CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-05-10 05:12:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
1abfd77351411c4a9477daccafe8448699b3152d
securityonion/salt/orch/deploy_newnode.sls
T
Mike Reeves 1abfd77351 Hide telegraf password from console and close so-minion race 
Two fixes on the postgres telegraf fan-out path:

1. postgres.auth cmd.run leaked the password to the console because
   Salt always prints the Name: field and `show_changes: False` does
   not apply to cmd.run. Move the user and password into the `env:`
   attribute so the shell body still sees them via $PG_USER / $PG_PASS
   but Salt's state reporter never renders them.

2. so-minion's addMinion -> setupMinionFiles sequence removes the
   minion pillar file and rewrites it from scratch, which wipes the
   postgres.telegraf.* entries the reactor may have already written on
   salt-key accept. Add a postgres.auth fan-out step to
   orch.deploy_newnode (the orch so-minion kicks off after
   setupMinionFiles) and require it from the new minion's highstate.
   Idempotent via the existing unless: guard in postgres.auth.
2026-04-21 15:10:57 -04:00

50 lines
1.5 KiB
Plaintext
Raw Blame History

{% set MANAGER = salt['pillar.get']('setup:manager') %}
{% set NEWNODE = salt['pillar.get']('setup:newnode') %}
# tell the minion to populate the mine with data from mine_functions which is populated during setup
# this only needs to happen on non managers since they handle this during setup
# and they need to wait for ca creation to update the mine
{{NEWNODE}}_update_mine:
salt.function:
- name: mine.update
- tgt: {{ NEWNODE }}
- retry:
attempts: 36
interval: 5
# so-minion's setupMinionFiles rebuilds the new minion's pillar file from
# scratch, wiping any postgres.telegraf.* entries the reactor may have written
# on salt-key accept. Re-fan the cred here so the highstate below sees it.
# Idempotent via the unless: guard in postgres.auth.
manager_fanout_postgres_telegraf_{{NEWNODE}}:
salt.state:
- tgt: {{ MANAGER }}
- sls:
- postgres.auth
- queue: True
- pillar:
postgres_fanout_minion: {{ NEWNODE }}
- require:
- salt: {{NEWNODE}}_update_mine
# we need to prepare the manager for a new searchnode or heavynode
{% if NEWNODE.split('_')|last in ['searchnode', 'heavynode'] %}
manager_run_es_soc:
salt.state:
- tgt: {{ MANAGER }}
- sls:
- elasticsearch
- soc
- queue: True
- require:
- salt: {{NEWNODE}}_update_mine
{% endif %}
{{NEWNODE}}_run_highstate:
salt.state:
- tgt: {{ NEWNODE }}
- highstate: True
- queue: True
- require:
- salt: manager_fanout_postgres_telegraf_{{NEWNODE}}
Reference in New Issue View Git Blame Copy Permalink