WIP - testing rpm solution for ownership on upgrade

changelog/65264.fixed.md

@@ -1 +1 @@
-Ensure on rpm systems, that user and group for existing Salt, is maintained on upgrade
+Ensure on rpm and deb systems, that user and group for existing Salt, is maintained on upgrade

pkg/debian/salt-api.postinst

@@ -1,10 +1,15 @@
+. /usr/share/debconf/confmodule
+
 case "$1" in
   configure)
-    if [ ! -e "/var/log/salt/api" ]; then
+    db_get salt-master/user
-      touch /var/log/salt/api
+    if [ "$RET" != "root" ]; then
-      chmod 640 /var/log/salt/api
+      if [ ! -e "/var/log/salt/api" ]; then
+        touch /var/log/salt/api
+        chmod 640 /var/log/salt/api
+      fi
+      chown $RET:$RET /var/log/salt/api
     fi
-    chown salt:salt /var/log/salt/api
     if command -v systemctl; then systemctl enable salt-api; fi
   ;;
 esac

pkg/debian/salt-cloud.postinst

@@ -1,6 +1,12 @@
+. /usr/share/debconf/confmodule
+
 case "$1" in
   configure)
-    PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;")
+    db_get salt-master/user
-    chown -R salt:salt /etc/salt/cloud.deploy.d /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+    if [ "$RET" != "root" ]; then
+      PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;")
+      # TBD DGM what is this salt:salt doing here, should this be $RET:$RET
+      chown -R salt:salt /etc/salt/cloud.deploy.d /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+    fi
   ;;
 esac

pkg/debian/salt-master.config

@@ -0,0 +1,7 @@
+#!/bin/sh -e
+
+# Source debconf library.
+. /usr/share/debconf/confmodule
+
+db_input medium salt-master/user || true
+db_go || true

pkg/debian/salt-master.postinst

@@ -1,14 +1,19 @@
+. /usr/share/debconf/confmodule
+
 case "$1" in
   configure)
-    if [ ! -e "/var/log/salt/master" ]; then
+    db_get salt-master/user
-      touch /var/log/salt/master
+    if [ "$RET" != "root" ]; then
-      chmod 640 /var/log/salt/master
+      if [ ! -e "/var/log/salt/master" ]; then
+        touch /var/log/salt/master
+        chmod 640 /var/log/salt/master
+      fi
+      if [ ! -e "/var/log/salt/key" ]; then
+        touch /var/log/salt/key
+        chmod 640 /var/log/salt/key
+      fi
+      chown -R $RET:$RET /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
     fi
-    if [ ! -e "/var/log/salt/key" ]; then
-      touch /var/log/salt/key
-      chmod 640 /var/log/salt/key
-    fi
-    chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
     if command -v systemctl; then systemctl enable salt-master; fi
   ;;
 esac

pkg/debian/salt-master.preinst

@@ -7,10 +7,14 @@ case "$1" in
     PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
 
     # Reset permissions to fix previous installs
+    # TBD DGM Need to check this code for root:root, doesn't seem correct, needs to be whatever the user is
     find ${SALT_HOME} /etc/salt /var/log/salt /var/cache/salt /var/run/salt \
         \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
         \( -user ${SALT_USER} -o -group ${SALT_GROUP} \) -exec chown root:root \{\} \;
 
+    ;;
+    esac
+
   # remove incorrectly installed ufw salt-master directory - issue 57712
   test -d /etc/ufw/applications.d/salt-master && rm -rf /etc/ufw/applications.d/salt-master || /bin/true
 

pkg/debian/salt-master.templates

@@ -0,0 +1,5 @@
+Template: salt-master/user
+Type: string
+Default: salt
+Description: User for salt-master
+  User to run the salt-master process as

pkg/rpm/salt.spec

@@ -15,10 +15,12 @@
 %global __requires_exclude_from ^.*$
 %define _source_payload w2.gzdio
 %define _binary_payload w2.gzdio
-%define _SALT_GROUP salt
+%global _SALT_GROUP salt
-%define _SALT_USER salt
+%global _SALT_USER salt
-%define _SALT_NAME Salt
+%global _SALT_NAME Salt
-%define _SALT_HOME /opt/saltstack/salt
+%global _SALT_HOME /opt/saltstack/salt
+%global _CUR_USER %{_SALT_USER}
+%global _CUR_GROUP %{_SALT_GROUP}
 
