Merge pull request #10 from cdalvaro/add_logrotate_support

Add logrotate support

CHANGELOG.md

@@ -6,12 +6,15 @@ Please refer to the SaltStack [Release Notes](https://docs.saltstack.com/en/deve
 **2018.3.3**
 
 - Upgrade SaltStack Master to `2018.3.3`
-- Change Docker base image to `ubuntu:xenial-20181005`
+- Change Docker base image to `ubuntu:xenial-20181113`
 - Add `GitPython` support
 - Add `PyGit2` support
 - Expose `/home/salt/data/logs`
 - Run `salt-master` as `salt` user
 - Add support for setting timezone
+- Add logrotate support
+- Add supervisor support
+- Addressed a bug that caused the container to crash when `/home/salt/data/keys/minions` was not present
 
 **2018.3.2**
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:xenial-20181005
+FROM ubuntu:xenial-20181113
 
 LABEL maintainer="carlos.alvaro@citelan.es"
 LABEL description="SaltStack master"
@@ -11,11 +11,15 @@ ENV SALT_VERSION="2018.3.3" \
     LIBGIT2_VERSION="0.27.7" \
     PYGIT2_VERSION="0.27.2" \
     GITPYTHON_VERSION="2.1.11" \
-    M2CRYPTO_VERSION="0.30.1" \
+    M2CRYPTO_VERSION="0.31.0" \
     MAKO_VERSION="1.0.7" \
-    PYCRYPTODOME_VERSION="3.7.0" \
+    PYCRYPTODOME_VERSION="3.7.2" \
     LIBNACL_VERSION="1.6.1" \
-    RAET_VERSION="0.6.8"
+    RAET_VERSION="0.6.8" \
+    CHERRYPY_VERSION="18.0.1" \
+    TIMELIB_VERSION="0.2.4" \
+    DOCKERPY_VERSION="1.10.6" \
+    MSGPACKPURE_VERSION="0.1.3"
 
 ENV SALT_DOCKER_DIR="/etc/docker-salt" \
     SALT_ROOT_DIR="/etc/salt" \
@@ -43,7 +47,8 @@ RUN apt-get update
 RUN apt-get install --yes --quiet --no-install-recommends \
     sudo ca-certificates wget locales pkg-config openssh-client \
     python${PYTHON_VERSION} python${PYTHON_VERSION}-dev \
-    python3-pip python3-setuptools python3-wheel gettext-base
+    python3-pip python3-setuptools python3-wheel gettext-base \
+    supervisor logrotate
 
 # Configure locales
 RUN update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \

Makefile

@@ -22,7 +22,9 @@ quickstart:
 		--publish=4505:4505/tcp --publish=4506:4506/tcp \
 		--env "USERMAP_UID=$(shell id -u)" --env "USERMAP_GID=$(shell id -g)" \
 		--env SALT_LOG_LEVEL=info \
-		--read-only --volume $(shell pwd)/srv/:/home/salt/data/srv/ \
+		--volume $(shell pwd)/recipes/:/home/salt/data/srv/ \
+		--volume $(shell pwd)/keys/:/home/salt/data/keys/ \
+		--volume $(shell pwd)/logs/:/home/salt/data/logs/ \
 		cdalvaro/saltstack-master:latest
 	@echo "Type 'make logs' for the logs"
 

README.md

@@ -19,6 +19,7 @@ For other methods to install SaltStack please refer to the [Official SaltStack I
   - [Git Fileserver](#git-fileserver)
     - [GitPython](#gitpython)
     - [PyGit2](#pygit2)
+  - [Logs](#logs)
   - [Available Configuration Parameters](#available-configuration-parameters)
 - [Usage](#usage)
 - [Shell Access](#shell-access)
@@ -64,7 +65,8 @@ Alternatively, you can manually launch the `saltstack-master`  container:
 docker run --name salt_master --detach \
     --publish 4505:4505/tcp --publish 4506:4506/tcp \
     --env 'SALT_LOG_LEVEL=info' \
-    --read-only --volume $(pwd)/srv/:/home/salt/data/srv/ \
+    --volume $(pwd)/recipes/:/home/salt/data/srv/ \
+    --volume $(pwd)/keys/:/home/salt/data/keys/ \
     cdalvaro/saltstack-master:2018.3.3
 ```
 
@@ -72,13 +74,13 @@ docker run --name salt_master --detach \
 
 ### Custom Recipes
 
-This image does not require storing data out of the container.
+In order to provide salt with your custom recipes you must mount the volume `/home/salt/data/srv/` with your recipes directory.
-
-But it is necessary to mount the `/srv/` volume ir order to provide your custom recipes.
 
 ### Minion Keys
 
-Minion keys can be added automatically on startup to SaltStack master by mounting the volume `/home/salt/data/keys` and copying the minion keys inside `keys/minions/` directory:
+Minion keys can be added automatically on startup to SaltStack master by mounting the volume `/home/salt/data/keys` and copying the minion keys inside `keys/minions/` directory.
+
+It is also important to know that, in order to keep your keys after removing the container, the keys directory must be mounted.
 
