 			retry 150 10 "apt-get -y install curl"  >> "$setup_log" 2>&1 || fail_setup
 		fi
 	fi
 }
 disable_auto_start() {
@@ -1366,9 +1289,6 @@ create_global() {
 	echo "  mdengine: 'ZEEK'" >> $global_pillar_file
 	echo "  ids: 'Suricata'" >> $global_pillar_file
 	echo "  url_base: '$REDIRECTIT'" >> $global_pillar_file
 	if [[ $HIGHLANDER == 'True' ]]; then
 		echo "  highlander: True" >> $global_pillar_file
 	fi
 	if [[ $is_airgap ]]; then
 		echo "  airgap: True" >> $global_pillar_file
 	else 
@@ -1460,7 +1380,7 @@ network_init() {
 	title "Initializing Network"
 	disable_ipv6
 	set_hostname
-	if [[ ( $is_iso || $is_desktop_iso || $is_debian ) ]]; then
+	if [[ ( $is_iso || $is_desktop_iso ) ]]; then
 		set_management_interface
 	fi
 }
@@ -1694,11 +1614,6 @@ reinstall_init() {
 		# Uninstall local Elastic Agent, if installed
 		elastic-agent uninstall -f
 		if [[ $is_deb ]]; then
 			echo "Unholding previously held packages."
 			apt-mark unhold $(apt-mark showhold)
 		fi
 	} >> "$setup_log" 2>&1
 	info "System reinstall init has been completed."
@@ -1715,11 +1630,7 @@ reset_proxy() {
 	[[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig
-	if [[ $is_rpm ]]; then
+	sed -i "/proxy=/d" /etc/dnf/dnf.conf
 		sed -i "/proxy=/d" /etc/dnf/dnf.conf
 	else
 		[[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf
 	fi
 }
 restore_file() {
@@ -1765,14 +1676,8 @@ drop_install_options() {
 remove_package() {
 	local package_name=$1
-	if [[ $is_rpm ]]; then
+	if rpm -qa | grep -q "$package_name"; then
-		if rpm -qa | grep -q "$package_name"; then
+		logCmd "dnf remove -y $package_name"
 			logCmd "dnf remove -y $package_name"
 		fi
 	else
 		if dpkg -l | grep -q "$package_name"; then
 			retry 150 10 "apt purge -y \"$package_name\""
 		fi
 	fi
 }
@@ -1786,122 +1691,91 @@ remove_package() {
 securityonion_repo() {
 	# Remove all the current repos
-	if [[ $is_oracle ]]; then
+	logCmd "dnf -v clean all"
-		logCmd "dnf -v clean all"
+	logCmd "mkdir -vp /root/oldrepos"
-		logCmd "mkdir -vp /root/oldrepos"
+	if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
-		if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
+		logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
-			logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
+	fi
-		fi
+	if ! $is_desktop_grid; then
-		if ! $is_desktop_grid; then
+		gpg_rpm_import
-			gpg_rpm_import
+		if [[ ! $is_airgap ]]; then
-			if [[ ! $is_airgap ]]; then
+			echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
-				echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /etc/yum/mirror.txt
+			echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
-				echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/3/oracle/9" >> /etc/yum/mirror.txt
+			echo "[main]" > /etc/yum.repos.d/securityonion.repo
-				echo "[main]" > /etc/yum.repos.d/securityonion.repo
+			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
-				echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
+			echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
-				echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
+			echo "best=True" >> /etc/yum.repos.d/securityonion.repo
-				echo "best=True" >> /etc/yum.repos.d/securityonion.repo
+			echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
-				echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
+			echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
-				echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
+			echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
-				echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
+			echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
-				echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
+			echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
-				echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
+			echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
-				echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
+			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
-				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+			logCmd "dnf repolist"
-				logCmd "dnf repolist"
+		else
 			else
 				echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 				echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 				echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
 				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 				echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
 				logCmd "dnf repolist"
 			fi
 		elif [[ ! $waitforstate ]]; then
 			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
-			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo		
+			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
-		elif [[ $waitforstate ]]; then
+			logCmd "dnf repolist"
 			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
 			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 		fi
 	elif [[ ! $waitforstate ]]; then
 		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 		echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
 		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 		echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
 	elif [[ $waitforstate ]]; then
 		echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 		echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 		echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
 		echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 		echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 	fi
-	if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi
+	logCmd "dnf repolist all"
 	if [[ $waitforstate ]]; then
-		if [[ $is_rpm ]]; then
+		# Build the repo locally so we can use it
-				# Build the repo locally so we can use it
+		echo "Syncing Repos"
-				echo "Syncing Repos"
+		repo_sync_local
 				repo_sync_local
 		fi
 	fi
 }
 repo_sync_local() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Repo Sync"
-	if [[ $is_supported ]]; then
+	# Sync the repo from the SO repo locally.
