oracle 10 testing

2026-06-06 10:25:22 +02:00 · 2026-06-03 14:11:30 -04:00
26 changed files with 139 additions and 251 deletions
@@ -11,7 +11,6 @@ body:
        -
        - 3.0.0
        - 3.1.0
-        - 3.2.0
        - Other (please provide detail below)
    validations:
      required: true
@@ -1 +1 @@
-
+20260528
@@ -1 +1 @@
-3.2.0
+3.1.0
@@ -25,11 +25,9 @@ if [ ! -f $BACKUPFILE ]; then
  # Create empty backup file
  tar -cf $BACKUPFILE -T /dev/null

-  # Loop through all paths defined in global.sls, and append them to backup file if they exist
+  # Loop through all paths defined in global.sls, and append them to backup file
  {%- for LOCATION in BACKUPLOCATIONS %}
-  if [[ -d {{ LOCATION }} || -f {{ LOCATION }} ]]; then
-    tar -rf $BACKUPFILE "${EXCLUSIONS[@]}" {{ LOCATION }}
-  fi
+  tar -rf $BACKUPFILE "${EXCLUSIONS[@]}" {{ LOCATION }}
  {%- endfor %}

 fi
@@ -26,14 +26,33 @@ commonpkgs:
      - net-tools
      - nmap-ncat
      - procps-ng
+{# OL10 test path: python3-docker / python3-m2crypto are not packaged in EPEL 10 and are not
+   referenced by SO code (salt uses its bundled docker module from salt/python_modules.sls).
+   python3-rich is also unavailable on EL10 (its pygments dep is not packaged), so it is
+   installed via pip below. Gate on the grain because GLOBALS/pillars are not available this
+   early (see header note). #}
+{% if grains['osmajorrelease']|int < 10 %}
      - python3-docker
      - python3-m2crypto
+      - python3-rich
+{% else %}
+      - python3-pip
+{% endif %}
      - python3-packaging
      - python3-pyyaml
-      - python3-rich
      - rsync
      - sqlite
      - tcpdump
      - unzip
      - wget
      - yum-utils
+
+{% if grains['osmajorrelease']|int >= 10 %}
+# OL10 test path: rich is not packaged for EL10; install it into the system python3 for so-status.
+commonpkgs_pip_rich:
+  cmd.run:
+    - name: python3 -m pip install rich
+    - unless: python3 -c "import rich"
+    - require:
+      - pkg: commonpkgs
+{% endif %}
@@ -354,7 +354,12 @@ gpg_rpm_import() {
 	else
 		local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	fi
-	RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	if [[ "$OSVER" == "10" ]]; then
+		# OL10 test path uses public repos; the public oracle-epel-release and docker repos provide their own keys
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'SALT-PROJECT-GPG-PUBKEY-2023.pub')
+	else
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	fi
 	for RPMKEY in "${RPMKEYS[@]}"; do
 		rpm --import $RPMKEYSLOC/$RPMKEY
 		echo "Imported $RPMKEY"
@@ -626,9 +631,9 @@ salt_minion_count() {
 }

 set_os() {
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+	if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 		OS=oracle
-		OSVER=9
+		OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 		is_oracle=true
 		is_rpm=true
 	fi
@@ -112,8 +112,23 @@ update_docker_containers() {
  # does not include so-elastic-fleet since that container uses so-elastic-agent image
  local IMAGES_USING_ES_VERSION=("so-elasticsearch")

