From e7c8dc1167a6e198afff21d355d857495284c059 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20=C3=81lvaro?= Date: Mon, 12 Nov 2018 09:45:04 +0100 Subject: [PATCH 1/2] Improve salt-master configuration --- Dockerfile | 3 +- assets/build/install.sh | 2 +- assets/runtime/config/master.yml | 134 +++++++++++++++++++++++++++++++ assets/runtime/functions.sh | 107 ++++++++++++------------ 4 files changed, 194 insertions(+), 52 deletions(-) create mode 100644 assets/runtime/config/master.yml diff --git a/Dockerfile b/Dockerfile index c53f610..0f92a6f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,7 @@ ENV SALT_VERSION="2018.3.3" \ ENV SALT_DOCKER_DIR="/etc/docker-salt" \ SALT_ROOT_DIR="/etc/salt" \ + SALT_CACHE_DIR='/var/cache/salt' \ SALT_USER="salt" \ SALT_HOME="/home/salt" @@ -42,7 +43,7 @@ RUN apt-get update RUN apt-get install --yes --quiet --no-install-recommends \ sudo ca-certificates wget locales pkg-config openssh-client \ python${PYTHON_VERSION} python${PYTHON_VERSION}-dev \ - python3-pip python3-setuptools python3-wheel + python3-pip python3-setuptools python3-wheel gettext-base # Configure locales RUN update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \ diff --git a/assets/build/install.sh b/assets/build/install.sh index 8e79080..ae6cb57 100755 --- a/assets/build/install.sh +++ b/assets/build/install.sh @@ -23,7 +23,7 @@ EOF # Compile libssh2 echo "Building libssh2 v${LIBSSH2_VERSION} ..." -wget https://github.com/libssh2/libssh2/archive/libssh2-${LIBSSH2_VERSION}.tar.gz +wget https://github.com/libssh2/libssh2/archive/libssh2-${LIBSSH2_VERSION}.tar.gz tar xzf libssh2-${LIBSSH2_VERSION}.tar.gz cd libssh2-libssh2-${LIBSSH2_VERSION}/ cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=ON -DENABLE_ZLIB_COMPRESSION=ON . diff --git a/assets/runtime/config/master.yml b/assets/runtime/config/master.yml new file mode 100644 index 0000000..bf722e6 --- /dev/null +++ b/assets/runtime/config/master.yml 
@@ -0,0 +1,134 @@
+##### Primary configuration settings #####
+##########################################
+# This configuration file is used to manage the behavior of the Salt Master.
+# Values that are commented out but have an empty line after the comment are
+# defaults that do not need to be set in the config. If there is no blank line
+# after the comment then the value is presented as an example and is not the
+# default.
+
+# The master will automatically include all config files from:
+default_include: {{SALT_CONFS_DIR}}/*.conf
+
+# The user under which the salt master will run.
+user: {{SALT_USER}}
+
+# Directory used to store public key data:
+pki_dir: {{SALT_KEYS_DIR}}
+
+# Directory to store job and cache data:
+# This directory may contain sensitive data and should be protected accordingly.
+cachedir: {{SALT_CACHE_DIR}}/master
+
+# Directory for custom modules. This directory can contain subdirectories for
+# each of Salt's module types such as "runners", "output", "wheel", "modules",
+# "states", "returners", "engines", "utils", etc.
+extension_modules: {{SALT_CACHE_DIR}}/master/extmods
+
+
+##### Security settings #####
+##########################################
+# Enable passphrase protection of the Master signing_key. This only applies if
+# master_sign_pubkey is set to True. This is disabled by default.
+master_sign_pubkey: {{SALT_MASTER_SIGN_PUBKEY}}
+master_sign_key_name: {{SALT_MASTER_SIGN_KEY_NAME}}
+master_pubkey_signature: {{SALT_MASTER_PUBKEY_SIGNATURE}}
+master_use_pubkey_signature: {{SALT_MASTER_USE_PUBKEY_SIGNATURE}}
+
+# Use TLS/SSL encrypted connection between master and minion.
+# Can be set to a dictionary containing keyword arguments corresponding to Python's
+# 'ssl.wrap_socket' method.
+# Default is None.
+#ssl:
+# keyfile:
+# certfile:
+# ssl_version: PROTOCOL_TLSv1_2
+
+
+##### Salt-SSH Configuration #####
+##########################################
+# The log file of the salt-ssh command:
+ssh_log_file: {{SALT_LOGS_DIR}}/ssh
+
+
+##### File Server settings #####
+##########################################
+# Salt runs a lightweight file server written in zeromq to deliver files to
+# minions. This file server is built into the master daemon and does not
+# require a dedicated port.
+
+# The file server works on environments passed to the master, each environment
+# can have multiple root directories, the subdirectories in the multiple file
+# roots cannot match, otherwise the downloaded files will not be able to be
+# reliably ensured. A base environment is required to house the top file.
+file_roots:
+ base:
+ - {{SALT_BASE_DIR}}/salt
+
+# The master_roots setting configures a master-only copy of the file_roots dictionary,
+# used by the state compiler.
+master_roots:
+ base:
+ - {{SALT_BASE_DIR}}/salt-master
+
+
+##### Pillar settings #####
+##########################################
+# Salt Pillars allow for the building of global data that can be made selectively
+# available to different minions based on minion grain filtering. The Salt
+# Pillar is laid out in the same fashion as the file server, with environments,
+# a top file and sls files. However, pillar data does not need to be in the
+# highstate format, and is generally just key/value pairs.
+pillar_roots:
+ base:
+ - {{SALT_BASE_DIR}}/pillar
+
+
+##### Syndic settings #####
+##########################################
+# The Salt syndic is used to pass commands through a master from a higher
+# master. Using the syndic is simple. If this is a master that will have
+# syndic servers(s) below it, then set the "order_masters" setting to True.
+#
+# If this is a master that will be running a syndic daemon for passthrough, then
+# the "syndic_master" setting needs to be set to the location of the master server
+# to receive commands from.
+
+# The log file of the salt-syndic daemon:
+syndic_log_file: {{SALT_LOGS_DIR}}/syndic
+
+
+##### Logging settings #####
+##########################################
+# The location of the master log file
+log_file: {{SALT_LOGS_DIR}}/master
+key_logfile: {{SALT_LOGS_DIR}}/key
+
+# The level of messages to send to the console.
+# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+#
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
+log_level: {{SALT_LOG_LEVEL}}
+
+# The level of messages to send to the log file.
+# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+# If using 'log_granular_levels' this must be set to the highest desired level.
+log_level_logfile: {{SALT_LEVEL_LOGFILE}}
+
+
+##### Windows Software Repo settings #####
+###########################################
+# Location of the repo on the master:
+winrepo_dir_ng: '{{SALT_BASE_DIR}}/salt/win/repo-ng'
+
+
+##### Windows Software Repo settings - Pre 2015.8 #####
+########################################################
+# Legacy repo settings for pre-2015.8 Windows minions.
+#
+# Location of the repo on the master:
+winrepo_dir: '{{SALT_BASE_DIR}}/salt/win/repo'
+#
+# Location of the master's repo cache file:
+winrepo_mastercachefile: '{{SALT_BASE_DIR}}/salt/win/repo/winrepo.p'
diff --git a/assets/runtime/functions.sh b/assets/runtime/functions.sh
index e7c9649..708dbcb 100755
--- a/assets/runtime/functions.sh
+++ b/assets/runtime/functions.sh
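Review bot: The comment above `master_sign_pubkey` describes passphrase protection of the signing key, but none of the four `master_*` settings it introduces controls a passphrase, so a reader of the rendered `/etc/salt/master` may conclude the signing key is passphrase-protected when nothing in this template sets that. Replace it with a comment that matches the keys it precedes, e.g. `# Sign the master auth-replies with a signature of the master's public key (master_sign_pubkey); master_use_pubkey_signature reuses the pre-calculated signature file named by master_pubkey_signature.` A line above `default_include` is also worth adding, such as `# Every *.conf in this directory becomes master configuration (publisher_acl, external_auth, ...); keep it writable by the operator only.`, since where `SALT_CONFS_DIR` is mounted from is not shown in this patch and the include is an unbounded configuration surface.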
@@ -3,6 +3,16 @@
 set -e
 source ${SALT_RUNTIME_DIR}/env-defaults.sh
+# Execute a command as SALT_USER
+function exec_as_salt()
+{
+ if [[ $(whoami) == ${SALT_USER} ]]; then
+ $@
+ else
+ sudo -HEu ${SALT_USER} "$@"
+ fi
+}
+
 # Map salt user with host user
 function map_uidgid()
 {
@@ -18,6 +28,35 @@ function map_uidgid()
 fi
 }
+# This function replaces placeholders with values
+# $1: file with placeholders to replace
+# $x: placeholders to replace
+function update_template()
+{
+ local FILE=${1?missing argument}
+ shift
+
+ [[ ! -f ${FILE} ]] && return 1
+
+ local VARIABLES=($@)
+ local USR=$(stat -c %U ${FILE})
+ local tmp_file=$(mktemp)
+ cp -a "${FILE}" ${tmp_file}
+
+ local variables
+ for variable in ${VARIABLES[@]}; do
+ sed -ri "s|[{}]{2}$variable[}]{2}|\${$variable}|g" ${tmp_file}
+ done
+
+ # Replace placeholders
+ (
+ export ${VARIABLES[@]}
+ local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE}
+ )
+
+ rm -f ${tmp_file}
+}
+
 # This function generates a master_sign key pair and its signature
 function gen_signed_keys()
 {
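Review bot: In `exec_as_salt` the same-user branch runs `$@` unquoted while the `sudo` branch passes `"$@"`, so an argument containing whitespace or a glob character is re-split and expanded only when the entrypoint already runs as `${SALT_USER}`; the two branches should agree, i.e. `"$@"` in both. Callers of this helper are outside the hunk, so whether any argument can actually carry such characters is not visible here, but the asymmetry is a latent difference in behaviour between the two code paths.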
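Review bot: In `update_template` the `sudo -HEu ${USR} envsubst ... > ${FILE}` line only runs envsubst as the file owner; the `> ${FILE}` redirection is opened by the calling shell, so the target is truncated and written with the entrypoint's own privileges (presumably root) and the `sudo` adds no protection to the write. If the intent is that the owner writes the file, move the redirection to the sudo side, e.g. `sudo -HEu "${USR}" sh -c 'envsubst "$1" < "$2" > "$3"' sh "${VARIABLES[*]/#/$}" "${tmp_file}" "${FILE}"`. Two smaller points in the same function: `local variables` declares an unused name and leaves the loop's `variable` global (`local variable` was presumably meant), and `$variable` is spliced unescaped into the `sed -r` pattern, which is safe only while callers pass plain identifier names, so that assumption belongs in the `# $x:` header comment. Under `set -e` a failing envsubst inside the subshell aborts the script before `rm -f ${tmp_file}` runs, so a `trap` on EXIT would be the reliable cleanup.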
@@ -35,25 +74,7 @@ function gen_signed_keys() # This function repairs keys permissions and creates keys if neaded function setup_salt_keys() { - echo "Setting up keys ..." - - sed -i \ - -e "s|^[# ]*master_sign_pubkey:.*$|# master_sign_pubkey -> Overrided, see Custom Settings|" \ - -e "s|^[# ]*master_sign_key_name:.*$|# master_sign_key_name -> Overrided, see Custom Settings|" \ - -e "s|^[# ]*master_pubkey_signature:.*$|# master_pubkey_signature -> Overrided, see Custom Settings|" \ - -e "s|^[# ]*master_use_pubkey_signature:.*$|# master_use_pubkey_signature -> Overrided, see Custom Settings|" \ - ${SALT_ROOT_DIR}/master - - cat >> ${SALT_ROOT_DIR}/master <> ${SALT_ROOT_DIR}/master < Date: Mon, 12 Nov 2018 09:45:57 +0100 Subject: [PATCH 2/2] Add support for setting timezone --- CHANGELOG.md | 1 + LICENSE | 1 - README.md | 6 ++++-- assets/runtime/env-defaults.sh | 3 +++ assets/runtime/functions.sh | 25 +++++++++++++++++++++++-- docker-compose.yml | 2 ++ 6 files changed, 33 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 92227c0..95edc74 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Please refer to the SaltStack [Release Notes](https://docs.saltstack.com/en/deve - Add `PyGit2` support - Expose `/home/salt/data/logs` - Run `salt-master` as `salt` user +- Add support for setting timezone **2018.3.2** diff --git a/LICENSE b/LICENSE index 35fb1ff..ed89c6a 100644 --- a/LICENSE +++ b/LICENSE @@ -19,4 +19,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/README.md b/README.md index 770df63..1e58dc5 100644 --- a/README.md +++ b/README.md 
@@ -161,7 +161,7 @@ gitfs_privkey: /home/salt/data/keys/gitfs/gitfs_ssh gitfs_pubkey: /home/salt/data/keys/gitfs/gitfs_ssh.pub ``` -**Important Note** +**Important Note** If you get the following error while using `gitfs` with `pygit2` @@ -178,7 +178,9 @@ Please refer the docker run command options for the `--env-file` flag where you Below is the list of available options that can be used to customize your SaltStack master installation. | Parameter | Description | -|-----------|-------------| +|:----------|:------------| +| `DEBUG` | Set this to `true` to enable entrypoint debugging. | +| `TIMEZONE` | Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Madrid`. See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). | | `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` | | `SALT_LEVEL_LOGFILE` | The level of messages to send to the log file. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` | | `SALT_MASTER_SIGN_PUBKEY` | Sign the master auth-replies with a cryptographic signature of the master's public key. Possible values: 'True' or 'False'. Default: `False` | diff --git a/assets/runtime/env-defaults.sh b/assets/runtime/env-defaults.sh index 5e7673f..a759859 100755 --- a/assets/runtime/env-defaults.sh +++ b/assets/runtime/env-defaults.sh @@ -1,5 +1,8 @@ #!/usr/bin/env bash +DEBUG=${DEBUG:-false} +TIMEZONE=${TIMEZONE:-UTC} + # https://docs.saltstack.com/en/latest/ref/configuration/master.html ##### Logging settings ##### diff --git a/assets/runtime/functions.sh b/assets/runtime/functions.sh index 708dbcb..352a802 100755 --- a/assets/runtime/functions.sh +++ b/assets/runtime/functions.sh 
@@ -57,11 +57,31 @@ function update_template()
 rm -f ${tmp_file}
 }
+# This function configures containers timezone
+function configure_timezone()
+{
+ echo "Configuring container timezone ..."
+
+ # Perform sanity check of provided timezone value
+ if [ -e /usr/share/zoneinfo/${TIMEZONE} ]; then
+ echo "Setting TimeZone -> ${TIMEZONE} ..."
+
+ # Set localtime
+ ln -snf /usr/share/zoneinfo/${TIMEZONE} /etc/localtime
+
+ # Set timezone
+ echo ${TIMEZONE} > /etc/timezone
+ else
+ echo "Timezone: '${TIMEZONE}' is not valid. Check available timezones at: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"
+ return 1
+ fi
+}
+
 # This function generates a master_sign key pair and its signature
 function gen_signed_keys()
 {
 local key_name=${1:-master}
-
+
 mkdir -p ${SALT_KEYS_DIR}/generated/
 GENERATED_KEYS_DIR=$(mktemp -d -p ${SALT_KEYS_DIR}/generated/ -t ${key_name}.XXXXX)
@@ -146,7 +166,7 @@ function configure_salt_master()
 function initialize_datadir()
 {
 echo "Configuring directories ..."
-
+
 # This symlink simplifies paths for loading sls files
 [[ -d /srv ]] && [[ ! -L /srv ]] && rm -rf /srv
 ln -sfnv ${SALT_BASE_DIR} /srv
@@ -174,6 +194,7 @@ function initialize_system()
 {
 map_uidgid
 initialize_datadir
+ configure_timezone
 configure_salt_master
 setup_salt_keys
 setup_ssh_keys
diff --git a/docker-compose.yml b/docker-compose.yml
index 3205c43..fe9f6a9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,6 +4,7 @@ services:
 master:
 container_name: salt_master
 image: cdalvaro/saltstack-master:2018.3.3
+ restart: always
 volumes:
 - "./srv/:/home/salt/data/srv"
 ports:
@@ -11,6 +12,7 @@ - "4506:4506/tcp"
 environment:
 - DEBUG=false
+ - TIMEZONE=Europe/Madrid
 - USERMAP_UID=1000
 - USERMAP_GID=1000
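Review bot: The `[ -e /usr/share/zoneinfo/${TIMEZONE} ]` test in `configure_timezone` is labelled a sanity check but accepts any existing path, so `TIMEZONE=../../etc/passwd` passes and `/etc/localtime` is then symlinked to an arbitrary file, and a directory name such as `Europe` also passes and leaves `/etc/localtime` pointing at a directory. The value comes from the container environment, so it is operator-supplied rather than untrusted, but the check should still match what the comment promises: `if [[ "${TIMEZONE}" != *..* && -f "/usr/share/zoneinfo/${TIMEZONE}" ]]; then`, with the `${TIMEZONE}` expansions in the `ln` and `echo` lines quoted for the same reason. The rejection message on the `else` branch belongs on stderr (`>&2`) so it is not mixed with the progress output the function prints on stdout.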