 # Disable debugsource template
 %define _debugsource_template %{nil}
@@ -426,22 +428,37 @@ usermod -c "%{_SALT_NAME}" \
 
 %pre master
 if [ $1 -gt 1 ] ; then
-    # Reset permissions to match previous installs
+    # Reset permissions to match previous installs - performing upgrade
-    PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
+#    PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
-    _CUR_USER=$(command -v salt-master | xargs ls -l | cut -d ' ' -f 3)
+#    _CUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3)
-    _CUR_GROUP=$(command -v salt-master | xargs ls -l | cut -d ' ' -f 4)
+#    _CUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4)
-    find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
+#    # TBD DGM this find command will overwrite any ownership if a minion - user is preinstalled first
-      \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
+#    find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
-      \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+#      \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o \
+#      -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
+#      \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+    _LCUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3)
+    _LCUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4)
+    %global _CUR_USER  %{_LCUR_USER}
+    %global _CUR_GROUP %{_LCUR_GROUP}
 fi
 
 %pre minion
 if [ $1 -gt 1 ] ; then
-    # Reset permissions to match previous installs
+    # Reset permissions to match previous installs - performing upgrade
-    _CUR_USER=$(command -v salt-minion | xargs ls -l | cut -d ' ' -f 3)
+#    _CUR_USER=$(ls -dl /run/salt/minion | cut -d ' ' -f 3)
-    _CUR_GROUP=$(command -v salt-minion | xargs ls -l | cut -d ' ' -f 4)
+#    _CUR_GROUP=$(ls -dl /run/salt/minion | cut -d ' ' -f 4)
-    find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
+#    if [ ! -e "/var/log/salt/master" ]; then
-      \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+#        find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
+#          \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+#    else
+#        # master exists, it takes precedence
+#        find /etc/salt/minion /var/log/salt/minion /var/cache/salt/minion /var/run/salt/minion \
+#          \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+    _LCUR_USER=$(ls -dl /run/salt/minion | cut -d ' ' -f 3)
+    _LCUR_GROUP=$(ls -dl /run/salt/minion | cut -d ' ' -f 4)
+    %global _CUR_USER  %{_LCUR_USER}
+    %global _CUR_GROUP %{_LCUR_GROUP}
 fi
 
 
@@ -571,7 +588,14 @@ if [ ! -e "/var/log/salt/cloud" ]; then
   touch /var/log/salt/cloud
   chmod 640 /var/log/salt/cloud
 fi
-chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+if [ $1 -gt 1 ] ; then
+    # Reset permissions to match previous installs - performing upgrade
+#    _CUR_USER=$(ls -dl /var/log/salt/cloud | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /var/log/salt/cloud | cut -d ' ' -f 4)
+    chown -R %{_CUR_USER}:%{_CUR_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+else
+    chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+fi
 
 
 %posttrans master
@@ -583,7 +607,14 @@ if [ ! -e "/var/log/salt/key" ]; then
   touch /var/log/salt/key
   chmod 640 /var/log/salt/key
 fi
-chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+if [ $1 -gt 1 ] ; then
+    # Reset permissions to match previous installs - performing upgrade
+#    _CUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4)
+    chown -R %{_CUR_USER}:%{_CUR_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+else
+    chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+fi
 
 
 %posttrans api
@@ -591,7 +622,14 @@ if [ ! -e "/var/log/salt/api" ]; then
   touch /var/log/salt/api
   chmod 640 /var/log/salt/api
 fi
-chown %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api
+if [ $1 -gt 1 ] ; then
+    # Reset permissions to match previous installs - performing upgrade
+#    _CUR_USER=$(ls -dl /var/log/salt/api | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /var/log/salt/api | cut -d ' ' -f 4)
+    chown -R %{_CUR_USER}:%{_CUR_GROUP} /var/log/salt/api
+else
+    chown -R %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api
+fi
 
 
 %preun
@@ -748,6 +786,7 @@ fi
 
 # Fixed
 
+- Fix issue with ownership on upgrade of master and minion files
 - Fix an issue with mac_shadow that was causing a command execution error when
   retrieving values that were not yet set. For example, retrieving last login
   before the user had logged in. [#34658](https://github.com/saltstack/salt/issues/34658)