-  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 
-  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 
+  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
+  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
+
+  # OL10 test path: GnuPG 2.4 enables the keybox daemon (keyboxd) by default, which deadlocks
+  # under the rapid sequential gpg --verify calls below ("waiting for lock ... keydb_search
+  # failed: Connection timed out ... No public key"). Editing the default homedir's common.conf
+  # is unreliable (gpg re-adds use-keyboxd when it re-initializes the homedir), so run all the
+  # image-signature gpg ops in a dedicated homedir whose pre-written common.conf leaves keyboxd
+  # off, forcing the classic keybox. Isolated from the system keyring and deterministic.
+  if [ "$OSVER" = "10" ]; then
+    export GNUPGHOME="$SIGNPATH/gnupg"
+    rm -rf "$GNUPGHOME" >> "$LOG_FILE" 2>&1
+    mkdir -p "$GNUPGHOME" >> "$LOG_FILE" 2>&1
+    chmod 700 "$GNUPGHOME"
+    echo "# keyboxd disabled for SO image signature verification on EL10" > "$GNUPGHOME/common.conf"
+    gpgconf --kill keyboxd gpg-agent >> "$LOG_FILE" 2>&1 || true
+  fi

  # Let's make sure we have the public key
  run_check_net_err \
@@ -18,10 +18,18 @@ dockergroup:
 dockerheldpackages:
  pkg.installed:
    - pkgs:
+{% if GLOBALS.os_version|int >= 10 %}
+      # OL10 test path: install latest Docker CE from the public repo (no .el9 builds available)
+      - containerd.io
+      - docker-ce
+      - docker-ce-cli
+      - docker-ce-rootless-extras
+{% else %}
      - containerd.io: 2.2.1-1.el9
      - docker-ce: 3:29.2.1-1.el9
      - docker-ce-cli: 1:29.2.1-1.el9
      - docker-ce-rootless-extras: 29.2.1-1.el9
+{% endif %}
    - hold: True
    - update_holds: True

@@ -103,7 +103,7 @@ kratos:
  config:
    session:
      lifespan: 
-        description: Defines the length of a login session before it will timeout, and require a new login.
+        description: Defines the length of a login session.
        global: True
        helpLink: kratos
      whoami:
@@ -31,13 +31,11 @@ sync_es_users:
      - http: wait_for_kratos
      - file: so-user.lock # require so-user.lock file to be missing

-# we dont want this added too early in setup, so the onlyif gates on the
-# /opt/so/state/setup-complete marker. The marker is written by
-# mark_setup_complete in setup/so-functions just before the final setup
-# highstate (and by an upgrade-path state for systems set up under the old gate).
+# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate'
+# is in the minion config. That line is added before the final highstate during setup
 so-user_sync:
  cron.present:
    - user: root
    - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log'
    - identifier: so-user_sync
-    - onlyif: "test -e /opt/so/state/setup-complete"
+    - onlyif: "grep -x 'startup_states: highstate' /etc/salt/minion"
@@ -188,6 +188,13 @@ airgap_update_dockers() {
  fi
 }

+backup_old_states_pillars() {
+
+	tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_default_states_pillars.tar.gz /opt/so/saltstack/default/
+	tar czf /nsm/backup/$(echo $INSTALLEDVERSION)_$(date +%Y%m%d-%H%M%S)_soup_local_states_pillars.tar.gz /opt/so/saltstack/local/
+
+}
+
 update_registry() {
  docker stop so-dockerregistry
  docker rm so-dockerregistry
@@ -363,9 +370,8 @@ preupgrade_changes() {
    # This function is to add any new pillar items if needed.
    echo "Checking to see if changes are needed."

-    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0
+    [[ "$INSTALLEDVERSION" =~ ^2\.4\.21[0-9]+$ ]] && up_to_3.0.0   
    [[ "$INSTALLEDVERSION" == "3.0.0" ]] && up_to_3.1.0
-    [[ "$INSTALLEDVERSION" == "3.1.0" ]] && up_to_3.2.0
    true
 }

@@ -375,7 +381,6 @@ postupgrade_changes() {

    [[ "$POSTVERSION" =~ ^2\.4\.21[0-9]+$ ]] && post_to_3.0.0
    [[ "$POSTVERSION" == "3.0.0" ]] && post_to_3.1.0
-    [[ "$POSTVERSION" == "3.1.0" ]] && post_to_3.2.0
    true
 }

