WIP - testing rpm solution for ownership on upgrade

2025-04-16 09:40:20 +00:00 · 2024-04-25 15:43:37 -06:00 · 2024-04-25 15:43:37 -06:00 · cb6802b35d
commit cb6802b35d
parent 060b0d2e43
8 changed files with 105 additions and 34 deletions
--- a/changelog/65264.fixed.md
+++ b/changelog/65264.fixed.md
@ -1 +1 @@
-Ensure on rpm systems, that user and group for existing Salt, is maintained on upgrade
+Ensure on rpm and deb systems, that user and group for existing Salt, is maintained on upgrade
--- a/pkg/debian/salt-api.postinst
+++ b/pkg/debian/salt-api.postinst
@ -1,10 +1,15 @@
+. /usr/share/debconf/confmodule
+
 case "$1" in
  configure)
+    db_get salt-master/user
+    if [ "$RET" != "root" ]; then
      if [ ! -e "/var/log/salt/api" ]; then
        touch /var/log/salt/api
        chmod 640 /var/log/salt/api
      fi
-    chown salt:salt /var/log/salt/api
+      chown $RET:$RET /var/log/salt/api
+    fi
    if command -v systemctl; then systemctl enable salt-api; fi
  ;;
 esac
--- a/pkg/debian/salt-cloud.postinst
+++ b/pkg/debian/salt-cloud.postinst
@ -1,6 +1,12 @@
+. /usr/share/debconf/confmodule
+
 case "$1" in
  configure)
+    db_get salt-master/user
+    if [ "$RET" != "root" ]; then
      PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush;")
+      # TBD DGM what is this salt:salt doing here, should this be $RET:$RET
      chown -R salt:salt /etc/salt/cloud.deploy.d /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+    fi
  ;;
 esac
--- a/pkg/debian/salt-master.config
+++ b/pkg/debian/salt-master.config
@ -0,0 +1,7 @@
+#!/bin/sh -e
+
+# Source debconf library.
+. /usr/share/debconf/confmodule
+
+db_input medium salt-master/user || true
+db_go || true
--- a/pkg/debian/salt-master.postinst
+++ b/pkg/debian/salt-master.postinst
@ -1,5 +1,9 @@
+. /usr/share/debconf/confmodule
+
 case "$1" in
  configure)
+    db_get salt-master/user
+    if [ "$RET" != "root" ]; then
      if [ ! -e "/var/log/salt/master" ]; then
        touch /var/log/salt/master
        chmod 640 /var/log/salt/master
@ -8,7 +12,8 @@ case "$1" in
        touch /var/log/salt/key
        chmod 640 /var/log/salt/key
      fi
-    chown -R salt:salt /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+      chown -R $RET:$RET /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+    fi
    if command -v systemctl; then systemctl enable salt-master; fi
  ;;
 esac
--- a/pkg/debian/salt-master.preinst
+++ b/pkg/debian/salt-master.preinst
@ -7,10 +7,14 @@ case "$1" in
    PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")

    # Reset permissions to fix previous installs
+    # TBD DGM Need to check this code for root:root, doesn't seem correct, needs to be whatever the user is
    find ${SALT_HOME} /etc/salt /var/log/salt /var/cache/salt /var/run/salt \
        \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
        \( -user ${SALT_USER} -o -group ${SALT_GROUP} \) -exec chown root:root \{\} \;

+    ;;
+    esac
+
  # remove incorrectly installed ufw salt-master directory - issue 57712
  test -d /etc/ufw/applications.d/salt-master && rm -rf /etc/ufw/applications.d/salt-master || /bin/true

--- a/pkg/debian/salt-master.templates
+++ b/pkg/debian/salt-master.templates
@ -0,0 +1,5 @@
+Template: salt-master/user
+Type: string
+Default: salt
+Description: User for salt-master
+  User to run the salt-master process as
--- a/pkg/rpm/salt.spec
+++ b/pkg/rpm/salt.spec
@ -15,10 +15,12 @@
 %global __requires_exclude_from ^.*$
 %define _source_payload w2.gzdio
 %define _binary_payload w2.gzdio
-%define _SALT_GROUP salt
-%define _SALT_USER salt
-%define _SALT_NAME Salt
-%define _SALT_HOME /opt/saltstack/salt
+%global _SALT_GROUP salt
+%global _SALT_USER salt
+%global _SALT_NAME Salt
+%global _SALT_HOME /opt/saltstack/salt
+%global _CUR_USER %{_SALT_USER}
+%global _CUR_GROUP %{_SALT_GROUP}