-		# Sync the repo from the the SO repo locally.
+	info "Adding Repo Download Configuration"
-		# Check for reposync
+	mkdir -p /nsm/repo
-		info "Adding Repo Download Configuration"
+	mkdir -p /opt/so/conf/reposync/cache
-		mkdir -p /nsm/repo
+	echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
-		mkdir -p /opt/so/conf/reposync/cache
+	echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
-		echo "https://repo.securityonion.net/file/so-repo/prod/3/oracle/9" > /opt/so/conf/reposync/mirror.txt
+	echo "[main]" > /opt/so/conf/reposync/repodownload.conf
-		echo "https://repo-alt.securityonion.net/prod/3/oracle/9" >> /opt/so/conf/reposync/mirror.txt
+	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-		echo "[main]" > /opt/so/conf/reposync/repodownload.conf
+	echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
-		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+	echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
-		echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
+	echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
-		echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
+	echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
-		echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
+	echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
-		echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
+	echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
-		echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
+	echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
-		echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
+	echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
-		echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
+	echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
-		echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
+	echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
-		echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
+	echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
-		echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
+
-		echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
+	logCmd "dnf repolist"
-	
+
-		logCmd "dnf repolist"
+	if [[ ! $is_airgap ]]; then
-		
+		curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
-		if [[ ! $is_airgap ]]; then
+		retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
-        	curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
+		# After the download is complete run createrepo
-			retry 5 60 "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" >> "$setup_log" 2>&1 || fail_setup
+		create_repo
 			# After the download is complete run createrepo
 			create_repo
 		fi
 	else
 		# Add the proper repos for unsupported stuff
 		echo "Adding Repos"
 		if [[ $is_rpm ]]; then
 			if [[ $is_rhel ]]; then
 				logCmd "subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms"
 				info "Install epel for rhel" 
 				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
 				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
 			else  
 				logCmd "dnf config-manager --set-enabled crb"
 				logCmd "dnf -y install epel-release"
 			fi
 			dnf install -y yum-utils device-mapper-persistent-data lvm2
 			curl -fsSL https://repo.securityonion.net/file/so-repo/prod/3/so/so.repo | tee /etc/yum.repos.d/so.repo
 			rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
 			dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
 			curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo
 			dnf repolist
 			curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
 		else
 			echo "Not sure how you got here."