@@ -737,48 +742,6 @@ post_to_3.1.0() {

 ### 3.1.0 End ###

-### 3.2.0 Scripts ###
-
-bootstrap_so_soc_database() {
-  # init-db.sh is mounted into so-postgres at /docker-entrypoint-initdb.d/init-db.sh
-  # and runs automatically only on a fresh data directory. Hosts upgrading from
-  # 3.1.0 already have /nsm/postgres populated, so the so_soc bootstrap block
-  # added in 3.2 never fires. Re-run the script explicitly; it's idempotent.
-  echo "Bootstrapping so_soc database via init-db.sh."
-  # The postgres image has no USER directive, so `docker exec` defaults to
-  # root, and the container env intentionally omits POSTGRES_USER (the upstream
-  # entrypoint defaults it transiently during first-init only). Recreate both
-  # so psql inside init-db.sh resolves the connect user correctly.
-  local exec_cmd="docker exec -u postgres -e POSTGRES_USER=postgres so-postgres bash /docker-entrypoint-initdb.d/init-db.sh"
-  if ! /usr/sbin/so-postgres-wait; then
-    FINAL_MESSAGE_QUEUE+=("WARNING: so-postgres was not ready during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
-    return 0
-  fi
-  if ! $exec_cmd; then
-    FINAL_MESSAGE_QUEUE+=("WARNING: init-db.sh failed inside so-postgres during the 3.2.0 upgrade; the so_soc database may not have been bootstrapped. Re-run manually: $exec_cmd")
-    return 0
-  fi
-  echo "so_soc bootstrap complete."
-}
-
-up_to_3.2.0() {
-  fix_logstash_0013_lumberjack_pipeline_name
-
-  INSTALLEDVERSION=3.2.0
-}
-
-post_to_3.2.0() {
-  bootstrap_so_soc_database
-
-  # Including agent regen script here since it was missed in post_to_3.1.0
-  echo "Regenerating Elastic Agent Installers"
-  /sbin/so-elastic-agent-gen-installers
-
-  POSTVERSION=3.2.0
-}
-
-### 3.2.0 End ###
-

 repo_sync() {
  echo "Sync the local repo."
@@ -1565,7 +1528,13 @@ EOF

 # Keeping this block in case we need to do a hotfix that requires salt update
 apply_hotfix() {
-    echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
+    if [[ "$INSTALLEDVERSION" == "3.1.0" ]] ; then
+       # Do not remove this fix_logstash_0013_lumberjack_pipeline_name in future hotfixes without first validating older
+       #  installs referencing "so/0013_input_lumberjack_fleet.conf" via pillar are upgradable
+       fix_logstash_0013_lumberjack_pipeline_name
+    else
+        echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)"
+    fi
 }

 failed_soup_restore_items() {
@@ -1637,13 +1606,13 @@ main() {
  echo "Verifying we have the latest soup script."
  verify_latest_update_script

+  echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
+  verify_es_version_compatibility
+
  echo "Let's see if we need to update Security Onion."
  upgrade_check
  upgrade_space

-  echo "Verifying Elasticsearch version compatibility across the grid before upgrading."
-  verify_es_version_compatibility
-
  echo "Checking for Salt Master and Minion updates."
  upgrade_check_salt
  set -e
@@ -1663,8 +1632,7 @@ main() {
    echo "Applying $HOTFIXVERSION hotfix"
    # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
    if [[ ! "$MINION_ROLE" == "import" ]]; then
-        echo "Running so-config-backup script."
-        /sbin/so-config-backup
+      backup_old_states_pillars
    fi
    copy_new_files
    create_local_directories "/opt/so/saltstack/default"
@@ -1720,8 +1688,8 @@ main() {
    # since we don't run the backup.config_backup state on import we wont snapshot previous version states and pillars
    if [[ ! "$MINION_ROLE" == "import" ]]; then
      echo ""
-      echo "Running so-config-backup script."
-      /sbin/so-config-backup
+      echo "Creating snapshots of default and local Salt states and pillars and saving to /nsm/backup/"
+      backup_old_states_pillars
    fi