 # Disable debugsource template
 %define _debugsource_template %{nil}
@ -426,22 +428,37 @@ usermod -c "%{_SALT_NAME}" \

 %pre master
 if [ $1 -gt 1 ] ; then
-    # Reset permissions to match previous installs
-    PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
-    _CUR_USER=$(command -v salt-master | xargs ls -l | cut -d ' ' -f 3)
-    _CUR_GROUP=$(command -v salt-master | xargs ls -l | cut -d ' ' -f 4)
-    find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
-      \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
-      \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+    # Reset permissions to match previous installs - performing upgrade
+#    PY_VER=$(/opt/saltstack/salt/bin/python3 -c "import sys; sys.stdout.write('{}.{}'.format(*sys.version_info)); sys.stdout.flush();")
+#    _CUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4)
+#    # TBD DGM this find command will overwrite any ownership if a minion - user is preinstalled first
+#    find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
+#      \! \( -path /etc/salt/cloud.deploy.d\* -o -path /var/log/salt/cloud -o \
+#      -path /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy\* \) -a \
+#      \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+    _LCUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3)
+    _LCUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4)
+    %global _CUR_USER  %{_LCUR_USER}
+    %global _CUR_GROUP %{_LCUR_GROUP}
 fi

 %pre minion
 if [ $1 -gt 1 ] ; then
-    # Reset permissions to match previous installs
-    _CUR_USER=$(command -v salt-minion | xargs ls -l | cut -d ' ' -f 3)
-    _CUR_GROUP=$(command -v salt-minion | xargs ls -l | cut -d ' ' -f 4)
-    find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
-      \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+    # Reset permissions to match previous installs - performing upgrade
+#    _CUR_USER=$(ls -dl /run/salt/minion | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /run/salt/minion | cut -d ' ' -f 4)
+#    if [ ! -e "/var/log/salt/master" ]; then
+#        find /etc/salt /opt/saltstack/salt /var/log/salt /var/cache/salt /var/run/salt \
+#          \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+#    else
+#        # master exists, it takes precedence
+#        find /etc/salt/minion /var/log/salt/minion /var/cache/salt/minion /var/run/salt/minion \
+#          \( -user salt -o -group salt \) -exec chown -R ${_CUR_USER}:${_CUR_GROUP} \{\} \;
+    _LCUR_USER=$(ls -dl /run/salt/minion | cut -d ' ' -f 3)
+    _LCUR_GROUP=$(ls -dl /run/salt/minion | cut -d ' ' -f 4)
+    %global _CUR_USER  %{_LCUR_USER}
+    %global _CUR_GROUP %{_LCUR_GROUP}
 fi


@ -571,7 +588,14 @@ if [ ! -e "/var/log/salt/cloud" ]; then
  touch /var/log/salt/cloud
  chmod 640 /var/log/salt/cloud
 fi
+if [ $1 -gt 1 ] ; then
+    # Reset permissions to match previous installs - performing upgrade
+#    _CUR_USER=$(ls -dl /var/log/salt/cloud | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /var/log/salt/cloud | cut -d ' ' -f 4)
+    chown -R %{_CUR_USER}:%{_CUR_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+else
    chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/cloud.deploy.d /var/log/salt/cloud /opt/saltstack/salt/lib/python${PY_VER}/site-packages/salt/cloud/deploy
+fi


 %posttrans master
@ -583,7 +607,14 @@ if [ ! -e "/var/log/salt/key" ]; then
  touch /var/log/salt/key
  chmod 640 /var/log/salt/key
 fi
+if [ $1 -gt 1 ] ; then
+    # Reset permissions to match previous installs - performing upgrade
+#    _CUR_USER=$(ls -dl /run/salt/master | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /run/salt/master | cut -d ' ' -f 4)
+    chown -R %{_CUR_USER}:%{_CUR_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+else
    chown -R %{_SALT_USER}:%{_SALT_GROUP} /etc/salt/pki/master /etc/salt/master.d /var/log/salt/master /var/log/salt/key /var/cache/salt/master /var/run/salt/master
+fi


 %posttrans api
@ -591,7 +622,14 @@ if [ ! -e "/var/log/salt/api" ]; then
  touch /var/log/salt/api
  chmod 640 /var/log/salt/api
 fi
-chown %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api
+if [ $1 -gt 1 ] ; then
+    # Reset permissions to match previous installs - performing upgrade
+#    _CUR_USER=$(ls -dl /var/log/salt/api | cut -d ' ' -f 3)
+#    _CUR_GROUP=$(ls -dl /var/log/salt/api | cut -d ' ' -f 4)
+    chown -R %{_CUR_USER}:%{_CUR_GROUP} /var/log/salt/api
+else
+    chown -R %{_SALT_USER}:%{_SALT_GROUP} /var/log/salt/api
+fi


 %preun
@ -748,6 +786,7 @@ fi

 # Fixed

+- Fix issue with ownership on upgrade of master and minion files
 - Fix an issue with mac_shadow that was causing a command execution error when
  retrieving values that were not yet set. For example, retrieving last login
  before the user had logged in. [#34658](https://github.com/saltstack/salt/issues/34658)