 			exit 1
 		fi
 	fi
 }
@@ -1909,57 +1783,13 @@ saltify() {
 	SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
 	info "Installing Salt $SALTVERSION"
 	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
 	if [[ $is_deb ]]; then
-		DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
+	if [[ $waitforstate ]]; then
-		if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi
+		# install all for a manager
-		local pkg_arr=(
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
-			'apache2-utils'
+	else
-			'ca-certificates'
+		# just a minion
-			'curl'
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
 			'software-properties-common'
 			'apt-transport-https'
 			'openssl'
 			'netcat-openbsd'
 			'jq'
 			'gnupg'
 		)
 		retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup
 		logCmd "mkdir -vp /etc/apt/keyrings"
 		logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
 		if [[ $is_ubuntu ]]; then
 			# Add Docker Repo
 			add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" 
 		else
 			# Add Docker Repo
 			curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
 			echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list 
 		fi
 		logCmd "apt-key add /etc/apt/keyrings/docker.pub"
 		retry 30 10 "apt-get update" "" "Err:" || fail_setup
 		if [[ $waitforstate ]]; then
 			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
 			retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
 			retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
 		else
 			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
 			retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup
 		fi
 	fi
 	if [[ $is_rpm ]]; then
 		if [[ $waitforstate ]]; then 
 			# install all for a manager
 			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
 		else
 			# just a minion
 			retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
 		fi
 	fi
 	salt_install_module_deps
@@ -2105,14 +1935,7 @@ set_proxy() {
 		"}" > /root/.docker/config.json
 	# Set proxy for package manager
-	if [[ $is_rpm ]]; then
+	echo "proxy=$so_proxy" >> /etc/yum.conf
 		echo "proxy=$so_proxy" >> /etc/yum.conf
 	else
 		# Set it up so the updates roll through the manager
 		printf '%s\n'\
 			"Acquire::http::Proxy \"$so_proxy\";"\
 			"Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf
 	fi
 	# Set global git proxy
 	printf '%s\n'\
@@ -2302,23 +2125,13 @@ update_sudoers_for_testing() {
 }
 update_packages() {
-	if [[ $is_oracle ]]; then
+	logCmd "dnf repolist"
-		logCmd "dnf repolist"
+	logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
-		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+	RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
-		RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
+	info "Removing repo files added by oracle-repos package update"
-		info "Removing repo files added by oracle-repos package update"
+	for FILE in ${RMREPOFILES[@]}; do
-		for FILE in ${RMREPOFILES[@]}; do
+		logCmd "rm -f /etc/yum.repos.d/$FILE"
-			logCmd "rm -f /etc/yum.repos.d/$FILE"
+	done
 		done
 	elif [[ $is_deb ]]; then
 		info "Running apt-get update"
 		retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
 		info "Running apt-get upgrade"
 		retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || fail_setup
 	else
 		info "Updating packages"
 		logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
 	fi
 }
 # This is used for development to speed up network install tests.
@@ -2328,15 +2141,7 @@ use_turbo_proxy() {
 		return
 	fi
-	if [[ $OS == 'centos' ]]; then
+	printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
 		printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
 	else
 		printf '%s\n'\
 			"Acquire {"\
 			"  HTTP::proxy \"${TURBO}:3142\";"\
 			"  HTTPS::proxy \"${TURBO}:3142\";"\
 			"}" > /etc/apt/apt.conf.d/proxy.conf
 	fi
 }
 wait_for_file() {
--- a/setup/so-preflight
+++ b/setup/so-preflight
@@ -1,213 +0,0 @@
 #!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 cd "$(dirname "$0")" || exit 255
 source ../salt/common/tools/sbin/so-common
 source ./so-functions
 script_run="$1"
 retry_count=10
 retry_sleep=5
 warning_prefix="[WARNING]"
 info_prefix="[INFO   ]"
 error_prefix="[ERROR  ]"
 if [[ $script_run == true ]]; then
 	preflight_log="${2:-'/root/preflight.log'}"
 else
 	preflight_log='/root/preflight.log'
 fi
 check_default_repos() {
 	local ret_code=0
 	local repo_str='  Checking OS default repos with '
 	if [[ $script_run == true ]]; then
 		printf '%s' "$repo_str"
 	else
 		printf '%s' "$repo_str" | tee -a "$preflight_log"
 	fi
 	if [[ $OS == 'centos' ]]; then
 		if [[ $script_run == true ]]; then
 			printf '%s' 'yum update.'
 		else
 			printf '%s' 'yum update.' | tee -a "$preflight_log"
 		fi
 		echo "" >> "$preflight_log"
 		yum -y check-update >> $preflight_log 2>&1
 		ret_code=$?
 		if [[ $ret_code == 0 || $ret_code == 100 ]]; then
 			printf '%s\n' '  SUCCESS'
 			ret_code=0
 		else
 			printf '%s\n' '  FAILURE'
 		fi
 	else
 		if [[ $script_run == true ]]; then
 			printf '%s' 'apt update.'
 		else
 			printf '%s' 'apt update.' | tee -a "$preflight_log"
 		fi
 		echo "" >> "$preflight_log"
 		retry 150 10 "apt-get -y update" >> $preflight_log 2>&1
 		ret_code=$?