    echo ""
@@ -17,7 +17,6 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-E
        END IF;
    END
    \$\$;
-    GRANT ALL ON SCHEMA public TO "$SO_POSTGRES_USER";
    GRANT ALL PRIVILEGES ON DATABASE "$POSTGRES_DB" TO "$SO_POSTGRES_USER";
    -- Lock the SOC database down at the connect layer; PUBLIC gets CONNECT
    -- by default, which would let per-minion telegraf roles open sessions
@@ -32,4 +31,4 @@ EOSQL
 # only ensures the shared database exists on first initialization.
 if ! psql -U "$POSTGRES_USER" -tAc "SELECT 1 FROM pg_database WHERE datname='so_telegraf'" | grep -q 1; then
    psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" -c "CREATE DATABASE so_telegraf"
-fi
+fi
@@ -18,12 +18,26 @@ include:
 {% set TG_OUT = TELEGRAFMERGED.output | upper %}
 {% if TG_OUT in ['POSTGRES', 'BOTH'] %}

+# docker_container.running returns as soon as the container starts, but on
+# first-init docker-entrypoint.sh starts a temporary postgres with
+# `listen_addresses=''` to run /docker-entrypoint-initdb.d scripts, then
+# shuts it down before exec'ing the real CMD. A default pg_isready check
+# (Unix socket) passes during that ephemeral phase and races the shutdown
+# with "the database system is shutting down". Checking TCP readiness on
+# 127.0.0.1 only succeeds after the final postgres binds the port.
 postgres_wait_ready:
  cmd.run:
-    - name: /usr/sbin/so-postgres-wait
+    - name: |
+        for i in $(seq 1 60); do
+          if docker exec so-postgres pg_isready -h 127.0.0.1 -U postgres -q 2>/dev/null; then
+            exit 0
+          fi
+          sleep 2
+        done
+        echo "so-postgres did not accept TCP connections within 120s" >&2
+        exit 1
    - require:
      - docker_container: so-postgres
-      - file: postgres_sbin

 # Ensure the shared Telegraf database exists. init-db.sh only runs on a
 # fresh data dir, so hosts upgraded onto an existing /nsm/postgres volume
@@ -1,32 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-# Wait for the so-postgres container to accept TCP connections.
-#
-# docker_container.running returns as soon as the container starts, but on
-# first-init docker-entrypoint.sh starts a temporary postgres with
-# `listen_addresses=''` to run /docker-entrypoint-initdb.d scripts, then
-# shuts it down before exec'ing the real CMD. A default pg_isready check
-# (Unix socket) passes during that ephemeral phase and races the shutdown
-# with "the database system is shutting down". Checking TCP readiness on
-# 127.0.0.1 only succeeds after the final postgres binds the port.
-#
-# Usage: so-postgres-wait [iterations] [sleep_seconds]
-# Default: 60 iterations, 2s sleep (~120s total).
-
-ITERATIONS=${1:-60}
-SLEEP_SECONDS=${2:-2}
-
-for i in $(seq 1 "$ITERATIONS"); do
-  if docker exec so-postgres pg_isready -h 127.0.0.1 -U postgres -q 2>/dev/null; then
-    exit 0
-  fi
-  sleep "$SLEEP_SECONDS"
-done
-
-echo "so-postgres did not accept TCP connections within $((ITERATIONS * SLEEP_SECONDS))s" >&2
-exit 1
@@ -1,5 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% if GLOBALS.os == 'OEL' %}
+{# OL10 test path uses public repos; skip the SO repo state (which removes public repos and points at /nsm/repo) #}
+{% if GLOBALS.os == 'OEL' and GLOBALS.os_version|int == 9 %}
 include:
  - repo.client.oracle
 {% endif %}
@@ -1,31 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-# Manages /etc/systemd/system/so-boot-highstate.service, a Type=oneshot
-# RemainAfterExit=yes unit that runs `salt-call state.highstate` exactly once
-# per system boot. Replaces the legacy `startup_states: highstate` minion
-# config, which fired on every salt-minion service restart (causing a redundant
-# highstate whenever a highstate itself restarted salt-minion).
-
-include:
-  - systemd.reload
-
-so_boot_highstate_unit_file:
-  file.managed:
-    - name: /etc/systemd/system/so-boot-highstate.service
-    - source: salt://salt/service/so-boot-highstate.service
-    - onchanges_in:
-      - module: systemd_reload
-
-# Only enable once setup is complete. Until then the gate file is missing and
-# the unit's own ConditionPathExists would no-op it anyway -- this just keeps
-# `systemctl is-enabled` honest for the sync_es_users gate.
-so_boot_highstate_service:
-  service.enabled:
-    - name: so-boot-highstate.service
-    - onlyif: test -e /opt/so/state/setup-complete
-    - require:
-      - file: so_boot_highstate_unit_file
-      - module: systemd_reload
@@ -17,7 +17,6 @@ include:
  - repo.client
  - salt.mine_functions
  - salt.minion.service_file
-  - salt.minion.boot_highstate
 {% if GLOBALS.is_manager %}
  - ca.signing_policy
 {% endif %}
@@ -81,33 +80,11 @@ set_log_levels:
      - "log_level: info"
      - "log_level_logfile: info"