 ```sh
 mkdir -p keys/minions
@@ -87,7 +89,7 @@ rsync root@minion1:/etc/salt/pki/minion/minion.pub keys/minions/minion1
 docker run --name salt_master -d \
     --publish 4505:4505/tcp --publish 4506:4506/tcp \
     --env 'SALT_LOG_LEVEL=info' \
-    --volume $(pwd)/srv/:/home/salt/data/srv/ \
+    --volume $(pwd)/recipes/:/home/salt/data/srv/ \
     --volume $(pwd)/keys/:/home/salt/data/keys/ \
     cdalvaro/saltstack-master:2018.3.3
 ```
@@ -101,7 +103,7 @@ docker run --name salt_stack --detach \
     --publish 4505:4505/tcp --publish 4506:4506/tcp \
     --env 'SALT_LOG_LEVEL=info' \
     --env 'SALT_MASTER_SIGN_PUBKEY=True'
-    --volume $(pwd)/srv/:/home/salt/data/srv/ \
+    --volume $(pwd)/recipes/:/home/salt/data/srv/ \
     --volume $(pwd)/keys/:/home/salt/data/keys/ \
     cdalvaro/saltstack-master:2018.3.3
 ```
@@ -127,7 +129,8 @@ Also the container processes seem to be executed as the host's user/group `1000`
 ```sh
 docker run --name salt_stack -it --rm \
     --env "USERMAP_UID=$(id -u)" --env "USERMAP_GID=$(id -g)" \
-    --volume $(pwd)/srv/:/home/salt/data/srv/ \
+    --volume $(pwd)/recipes/:/home/salt/data/srv/ \
+    --volume $(pwd)/keys/:/home/salt/data/keys/ \
     cdalvaro/saltstack-master:2018.3.3
 ```
 
@@ -171,6 +174,22 @@ _pygit2.GitError: Failed to authenticate SSH session: Unable to send userauth-pu
 
 look if your private key hash empty lines at the bottom of the file and suppress them for solving the error.
 
+### Logs
+
+Salt logs are accessible by mounting the volume `/home/salt/data/logs/`.
+
+Inside that directory you could find `supervisor/` logs and `salt/` logs:
+
+docker run --name salt_master --detach \
+    --publish 4505:4505/tcp --publish 4506:4506/tcp \
+    --env 'SALT_LOG_LEVEL=info' \
+    --volume $(pwd)/recipes/:/home/salt/data/srv/ \
+    --volume $(pwd)/keys/:/home/salt/data/keys/ \
+    --volume $(pwd)/logs/:/home/salt/data/logs/ \
+    cdalvaro/saltstack-master:2018.3.3
+
+Check [Available Configuration Parameters](#available-configuration-parameters) section for configuring logrotate.
+
 ### Available Configuration Parameters
 
 Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose.
@@ -182,6 +201,8 @@ Below is the list of available options that can be used to customize your SaltSt
 | `DEBUG` | Set this to `true` to enable entrypoint debugging. |
 | `TIMEZONE` | Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Madrid`. See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). |
 | `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` |
+| `SALT_LOG_ROTATE_FREQUENCY` | Logrotate frequency for salt logs. Available options are 'daily', 'weekly', 'monthly', and 'yearly'. Default: `weekly` |
+| `SALT_LOG_ROTATE_RETENTION` | Keep x files before deleting old log files. Defaults: `52` |
 | `SALT_LEVEL_LOGFILE` | The level of messages to send to the log file. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` |
 | `SALT_MASTER_SIGN_PUBKEY` | Sign the master auth-replies with a cryptographic signature of the master's public key. Possible values: 'True' or 'False'. Default: `False` |
 | `SALT_MASTER_USE_PUBKEY_SIGNATURE` | Instead of computing the signature for each auth-reply, use a pre-calculated signature. This option requires `SALT_MASTER_SIGN_PUBKEY` set to 'True'. Possible values: 'True' or 'False'. Default: `True` |
@@ -207,7 +228,8 @@ EOF
 docker run --name salt_master -d \
     --publish 3505:3505/tcp --publish 3506:3506/tcp \
     --env 'SALT_LOG_LEVEL=info' \
-    --read-only --volume $(pwd)/srv/:/home/salt/data/srv/ \
+    --volume $(pwd)/recipes/:/home/salt/data/srv/ \
+    --volume $(pwd)/keys/:/home/salt/data/keys/ \
     --volume $(pwd)/config/:/home/salt/data/config/ \
     cdalvaro/saltstack-master:2018.3.3
 ```

assets/build/install.sh

@@ -45,7 +45,11 @@ pip3 install "pygit2==v${PYGIT2_VERSION}" \
              "Mako==v${MAKO_VERSION}" \
              "pycryptodome==v${PYCRYPTODOME_VERSION}" \
              "libnacl==v${LIBNACL_VERSION}" \
-             "raet==v${RAET_VERSION}"
+             "raet==v${RAET_VERSION}" \
+             "CherryPy==v${CHERRYPY_VERSION}" \
+             "timelib==v${TIMELIB_VERSION}" \
+             "docker-py==v${DOCKERPY_VERSION}" \
+             "msgpack-pure==v${MSGPACKPURE_VERSION}"
 
 # Bootstrap script options:
 # https://docs.saltstack.com/en/latest/topics/tutorials/salt_bootstrap.html#command-line-options
@@ -67,3 +71,30 @@ sed -i -e "s|^[# ]*StrictHostKeyChecking.*$|    StrictHostKeyChecking no|" /etc/
 echo "    UserKnownHostsFile /dev/null" >> /etc/ssh/ssh_config
 echo "    LogLevel ERROR" >> /etc/ssh/ssh_config
 echo "#   IdentityFile salt_ssh_key" >> /etc/ssh/ssh_config
+
+# Configure logrotate
+echo "Configuring logrotate ..."
+
+# move supervisord.log file to ${SALT_LOGS_DIR}/supervisor/
+sed -i "s|^[#]*logfile=.*|logfile=${SALT_LOGS_DIR}/supervisor/supervisord.log ;|" /etc/supervisor/supervisord.conf
+
+# fix "unknown group 'syslog'" error preventing logrotate from functioning
+sed -i "s|^su root syslog$|su root root|" /etc/logrotate.conf
+
+# Configure supervisor
+echo "Configuring supervisor ..."
+
+# configure supervisord to start unicorn
+cat > /etc/supervisor/conf.d/salt-master.conf <<EOF
+[program:salt-master]
+priority=5
+directory=${SALT_HOME}
+environment=HOME=${SALT_HOME}
+command=salt-master
+user=${SALT_USER}
+autostart=true
+autorestart=true
+stopsignal=QUIT
+stdout_logfile=${SALT_LOGS_DIR}/supervisor/%(program_name)s.log
+stderr_logfile=${SALT_LOGS_DIR}/supervisor/%(program_name)s.log
+EOF

assets/runtime/config/master.yml

@@ -47,7 +47,7 @@ master_use_pubkey_signature: {{SALT_MASTER_USE_PUBKEY_SIGNATURE}}
 #####     Salt-SSH Configuration     #####
 ##########################################
 # The log file of the salt-ssh command:
-ssh_log_file: {{SALT_LOGS_DIR}}/ssh
+ssh_log_file: {{SALT_LOGS_DIR}}/salt/ssh
 
 
