Josh Patterson 8a3f5d0f81 Gate so-salt-minion-wait on real minion readiness
The previous gate did not detect whether the restarted minion was back:

  systemctl is-active --quiet salt-minion \
    && salt-call --local --timeout=5 --out=quiet test.ping

Both halves are near-vacuous. `--local` sets file_client=local, so test.ping
runs in a throwaway minion that never contacts the master and never inspects
the running daemon; it only proves python and the module loader work. And the
shipped unit is Type=notify with notify_systemd() called before the daemon
imports salt.cli.daemons, so is-active goes true at process launch, not at
connection. The script could return ready while the minion was still
authenticating, which is the race it exists to prevent.

Gate instead on the condition salt itself uses to log "Minion is ready to
receive requests!", requiring both signals of the current daemon instance:

  1. the pid-tagged ready line in the minion log. tune_in() emits it only
     after sync_connect_master() returns, i.e. the pub channel authenticated,
     the req channel connected, and _post_master_init() finished loading
     modules and compiling pillar.
  2. that same pid holding an ESTABLISHED req connection to a master on 4506
     plus a second (publish) connection to the same master IP. The publish
     port is absent from minion config -- the minion learns it from the
     master's auth reply -- so it is derived from the connection.

Resolve the daemon pid from systemd (MainPID -> pgrep -P), never from
/var/run/salt-minion.pid. salt_minion() runs the minion in a multiprocessing
child; that child writes the pidfile, owns the sockets and logs the ready
line, while MainPID is the parent. During a restart the pidfile still names
the old child, whose own ready line is already in the log, so keying off it
reports ready instantly. Children of the current MainPID exclude the old
instance structurally, with no timing assumptions.

Degrade deterministically rather than spinning to the timeout: if
log_level_logfile does not emit INFO records the ready line can never appear,
so detect that up front from the merged config and fall back to the socket
check. log_level_logfile defaults to None (inherit log_level), so resolve the
inheritance before deciding. If ss is unavailable, fall back to the log gate.
If neither signal is usable, fail immediately with a clear message.

Requiring master connectivity adds no new dependency: every path that applies
salt.minion or a highstate does so without --local, so file_client=remote
already required a reachable master to fetch salt:// files. No salt-call
master round-trip is added; the daemon's own successful auth already proves
the key is accepted.

Also fix the comment above wait_for_salt_minion_ready, which attributed the
script to common_sbin/common/tools/sbin (it is deployed by salt_sbin from
salt/tools/sbin) and asserted a --no-block restart that appears nowhere in
the repo. No state logic changed.
2026-07-09 16:55:30 -04:00
2023-12-19 18:58:17 +00:00
2024-04-11 15:32:00 -04:00
2026-05-28 09:34:17 -04:00
2025-06-27 11:00:35 -04:00
2026-04-01 10:47:59 -04:00
2026-05-28 09:34:17 -04:00
2026-05-28 10:24:47 -04:00
2020-11-17 09:00:02 -05:00
2025-02-20 11:07:50 -05:00
2026-03-04 15:48:16 -05:00
2026-03-05 11:05:19 -05:00
2023-06-26 16:01:58 -04:00
2022-09-07 09:06:25 -04:00
ver
2026-06-11 08:18:38 -04:00

Security Onion Logo

Security Onion

Security Onion is a free and open Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes a comprehensive suite of tools designed to work together to provide visibility into your network and host activity.

Features

Security Onion includes everything you need to monitor your network and host systems:

  • Security Onion Console (SOC): A unified web interface for analyzing security events and managing your grid.
  • Elastic Stack: Powerful search backed by Elasticsearch.
  • Intrusion Detection: Network-based IDS with Suricata and host-based monitoring with Elastic Fleet.
  • Network Metadata: Detailed network metadata generated by Zeek or Suricata.
  • Full Packet Capture: Retain and analyze raw network traffic with Suricata PCAP.

Security Onion Pro

For organizations and enterprises requiring advanced capabilities, Security Onion Pro offers additional features designed for scale and efficiency:

  • Onion AI: Leverage powerful AI-driven insights to accelerate your analysis and investigations.
  • Enterprise Features: Enhanced tools and integrations tailored for enterprise-grade security operations.

For more information, visit the Security Onion Pro page.

☁️ Cloud Deployment

Security Onion is available and ready to deploy in the AWS, Azure, and Google Cloud (GCP) marketplaces.

🚀 Getting Started

Goal Resource
Download Security Onion ISO
Requirements Hardware Guide
Install Installation Instructions
What's New Release Notes

📖 Documentation & Support

For more detailed information, please visit our Documentation.

🤝 Contributing

We welcome contributions! Please see our CONTRIBUTING.md for guidelines on how to get involved.

🛡️ License

Security Onion is licensed under the terms of the license found in the LICENSE file.


Built with 🧅 by Security Onion Solutions.

S
Description
Security Onion 2 - Linux distro for threat hunting, enterprise security monitoring, and log management
Readme 79 MiB
Languages
Shell 51%
Jinja 22.2%
SaltStack 12%
Python 8.7%
CSS 2%
Other 4%