-# startup_states: highstate caused a full highstate to run on every
-# salt-minion service start, including the restart triggered when a highstate
-# itself modified the minion config (beacons, mine, unit file). Replaced by
-# so-boot-highstate.service (managed in salt.minion.boot_highstate), which
-# runs once per system boot only. Strip the line from /etc/salt/minion on
-# upgrade; both the commented and uncommented forms historically existed.
-remove_startup_states:
-  file.line:
+enable_startup_states:
+  file.uncomment:
    - name: /etc/salt/minion
-    - match: 'startup_states: highstate'
-    - mode: delete
-
-# Upgrade-path bridge: systems that already passed setup under the old gate
-# (`grep -x 'startup_states: highstate' /etc/salt/minion`) get a /opt/so/state/setup-complete
-# marker so so-boot-highstate.service can be enabled and the so-user_sync cron
-# in sync_es_users.sls keeps installing. Setup-in-progress systems instead get
-# the marker from `mark_setup_complete` in setup/so-functions at the right
-# moment. `replace: false` means we never overwrite a marker once written.
-mark_setup_complete_for_upgrades:
-  file.managed:
-    - name: /opt/so/state/setup-complete
-    - replace: false
-    - makedirs: True
-    - onlyif: "grep -qx 'startup_states: highstate' /etc/salt/minion"
-    - require_in:
-      - file: remove_startup_states
-      - service: so_boot_highstate_service
+    - regex: '^startup_states: highstate$'
+    - unless: pgrep so-setup

 {% endif %}

@@ -1,14 +0,0 @@
-[Unit]
-Description=Security Onion boot-time highstate (runs once per boot)
-After=salt-minion.service network-online.target docker.service
-Wants=network-online.target docker.service
-Requires=salt-minion.service
-ConditionPathExists=/opt/so/state/setup-complete
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/salt-call state.highstate -l info queue=True
-
-[Install]
-WantedBy=multi-user.target
@@ -8,6 +8,11 @@ set_role_grain:
    - name: role
    - value: so-{{ grains.id.split("_") | last }}