 		[[ $ret_code == 0 ]] && printf '%s\n' '  SUCCESS' || printf '%s\n' '  FAILURE'
 	fi
 	return $ret_code
 }
 check_new_repos() {
 	local repo_url_str='  Checking repo URLs added by setup.'
 	if [[ $script_run == true ]]; then
 		printf '%s' "$repo_url_str"
 	else
 		printf '%s' "$repo_url_str" | tee -a "$preflight_log"
 	fi
 	if [[ $OS == 'centos' ]]; then
 		local repo_arr=( 
 			"https://download.docker.com/linux/centos/docker-ce.repo"
 			"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
 			"https://download.docker.com/linux/ubuntu/gpg"
 			)
 	else
 		local ubuntu_version
 		ubuntu_version=$(grep VERSION_ID /etc/os-release 2> /dev/null | awk -F '[ "]' '{print $2}')
 		local repo_arr=(
 			"https://download.docker.com/linux/ubuntu/gpg"
 			"https://download.docker.com/linux/ubuntu"
 			"https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub"
 		)
 	fi
 	__check_url_arr "${repo_arr[@]}"
 	local ret_code=$?
 	[[ $ret_code == 0 ]] && printf '%s\n' '  SUCCESS' || printf '%s\n' '  FAILURE'
 	return $ret_code
 }
 check_misc_urls() {
 	local misc_url_str='  Checking various other URLs used by setup.'
 	if [[ $script_run == true ]]; then
 		printf '%s' "$misc_url_str"
 	else
 		printf '%s' "$misc_url_str" | tee -a "$preflight_log"
 	fi
 	local so_version
 	so_version=$(cat ../VERSION)
 	local url_arr=(
 		"https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS"
 		"https://github.com/Neo23x0/signature-base"
 		"https://sigs.securityonion.net/$so_version/securityonion-$so_version.iso.sig"
 		"https://ghcr.io/"
 		"https://rules.emergingthreats.net/open/"
 		"https://rules.emergingthreatspro.com/"
 	)
 	__check_url_arr "${url_arr[@]}"
 	local ret_code=$?
 	[[ $ret_code == 0 ]] && printf '%s\n' '  SUCCESS' || printf '%s\n' '  FAILURE'
 	return $ret_code
 }
 __check_url_arr() {
 	local ret_code=0
 	echo "" >> "$preflight_log"
 	for url in "$@"; do
 		# Reset vars
 		local status=999 # Set status to something outside the range of normal HTTP codes but above the 200 range
 		local ret=1
 		local count=0
 		while [[ $ret != 0 && $count -lt $retry_count ]]; do
 			((count++))
 			[[ $count != 1 ]] && sleep $retry_sleep
 			status=$(curl -s -o /dev/null -w "%{http_code}" -L "$url" 2> /dev/null)
 			ret=$?
 			local count_str
 			printf -v count_str '%02d' "$count"
 			[[ $ret != 0 ]] && echo "$warning_prefix ($count_str/$retry_count) Could not reach $url, curl error code: $ret" >> "$preflight_log"
 		done
 		if [[ $ret == 0 ]]; then
 			url_success_str="Successfully reached $url"
 			if [[ $status -ge 400 ]]; then
 				echo "$warning_prefix $url_success_str but server responded with HTTP code $status." >> "$preflight_log"
 			else
 				printf '%s\n' "$info_prefix $url_success_str" >> "$preflight_log"
 			fi
 		else
 			ret_code=1
 			echo "$error_prefix Could not reach $url after $retry_count attempts." >> "$preflight_log"
 		fi
 	done
 	echo "" >> "$preflight_log"
 	return $ret_code
 }
 preflight_prereqs() {
 	local ret_code=0
 	if [[ $OS == 'centos' ]]; then
 		: # no-op to match structure of other checks for $OS var
 	else
 		retry 150 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
 	fi
 	return $ret_code
 }
 main() {
 	local intro_str="Beginning pre-flight checks."
 	local success_str="Pre-flight checks completed successfully!"
 	local fail_str="Pre-flight checks could not complete."
