mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2026-05-10 05:12:54 +02:00
ee89b78751
salt/auth fires on every minion authentication — including every minion restart and every master restart — so the reactor was re-running the postgres.auth + postgres.telegraf_users + telegraf orchestration for every already-accepted minion on every reconnect. The underlying states are idempotent, so this was wasted work and log noise, not a correctness issue. Switch the subscription to salt/key, which fires only when the master actually changes a key's state (accept / reject / delete). Match the pattern used by salt/reactor/check_hypervisor.sls (registered in salt/salt/cloud/reactor_config_hypervisor.sls) and add the result==True guard so half-failed key operations don't trigger the orchestration.
19 lines
767 B
Plaintext
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.

{# Fires on salt/key. Only act on successful key acceptance — not reauth. #}
{% if data.get('act') == 'accept' and data.get('result') == True and data.get('id') %}

{{ data['id'] }}_telegraf_pg_sync:
  runner.state.orchestrate:
    - args:
        - mods: orch.telegraf_postgres_sync
        - pillar:
            minion_id: {{ data['id'] }}

{% do salt.log.info('telegraf_user_sync reactor: syncing telegraf PG user for minion %s' % data['id']) %}

{% endif %}