 #####      File Server settings      #####
@@ -94,14 +94,14 @@ pillar_roots:
 # to receive commands from.
 
 # The log file of the salt-syndic daemon:
-syndic_log_file: {{SALT_LOGS_DIR}}/syndic
+syndic_log_file: {{SALT_LOGS_DIR}}/salt/syndic
 
 
 #####         Logging settings       #####
 ##########################################
 # The location of the master log file
-log_file: {{SALT_LOGS_DIR}}/master
+log_file: {{SALT_LOGS_DIR}}/salt/master
-key_logfile: {{SALT_LOGS_DIR}}/key
+key_logfile: {{SALT_LOGS_DIR}}/salt/key
 
 # The level of messages to send to the console.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.

assets/runtime/env-defaults.sh

@@ -3,6 +3,9 @@
 DEBUG=${DEBUG:-false}
 TIMEZONE=${TIMEZONE:-UTC}
 
+SALT_LOG_ROTATE_FREQUENCY=${SALT_LOG_ROTATE_FREQUENCY:-weekly}
+SALT_LOG_ROTATE_RETENTION=${SALT_LOG_ROTATE_RETENTION:-52}
+
 # https://docs.saltstack.com/en/latest/ref/configuration/master.html
 
 #####         Logging settings       #####

assets/runtime/functions.sh

@@ -171,22 +171,62 @@ function initialize_datadir()
   [[ -d /srv ]] && [[ ! -L /srv ]] && rm -rf /srv
   ln -sfnv ${SALT_BASE_DIR} /srv
 
-  # Set Slat root permissions
+  # Set Salt root permissions
-  chown -R ${SALT_USER} ${SALT_ROOT_DIR}
+  chown -R ${SALT_USER}: ${SALT_ROOT_DIR}
 
   # Set Salt run permissions
   mkdir -p /var/run/salt
-  chown -R ${SALT_USER} /var/run/salt
+  chown -R ${SALT_USER}: /var/run/salt
 
   # Set cache permissions
   mkdir -p /var/cache/salt/master
-  chown -R salt /var/cache/salt
+  chown -R ${SALT_USER}: /var/cache/salt
+
+  # Keys directories
+  mkdir -p ${SALT_KEYS_DIR}/minions
+  chown -R ${SALT_USER}: ${SALT_KEYS_DIR}
 
   # Logs directory
+  mkdir -p ${SALT_LOGS_DIR}/salt ${SALT_LOGS_DIR}/supervisor
+  chmod -R 0755 ${SALT_LOGS_DIR}/supervisor
+  chown -R root: ${SALT_LOGS_DIR}/supervisor
+
   [[ -d /var/log/salt ]] && [[ ! -L /var/log/salt ]] && rm -rf /var/log/salt
-  mkdir -p /var/log
+  mkdir -p ${SALT_LOGS_DIR}/salt /var/log
-  ln -sfnv ${SALT_LOGS_DIR} /var/log/salt
+  ln -sfnv ${SALT_LOGS_DIR}/salt /var/log/salt
-  chown -R ${SALT_USER} ${SALT_LOGS_DIR}
+  chown -R ${SALT_USER}: ${SALT_LOGS_DIR}/salt
+}
+
+# Configures logrotate
+function configure_logrotate()
+{
+  echo "Configuring logrotate ..."
+
+  # configure supervisord log rotation
+  cat > /etc/logrotate.d/supervisord <<EOF
+${SALT_LOGS_DIR}/supervisor/*.log {
+  ${SALT_LOG_ROTATE_FREQUENCY}
+  missingok
+  rotate ${SALT_LOG_ROTATE_RETENTION}
+  compress
+  delaycompress
+  notifempty
+  copytruncate
+}
+EOF
+
+  # configure salt-master log rotation
+  cat > /etc/logrotate.d/salt <<EOF
+${SALT_LOGS_DIR}/salt/* {
+  ${SALT_LOG_ROTATE_FREQUENCY}
+  missingok
+  rotate ${SALT_LOG_ROTATE_RETENTION}
+  compress
+  delaycompress
+  notifempty
+  copytruncate
+}
+EOF
 }
 
 # Initializes the system
@@ -194,8 +234,10 @@ function initialize_system()
 {
   map_uidgid
   initialize_datadir
+  configure_logrotate
   configure_timezone
   configure_salt_master
   setup_salt_keys
   setup_ssh_keys
+  rm -rf /var/run/supervisor.sock
 }

docker-compose.yml

@@ -6,7 +6,9 @@ services:
     image: cdalvaro/saltstack-master:2018.3.3
     restart: always
     volumes:
-      - "./srv/:/home/salt/data/srv"
+      - "recipes/:/home/salt/data/srv"
+      - "keys/:/home/salt/data/keys"
+      - "logs/:/home/salt/data/logs"
     ports:
       - "4505:4505/tcp"
       - "4506:4506/tcp"

entrypoint.sh

@@ -13,7 +13,7 @@ case ${1} in
     case ${1} in
       app:start)
         echo "Starting salt-master..."
-        exec sudo -HEu ${SALT_USER} salt-master
+        exec /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf
         ;;
       app:gen-signed-keys)
         shift 1