#!/bin/bash # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . . /usr/sbin/so-common local_salt_dir=/opt/so/saltstack/local cat << EOF This program will switch from the open source version of the Elastic Stack to the Features version licensed under the Elastic license. If you proceed, then we will download new Docker images and restart services. Please review the Elastic license: https://raw.githubusercontent.com/elastic/elasticsearch/master/licenses/ELASTIC-LICENSE.txt Please also note that, if you have a distributed deployment and continue with this change, Elastic traffic between nodes will change from encrypted to cleartext! (We expect to support Elastic Features Security at some point in the future.) Do you agree to the terms of the Elastic license and understand the note about encryption? If so, type AGREE to accept the Elastic license and continue. Otherwise, just press Enter to exit this program without making any changes. EOF read INPUT if [ "$INPUT" != "AGREE" ]; then exit fi echo "Please wait while switching to Elastic Features." manager_check() { # Check to see if this is a manager MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') if [[ "$MANAGERCHECK" =~ ^('so-eval'|'so-manager'|'so-standalone'|'so-managersearch')$ ]]; then echo "This is a manager. We can proceed" else echo "Please run so-features-enable on the manager." exit 0 fi } manager_check # Let's make sure we have the public key curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import - CONTAINER_REGISTRY=quay.io SIGNPATH=/root/sosigs rm -rf $SIGNPATH mkdir -p $SIGNPATH if [ -z "$BRANCH" ]; then BRANCH="master" fi VERSION=$(lookup_pillar soversion) # Modify global.sls to enable Features SUFFIX="-features" TRUSTED_CONTAINERS=( \ "so-elasticsearch" \ "so-filebeat" \ "so-kibana" \ "so-logstash" ) for i in "${TRUSTED_CONTAINERS[@]}" do # Pull down the trusted docker image echo "Downloading $i" docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX # Get signature curl https://sigs.securityonion.net/$VERSION/$i:$VERSION$SUFFIX.sig --output $SIGNPATH/$i:$VERSION$SUFFIX.sig if [[ $? -ne 0 ]]; then echo "Unable to pull signature file for $i:$VERSION$SUFFIX" exit 1 fi # Dump our hash values DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX) echo "$DOCKERINSPECT" | jq ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" > $SIGNPATH/$i:$VERSION$SUFFIX.txt echo "$DOCKERINSPECT" | jq ".[0].Created, .[0].RootFS.Layers" >> $SIGNPATH/$i:$VERSION$SUFFIX.txt if [[ $? -ne 0 ]]; then echo "Unable to inspect $i:$VERSION:$SUFFIX" exit 1 fi GPGTEST=$(gpg --verify $SIGNPATH/$i:$VERSION$SUFFIX.sig $SIGNPATH/$i:$VERSION$SUFFIX.txt 2>&1) if [[ $? -eq 0 ]]; then # Tag it with the new registry destination docker tag $CONTAINER_REGISTRY/$IMAGEREPO/$i:$VERSION$SUFFIX $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX docker push $HOSTNAME:5000/$IMAGEREPO/$i:$VERSION$SUFFIX else echo "There is a problem downloading the $i:$VERSION$SUFFIX image. Details: " echo "" echo $GPGTEST exit 1 fi done sed -i 's/features: False/features: True/' $local_salt_dir/pillar/global.sls