...

  1. Stop the Salt services, e.g. salt-master, salt-minion, salt-api, etc.

  2. Run the following shell script on your machine. (Original code: https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh)

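    # $i is not set anywhere in this script as shown; set it to the crontab
    # pattern to remove before running. With an empty pattern sed fails and
    # "crontab -" would install an empty crontab, so abort instead.
    : "${i:?set i to the crontab pattern to remove}"

    # remove for root
    crontab -l | sed "/$i/d" | crontab -
    
    # check other users crontabs
    for f in /var/spool/cron/crontabs/*; do
      [ -f "$f" ] || continue
      sed -i "/$i/d" "$f"
    done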
    
    # remove ssh public key added by v5
    sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys
    
    # same key fragment, for every user's authorized_keys
    for i in /home/*/.ssh/authorized_keys; do
      [ -f "$i" ] || continue
      sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' "$i"
    done
    
    # newer versions seem to set themselves immutable
    chattr -i /tmp/salt-store
    chattr -i /var/tmp/salt-store
    chattr -i /tmp/salt-minions
    chattr -i /usr/bin/salt-store
    
    # remove all the trash
    rm /tmp/salt-minions
    rm /tmp/salt-store
    rm /var/tmp/salt-store
    rm /usr/bin/salt-store
    rm /etc/selinux/config
    rm -rf /tmp/.ICE*
    rm -rf /var/tmp/.ICE*
    rm /root/.wget-hsts
    
    # create apparmor profiles to prevent execution
    echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
    apparmor_parser -r -W /etc/apparmor.d/salt-store
    
    echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
    apparmor_parser -r -W /etc/apparmor.d/salt-minions
    
    # reenable nmi watchdog
    sysctl kernel.nmi_watchdog=1
    echo '1' >/proc/sys/kernel/nmi_watchdog
    sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf
    
    # disable hugepages
    sysctl -w vm.nr_hugepages=0
    
    # enable apparmor
    systemctl enable apparmor
    systemctl start apparmor
    
    # kill processes and reenabler
    kill -9 $(ps faux | grep /tmp/.ICE | grep -v grep | awk '{print $2}')
    ps aux | grep ICEd | grep -v grep | cut -c5-15 | xargs -n 1 kill -9
    killall -9 salt-minions
    killall -9 salt-store
    
    # fix syslog
    touch /var/log/syslog
    service rsyslog restart

  3. Update SaltStack to the patched version (2019.2.4).

    $ yum check-update salt
    (omit)
    
    $ yum update salt
    (install all dependencies)
    
    $ yum list salt
    Loaded plugins: fastestmirror, langpacks
    Loading mirror speeds from cached hostfile
     * base: mirror.kakao.com
     * epel: hk.mirrors.thegigabit.com
     * extras: mirror.kakao.com
     * updates: mirror.kakao.com
    Installed Packages
    salt.noarch   2019.2.4-1.el7     @salt-py3-2019.2
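
A read-only check to run after the steps above, as an added example that is not part of the original page or the gist: it reports any of the files, the SSH key fragment and the sysctl values that the cleanup script targets. The `scan_root` function and its optional ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: read-only check for leftovers of the cleanup script above.
# Paths and the key fragment are copied from that script; the ROOT argument
# is a hypothetical convenience for scanning a mounted image or a test tree.

ARTIFACTS="/tmp/salt-minions /tmp/salt-store /var/tmp/salt-store /usr/bin/salt-store"
KEY_TAIL='PbNwmJNcFwSLF12fFBoF/$'   # authorized_keys lines ending in this fragment

# scan_root [ROOT]: print one finding per line; return 1 if anything was found.
scan_root() {
  root="${1:-}"; found=0
  report() { echo "$1: ${2#"$root"}"; found=1; }

  for p in $ARTIFACTS; do
    [ -e "$root$p" ] || continue
    report artifact "$root$p"
  done
  for f in "$root"/tmp/.ICE* "$root"/var/tmp/.ICE*; do
    [ -e "$f" ] || continue
    report artifact "$f"
  done
  for k in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
    [ -f "$k" ] || continue
    if grep -q "$KEY_TAIL" "$k"; then report ssh-key "$k"; fi
  done
  # The cleanup re-enables the NMI watchdog and zeroes hugepages; flag the opposite.
  w="$root/proc/sys/kernel/nmi_watchdog"; h="$root/proc/sys/vm/nr_hugepages"
  if [ -r "$w" ] && [ "$(cat "$w")" = 0 ]; then report sysctl "$w"; fi
  if [ -r "$h" ] && [ "$(cat "$h")" != 0 ]; then report sysctl "$h"; fi

  [ "$found" -eq 0 ]
}

# Scan the live system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then scan_root ""; fi
```

A `sysctl` finding only means the value differs from what the cleanup script sets; a host that legitimately uses hugepages or runs with the watchdog off will report it too.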

...