From 886c85e1a37e256cde405db5e68bd7a2f6526065 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20=C3=81lvaro?= <carlos.alvaro@citelan.es>
Date: Fri, 9 Nov 2018 23:44:16 +0100
Subject: [PATCH] Run salt-master as salt user

---
 Dockerfile                  |  2 +-
 assets/build/functions.sh   | 13 +++++++++++++
 assets/build/install.sh     | 15 +++++++++++----
 assets/runtime/functions.sh | 16 ++++++++++++++--
 docker-compose.yml          |  4 ++--
 entrypoint.sh               |  2 +-
 6 files changed, 42 insertions(+), 10 deletions(-)
 create mode 100755 assets/build/functions.sh

diff --git a/Dockerfile b/Dockerfile
index 1033ede..c53f610 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -40,7 +40,7 @@ WORKDIR ${SALT_BUILD_DIR}
 # Install packages
 RUN apt-get update
 RUN apt-get install --yes --quiet --no-install-recommends \
-    ca-certificates wget locales pkg-config openssh-client \
+    sudo ca-certificates wget locales pkg-config openssh-client \
     python${PYTHON_VERSION} python${PYTHON_VERSION}-dev \
     python3-pip python3-setuptools python3-wheel
 
diff --git a/assets/build/functions.sh b/assets/build/functions.sh
new file mode 100755
index 0000000..a8a7bf6
--- /dev/null
+++ b/assets/build/functions.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Execute a command as SALT_USER
+function exec_as_salt()
+{
+  if [[ $(whoami) == ${SALT_USER} ]]; then
+    $@
+  else
+    sudo -HEu ${SALT_USER} "$@"
+  fi
+}
diff --git a/assets/build/install.sh b/assets/build/install.sh
index bfb3f86..8e79080 100755
--- a/assets/build/install.sh
+++ b/assets/build/install.sh
@@ -2,6 +2,8 @@
 
 set -e
 
+source ${SALT_BUILD_DIR}/functions.sh
+
 # Install build dependencies
 echo "Installing dependencies ..."
 BUILD_DEPENDENCIES="gnupg git cmake gcc g++ make \
@@ -10,6 +12,15 @@ BUILD_DEPENDENCIES="gnupg git cmake gcc g++ make \
 
 apt-get install --yes --quiet --no-install-recommends ${BUILD_DEPENDENCIES}
 
+# Create salt user
+echo "Creating ${SALT_USER} user ..."
+useradd -d ${SALT_HOME} -ms /bin/bash -U -G root,sudo ${SALT_USER}
+
+# Set PATH
+exec_as_salt cat >> ${SALT_HOME}/.profile <<EOF
+PATH=/usr/local/sbin:/usr/local/bin:\$PATH
+EOF
+
 # Compile libssh2
 echo "Building libssh2 v${LIBSSH2_VERSION} ..."
 wget https://github.com/libssh2/libssh2/archive/libssh2-${LIBSSH2_VERSION}.tar.gz 
@@ -36,10 +47,6 @@ pip3 install "pygit2==v${PYGIT2_VERSION}" \
              "libnacl==v${LIBNACL_VERSION}" \
              "raet==v${RAET_VERSION}"
 
-# Salt user
-echo "Creating ${SALT_USER} user ..."
-useradd -d ${SALT_HOME} -ms /bin/bash -U -G root,sudo ${SALT_USER}
-
 # Bootstrap script options:
 # https://docs.saltstack.com/en/latest/topics/tutorials/salt_bootstrap.html#command-line-options
 ## -M: install Salt Master by default
diff --git a/assets/runtime/functions.sh b/assets/runtime/functions.sh
index 3c23c4c..e7c9649 100755
--- a/assets/runtime/functions.sh
+++ b/assets/runtime/functions.sh
@@ -11,10 +11,10 @@ function map_uidgid()
   USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
   USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
   if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then
-    echo "Mapping UID and GID for ${SALT_USER}:${SALT_USER} to ${USERMAP_UID}:${USERMAP_GID}..."
+    echo "Mapping UID and GID for ${SALT_USER}:${SALT_USER} to ${USERMAP_UID}:${USERMAP_GID} ..."
     groupmod -o -g ${USERMAP_GID} ${SALT_USER}
     sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
-    find ${SALT_HOME} -path ${SALT_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${SALT_USER}:
+    find ${SALT_HOME} -path ${SALT_DATA_DIR}/\* \( ! -uid ${USERMAP_ORIG_UID} -o ! -gid ${USERMAP_ORIG_GID} \) -print0 | xargs -0 chown -h ${SALT_USER}: ${SALT_HOME}
   fi
 }
 
@@ -109,6 +109,7 @@ function configure_salt_master()
 
   # Set env variables
   sed -i \
+      -e "s|^[#]*user:.*$|user: ${SALT_USER}|" \
       -e "s|^[#]*log_level:.*$|log_level: ${SALT_LOG_LEVEL}|" \
       -e "s|^[#]*log_level_logfile:.*$|log_level_logfile: ${SALT_LEVEL_LOGFILE}|" \
       -e "s|^[#]*default_include:.*$|default_include: ${SALT_CONFS_DIR}/*.conf|" \
@@ -143,6 +144,17 @@ function initialize_datadir()
   [[ -d /srv ]] && [[ ! -L /srv ]] && rm -rf /srv
   ln -sfnv ${SALT_BASE_DIR} /srv
 
+  # Set Slat root permissions
+  chown -R ${SALT_USER} ${SALT_ROOT_DIR}
+
+  # Set Salt run permissions
+  mkdir -p /var/run/salt
+  chown -R ${SALT_USER} /var/run/salt
+
+  # Set cache permissions
+  mkdir -p /var/cache/salt/master
+  chown -R salt /var/cache/salt
+
   # Logs directory
   [[ -d /var/log/salt ]] && [[ ! -L /var/log/salt ]] && rm -rf /var/log/salt
   mkdir -p /var/log
diff --git a/docker-compose.yml b/docker-compose.yml
index cb4a047..3205c43 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,7 @@ services:
       - "4506:4506/tcp"
     environment:
       - DEBUG=false
-      - USERMAP_UID=501
-      - USERMAP_GID=20
+      - USERMAP_UID=1000
+      - USERMAP_GID=1000
 
       - SALT_LOG_LEVEL=info
diff --git a/entrypoint.sh b/entrypoint.sh
index 9ce773e..ab1147c 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -13,7 +13,7 @@ case ${1} in
     case ${1} in
       app:start)
         echo "Starting salt-master..."
-        exec salt-master
+        exec sudo -HEu ${SALT_USER} salt-master
         ;;
       app:gen-signed-keys)
         shift 1