 	[[ -f $preflight_log ]] || touch "$preflight_log"
 	detect_os "$preflight_log"
 	if [[ $script_run == true ]]; then
 		echo "$intro_str"
 	else
 		echo "$intro_str" | tee "$preflight_log"
 	fi
 	check_default_repos &&\
 	preflight_prereqs &&\
 	check_new_repos &&\
 	check_misc_urls
 	local success=$?
 	echo ""
 	if [[ $success == 0 ]]; then
 		if [[ $script_run == true ]]; then
 			echo "$success_str"
 		else
 			echo "$success_str" | tee -a "$preflight_log"
 			echo ""
 		fi
 	else
 		if [[ $script_run == true ]]; then
 			echo "$fail_str"
 		else
 			echo "$fail_str" | tee -a "$preflight_log"
 			echo "Check $preflight_log for details."
 			echo ""
 		fi
 	fi
 	exit $success
 }
 main
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -66,36 +66,6 @@ set_timezone
 # Let's see what OS we are dealing with here
 detect_os
 # Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
 set_palette >> $setup_log 2>&1
 if [[ $not_supported ]] && [ -z "$test_profile" ]; then
 	if [[ "$OSVER" == "focal" ]]; then
 		if (whiptail_focal_warning); then
 			true
 		else
 			info "User cancelled setup."
 			whiptail_cancel
 		fi
 	else
 		if (whiptail_unsupported_os_warning); then
 			true
 		else
 			info "User cancelled setup."
 			whiptail_cancel
 		fi
 	fi
 fi
 # we need to upgrade packages on debian prior to install and reboot if there are due to iptables-restore not running properly
 # if packages are updated and the box isn't rebooted
 if [[ $is_debian ]]; then
 	update_packages
 	if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then
 		whiptail_debian_reboot_required
 		reboot
 	fi
 fi
 # Check to see if this is the setup type of "desktop".
 is_desktop=
@@ -108,7 +78,7 @@ if [ "$setup_type" = 'desktop' ]; then
 	fi
 fi
-# Make sure if ISO is specified that we are dealing with CentOS or Rocky
+# Make sure if ISO is specified that we are dealing with an RPM-based install
 title "Detecting if this is an ISO install"
 if [[ "$setup_type" == 'iso' ]]; then
 	if [[ $is_rpm ]]; then
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -27,23 +27,6 @@ whiptail_airgap() {
 	fi
 }
 whiptail_debian_reboot_required() {
 	[ -n "$TESTING" ] && return
 	read -r -d '' message <<- EOM
 	Packages were upgraded and a reboot is required prior to Security Onion installation.
 	Once the reboot has completed, rerun Security Onion setup.
 	Press TAB and then the ENTER key to reboot the system.
 	EOM
 	whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
 }
 whiptail_desktop_install() {
 	[ -n "$TESTING" ] && return
@@ -496,27 +479,6 @@ __append_end_msg() {
 	EOM
 }
 whiptail_focal_warning() {
 	[ -n "$TESTING" ] && return
 	read -r -d '' focal_warning_continue <<- EOM
 	WARNING: Ubuntu 20.04 is only supported as a minion role.
 	This node may not install or operate as expected if installed
 	as a manager, managersearch, standalone, eval, or import.
 	Would you like to continue the install?
 	EOM
 	whiptail --title "$whiptail_title" \
 		--yesno "$focal_warning_continue" 14 75 --defaultno
 	local exitstatus=$?
