Move salt user creation to common package

Move the salt user creation to the common package shared by all other salt
packages.
This commit is contained in:
Daniel A. Wozniak 2023-04-26 14:17:36 -07:00 committed by Gareth J. Greenaway
parent ba29a27ad7
commit b7fbec8158
4 changed files with 123 additions and 11 deletions


@ -0,0 +1,40 @@
case "$1" in
install|upgrade)
[ -z "$SALT_HOME" ] && SALT_HOME=/opt/saltstack/salt
[ -z "$SALT_USER" ] && SALT_USER=salt
[ -z "$SALT_NAME" ] && SALT_NAME="Salt"
[ -z "$SALT_GROUP" ] && SALT_GROUP=salt
# create user to avoid running server as root
# 1. create group if not existing
if ! getent group | grep -q "^$SALT_GROUP:" ; then
echo -n "Adding group $SALT_GROUP.."
addgroup --quiet --system $SALT_GROUP 2>/dev/null ||true
echo "..done"
fi
# 2. create homedir if not existing
test -d $SALT_HOME || mkdir $SALT_HOME
# 3. create user if not existing
if ! getent passwd | grep -q "^$SALT_USER:"; then
echo -n "Adding system user $SALT_USER.."
adduser --quiet \
--system \
--ingroup $SALT_GROUP \
--no-create-home \
--disabled-password \
$SALT_USER 2>/dev/null || true
echo "..done"
fi
# 4. adjust passwd entry
usermod -c "$SALT_NAME" \
-d $SALT_HOME \
-g $SALT_GROUP \
$SALT_USER
# 5. adjust file and directory permissions
if ! dpkg-statoverride --list $SALT_HOME >/dev/null
then
chown -R $SALT_USER:$SALT_GROUP $SALT_HOME
chmod u=rwx,g=rxs,o= $SALT_HOME
fi
;;
esac
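Review bot: The account, group and home directory are taken from whatever `SALT_USER`, `SALT_GROUP` and `SALT_HOME` happen to be set to in the environment of the dpkg invocation (the `[ -z "$SALT_USER" ] && SALT_USER=salt` defaults), and every later use is unquoted (`mkdir $SALT_HOME`, `chown -R $SALT_USER:$SALT_GROUP $SALT_HOME`), so a stray value in the installer's environment changes which account owns `/opt/saltstack/salt` while the master preinst in this same commit still hard-codes `salt:salt`. If these are meant to be build-time constants, as in the RPM spec's `%define _SALT_USER salt`, assign them unconditionally (`SALT_USER=salt`) or at least quote each expansion. Separately, `chown -R` over the whole of `$SALT_HOME` hands the service account ownership of the installed code tree rather than only its state; if any root-run component executes from that tree (not visible here), a compromised salt user could alter what root runs, so limiting the recursive chown to writable data directories is worth considering. The `adduser ... 2>/dev/null || true` line also hides a failed account creation, after which `usermod` runs against a missing user.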


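--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,9 @@
-adduser --system salt --group
-chown -R salt:salt /etc/salt /var/log/salt /opt/saltstack/salt/ /var/cache/salt/ /var/run/salt
-if command -v systemctl; then systemctl enable salt-master; fi
+case "$1" in
+install)
+if command -v systemctl; then systemctl enable salt-master; fi
+chown -R salt:salt /etc/salt /var/log/salt /opt/saltstack/salt/ /var/cache/salt/ /var/run/salt
+;;
+upgrade)
+chown -R salt:salt /etc/salt /var/log/salt /opt/saltstack/salt/ /var/cache/salt/ /var/run/salt
+;;
+esac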
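Review bot: The new `install)` and `upgrade)` branches both `chown -R salt:salt` a list that includes `/opt/saltstack/salt/`, which the common package's preinst in this same commit already chowns (and only after checking `dpkg-statoverride`), so this script repeats the work and bypasses that override check; dropping `/opt/saltstack/salt/` here, or hoisting the shared line into a single `install|upgrade)` branch, removes the duplication. The account is no longer created in this script, so the chown only succeeds if the common package's preinst has already run; with a plain Depends that ordering is not guaranteed at preinst time, so the control file should declare a Pre-Depends on the common package (not visible here). Recursively chowning `/etc/salt` to the service account also makes every config file under it writable by that account, so a compromised master process could rewrite its own configuration and, if the minion's config lives there too, the minion's; consider restricting this to the directories the master must write. `systemctl enable salt-master` in the `install)` branch runs before the unit file is unpacked on a fresh install, which belongs in postinst.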


@ -14,6 +14,10 @@
%global __requires_exclude_from ^.*\\.so.*$
%define _source_payload w2.gzdio
%define _binary_payload w2.gzdio
%define _SALT_GROUP salt
%define _SALT_USER salt
%define _SALT_NAME Salt
%define _SALT_HOME /opt/saltstack/salt
# Disable python bytecompile for MANY reasons
%global __os_install_post %(echo '%{__os_install_post}' | sed -e 's!/usr/lib[^[:space:]]*/brp-python-bytecompile[[:space:]].*$!!g')
@ -278,8 +282,6 @@ rm -rf %{buildroot}
%dir %{_sysconfdir}/salt/pki
%files master
%defattr(-,root,root)
%doc %{_mandir}/man7/salt.7*
@ -311,6 +313,7 @@ rm -rf %{buildroot}
%dir %attr(0750, salt, salt) %{_var}/cache/salt/master/syndics/
%dir %attr(0750, salt, salt) %{_var}/cache/salt/master/tokens/
%files minion
%defattr(-,root,root)
%doc %{_mandir}/man1/salt-call.1*
@ -327,17 +330,20 @@ rm -rf %{buildroot}
%dir %{_sysconfdir}/salt/minion.d
%dir %attr(0750, root, root) %{_var}/cache/salt/minion/
%files syndic
%doc %{_mandir}/man1/salt-syndic.1*
%{_bindir}/salt-syndic
%{_unitdir}/salt-syndic.service
%files api
%defattr(-,root,root)
%doc %{_mandir}/man1/salt-api.1*
%{_bindir}/salt-api
%{_unitdir}/salt-api.service
%files cloud
%doc %{_mandir}/man1/salt-cloud.1*
%{_bindir}/salt-cloud
@ -348,36 +354,64 @@ rm -rf %{buildroot}
%{_sysconfdir}/salt/cloud.providers.d
%config(noreplace) %{_sysconfdir}/salt/cloud
%files ssh
%doc %{_mandir}/man1/salt-ssh.1*
%{_bindir}/salt-ssh
%config(noreplace) %{_sysconfdir}/salt/roster
# Add salt user/group for Salt Master
%pre master
getent group salt >/dev/null || groupadd -r salt
getent passwd salt >/dev/null || \
useradd -r -g salt -s /sbin/nologin \
-c "Salt user for Salt Master" salt
%pre
# create user to avoid running server as root
# 1. create group if not existing
if ! getent group | grep -q "^%{_SALT_GROUP}:" ; then
addgroup --quiet --system %{_SALT_GROUP} 2>/dev/null ||true
fi
# 2. create homedir if not existing
test -d %{_SALT_HOME} || mkdir %{_SALT_HOME}
# 3. create user if not existing
if ! getent passwd | grep -q "^%{_SALT_USER}:"; then
adduser --quiet \
--system \
--ingroup %{_SALT_USER} \
--no-create-home \
--disabled-password \
-s /sbin/nlogin \
%{_SALT_USER} 2>/dev/null || true
fi
# 4. adjust passwd entry
usermod -c "%{_SALT_NAME}" \
-d %{_SALT_HOME} \
-g %{_SALT_GROUP} \
%{_SALT_USER}
# 5. adjust file and directory permissions
chown -R %{_SALT_USER}:%{_SALT_GROUP} %{_SALT_HOME}
chmod u=rwx,g=rxs,o= %{_SALT_HOME}
# assumes systemd for RHEL 7 & 8 & 9
%preun master
# RHEL 9 is giving warning msg if syndic is not installed, supress it
%systemd_preun salt-syndic.service > /dev/null 2>&1
%preun minion
%systemd_preun salt-minion.service
%preun api
%systemd_preun salt-api.service
%post
ln -s -f /opt/saltstack/salt/spm %{_bindir}/spm
ln -s -f /opt/saltstack/salt/salt-pip %{_bindir}/salt-pip
%post cloud
ln -s -f /opt/saltstack/salt/salt-cloud %{_bindir}/salt-cloud
%post master
%systemd_post salt-master.service
ln -s -f /opt/saltstack/salt/salt %{_bindir}/salt
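Review bot: The new `%pre` scriptlet (hunk `@ -348,36 +354,64 @@`) carries the Debian `addgroup`/`adduser` invocation into an RPM scriptlet, where `addgroup` is normally absent and `adduser` is shadow-utils' `useradd`, which does not accept `--quiet`, `--ingroup` or `--disabled-password`; because both calls end in `2>/dev/null || true`, the failure is hidden and the following `usermod -c "%{_SALT_NAME}" ... %{_SALT_USER}` then runs against an account that was never created. The same block passes `--ingroup %{_SALT_USER}` where `%{_SALT_GROUP}` is meant, and sets the shell to `/sbin/nlogin` where the removed `%pre master` used `/sbin/nologin`, so the account would get a nonexistent login shell. The `getent ... | grep -q` form also enumerates every NSS account instead of querying the one name, which the old scriptlet's `getent group salt >/dev/null` avoided. Steps 1 and 3 are safer written with the `groupadd`/`useradd` calls the old `%pre master` used, keeping the new `%define` macros:

```rpmspec
%pre
# create user to avoid running server as root
# 1. create group if not existing
getent group %{_SALT_GROUP} >/dev/null || groupadd -r %{_SALT_GROUP}
# 2. create homedir if not existing
test -d %{_SALT_HOME} || mkdir %{_SALT_HOME}
# 3. create user if not existing
getent passwd %{_SALT_USER} >/dev/null || \
    useradd -r -g %{_SALT_GROUP} -M -d %{_SALT_HOME} -s /sbin/nologin \
        -c "%{_SALT_NAME}" %{_SALT_USER}
# … unchanged: step 4 usermod and step 5 chown/chmod …
```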


@ -1,3 +1,5 @@
import subprocess
import psutil
import pytest
import yaml
@ -20,3 +22,33 @@ def test_salt_user_master(salt_master, install_salt):
match = True
assert match
def test_salt_user_home(install_salt):
"""
Test the correct user is running the Salt Master
"""
proc = subprocess.run(["getent", "salt"], check=False, capture=True)
assert proc.exitcode() == 0
home = ""
try:
home = proc.stdout.decode().split(":")[5]
except:
pass
assert home == "/opt/saltstack/salt"
def test_salt_user_group(install_salt):
"""
Test the salt user is the salt group
"""
proc = subprocess.run(["id", "salt"], check=False, capture=True)
assert proc.exitcode() == 0
in_group = False
try:
for group in proc.stdout.decode().split(" "):
if group == "salt":
in_group = True
except:
pass
assert in_group is True
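Review bot: Neither new test can run as written: `subprocess.run` has no `capture` keyword (it is `capture_output=True`), `CompletedProcess` has no `exitcode()` method (it is the `returncode` attribute), and `getent` needs a database name (`["getent", "passwd", "salt"]`). In `test_salt_user_group`, `id salt` prints tokens like `gid=NNN(salt)`, so no whitespace-separated token ever equals `"salt"` and the assertion can only fail; `id -Gn salt` prints bare group names. The bare `except: pass` blocks would turn any of these errors into a misleading assertion failure and should go. The first docstring describes the master-process test rather than the home-directory check. `test_salt_user_master` begins before this hunk.

```python
def test_salt_user_home(install_salt):
    """
    Test the salt user's home directory is the install root
    """
    proc = subprocess.run(["getent", "passwd", "salt"], check=False, capture_output=True)
    assert proc.returncode == 0
    # passwd fields: name:x:uid:gid:gecos:home:shell
    home = proc.stdout.decode().split(":")[5]
    assert home == "/opt/saltstack/salt"


def test_salt_user_group(install_salt):
    """
    Test the salt user is the salt group
    """
    proc = subprocess.run(["id", "-Gn", "salt"], check=False, capture_output=True)
    assert proc.returncode == 0
    assert "salt" in proc.stdout.decode().split()
```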