+set_highstate:
+  file.append:
+    - name: /etc/salt/minion
+    - text: 'startup_states: highstate'
+
 enable_salt_minion:
  service.enabled:
    - name: salt-minion
@@ -1519,16 +1519,6 @@ soc:
              serviceAccountJSON: ""
              serviceAccountLocation: ""
              healthTimeoutSeconds: 5
-        onionconfig:
-          saltstackDir: /opt/so/saltstack
-          bypassEnabled: false
-        postgres:
-          host: ""
-          port: 5432
-          sslMode: "allow"
-          database: securityonion
-          user: ""
-          password: ""
        salt:
          queueDir: /opt/sensoroni/queue
          timeoutMs: 45000
@@ -16,14 +16,6 @@
 {% do SOCMERGED.config.server.update({'additionalCA': MANAGERMERGED.additionalCA}) %}
 {% do SOCMERGED.config.server.update({'insecureSkipVerify': MANAGERMERGED.insecureSkipVerify}) %}

-{% if not SOCMERGED.config.server.modules.postgres.host %}
-{%   do SOCMERGED.config.server.modules.postgres.update({'host': GLOBALS.manager}) %}
-{% endif %}
-{% if not SOCMERGED.config.server.modules.postgres.password %}
-{%   do SOCMERGED.config.server.modules.postgres.update({'password': salt['pillar.get']('postgres:auth:users:so_postgres_user:pass', '')}) %}
-{%   do SOCMERGED.config.server.modules.postgres.update({'user': salt['pillar.get']('postgres:auth:users:so_postgres_user:user', 'so_postgres')}) %}
-{% endif %}
-
 {# if SOCMERGED.config.server.modules.cases == httpcase details come from the soc pillar #}
 {% if SOCMERGED.config.server.modules.cases != 'soc' %}
 {%   do SOCMERGED.config.server.modules.elastic.update({'casesEnabled': false}) %}
@@ -453,42 +453,6 @@ soc:
            description: Duration (in milliseconds) that must elapse after a grid node fails to check-in before the node will be marked offline (fault).
            global: True
            advanced: True
-        onionconfig:
-          saltstackDir:
-            description: Root directory containing the SaltStack tree that SOC reads and writes configuration from. Should not be changed under normal circumstances.
-            global: True
-            advanced: True
-          bypassEnabled:
-            description: When enabled, errors encountered while reading the SaltStack pillar tree (missing files, unreadable directories, etc.) are logged but do not prevent SOC from starting or serving settings. Intended for advanced troubleshooting and recovery scenarios when the pillar tree is partially unreadable.
-            global: True
-            advanced: True
-            forcedType: bool
-        postgres:
-          host:
-            description: Hostname or IP address of the PostgreSQL server used by SOC. Defaults to the manager hostname.
-            global: True
-            advanced: True
-          port:
-            description: Port of the PostgreSQL server used by SOC.
-            global: True
-            advanced: True
-          sslMode:
-            description: "Use encrypted connections to the PostgreSQL server. Must be one of the following values: disable, allow, prefer, require, verify-ca, verify-full.  Defaults to allow."
-            global: True
-            advanced: True
-          database:
-            description: Database used by SOC to authenticate to the PostgreSQL server.
-            global: True
-            advanced: True
-          user:
-            description: Username used by SOC to authenticate to the PostgreSQL server.
-            global: True
-            advanced: True
-          password:
-            description: Password used by SOC to authenticate to the PostgreSQL server.
-            global: True
-            sensitive: True
-            advanced: True
        salt:
          longRelayTimeoutMs:
            description: Duration (in milliseconds) to wait for a response from the Salt API when executing tasks known for being long running before giving up and showing an error on the SOC UI.
@@ -854,7 +818,6 @@ soc:
          description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
          global: True
          advanced: True
-          multiline: True
          forcedType: "[]{}"
        exportNodeId:
          description: The node ID on which export jobs will be executed.
@@ -31,6 +31,7 @@
    'so_model': INIT.GRAINS.get('sosmodel',''),
    'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
    'os': INIT.GRAINS.os,
+    'os_version': INIT.GRAINS.osmajorrelease,
    'os_family': INIT.GRAINS.os_family,
    'application_urls': {},
    'manager_roles': [
@@ -539,19 +539,16 @@ configure_minion() {
 		"  x509_v2: true"\
 		"log_level: info"\
 		"log_level_logfile: info"\
-		"log_file: /opt/so/log/salt/minion" >> "$minion_config"
+		"log_file: /opt/so/log/salt/minion"\
+		"#startup_states: highstate" >> "$minion_config"