 	return $exitstatus
 }
 whiptail_gauge_post_setup() {
@@ -586,23 +548,15 @@ whiptail_install_type() {
 	[ -n "$TESTING" ] && return
 	# What kind of install are we doing?
-	if [[ "$OSVER" != "focal" ]]; then
+	install_type=$(whiptail --title "$whiptail_title" --menu \
-		install_type=$(whiptail --title "$whiptail_title" --menu \
+	"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
-		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
+		"IMPORT" "Import PCAP or log files " \
-			"IMPORT" "Import PCAP or log files " \
+		"EVAL" "Evaluation mode (not for production) " \
-			"EVAL" "Evaluation mode (not for production) " \
+		"STANDALONE" "Standalone production install " \
-			"STANDALONE" "Standalone production install " \
+		"DISTRIBUTED" "Distributed deployment " \
-			"DISTRIBUTED" "Distributed deployment " \
+		"DESKTOP" "Security Onion Desktop" \
-			"DESKTOP" "Security Onion Desktop" \
+		3>&1 1>&2 2>&3
-			3>&1 1>&2 2>&3
+	)
 		)
 	elif [[ "$OSVER" == "focal" ]]; then
 		install_type=$(whiptail --title "$whiptail_title" --menu \
 		"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
 			"DISTRIBUTED" "Distributed install submenu " \
 			3>&1 1>&2 2>&3
 		)
 	fi
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -623,18 +577,11 @@ whiptail_install_type_dist() {
 	[ -n "$TESTING" ] && return
 	if [[ "$OSVER" != "focal" ]]; then
 	dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \
 		"New Deployment         " "Create a new Security Onion deployment" \
 		"Existing Deployment    " "Join to an existing Security Onion deployment " \
 		 3>&1 1>&2 2>&3
 	)
 	elif [[ "$OSVER" == "focal" ]]; then
 	dist_option=$(whiptail --title "$whiptail_title" --menu "Since this is Ubuntu, this box can only be connected to \nan existing deployment." 11 75 2 \
 		"Existing Deployment    " "Join to an existing Security Onion deployment " \
 		 3>&1 1>&2 2>&3
 	)
 	fi
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -916,7 +863,7 @@ whiptail_net_method() {
 	[ -n "$TESTING" ] && return
 	local pkg_mngr
-	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
+	pkg_mngr="yum"
 	read -r -d '' options_msg <<- EOM
 	"Direct" - Internet requests connect directly to the Internet.
@@ -1133,25 +1080,11 @@ whiptail_passwords_dont_match() {
 }
 whiptail_preflight_err() {
 	[ -n "$TESTING" ] && return 1
 	read -r -d '' message <<- EOM
 	The so-preflight script failed checking one or more URLs required by setup. Check $setup_log for more details.
 	Would you like to exit setup?
 	EOM
 	whiptail --title "$whiptail_title" \
 		--yesno "$message" 11 75 \
 		--yes-button "Continue" --no-button "Exit" --defaultno
 }
 whiptail_proxy_ask() {
 	[ -n "$TESTING" ] && return
 	local pkg_mngr
-	if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
+	pkg_mngr="yum"
 	whiptail --title "$whiptail_title" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
 }
@@ -1434,48 +1367,6 @@ whiptail_storage_requirements() {
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_ubuntu_notsupported() {
 	[ -n "$TESTING" ] && return
 	read -r -d '' message <<- EOM
 		Ubuntu is not supported for this node type.
 		Please use a supported OS or install via ISO.
 	EOM
 	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
 }
 whiptail_ubuntu_warning() {
 	[ -n "$TESTING" ] && return
 	read -r -d '' message <<- EOM
 		Ubuntu support for this node type is limited.
 		Please consider using a fully supported OS or install via ISO.
 	EOM
 	whiptail --title "$whiptail_title"  --msgbox "$message" 14 75
 }
 whiptail_unsupported_os_warning() {
 	[ -n "$TESTING" ] && return
 	read -r -d '' unsupported_os_continue <<- EOM
 	WARNING: An unsupported operating system has been detected. 
 	Security Onion may not install or operate as expected. 
 	Would you like to continue the install?
 	EOM
 	whiptail --title "$whiptail_title" \
 		--yesno "$unsupported_os_continue" 14 75 --defaultno
 	local exitstatus=$?
