Compare commits
12 Commits
ulimits
...
customulim
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
057ec6f0f1 | ||
|
|
cacae12ba3 | ||
|
|
e19e83bebb | ||
|
|
341471d38e | ||
|
|
2349750e13 | ||
|
|
00986dc2fd | ||
|
|
d60bef1371 | ||
|
|
5806a85214 | ||
|
|
2d97dfc8a1 | ||
|
|
d6263812a6 | ||
|
|
ef7d1771ab | ||
|
|
4dc377c99f |
@@ -1,19 +0,0 @@
|
|||||||
{
|
|
||||||
"registry-mirrors": [
|
|
||||||
"https://:5000"
|
|
||||||
],
|
|
||||||
"bip": "172.17.0.1/24",
|
|
||||||
"default-address-pools": [
|
|
||||||
{
|
|
||||||
"base": "172.17.0.0/24",
|
|
||||||
"size": 24
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"default-ulimits": {
|
|
||||||
"nofile": {
|
|
||||||
"Name": "nofile",
|
|
||||||
"Soft": 1048576,
|
|
||||||
"Hard": 1048576
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,6 +1,10 @@
|
|||||||
docker:
|
docker:
|
||||||
range: '172.17.1.0/24'
|
range: '172.17.1.0/24'
|
||||||
gateway: '172.17.1.1'
|
gateway: '172.17.1.1'
|
||||||
|
ulimits:
|
||||||
|
- name: nofile
|
||||||
|
soft: 1048576
|
||||||
|
hard: 1048576
|
||||||
containers:
|
containers:
|
||||||
'so-dockerregistry':
|
'so-dockerregistry':
|
||||||
final_octet: 20
|
final_octet: 20
|
||||||
@@ -9,6 +13,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-elastic-fleet':
|
'so-elastic-fleet':
|
||||||
final_octet: 21
|
final_octet: 21
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -16,6 +21,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-elasticsearch':
|
'so-elasticsearch':
|
||||||
final_octet: 22
|
final_octet: 22
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -24,6 +30,16 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits:
|
||||||
|
- name: memlock
|
||||||
|
soft: -1
|
||||||
|
hard: -1
|
||||||
|
- name: nofile
|
||||||
|
soft: 65536
|
||||||
|
hard: 65536
|
||||||
|
- name: nproc
|
||||||
|
soft: 4096
|
||||||
|
hard: 4096
|
||||||
'so-influxdb':
|
'so-influxdb':
|
||||||
final_octet: 26
|
final_octet: 26
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -31,6 +47,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-kibana':
|
'so-kibana':
|
||||||
final_octet: 27
|
final_octet: 27
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -38,6 +55,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-kratos':
|
'so-kratos':
|
||||||
final_octet: 28
|
final_octet: 28
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -46,6 +64,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-hydra':
|
'so-hydra':
|
||||||
final_octet: 30
|
final_octet: 30
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -54,6 +73,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-logstash':
|
'so-logstash':
|
||||||
final_octet: 29
|
final_octet: 29
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -70,6 +90,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-nginx':
|
'so-nginx':
|
||||||
final_octet: 31
|
final_octet: 31
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -81,6 +102,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-nginx-fleet-node':
|
'so-nginx-fleet-node':
|
||||||
final_octet: 31
|
final_octet: 31
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -88,6 +110,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-redis':
|
'so-redis':
|
||||||
final_octet: 33
|
final_octet: 33
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -96,11 +119,13 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-sensoroni':
|
'so-sensoroni':
|
||||||
final_octet: 99
|
final_octet: 99
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-soc':
|
'so-soc':
|
||||||
final_octet: 34
|
final_octet: 34
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -108,16 +133,19 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-strelka-backend':
|
'so-strelka-backend':
|
||||||
final_octet: 36
|
final_octet: 36
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-strelka-filestream':
|
'so-strelka-filestream':
|
||||||
final_octet: 37
|
final_octet: 37
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-strelka-frontend':
|
'so-strelka-frontend':
|
||||||
final_octet: 38
|
final_octet: 38
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -125,11 +153,13 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-strelka-manager':
|
'so-strelka-manager':
|
||||||
final_octet: 39
|
final_octet: 39
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-strelka-gatekeeper':
|
'so-strelka-gatekeeper':
|
||||||
final_octet: 40
|
final_octet: 40
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -137,6 +167,7 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-strelka-coordinator':
|
'so-strelka-coordinator':
|
||||||
final_octet: 41
|
final_octet: 41
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -144,11 +175,13 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-elastalert':
|
'so-elastalert':
|
||||||
final_octet: 42
|
final_octet: 42
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-elastic-fleet-package-registry':
|
'so-elastic-fleet-package-registry':
|
||||||
final_octet: 44
|
final_octet: 44
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -156,11 +189,13 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-idh':
|
'so-idh':
|
||||||
final_octet: 45
|
final_octet: 45
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-elastic-agent':
|
'so-elastic-agent':
|
||||||
final_octet: 46
|
final_octet: 46
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -169,23 +204,34 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-telegraf':
|
'so-telegraf':
|
||||||
final_octet: 99
|
final_octet: 99
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
'so-suricata':
|
'so-suricata':
|
||||||
final_octet: 99
|
final_octet: 99
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
ulimits:
|
ulimits:
|
||||||
- memlock=524288000
|
- name: memlock
|
||||||
|
soft: 524288000
|
||||||
|
hard: 524288000
|
||||||
'so-zeek':
|
'so-zeek':
|
||||||
final_octet: 99
|
final_octet: 99
|
||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits:
|
||||||
|
- name: core
|
||||||
|
soft: 0
|
||||||
|
hard: 0
|
||||||
|
- name: nofile
|
||||||
|
soft: 1048576
|
||||||
|
hard: 1048576
|
||||||
'so-kafka':
|
'so-kafka':
|
||||||
final_octet: 88
|
final_octet: 88
|
||||||
port_bindings:
|
port_bindings:
|
||||||
@@ -196,3 +242,4 @@ docker:
|
|||||||
custom_bind_mounts: []
|
custom_bind_mounts: []
|
||||||
extra_hosts: []
|
extra_hosts: []
|
||||||
extra_env: []
|
extra_env: []
|
||||||
|
ulimits: []
|
||||||
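Review bot: The `so-suricata` `ulimits` default changes shape from the string `memlock=524288000` to a mapping with `name`, `soft` and `hard`, and nothing visible in this section handles a grid whose local pillar still holds the old string form. docker.map.jinja reads the pillar with `merge=True`, so such an override would presumably take the place of this default. The templates in this change read `ULIMIT.name`, `ULIMIT.soft` and `ULIMIT.hard`, which would come out empty for a plain string. Either convert existing pillar values during upgrade or have the consumers skip non-mapping entries, e.g. `{% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits if ULIMIT is mapping %}`. The so-suricata state is not shown here, so confirm how it consumes the list.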
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
|
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
|
||||||
{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
|
{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
|
||||||
{% set RANGESPLIT = DOCKER.range.split('.') %}
|
{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
|
||||||
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
|
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
|
||||||
|
|
||||||
{% for container, vals in DOCKER.containers.items() %}
|
{% for container, vals in DOCKERMERGED.containers.items() %}
|
||||||
{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
|
{% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|||||||
24
salt/docker/files/daemon.json.jinja
Normal file
24
salt/docker/files/daemon.json.jinja
Normal file
@@ -0,0 +1,24 @@
|
|||||||
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
|
||||||
|
{
|
||||||
|
"registry-mirrors": [
|
||||||
|
"https://:5000"
|
||||||
|
],
|
||||||
|
"bip": "172.17.0.1/24",
|
||||||
|
"default-address-pools": [
|
||||||
|
{
|
||||||
|
"base": "172.17.0.0/24",
|
||||||
|
"size": 24
|
||||||
|
}
|
||||||
|
]
|
||||||
|
{%- if DOCKERMERGED.ulimits %},
|
||||||
|
"default-ulimits": {
|
||||||
|
{%- for ULIMIT in DOCKERMERGED.ulimits %}
|
||||||
|
"{{ ULIMIT.name }}": {
|
||||||
|
"Name": "{{ ULIMIT.name }}",
|
||||||
|
"Soft": {{ ULIMIT.soft }},
|
||||||
|
"Hard": {{ ULIMIT.hard }}
|
||||||
|
}{{ "," if not loop.last else "" }}
|
||||||
|
{%- endfor %}
|
||||||
|
}
|
||||||
|
{%- endif %}
|
||||||
|
}
|
||||||
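Review bot: `"Soft": {{ ULIMIT.soft }}` and `"Hard": {{ ULIMIT.hard }}` are written into the document unchecked, so an entry in `DOCKERMERGED.ulimits` that lacks either key, or holds a non-numeric value, renders a daemon.json that is not valid JSON. A Docker daemon that cannot parse its configuration will not start, which takes every container on that node down with it. The SOC annotation for this setting marks only `name` as required, so such an entry looks reachable from the UI. I would restrict the loop to complete entries, `{%- for ULIMIT in DOCKERMERGED.ulimits if ULIMIT.soft is number and ULIMIT.hard is number %}`, and emit the name through the serializer, `{{ ULIMIT.name | tojson }}`, instead of hand-written quotes. Skipping silently hides the misconfiguration, so a logged warning or a failed render may be preferable, depending on how the project treats bad pillar data.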
@@ -3,7 +3,7 @@
|
|||||||
# https://securityonion.net/license; you may not use this file except in compliance with the
|
# https://securityonion.net/license; you may not use this file except in compliance with the
|
||||||
# Elastic License 2.0.
|
# Elastic License 2.0.
|
||||||
|
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
# docker service requires the ca.crt
|
# docker service requires the ca.crt
|
||||||
@@ -41,10 +41,9 @@ dockeretc:
|
|||||||
file.directory:
|
file.directory:
|
||||||
- name: /etc/docker
|
- name: /etc/docker
|
||||||
|
|
||||||
# Manager daemon.json
|
|
||||||
docker_daemon:
|
docker_daemon:
|
||||||
file.managed:
|
file.managed:
|
||||||
- source: salt://common/files/daemon.json
|
- source: salt://docker/files/daemon.json.jinja
|
||||||
- name: /etc/docker/daemon.json
|
- name: /etc/docker/daemon.json
|
||||||
- template: jinja
|
- template: jinja
|
||||||
|
|
||||||
@@ -75,8 +74,8 @@ dockerreserveports:
|
|||||||
sos_docker_net:
|
sos_docker_net:
|
||||||
docker_network.present:
|
docker_network.present:
|
||||||
- name: sobridge
|
- name: sobridge
|
||||||
- subnet: {{ DOCKER.range }}
|
- subnet: {{ DOCKERMERGED.range }}
|
||||||
- gateway: {{ DOCKER.gateway }}
|
- gateway: {{ DOCKERMERGED.gateway }}
|
||||||
- options:
|
- options:
|
||||||
com.docker.network.bridge.name: 'sobridge'
|
com.docker.network.bridge.name: 'sobridge'
|
||||||
com.docker.network.driver.mtu: '1500'
|
com.docker.network.driver.mtu: '1500'
|
||||||
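Review bot: `docker_daemon` now builds /etc/docker/daemon.json from pillar data through `salt://docker/files/daemon.json.jinja`, but the visible part of the state has no validation step before the file is replaced. With the previous source the `default-ulimits` block was fixed text; now a malformed `docker.ulimits` entry can reach the daemon's configuration. Consider a `check_cmd` on this `file.managed` so that a render which is not valid JSON is rejected instead of written, along the lines of `- check_cmd: python3 -m json.tool`. The rest of the state's arguments, and whatever restarts Docker when the file changes, lie outside the hunk, so confirm neither already covers this.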
|
|||||||
@@ -7,6 +7,25 @@ docker:
|
|||||||
description: Default docker IP range for containers.
|
description: Default docker IP range for containers.
|
||||||
helpLink: docker.html
|
helpLink: docker.html
|
||||||
advanced: True
|
advanced: True
|
||||||
|
ulimits:
|
||||||
|
description: |
|
||||||
|
Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
|
||||||
|
forcedType: "[]{}"
|
||||||
|
syntax: json
|
||||||
|
advanced: True
|
||||||
|
helpLink: docker.html
|
||||||
|
uiElements:
|
||||||
|
- field: name
|
||||||
|
label: Resource Name
|
||||||
|
required: True
|
||||||
|
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
|
||||||
|
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
|
||||||
|
- field: soft
|
||||||
|
label: Soft Limit
|
||||||
|
forcedType: int
|
||||||
|
- field: hard
|
||||||
|
label: Hard Limit
|
||||||
|
forcedType: int
|
||||||
containers:
|
containers:
|
||||||
so-dockerregistry: &dockerOptions
|
so-dockerregistry: &dockerOptions
|
||||||
final_octet:
|
final_octet:
|
||||||
@@ -39,6 +58,25 @@ docker:
|
|||||||
helpLink: docker.html
|
helpLink: docker.html
|
||||||
multiline: True
|
multiline: True
|
||||||
forcedType: "[]string"
|
forcedType: "[]string"
|
||||||
|
ulimits:
|
||||||
|
description: |
|
||||||
|
Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime.
|
||||||
|
advanced: True
|
||||||
|
helpLink: docker.html
|
||||||
|
forcedType: "[]{}"
|
||||||
|
syntax: json
|
||||||
|
uiElements:
|
||||||
|
- field: name
|
||||||
|
label: Resource Name
|
||||||
|
required: True
|
||||||
|
regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$
|
||||||
|
regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime).
|
||||||
|
- field: soft
|
||||||
|
label: Soft Limit
|
||||||
|
forcedType: int
|
||||||
|
- field: hard
|
||||||
|
label: Hard Limit
|
||||||
|
forcedType: int
|
||||||
so-elastic-fleet: *dockerOptions
|
so-elastic-fleet: *dockerOptions
|
||||||
so-elasticsearch: *dockerOptions
|
so-elasticsearch: *dockerOptions
|
||||||
so-influxdb: *dockerOptions
|
so-influxdb: *dockerOptions
|
||||||
@@ -62,42 +100,6 @@ docker:
|
|||||||
so-idh: *dockerOptions
|
so-idh: *dockerOptions
|
||||||
so-elastic-agent: *dockerOptions
|
so-elastic-agent: *dockerOptions
|
||||||
so-telegraf: *dockerOptions
|
so-telegraf: *dockerOptions
|
||||||
so-suricata:
|
so-suricata: *dockerOptions
|
||||||
final_octet:
|
|
||||||
description: Last octet of the container IP address.
|
|
||||||
helpLink: docker.html
|
|
||||||
readonly: True
|
|
||||||
advanced: True
|
|
||||||
global: True
|
|
||||||
port_bindings:
|
|
||||||
description: List of port bindings for the container.
|
|
||||||
helpLink: docker.html
|
|
||||||
advanced: True
|
|
||||||
multiline: True
|
|
||||||
forcedType: "[]string"
|
|
||||||
custom_bind_mounts:
|
|
||||||
description: List of custom local volume bindings.
|
|
||||||
advanced: True
|
|
||||||
helpLink: docker.html
|
|
||||||
multiline: True
|
|
||||||
forcedType: "[]string"
|
|
||||||
extra_hosts:
|
|
||||||
description: List of additional host entries for the container.
|
|
||||||
advanced: True
|
|
||||||
helpLink: docker.html
|
|
||||||
multiline: True
|
|
||||||
forcedType: "[]string"
|
|
||||||
extra_env:
|
|
||||||
description: List of additional ENV entries for the container.
|
|
||||||
advanced: True
|
|
||||||
helpLink: docker.html
|
|
||||||
multiline: True
|
|
||||||
forcedType: "[]string"
|
|
||||||
ulimits:
|
|
||||||
description: Ulimits for the container, in bytes.
|
|
||||||
advanced: True
|
|
||||||
helpLink: docker.html
|
|
||||||
multiline: True
|
|
||||||
forcedType: "[]string"
|
|
||||||
so-zeek: *dockerOptions
|
so-zeek: *dockerOptions
|
||||||
so-kafka: *dockerOptions
|
so-kafka: *dockerOptions
|
||||||
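Review bot: In both new `ulimits` annotations only the `name` element carries `required: True`; `soft` and `hard` have `forcedType: int` and nothing else, and the per-container description calls them "optional soft and hard limits". The templates in this change interpolate both values unconditionally, so the UI accepts entries the renderer cannot turn into a valid limit. Add `required: True` to the `soft` and `hard` elements and drop "optional" from the description, or make the templates tolerate a missing value. The description could also say that `-1` is used for unlimited, as the so-elasticsearch `memlock` default does, and that the soft limit should not exceed the hard limit.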
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- elastalert.config
|
- elastalert.config
|
||||||
@@ -24,7 +24,7 @@ so-elastalert:
|
|||||||
- user: so-elastalert
|
- user: so-elastalert
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }}
|
||||||
- detach: True
|
- detach: True
|
||||||
- binds:
|
- binds:
|
||||||
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
|
- /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
|
||||||
@@ -33,24 +33,30 @@ so-elastalert:
|
|||||||
- /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
|
- /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro
|
||||||
- /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
|
- /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro
|
||||||
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
|
- /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
|
||||||
{% if DOCKER.containers['so-elastalert'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
||||||
{% if DOCKER.containers['so-elastalert'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-elastalert'].extra_env %}
|
{% if DOCKERMERGED.containers['so-elastalert'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-elastalert'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- require:
|
- require:
|
||||||
- cmd: wait_for_elasticsearch
|
- cmd: wait_for_elasticsearch
|
||||||
- file: elastarules
|
- file: elastarules
|
||||||
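Review bot: The six-line `ulimits` block added to the so-elastalert container is repeated, with only the container name changed, in the so-elastic-fleet-package-registry, so-elastic-agent and so-elastic-fleet sections that follow. A macro exported from docker.map.jinja next to `DOCKERMERGED`, taking the container name, would keep the `name=soft:hard` formatting in one place, which is also where a guard for incomplete entries belongs. As written, `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` would presumably render `nofile=:` for an entry that sets no limits. The so-elastalert state starts before and continues after these hunks.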
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- elastic-fleet-package-registry.config
|
- elastic-fleet-package-registry.config
|
||||||
@@ -21,30 +21,36 @@ so-elastic-fleet-package-registry:
|
|||||||
- user: 948
|
- user: 948
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
|
||||||
- binds:
|
- binds:
|
||||||
{% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
|
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
delete_so-elastic-fleet-package-registry_so-status.disabled:
|
delete_so-elastic-fleet-package-registry_so-status.disabled:
|
||||||
file.uncomment:
|
file.uncomment:
|
||||||
- name: /opt/so/conf/so-status/so-status.conf
|
- name: /opt/so/conf/so-status/so-status.conf
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- ca
|
- ca
|
||||||
@@ -22,17 +22,17 @@ so-elastic-agent:
|
|||||||
- user: 949
|
- user: 949
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-elastic-agent'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -41,19 +41,25 @@ so-elastic-agent:
|
|||||||
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
|
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
|
||||||
- /nsm:/nsm:ro
|
- /nsm:/nsm:ro
|
||||||
- /opt/so/log:/opt/so/log:ro
|
- /opt/so/log:/opt/so/log:ro
|
||||||
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- environment:
|
- environment:
|
||||||
- FLEET_CA=/etc/pki/tls/certs/intca.crt
|
- FLEET_CA=/etc/pki/tls/certs/intca.crt
|
||||||
- LOGS_PATH=logs
|
- LOGS_PATH=logs
|
||||||
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
|
{% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- require:
|
- require:
|
||||||
- file: create-elastic-agent-config
|
- file: create-elastic-agent-config
|
||||||
- file: trusttheca
|
- file: trusttheca
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
|
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
|
||||||
|
|
||||||
{# This value is generated during node install and stored in minion pillar #}
|
{# This value is generated during node install and stored in minion pillar #}
|
||||||
@@ -94,17 +94,17 @@ so-elastic-fleet:
|
|||||||
- user: 947
|
- user: 947
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-elastic-fleet'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -112,8 +112,8 @@ so-elastic-fleet:
|
|||||||
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
|
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
|
||||||
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
|
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
|
||||||
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
|
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
|
||||||
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@@ -128,11 +128,17 @@ so-elastic-fleet:
|
|||||||
- FLEET_CA=/etc/pki/tls/certs/intca.crt
|
- FLEET_CA=/etc/pki/tls/certs/intca.crt
|
||||||
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
|
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
|
||||||
- LOGS_PATH=logs
|
- LOGS_PATH=logs
|
||||||
{% if DOCKER.containers['so-elastic-fleet'].extra_env %}
|
{% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: trusttheca
|
- file: trusttheca
|
||||||
- x509: etc_elasticfleet_key
|
- x509: etc_elasticfleet_key
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
|
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %}
|
||||||
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
|
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %}
|
||||||
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
|
{% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %}
|
||||||
@@ -28,15 +28,15 @@ so-elasticsearch:
|
|||||||
- user: elasticsearch
|
- user: elasticsearch
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for node in ELASTICSEARCH_NODES %}
|
{% for node in ELASTICSEARCH_NODES %}
|
||||||
{% for hostname, ip in node.items() %}
|
{% for hostname, ip in node.items() %}
|
||||||
- {{hostname}}:{{ip}}
|
- {{hostname}}:{{ip}}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-elasticsearch'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@@ -45,17 +45,19 @@ so-elasticsearch:
|
|||||||
- discovery.type=single-node
|
- discovery.type=single-node
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
|
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
|
||||||
ulimits:
|
{% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
|
||||||
- memlock=-1:-1
|
{% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %}
|
||||||
- nofile=65536:65536
|
|
||||||
- nproc=4096
|
|
||||||
{% if DOCKER.containers['so-elasticsearch'].extra_env %}
|
|
||||||
{% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %}
|
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -75,8 +77,8 @@ so-elasticsearch:
|
|||||||
- {{ repo }}:{{ repo }}:rw
|
- {{ repo }}:{{ repo }}:rw
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
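Review bot: The ulimit line `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` in the `@@ -45,17 +45,19 @@` hunk assumes every entry carries `name`, `soft` and `hard`, while the hard-coded list it replaces included `nproc=4096`, a single-value form. An entry carried over in that shape would most likely render as `nproc=4096:`, and whether that is rejected or silently misapplied depends on how the container state parses it. Emitting the hard limit only when it is set avoids this: `- {{ ULIMIT.name }}={{ ULIMIT.soft }}{% if ULIMIT.hard is defined %}:{{ ULIMIT.hard }}{% endif %}`. The same line appears in the so-elastic-fleet section above and in the so-hydra, so-idh, so-influxdb, so-kafka, so-kibana and so-kratos sections below, and would take the same change. The so-elasticsearch state body starts and ends outside the visible hunks.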
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
{%- from 'vars/globals.map.jinja' import GLOBALS %}
|
{%- from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{%- from 'docker/docker.map.jinja' import DOCKER %}
|
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
|
{%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
|
||||||
{%- set role = GLOBALS.role.split('-')[1] %}
|
{%- set role = GLOBALS.role.split('-')[1] %}
|
||||||
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
|
{%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
|
||||||
@@ -8,9 +8,9 @@
|
|||||||
{%- set D1 = [] %}
|
{%- set D1 = [] %}
|
||||||
{%- set D2 = [] %}
|
{%- set D2 = [] %}
|
||||||
{%- for container in NODE_CONTAINERS %}
|
{%- for container in NODE_CONTAINERS %}
|
||||||
{%- set IP = DOCKER.containers[container].ip %}
|
{%- set IP = DOCKERMERGED.containers[container].ip %}
|
||||||
{%- if DOCKER.containers[container].port_bindings is defined %}
|
{%- if DOCKERMERGED.containers[container].port_bindings is defined %}
|
||||||
{%- for binding in DOCKER.containers[container].port_bindings %}
|
{%- for binding in DOCKERMERGED.containers[container].port_bindings %}
|
||||||
{#- cant split int so we convert to string #}
|
{#- cant split int so we convert to string #}
|
||||||
{%- set binding = binding|string %}
|
{%- set binding = binding|string %}
|
||||||
{#- split the port binding by /. if proto not specified, default is tcp #}
|
{#- split the port binding by /. if proto not specified, default is tcp #}
|
||||||
@@ -33,13 +33,13 @@
|
|||||||
{%- set hostPort = bsa[0] %}
|
{%- set hostPort = bsa[0] %}
|
||||||
{%- set containerPort = bsa[1] %}
|
{%- set containerPort = bsa[1] %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
|
{%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
|
||||||
{%- if bindip | length and bindip != '0.0.0.0' %}
|
{%- if bindip | length and bindip != '0.0.0.0' %}
|
||||||
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
|
{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
|
||||||
{%- else %}
|
{%- else %}
|
||||||
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
|
{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
|
{%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
@@ -52,7 +52,7 @@
|
|||||||
:DOCKER - [0:0]
|
:DOCKER - [0:0]
|
||||||
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
|
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
|
||||||
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
|
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
|
||||||
-A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
|
-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
|
||||||
{%- for rule in PR %}
|
{%- for rule in PR %}
|
||||||
{{ rule }}
|
{{ rule }}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|||||||
@@ -1,11 +1,11 @@
|
|||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
|
{% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
|
||||||
|
|
||||||
{# add our ip to self #}
|
{# add our ip to self #}
|
||||||
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
|
{% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
|
||||||
{# add dockernet range #}
|
{# add dockernet range #}
|
||||||
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
|
{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
|
||||||
|
|
||||||
{% if GLOBALS.role == 'so-idh' %}
|
{% if GLOBALS.role == 'so-idh' %}
|
||||||
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
|
{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
|
||||||
|
|||||||
@@ -11,7 +11,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% if 'api' in salt['pillar.get']('features', []) %}
|
{% if 'api' in salt['pillar.get']('features', []) %}
|
||||||
|
|
||||||
@@ -26,32 +26,38 @@ so-hydra:
|
|||||||
- name: so-hydra
|
- name: so-hydra
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-hydra'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }}
|
||||||
- binds:
|
- binds:
|
||||||
- /opt/so/conf/hydra/:/hydra-conf:ro
|
- /opt/so/conf/hydra/:/hydra-conf:ro
|
||||||
- /opt/so/log/hydra/:/hydra-log:rw
|
- /opt/so/log/hydra/:/hydra-log:rw
|
||||||
- /nsm/hydra/db:/hydra-data:rw
|
- /nsm/hydra/db:/hydra-data:rw
|
||||||
{% if DOCKER.containers['so-hydra'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-hydra'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-hydra'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-hydra'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-hydra'].extra_env %}
|
{% if DOCKERMERGED.containers['so-hydra'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-hydra'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- restart_policy: unless-stopped
|
- restart_policy: unless-stopped
|
||||||
- watch:
|
- watch:
|
||||||
- file: hydraconfig
|
- file: hydraconfig
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- idh.config
|
- idh.config
|
||||||
@@ -22,23 +22,29 @@ so-idh:
|
|||||||
- /nsm/idh:/var/tmp:rw
|
- /nsm/idh:/var/tmp:rw
|
||||||
- /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
|
- /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro
|
||||||
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
|
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
|
||||||
{% if DOCKER.containers['so-idh'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-idh'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-idh'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-idh'].extra_env %}
|
{% if DOCKERMERGED.containers['so-idh'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-idh'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-idh'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: opencanary_config
|
- file: opencanary_config
|
||||||
- require:
|
- require:
|
||||||
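Review bot: The new `ulimits` block for so-idh in the `@@ -22,23 +22,29 @@` hunk is skipped entirely when the merged list is empty, so the container then runs with whatever limits the Docker daemon hands out. so-idh runs OpenCanary (see the `opencanary.conf` bind in the same hunk) and is the container here that is meant to receive untrusted connections, so a bounded `nofile`/`nproc` matters more for it than for the internal services. The defaults for this container are not visible in this section; if they are `ulimits: []`, I would set a conservative default and add a comment above the block such as `{# so-idh accepts untrusted connections: keep nofile/nproc capped in docker:containers:so-idh:ulimits #}`. The so-idh state body starts and ends outside the hunk.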
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
|
{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}
|
||||||
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
|
{% set TOKEN = salt['pillar.get']('influxdb:token') %}
|
||||||
|
|
||||||
@@ -21,7 +21,7 @@ so-influxdb:
|
|||||||
- hostname: influxdb
|
- hostname: influxdb
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }}
|
||||||
- environment:
|
- environment:
|
||||||
- INFLUXD_CONFIG_PATH=/conf/config.yaml
|
- INFLUXD_CONFIG_PATH=/conf/config.yaml
|
||||||
- INFLUXDB_HTTP_LOG_ENABLED=false
|
- INFLUXDB_HTTP_LOG_ENABLED=false
|
||||||
@@ -31,8 +31,8 @@ so-influxdb:
|
|||||||
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
|
- DOCKER_INFLUXDB_INIT_ORG=Security Onion
|
||||||
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
|
- DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term
|
||||||
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
|
- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}
|
||||||
{% if DOCKER.containers['so-influxdb'].extra_env %}
|
{% if DOCKERMERGED.containers['so-influxdb'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@@ -43,21 +43,27 @@ so-influxdb:
|
|||||||
- /nsm/influxdb:/var/lib/influxdb2:rw
|
- /nsm/influxdb:/var/lib/influxdb2:rw
|
||||||
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
|
- /etc/pki/influxdb.crt:/conf/influxdb.crt:ro
|
||||||
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
|
- /etc/pki/influxdb.key:/conf/influxdb.key:ro
|
||||||
{% if DOCKER.containers['so-influxdb'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-influxdb'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-influxdb'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: influxdbconf
|
- file: influxdbconf
|
||||||
- x509: influxdb_key
|
- x509: influxdb_key
|
||||||
|
|||||||
@@ -12,7 +12,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
|
{% set KAFKANODES = salt['pillar.get']('kafka:nodes') %}
|
||||||
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
|
{% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %}
|
||||||
{% if 'gmd' in salt['pillar.get']('features', []) %}
|
{% if 'gmd' in salt['pillar.get']('features', []) %}
|
||||||
@@ -31,22 +31,22 @@ so-kafka:
|
|||||||
- name: so-kafka
|
- name: so-kafka
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-kafka'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }}
|
||||||
- user: kafka
|
- user: kafka
|
||||||
- environment:
|
- environment:
|
||||||
KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
|
KAFKA_HEAP_OPTS: -Xmx2G -Xms1G
|
||||||
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
|
KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}"
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for node in KAFKANODES %}
|
{% for node in KAFKANODES %}
|
||||||
- {{ node }}:{{ KAFKANODES[node].ip }}
|
- {{ node }}:{{ KAFKANODES[node].ip }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-kafka'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-kafka'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-kafka'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -60,6 +60,12 @@ so-kafka:
|
|||||||
{% if KAFKA_EXTERNAL_ACCESS %}
|
{% if KAFKA_EXTERNAL_ACCESS %}
|
||||||
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
|
- /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-kafka'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
{% for sc in ['server', 'client'] %}
|
{% for sc in ['server', 'client'] %}
|
||||||
- file: kafka_kraft_{{sc}}_properties
|
- file: kafka_kraft_{{sc}}_properties
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -20,20 +20,20 @@ so-kibana:
|
|||||||
- user: kibana
|
- user: kibana
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }}
|
||||||
- environment:
|
- environment:
|
||||||
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
|
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
|
||||||
- ELASTICSEARCH_PORT=9200
|
- ELASTICSEARCH_PORT=9200
|
||||||
- MANAGER={{ GLOBALS.manager }}
|
- MANAGER={{ GLOBALS.manager }}
|
||||||
{% if DOCKER.containers['so-kibana'].extra_env %}
|
{% if DOCKERMERGED.containers['so-kibana'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
||||||
{% if DOCKER.containers['so-kibana'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-kibana'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@@ -42,15 +42,21 @@ so-kibana:
|
|||||||
- /opt/so/log/kibana:/var/log/kibana:rw
|
- /opt/so/log/kibana:/var/log/kibana:rw
|
||||||
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
|
- /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
|
||||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||||
{% if DOCKER.containers['so-kibana'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
{% if DOCKERMERGED.containers['so-kibana'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: kibanaconfig
|
- file: kibanaconfig
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -19,32 +19,38 @@ so-kratos:
|
|||||||
- name: so-kratos
|
- name: so-kratos
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }}
|
||||||
- binds:
|
- binds:
|
||||||
- /opt/so/conf/kratos/:/kratos-conf:ro
|
- /opt/so/conf/kratos/:/kratos-conf:ro
|
||||||
- /opt/so/log/kratos/:/kratos-log:rw
|
- /opt/so/log/kratos/:/kratos-log:rw
|
||||||
- /nsm/kratos/db:/kratos-data:rw
|
- /nsm/kratos/db:/kratos-data:rw
|
||||||
{% if DOCKER.containers['so-kratos'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-kratos'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-kratos'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-kratos'].extra_env %}
|
{% if DOCKERMERGED.containers['so-kratos'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-kratos'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- restart_policy: unless-stopped
|
- restart_policy: unless-stopped
|
||||||
- watch:
|
- watch:
|
||||||
- file: kratosschema
|
- file: kratosschema
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
|
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
|
||||||
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
|
{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
|
||||||
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
|
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
|
||||||
@@ -32,7 +32,7 @@ so-logstash:
|
|||||||
- name: so-logstash
|
- name: so-logstash
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }}
|
||||||
- user: logstash
|
- user: logstash
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for node in LOGSTASH_NODES %}
|
{% for node in LOGSTASH_NODES %}
|
||||||
@@ -40,20 +40,20 @@ so-logstash:
|
|||||||
- {{hostname}}:{{ip}}
|
- {{hostname}}:{{ip}}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-logstash'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-logstash'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- environment:
|
- environment:
|
||||||
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
|
- LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
|
||||||
{% if DOCKER.containers['so-logstash'].extra_env %}
|
{% if DOCKERMERGED.containers['so-logstash'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -91,11 +91,17 @@ so-logstash:
|
|||||||
- /opt/so/log/fleet/:/osquery/logs:ro
|
- /opt/so/log/fleet/:/osquery/logs:ro
|
||||||
- /opt/so/log/strelka:/strelka:ro
|
- /opt/so/log/strelka:/strelka:ro
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-logstash'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-logstash'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: lsetcsync
|
- file: lsetcsync
|
||||||
- file: trusttheca
|
- file: trusttheca
|
||||||
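Review bot: The new line `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` in the so-logstash state renders whatever the merged docker settings contain, so an entry missing `soft` or `hard`, or with soft above hard, would presumably only surface as a failure when the container is created. Because these limits bound resource use per container, I would check the entries once where DOCKERMERGED is built (`docker/docker.map.jinja`, outside this view) rather than in each state. I would also put a comment above the block, `# ulimits entries are name/soft/hard from the docker settings; an empty list leaves the daemon default in place`, with the second half confirmed against the daemon configuration. The same block appears unchanged in the so-nginx, so-redis, so-dockerregistry, so-sensoroni, so-soc and strelka states on this page. The so-logstash state itself starts outside this hunk.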
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'nginx/map.jinja' import NGINXMERGED %}
|
{% from 'nginx/map.jinja' import NGINXMERGED %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -37,11 +37,11 @@ so-nginx:
|
|||||||
- hostname: so-nginx
|
- hostname: so-nginx
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers[container_config].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
|
||||||
{% if DOCKER.containers[container_config].extra_hosts %}
|
{% if DOCKERMERGED.containers[container_config].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@@ -64,20 +64,26 @@ so-nginx:
|
|||||||
- /opt/so/rules/nids/suri:/surirules:ro
|
- /opt/so/rules/nids/suri:/surirules:ro
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers[container_config].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers[container_config].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers[container_config].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers[container_config].extra_env %}
|
{% if DOCKERMERGED.containers[container_config].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers[container_config].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers[container_config].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- cap_add: NET_BIND_SERVICE
|
- cap_add: NET_BIND_SERVICE
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers[container_config].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- watch:
|
- watch:
|
||||||
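Review bot: The six-line `ulimits` block added to so-nginx is the same text pasted into every container state in this change, with only the container key differing, so a later change to the `name=soft:hard` format has to be repeated in each file. This state already passes the key as `container_config`, which suggests the block could be a single Jinja macro next to DOCKERMERGED that takes the container name. Each state would then call it with one line such as `{{ container_ulimits(container_config) }}` (the macro name is a suggestion). The macro has to emit the list at the indentation the docker_container arguments use, which this rendering does not preserve. The so-nginx state starts outside the hunk.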
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
{%- from 'vars/globals.map.jinja' import GLOBALS %}
|
{%- from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{%- from 'docker/docker.map.jinja' import DOCKER %}
|
{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{%- from 'nginx/map.jinja' import NGINXMERGED %}
|
{%- from 'nginx/map.jinja' import NGINXMERGED %}
|
||||||
{%- set role = grains.id.split('_') | last %}
|
{%- set role = grains.id.split('_') | last %}
|
||||||
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
|
{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %}
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -21,9 +21,9 @@ so-redis:
|
|||||||
- user: socore
|
- user: socore
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -34,23 +34,29 @@ so-redis:
|
|||||||
- /etc/pki/redis.crt:/certs/redis.crt:ro
|
- /etc/pki/redis.crt:/certs/redis.crt:ro
|
||||||
- /etc/pki/redis.key:/certs/redis.key:ro
|
- /etc/pki/redis.key:/certs/redis.key:ro
|
||||||
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
|
- /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro
|
||||||
{% if DOCKER.containers['so-redis'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-redis'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-redis'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-redis'].extra_env %}
|
{% if DOCKERMERGED.containers['so-redis'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-redis'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-redis'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
|
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
|
||||||
- watch:
|
- watch:
|
||||||
- file: trusttheca
|
- file: trusttheca
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
- registry.ssl
|
- registry.ssl
|
||||||
@@ -20,10 +20,10 @@ so-dockerregistry:
|
|||||||
- hostname: so-registry
|
- hostname: so-registry
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }}
|
||||||
- restart_policy: always
|
- restart_policy: always
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -32,25 +32,31 @@ so-dockerregistry:
|
|||||||
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw
|
- /nsm/docker-registry/docker:/var/lib/registry/docker:rw
|
||||||
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro
|
- /etc/pki/registry.crt:/etc/pki/registry.crt:ro
|
||||||
- /etc/pki/registry.key:/etc/pki/registry.key:ro
|
- /etc/pki/registry.key:/etc/pki/registry.key:ro
|
||||||
{% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-dockerregistry'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- client_timeout: 180
|
- client_timeout: 180
|
||||||
- environment:
|
- environment:
|
||||||
- HOME=/root
|
- HOME=/root
|
||||||
{% if DOCKER.containers['so-dockerregistry'].extra_env %}
|
{% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- retry:
|
- retry:
|
||||||
attempts: 5
|
attempts: 5
|
||||||
interval: 30
|
interval: 30
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
# Elastic License 2.0.
|
# Elastic License 2.0.
|
||||||
|
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -23,23 +23,29 @@ so-sensoroni:
|
|||||||
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
|
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
|
||||||
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
|
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
|
||||||
- /nsm/suripcap/:/nsm/suripcap:rw
|
- /nsm/suripcap/:/nsm/suripcap:rw
|
||||||
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-sensoroni'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-sensoroni'].extra_env %}
|
{% if DOCKERMERGED.containers['so-sensoroni'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-sensoroni'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: /opt/so/conf/sensoroni/sensoroni.json
|
- file: /opt/so/conf/sensoroni/sensoroni.json
|
||||||
- require:
|
- require:
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
|
{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER -%}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED -%}
|
||||||
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
|
{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %}
|
||||||
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
|
{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
|
||||||
|
|
||||||
@@ -32,7 +32,7 @@
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
|
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
|
||||||
|
|
||||||
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
|
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
|
||||||
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
|
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
|
||||||
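Review bot: `anonymousCidr` for the statickeyauth module is now filled from `DOCKERMERGED.range`, and nothing in this hunk constrains that value. If DOCKERMERGED carries pillar overrides (the map file is outside this view), widening the docker range would also widen the network that, judging by the key name, statickeyauth treats as anonymous. I would add a comment above the line, `{# anonymousCidr follows docker.range; keep that range limited to the sobridge subnet, it is not a general allow-list #}`. It is also worth rejecting an overly short prefix where the range is merged.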
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
|
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
|
||||||
{% from 'soc/merged.map.jinja' import SOCMERGED %}
|
{% from 'soc/merged.map.jinja' import SOCMERGED %}
|
||||||
|
|
||||||
@@ -22,7 +22,7 @@ so-soc:
|
|||||||
- name: so-soc
|
- name: so-soc
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
|
||||||
- binds:
|
- binds:
|
||||||
- /nsm/rules:/nsm/rules:rw
|
- /nsm/rules:/nsm/rules:rw
|
||||||
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
|
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
|
||||||
@@ -63,21 +63,27 @@ so-soc:
|
|||||||
- {{hostname}}:{{ip}}
|
- {{hostname}}:{{ip}}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-soc'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-soc'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-soc'].extra_env %}
|
{% if DOCKERMERGED.containers['so-soc'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-soc'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-soc'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: trusttheca
|
- file: trusttheca
|
||||||
- file: /opt/so/conf/soc/*
|
- file: /opt/so/conf/soc/*
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -18,29 +18,35 @@ strelka_backend:
|
|||||||
- binds:
|
- binds:
|
||||||
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
|
- /opt/so/conf/strelka/backend/:/etc/strelka/:ro
|
||||||
- /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
|
- /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro
|
||||||
{% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- name: so-strelka-backend
|
- name: so-strelka-backend
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }}
|
||||||
- command: strelka-backend
|
- command: strelka-backend
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-strelka-backend'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-strelka-backend'].extra_env %}
|
{% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- restart_policy: on-failure
|
- restart_policy: on-failure
|
||||||
- watch:
|
- watch:
|
||||||
- file: strelkasensorcompiledrules
|
- file: strelkasensorcompiledrules
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -18,32 +18,38 @@ strelka_coordinator:
|
|||||||
- name: so-strelka-coordinator
|
- name: so-strelka-coordinator
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }}
|
||||||
- entrypoint: redis-server --save "" --appendonly no
|
- entrypoint: redis-server --save "" --appendonly no
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-strelka-coordinator'].extra_env %}
|
{% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- binds:
|
- binds:
|
||||||
- /nsm/strelka/coord-redis-data:/data:rw
|
- /nsm/strelka/coord-redis-data:/data:rw
|
||||||
{% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
delete_so-strelka-coordinator_so-status.disabled:
|
delete_so-strelka-coordinator_so-status.disabled:
|
||||||
file.uncomment:
|
file.uncomment:
|
||||||
- name: /opt/so/conf/so-status/so-status.conf
|
- name: /opt/so/conf/so-status/so-status.conf
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -18,29 +18,35 @@ strelka_filestream:
|
|||||||
- binds:
|
- binds:
|
||||||
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
|
- /opt/so/conf/strelka/filestream/:/etc/strelka/:ro
|
||||||
- /nsm/strelka:/nsm/strelka
|
- /nsm/strelka:/nsm/strelka
|
||||||
{% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- name: so-strelka-filestream
|
- name: so-strelka-filestream
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }}
|
||||||
- command: strelka-filestream
|
- command: strelka-filestream
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-strelka-filestream'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-strelka-filestream'].extra_env %}
|
{% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: filestream_config
|
- file: filestream_config
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -18,8 +18,8 @@ strelka_frontend:
|
|||||||
- binds:
|
- binds:
|
||||||
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
|
- /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
|
||||||
- /nsm/strelka/log/:/var/log/strelka/:rw
|
- /nsm/strelka/log/:/var/log/strelka/:rw
|
||||||
{% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@@ -27,25 +27,31 @@ strelka_frontend:
|
|||||||
- name: so-strelka-frontend
|
- name: so-strelka-frontend
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }}
|
||||||
- command: strelka-frontend
|
- command: strelka-frontend
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-strelka-frontend'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if DOCKER.containers['so-strelka-frontend'].extra_env %}
|
{% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: frontend_config
|
- file: frontend_config
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -18,32 +18,38 @@ strelka_gatekeeper:
|
|||||||
- name: so-strelka-gatekeeper
|
- name: so-strelka-gatekeeper
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }}
|
||||||
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
|
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- port_bindings:
|
- port_bindings:
|
||||||
{% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
|
{% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %}
|
||||||
- {{ BINDING }}
|
- {{ BINDING }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
- binds:
|
- binds:
|
||||||
- /nsm/strelka/gk-redis-data:/data:rw
|
- /nsm/strelka/gk-redis-data:/data:rw
|
||||||
{% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
|
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
delete_so-strelka-gatekeeper_so-status.disabled:
|
delete_so-strelka-gatekeeper_so-status.disabled:
|
||||||
file.uncomment:
|
file.uncomment:
|
||||||
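Review bot: The `ulimits` loop added near the end of the `strelka_gatekeeper` hunk renders `{{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` without checking that each entry carries all three keys. An entry that lacks `hard`, or that is a plain string, would most likely render an incomplete value and fail only when the container is created, not when the state is rendered. Falling back to the soft value, `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard | default(ULIMIT.soft) }}`, or validating the list where DOCKERMERGED is built, would make the failure early and predictable. The same line is added in the strelka-frontend section above and in the strelka-manager, so-suricata, so-telegraf and so-zeek sections below. The state's body starts outside the hunk.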
|
|||||||
@@ -5,7 +5,7 @@
|
|||||||
|
|
||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -17,29 +17,35 @@ strelka_manager:
|
|||||||
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
|
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }}
|
||||||
- binds:
|
- binds:
|
||||||
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
|
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
|
||||||
{% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- name: so-strelka-manager
|
- name: so-strelka-manager
|
||||||
- networks:
|
- networks:
|
||||||
- sobridge:
|
- sobridge:
|
||||||
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
|
- ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }}
|
||||||
- command: strelka-manager
|
- command: strelka-manager
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
|
||||||
{% if DOCKER.containers['so-strelka-manager'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
|
||||||
{% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-strelka-manager'].extra_env %}
|
{% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: manager_config
|
- file: manager_config
|
||||||
|
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'suricata/map.jinja' import SURICATAMERGED %}
|
{% from 'suricata/map.jinja' import SURICATAMERGED %}
|
||||||
|
|
||||||
|
|
||||||
@@ -20,16 +20,16 @@ so-suricata:
|
|||||||
- privileged: True
|
- privileged: True
|
||||||
- environment:
|
- environment:
|
||||||
- INTERFACE={{ GLOBALS.sensor.interface }}
|
- INTERFACE={{ GLOBALS.sensor.interface }}
|
||||||
{% if DOCKER.containers['so-suricata'].extra_env %}
|
{% if DOCKERMERGED.containers['so-suricata'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
|
{# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
|
||||||
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
|
{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %}
|
||||||
- ulimits:
|
- ulimits:
|
||||||
{% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
|
{% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %}
|
||||||
- {{ ULIMIT }}
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- binds:
|
- binds:
|
||||||
@@ -42,15 +42,15 @@ so-suricata:
|
|||||||
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
|
- /nsm/suricata/extracted:/var/log/suricata//filestore:rw
|
||||||
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
|
- /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro
|
||||||
- /nsm/suripcap/:/nsm/suripcap:rw
|
- /nsm/suripcap/:/nsm/suripcap:rw
|
||||||
{% if DOCKER.containers['so-suricata'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- network_mode: host
|
- network_mode: host
|
||||||
{% if DOCKER.containers['so-suricata'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-suricata'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
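Review bot: In the `so-suricata` hunk the ulimit entry changes from `{{ ULIMIT }}` to `{{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}`, so an existing override that still supplies string entries would presumably render as an empty `=:` and break container creation after upgrade. The block is also still gated on `mmap-locked == "yes"`, so limits set for this container are silently dropped whenever mmap-locked is off, unlike the other containers in this commit. If the gate is meant for memory locking only, a comment such as `{# ulimits are only applied when af-packet mmap-locked is enabled #}` would say so; otherwise the condition could be reduced to `{% if DOCKERMERGED.containers['so-suricata'].ulimits %}`. Whether old string-form values are migrated is not visible in this section.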
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
|
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -25,8 +25,8 @@ so-telegraf:
|
|||||||
- HOST_SYS=/host/sys
|
- HOST_SYS=/host/sys
|
||||||
- HOST_MOUNT_PREFIX=/host
|
- HOST_MOUNT_PREFIX=/host
|
||||||
- GODEBUG=x509ignoreCN=0
|
- GODEBUG=x509ignoreCN=0
|
||||||
{% if DOCKER.containers['so-telegraf'].extra_env %}
|
{% if DOCKERMERGED.containers['so-telegraf'].extra_env %}
|
||||||
{% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
@@ -55,17 +55,23 @@ so-telegraf:
|
|||||||
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
|
{% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %}
|
||||||
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
|
- /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-telegraf'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-telegraf'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if DOCKERMERGED.containers['so-telegraf'].ulimits %}
|
||||||
|
- ulimits:
|
||||||
|
{% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %}
|
||||||
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- watch:
|
- watch:
|
||||||
- file: trusttheca
|
- file: trusttheca
|
||||||
- x509: telegraf_crt
|
- x509: telegraf_crt
|
||||||
|
|||||||
@@ -1,5 +1,5 @@
|
|||||||
{% import 'vars/init.map.jinja' as INIT %}
|
{% import 'vars/init.map.jinja' as INIT %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
{% from 'global/map.jinja' import GLOBALMERGED %}
|
{% from 'global/map.jinja' import GLOBALMERGED %}
|
||||||
|
|
||||||
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
|
{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
|
||||||
@@ -25,8 +25,8 @@
|
|||||||
'pcap_engine': GLOBALMERGED.pcapengine,
|
'pcap_engine': GLOBALMERGED.pcapengine,
|
||||||
'pipeline': GLOBALMERGED.pipeline,
|
'pipeline': GLOBALMERGED.pipeline,
|
||||||
'so_version': INIT.PILLAR.global.soversion,
|
'so_version': INIT.PILLAR.global.soversion,
|
||||||
'so_docker_gateway': DOCKER.gateway,
|
'so_docker_gateway': DOCKERMERGED.gateway,
|
||||||
'so_docker_range': DOCKER.range,
|
'so_docker_range': DOCKERMERGED.range,
|
||||||
'url_base': INIT.PILLAR.global.url_base,
|
'url_base': INIT.PILLAR.global.url_base,
|
||||||
'so_model': INIT.GRAINS.get('sosmodel',''),
|
'so_model': INIT.GRAINS.get('sosmodel',''),
|
||||||
'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
|
'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey,
|
||||||
|
|||||||
@@ -6,7 +6,7 @@
|
|||||||
{% from 'allowed_states.map.jinja' import allowed_states %}
|
{% from 'allowed_states.map.jinja' import allowed_states %}
|
||||||
{% if sls.split('.')[0] in allowed_states %}
|
{% if sls.split('.')[0] in allowed_states %}
|
||||||
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
{% from 'vars/globals.map.jinja' import GLOBALS %}
|
||||||
{% from 'docker/docker.map.jinja' import DOCKER %}
|
{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
|
||||||
|
|
||||||
|
|
||||||
include:
|
include:
|
||||||
@@ -18,9 +18,12 @@ so-zeek:
|
|||||||
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
|
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }}
|
||||||
- start: True
|
- start: True
|
||||||
- privileged: True
|
- privileged: True
|
||||||
|
{% if DOCKERMERGED.containers['so-zeek'].ulimits %}
|
||||||
- ulimits:
|
- ulimits:
|
||||||
- core=0
|
{% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %}
|
||||||
- nofile=1048576:1048576
|
- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
- binds:
|
- binds:
|
||||||
- /nsm/zeek/logs:/nsm/zeek/logs:rw
|
- /nsm/zeek/logs:/nsm/zeek/logs:rw
|
||||||
- /nsm/zeek/spool:/nsm/zeek/spool:rw
|
- /nsm/zeek/spool:/nsm/zeek/spool:rw
|
||||||
@@ -36,21 +39,21 @@ so-zeek:
|
|||||||
- /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
|
- /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro
|
||||||
- /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
|
- /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro
|
||||||
- /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
|
- /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro
|
||||||
{% if DOCKER.containers['so-zeek'].custom_bind_mounts %}
|
{% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
|
||||||
{% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %}
|
{% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %}
|
||||||
- {{ BIND }}
|
- {{ BIND }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
- network_mode: host
|
- network_mode: host
|
||||||
{% if DOCKER.containers['so-zeek'].extra_hosts %}
|
{% if DOCKERMERGED.containers['so-zeek'].extra_hosts %}
|
||||||
- extra_hosts:
|
- extra_hosts:
|
||||||
{% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %}
|
{% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %}
|
||||||
- {{ XTRAHOST }}
|
- {{ XTRAHOST }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if DOCKER.containers['so-zeek'].extra_env %}
|
{% if DOCKERMERGED.containers['so-zeek'].extra_env %}
|
||||||
- environment:
|
- environment:
|
||||||
{% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %}
|
{% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %}
|
||||||
- {{ XTRAENV }}
|
- {{ XTRAENV }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
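Review bot: The hard-coded `core=0` and `nofile=1048576:1048576` limits on this privileged container are replaced by whatever `DOCKERMERGED.containers['so-zeek'].ulimits` holds, and the whole `- ulimits:` key disappears when that list is empty. The so-zeek defaults are not visible in this section, so confirm they still carry a `core` entry with soft and hard 0 and the previous `nofile` values. Without them, core dumps of a process that handles captured traffic become possible and the descriptor limit falls back to the daemon default. A short comment above the loop, `{# so-zeek defaults must keep core at 0 and the raised nofile limit #}`, would record that removing the literals was deliberate.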
|
|||||||