diff --git a/CHANGELOG.md b/CHANGELOG.md index 92227c0..95edc74 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Please refer to the SaltStack [Release Notes](https://docs.saltstack.com/en/deve - Add `PyGit2` support - Expose `/home/salt/data/logs` - Run `salt-master` as `salt` user +- Add support for setting timezone **2018.3.2** diff --git a/Dockerfile b/Dockerfile index c53f610..0f92a6f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,7 @@ ENV SALT_VERSION="2018.3.3" \ ENV SALT_DOCKER_DIR="/etc/docker-salt" \ SALT_ROOT_DIR="/etc/salt" \ + SALT_CACHE_DIR='/var/cache/salt' \ SALT_USER="salt" \ SALT_HOME="/home/salt" @@ -42,7 +43,7 @@ RUN apt-get update RUN apt-get install --yes --quiet --no-install-recommends \ sudo ca-certificates wget locales pkg-config openssh-client \ python${PYTHON_VERSION} python${PYTHON_VERSION}-dev \ - python3-pip python3-setuptools python3-wheel + python3-pip python3-setuptools python3-wheel gettext-base # Configure locales RUN update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \ diff --git a/LICENSE b/LICENSE index 35fb1ff..ed89c6a 100644 --- a/LICENSE +++ b/LICENSE @@ -19,4 +19,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/README.md b/README.md index 770df63..1e58dc5 100644 --- a/README.md +++ b/README.md @@ -161,7 +161,7 @@ gitfs_privkey: /home/salt/data/keys/gitfs/gitfs_ssh gitfs_pubkey: /home/salt/data/keys/gitfs/gitfs_ssh.pub ``` -**Important Note** +**Important Note** If you get the following error while using `gitfs` with `pygit2` 
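Review bot: `SALT_CACHE_DIR='/var/cache/salt'` is the only value in this ENV block written with single quotes, while the neighbouring `SALT_DOCKER_DIR`, `SALT_ROOT_DIR`, `SALT_USER` and `SALT_HOME` use double quotes. Dockerfile ENV treats both forms the same for a literal path, so this is only a consistency point; `SALT_CACHE_DIR="/var/cache/salt" \` would match the rest of the block.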
@@ -178,7 +178,9 @@ Please refer the docker run command options for the `--env-file` flag where you Below is the list of available options that can be used to customize your SaltStack master installation. | Parameter | Description | -|-----------|-------------| +|:----------|:------------| +| `DEBUG` | Set this to `true` to enable entrypoint debugging. | +| `TIMEZONE` | Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Madrid`. See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). | | `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` | | `SALT_LEVEL_LOGFILE` | The level of messages to send to the log file. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` | | `SALT_MASTER_SIGN_PUBKEY` | Sign the master auth-replies with a cryptographic signature of the master's public key. Possible values: 'True' or 'False'. Default: `False` | diff --git a/assets/build/install.sh b/assets/build/install.sh index 8e79080..ae6cb57 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh @@ -23,7 +23,7 @@ EOF # Compile libssh2 echo "Building libssh2 v${LIBSSH2_VERSION} ..." -wget https://github.com/libssh2/libssh2/archive/libssh2-${LIBSSH2_VERSION}.tar.gz +wget https://github.com/libssh2/libssh2/archive/libssh2-${LIBSSH2_VERSION}.tar.gz tar xzf libssh2-${LIBSSH2_VERSION}.tar.gz cd libssh2-libssh2-${LIBSSH2_VERSION}/ cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=ON -DENABLE_ZLIB_COMPRESSION=ON . diff --git a/assets/runtime/config/master.yml b/assets/runtime/config/master.yml new file mode 100644 index 0000000..bf722e6 --- /dev/null +++ b/assets/runtime/config/master.yml 
@@ -0,0 +1,134 @@
+##### Primary configuration settings #####
+##########################################
+# This configuration file is used to manage the behavior of the Salt Master.
+# Values that are commented out but have an empty line after the comment are
+# defaults that do not need to be set in the config. If there is no blank line
+# after the comment then the value is presented as an example and is not the
+# default.
+
+# The master will automatically include all config files from:
+default_include: {{SALT_CONFS_DIR}}/*.conf
+
+# The user under which the salt master will run.
+user: {{SALT_USER}}
+
+# Directory used to store public key data:
+pki_dir: {{SALT_KEYS_DIR}}
+
+# Directory to store job and cache data:
+# This directory may contain sensitive data and should be protected accordingly.
+cachedir: {{SALT_CACHE_DIR}}/master
+
+# Directory for custom modules. This directory can contain subdirectories for
+# each of Salt's module types such as "runners", "output", "wheel", "modules",
+# "states", "returners", "engines", "utils", etc.
+extension_modules: {{SALT_CACHE_DIR}}/master/extmods
+
+
+##### Security settings #####
+##########################################
+# Enable passphrase protection of the Master signing_key. This only applies if
+# master_sign_pubkey is set to True. This is disabled by default.
+master_sign_pubkey: {{SALT_MASTER_SIGN_PUBKEY}}
+master_sign_key_name: {{SALT_MASTER_SIGN_KEY_NAME}}
+master_pubkey_signature: {{SALT_MASTER_PUBKEY_SIGNATURE}}
+master_use_pubkey_signature: {{SALT_MASTER_USE_PUBKEY_SIGNATURE}}
+
+# Use TLS/SSL encrypted connection between master and minion.
+# Can be set to a dictionary containing keyword arguments corresponding to Python's
+# 'ssl.wrap_socket' method.
+# Default is None.
+#ssl:
+# keyfile:
+# certfile:
+# ssl_version: PROTOCOL_TLSv1_2
+
+
+##### Salt-SSH Configuration #####
+##########################################
+# The log file of the salt-ssh command:
+ssh_log_file: {{SALT_LOGS_DIR}}/ssh
+
+
+##### File Server settings #####
+##########################################
+# Salt runs a lightweight file server written in zeromq to deliver files to
+# minions. This file server is built into the master daemon and does not
+# require a dedicated port.
+
+# The file server works on environments passed to the master, each environment
+# can have multiple root directories, the subdirectories in the multiple file
+# roots cannot match, otherwise the downloaded files will not be able to be
+# reliably ensured. A base environment is required to house the top file.
+file_roots:
+ base:
+ - {{SALT_BASE_DIR}}/salt
+
+# The master_roots setting configures a master-only copy of the file_roots dictionary,
+# used by the state compiler.
+master_roots:
+ base:
+ - {{SALT_BASE_DIR}}/salt-master
+
+
+##### Pillar settings #####
+##########################################
+# Salt Pillars allow for the building of global data that can be made selectively
+# available to different minions based on minion grain filtering. The Salt
+# Pillar is laid out in the same fashion as the file server, with environments,
+# a top file and sls files. However, pillar data does not need to be in the
+# highstate format, and is generally just key/value pairs.
+pillar_roots:
+ base:
+ - {{SALT_BASE_DIR}}/pillar
+
+
+##### Syndic settings #####
+##########################################
+# The Salt syndic is used to pass commands through a master from a higher
+# master. Using the syndic is simple. If this is a master that will have
+# syndic servers(s) below it, then set the "order_masters" setting to True.
+# +# If this is a master that will be running a syndic daemon for passthrough, then +# the "syndic_master" setting needs to be set to the location of the master server +# to receive commands from. + +# The log file of the salt-syndic daemon: +syndic_log_file: {{SALT_LOGS_DIR}}/syndic + + +##### Logging settings ##### +########################################## +# The location of the master log file +log_file: {{SALT_LOGS_DIR}}/master +key_logfile: {{SALT_LOGS_DIR}}/key + +# The level of messages to send to the console. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# +log_level: {{SALT_LOG_LEVEL}} + +# The level of messages to send to the log file. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# If using 'log_granular_levels' this must be set to the highest desired level. +log_level_logfile: {{SALT_LEVEL_LOGFILE}} + + +##### Windows Software Repo settings ##### +########################################### +# Location of the repo on the master: +winrepo_dir_ng: '{{SALT_BASE_DIR}}/salt/win/repo-ng' + + +##### Windows Software Repo settings - Pre 2015.8 ##### +######################################################## +# Legacy repo settings for pre-2015.8 Windows minions. +# +# Location of the repo on the master: +winrepo_dir: '{{SALT_BASE_DIR}}/salt/win/repo' +# +# Location of the master's repo cache file: +winrepo_mastercachefile: '{{SALT_BASE_DIR}}/salt/win/repo/winrepo.p' diff --git a/assets/runtime/env-defaults.sh b/assets/runtime/env-defaults.sh index 5e7673f..a759859 100755 --- a/assets/runtime/env-defaults.sh +++ b/assets/runtime/env-defaults.sh @@ -1,5 +1,8 @@ #!/usr/bin/env bash +DEBUG=${DEBUG:-false} +TIMEZONE=${TIMEZONE:-UTC} + # https://docs.saltstack.com/en/latest/ref/configuration/master.html ##### Logging settings ##### 
diff --git a/assets/runtime/functions.sh b/assets/runtime/functions.sh index e7c9649..352a802 100755 --- a/assets/runtime/functions.sh +++ b/assets/runtime/functions.sh @@ -3,6 +3,16 @@ set -e source ${SALT_RUNTIME_DIR}/env-defaults.sh +# Execute a command as SALT_USER +function exec_as_salt() +{ + if [[ $(whoami) == ${SALT_USER} ]]; then + $@ + else + sudo -HEu ${SALT_USER} "$@" + fi +} + # Map salt user with host user function map_uidgid() { @@ -18,11 +28,60 @@ function map_uidgid() fi } +# This function replaces placeholders with values +# $1: file with placeholders to replace +# $x: placeholders to replace +function update_template() +{ + local FILE=${1?missing argument} + shift + + [[ ! -f ${FILE} ]] && return 1 + + local VARIABLES=($@) + local USR=$(stat -c %U ${FILE}) + local tmp_file=$(mktemp) + cp -a "${FILE}" ${tmp_file} + + local variables + for variable in ${VARIABLES[@]}; do + sed -ri "s|[{}]{2}$variable[}]{2}|\${$variable}|g" ${tmp_file} + done + + # Replace placeholders + ( + export ${VARIABLES[@]} + local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE} + ) + + rm -f ${tmp_file} +} + +# This function configures containers timezone +function configure_timezone() +{ + echo "Configuring container timezone ..." + + # Perform sanity check of provided timezone value + if [ -e /usr/share/zoneinfo/${TIMEZONE} ]; then + echo "Setting TimeZone -> ${TIMEZONE} ..." + + # Set localtime + ln -snf /usr/share/zoneinfo/${TIMEZONE} /etc/localtime + + # Set timezone + echo ${TIMEZONE} > /etc/timezone + else + echo "Timezone: '${TIMEZONE}' is not valid. Check available timezones at: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones" + return 1 + fi +} + # This function generates a master_sign key pair and its signature function gen_signed_keys() { local key_name=${1:-master} - + mkdir -p ${SALT_KEYS_DIR}/generated/ GENERATED_KEYS_DIR=$(mktemp -d -p ${SALT_KEYS_DIR}/generated/ -t ${key_name}.XXXXX) 
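Review bot: In `exec_as_salt` the same-user branch runs `$@` unquoted, so arguments containing spaces or glob characters are re-split and expanded before the command runs, while the `sudo -HEu ${SALT_USER} "$@"` branch directly below passes them intact; the two branches should agree, `"$@"`. The guard `[[ $(whoami) == ${SALT_USER} ]]` also leaves the right-hand side unquoted, which makes `[[ == ]]` treat `SALT_USER` as a pattern rather than a literal string, so `[[ "$(whoami)" == "${SALT_USER}" ]]` is the intended comparison.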
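Review bot: The "sanity check" in `configure_timezone` is only `[ -e /usr/share/zoneinfo/${TIMEZONE} ]` on an unquoted path, so a `TIMEZONE` value (taken from the container environment per env-defaults.sh) containing `..`, or naming a directory such as `Europe`, passes the test and `/etc/localtime` is then symlinked to a path outside the tz database or to a directory; `[[ "${TIMEZONE}" != *..* && -f "/usr/share/zoneinfo/${TIMEZONE}" ]]` restricts it to a real zone file, and the `ln`/`echo` lines should quote `"${TIMEZONE}"` as well. The rejection message in the `else` branch goes to stdout; as a diagnostic it belongs on stderr, `echo "Timezone: '${TIMEZONE}' is not valid. ..." >&2`. In `update_template`, `local variables` is declared but never used (the loop variable is `variable`), and `rm -f ${tmp_file}` is only reached on success, so under the file's `set -e` a failing `sed` or `envsubst` leaves the temporary copy of the config behind; a `trap` or an explicit cleanup on the error path would close that.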
@@ -35,25 +94,7 @@ function gen_signed_keys() # This function repairs keys permissions and creates keys if neaded function setup_salt_keys() { - echo "Setting up keys ..." - - sed -i \ - -e "s|^[# ]*master_sign_pubkey:.*$|# master_sign_pubkey -> Overrided, see Custom Settings|" \ - -e "s|^[# ]*master_sign_key_name:.*$|# master_sign_key_name -> Overrided, see Custom Settings|" \ - -e "s|^[# ]*master_pubkey_signature:.*$|# master_pubkey_signature -> Overrided, see Custom Settings|" \ - -e "s|^[# ]*master_use_pubkey_signature:.*$|# master_use_pubkey_signature -> Overrided, see Custom Settings|" \ - ${SALT_ROOT_DIR}/master - - cat >> ${SALT_ROOT_DIR}/master <> ${SALT_ROOT_DIR}/master <