 }

-mark_setup_complete() {
-	# Writes the setup-complete marker. Salt's so-boot-highstate.service
-	# (boot-time oneshot) and the so-user_sync cron gate in
-	# salt/manager/sync_es_users.sls both key off this file.
-	local marker=/opt/so/state/setup-complete
+checkin_at_boot() {
+	local minion_config=/etc/salt/minion

-	info "Marking setup as complete"
-	mkdir -p "$(dirname "$marker")"
-	touch "$marker"
+	info "Enabling checkin at boot"
+	sed -i 's/#startup_states: highstate/startup_states: highstate/' "$minion_config"
 }

 check_requirements() {
@@ -906,14 +903,14 @@ detect_cloud() {

 detect_os() {
 	title "Detecting Base OS"
-	if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
+	if [ -f /etc/oracle-release ] && grep -qE "release (9|10)\b" /etc/oracle-release; then
 		OS=oracle
-		OSVER=9
+		OSVER=$(grep -oE "release [0-9]+" /etc/oracle-release | grep -oE "[0-9]+")
 		is_oracle=true
 		is_rpm=true
 		is_supported=true
 	else
-		info "This OS is not supported. Security Onion requires Oracle Linux 9."
+		info "This OS is not supported. Security Onion requires Oracle Linux 9 or 10."
 		fail_setup
 	fi

@@ -1786,6 +1783,15 @@ ensure_pyyaml() {
 # - securityonion/salt/salt/minion.defaults.yaml

 securityonion_repo() {
+	if [[ "$OSVER" == "10" ]]; then
+		# TEST PATH: Oracle Linux 10 uses the public OL10 + EPEL + Docker CE repos.
+		# Keep the stock /etc/yum.repos.d/* in place, skip the SO mirror and local reposync.
+		gpg_rpm_import
+		logCmd "dnf -y install oracle-epel-release-el10"
+		logCmd "dnf -y config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo"
+		logCmd "dnf repolist"
+		return
+	fi
 	# Remove all the current repos
 	logCmd "dnf -v clean all"
 	logCmd "mkdir -vp /root/oldrepos"
@@ -1880,12 +1886,19 @@ saltify() {
 	info "Installing Salt $SALTVERSION"
 	chmod u+x ../salt/salt/scripts/bootstrap-salt.sh

+	# Normally Salt packages come from the SO mirror, so -r disables the bootstrap's own repo setup.
+	# On the OL10 test path there is no SO mirror, so let bootstrap configure the public Salt repo.
+	local saltrepoflag="-r"
+	if [[ "$OSVER" == "10" ]]; then
+		saltrepoflag=""
+	fi
+
 	if [[ $waitforstate ]]; then
 		# install all for a manager
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -M -X stable $SALTVERSION" || fail_setup
 	else
 		# just a minion
-		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
+		retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh $saltrepoflag -X stable $SALTVERSION" || fail_setup
 	fi

 	salt_install_module_deps
@@ -792,7 +792,7 @@ if ! [[ -f $install_opt_file ]]; then
 			error "Failed to run so-elastic-fleet-setup"
 			fail_setup
 		fi
-		mark_setup_complete
+		checkin_at_boot
 		set_initial_firewall_access
        initialize_elasticsearch_indices "so-case so-casehistory so-assistant-session so-assistant-chat"
 		# run a final highstate before enabling scheduled highstates.
@@ -1 +1 @@
 .2.0
 .1.0