 	return $exitstatus
 }
 whiptail_uppercase_warning() {
Author	SHA1	Message	Date
Josh Patterson	057ec6f0f1	ensure valid ulimit names	2026-03-18 12:49:46 -04:00
Josh Patterson	cacae12ba3	remove .jinja from daemon.json	2026-03-18 11:08:33 -04:00
Josh Patterson	e19e83bebb	allow user defined ulimits	2026-03-18 10:38:15 -04:00
Josh Patterson	341471d38e	DOCKER to DOCKERMERGED	2026-03-17 16:19:36 -04:00
Josh Patterson	2349750e13	DOCKER to DOCKERMERGED	2026-03-17 16:19:02 -04:00
Josh Patterson	00986dc2fd	Merge remote-tracking branch 'origin/delta' into customulimit	2026-03-17 16:04:09 -04:00
Josh Patterson	d60bef1371	add spft/hard ulimits	2026-03-17 16:00:09 -04:00
Josh Patterson	5806a85214	Merge pull request #15629 from Security-Onion-Solutions/ulimits Add customizable ulimit settings for all Docker containers	2026-03-17 15:14:31 -04:00
Mike Reeves	2d97dfc8a1	Add customizable ulimit settings for all Docker containers Add ulimits as a configurable advanced setting for every container, allowing customization through the web UI. Move hardcoded ulimits from elasticsearch and zeek into defaults.yaml and fix elasticsearch ulimits that were incorrectly nested under the environment key. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 15:10:42 -04:00
Josh Patterson	d6263812a6	move daemon.json to docker/files	2026-03-17 15:09:09 -04:00
Josh Patterson	ef7d1771ab	DOCKER TO DOCKERMERGED	2026-03-17 15:08:10 -04:00
Josh Patterson	4dc377c99f	DOCKER to DOCKERMERGED	2026-03-17 15:06:06 -04:00
Mike Reeves	4bb61d999d	Merge pull request #15628 from Security-Onion-Solutions/zeekload Add salt states for custom Zeek package loading	2026-03-17 13:40:14 -04:00
Mike Reeves	e0e0e3e97b	Exclude README from zkg sync	2026-03-17 13:36:56 -04:00
Mike Reeves	6b039b3f94	Consolidate zkg directory creation into file.recurse with makedirs	2026-03-17 13:36:03 -04:00
Josh Patterson	d2d2f0cb5f	Merge pull request #15627 from Security-Onion-Solutions/delta old code cleanup. add ja4 toggle in soc.	2026-03-17 13:24:59 -04:00
Mike Reeves	e6ee7dac7c	Add salt states for custom Zeek package loading Create /opt/so/conf/zeek/zkg directory and sync custom packages from the manager via file.recurse. Bind mount the directory into the so-zeek container so the entrypoint can install packages on startup.	2026-03-17 13:22:59 -04:00
Josh Patterson	7bf63b822d	replace placeholder files with .gitkeep to keep empty directories	2026-03-17 11:40:49 -04:00
Josh Patterson	1a7d72c630	ensure empty directory tracked by git	2026-03-17 11:11:02 -04:00
Josh Patterson	4224713cc6	Merge pull request #15624 from Security-Onion-Solutions/moreja Add SOC UI toggle for JA4+ fingerprinting	2026-03-17 09:44:04 -04:00
Josh Patterson	744d8fdd5e	Merge pull request #15620 from Security-Onion-Solutions/mreeves/remove-non-oracle9-salt Remove non-Oracle Linux 9 support from salt states	2026-03-16 17:10:24 -04:00
Josh Patterson	6feb06e623	cleanup preflight	2026-03-16 17:02:36 -04:00
Mike Reeves	afc14ec29d	Remove non-Oracle Linux 9 support from salt states Simplifies salt states, map files, and modules to only support Oracle Linux 9, removing all Debian/Ubuntu/CentOS/Rocky/AlmaLinux/RHEL conditional branches.	2026-03-16 16:58:39 -04:00
Josh Patterson	59134c65d0	Merge pull request #15619 from Security-Onion-Solutions/mreeves/remove-non-oracle9-support Remove support for non-Oracle Linux 9 operating systems	2026-03-16 16:55:59 -04:00
Josh Patterson	614537998a	remove curator.disabled from top	2026-03-16 16:44:11 -04:00
Mike Reeves	d2cee468a0	Remove support for non-Oracle Linux 9 operating systems Security Onion now exclusively supports Oracle Linux 9. This removes detection, setup, and update logic for Ubuntu, Debian, CentOS, Rocky, AlmaLinux, and RHEL.	2026-03-16 16:44:07 -04:00
Josh Patterson	94f454c311	cleanup file.absent	2026-03-16 15:57:15 -04:00
Josh Patterson	17881c9a36	cleanup highlander	2026-03-16 15:56:16 -04:00
		`@@ -0,0 +1 @@`
							`# Place custom Zeek packages in /opt/so/saltstack/local/salt/zeek/zkg/`