chaos/docker-salt-master
Archived
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add support for mapping user uid/gid

Browse Source
This commit is contained in:
Carlos Álvaro
2018-10-03 20:14:54 +02:00
parent 080df756a0
commit 8bf6edc229
5 changed files with 105 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
Dockerfile
View File

@@ -4,14 +4,18 @@ LABEL maintainer="carlos.alvaro@citelan.es"
LABEL description="SaltStack master" LABEL description="SaltStack master"
LABEL version="2018.3.2" LABEL version="2018.3.2"
ENV SALT_DOCKER_DIR="/etc/salt-docker" \ ENV SALT_DOCKER_DIR="/etc/docker-salt" \
SALT_ROOT_DIR="/etc/salt" \ SALT_ROOT_DIR="/etc/salt" \
SALT_USER=root SALT_USER="salt" \
SALT_HOME="/home/salt"
ENV SALT_BUILD_DIR="${SALT_DOCKER_DIR}/build" \ ENV SALT_BUILD_DIR="${SALT_DOCKER_DIR}/build" \
SALT_CONFS_DIR="${SALT_DOCKER_DIR}/config" \ SALT_RUNTIME_DIR="${SALT_DOCKER_DIR}/runtime" \
SALT_KEYS_DIR="${SALT_DOCKER_DIR}/keys" \ SALT_DATA_DIR="${SALT_HOME}/data"
SALT_RUNTIME_DIR="${SALT_DOCKER_DIR}/runtime"
ENV SALT_CONFS_DIR="${SALT_DATA_DIR}/config" \
SALT_KEYS_DIR="${SALT_DATA_DIR}/keys" \
SALT_BASE_DIR="${SALT_DATA_DIR}/srv"
# Bootstrap script options: # Bootstrap script options:
# https://docs.saltstack.com/en/latest/topics/tutorials/salt_bootstrap.html#command-line-options # https://docs.saltstack.com/en/latest/topics/tutorials/salt_bootstrap.html#command-line-options
@@ -31,32 +35,39 @@ ENV DEBIAN_FRONTEND=noninteractive
# Install packages # Install packages
RUN apt-get update RUN apt-get update
RUN apt-get install --yes --quiet --no-install-recommends \ RUN apt-get install --yes --quiet --no-install-recommends \
ca-certificates apt-transport-https curl git vim python3 locales virt-what ca-certificates apt-transport-https curl git vim python3 locales
# Configure locales # Configure locales
RUN update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \ RUN update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
locale-gen en_US.UTF-8 \ locale-gen en_US.UTF-8 \
dpkg-reconfigure locales dpkg-reconfigure locales
EXPOSE 4505/tcp 4506/tcp # Install saltstack
RUN mkdir -p /srv ${SALT_KEYS_DIR} ${SALT_CONFS_DIR}
VOLUME [ "/srv", "${SALT_KEYS_DIR}" "${SALT_CONFS_DIR}" ]
RUN mkdir -p ${SALT_BUILD_DIR} RUN mkdir -p ${SALT_BUILD_DIR}
WORKDIR ${SALT_BUILD_DIR} WORKDIR ${SALT_BUILD_DIR}
RUN curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com RUN curl -o bootstrap-salt.sh -L https://bootstrap.saltstack.com
RUN sh bootstrap-salt.sh ${SALT_BOOTSTRAP_OPTS} git ${SALT_GIT_RELEASE} RUN sh bootstrap-salt.sh ${SALT_BOOTSTRAP_OPTS} git ${SALT_GIT_RELEASE}
RUN apt-get clean --yes # Salt user
RUN rm -rf /var/lib/apt/lists/* RUN useradd -d ${SALT_HOME} -ms /bin/bash -U -G root,sudo ${SALT_USER}
RUN chown -R ${SALT_USER}: ${SALT_ROOT_DIR}
EXPOSE 4505/tcp 4506/tcp
RUN mkdir -p ${SALT_DATA_DIR} ${SALT_BASE_DIR} ${SALT_KEYS_DIR} ${SALT_CONFS_DIR}
VOLUME [ "${SALT_BASE_DIR}" "${SALT_KEYS_DIR}" "${SALT_CONFS_DIR}" ]
COPY assets/runtime ${SALT_RUNTIME_DIR} COPY assets/runtime ${SALT_RUNTIME_DIR}
RUN chmod -R +x ${SALT_RUNTIME_DIR} RUN chmod -R +x ${SALT_RUNTIME_DIR}
# Cleaning tasks
RUN apt-get clean --yes
RUN rm -rf /var/lib/apt/lists/*
# Entrypoint
COPY entrypoint.sh /sbin/entrypoint.sh COPY entrypoint.sh /sbin/entrypoint.sh
RUN chmod +x /sbin/entrypoint.sh RUN chmod +x /sbin/entrypoint.sh
WORKDIR ${SALT_DOCKER_DIR} WORKDIR ${SALT_HOME}
ENTRYPOINT [ "/sbin/entrypoint.sh" ] ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "app:start" ] CMD [ "app:start" ]

39
README.md
View File

@@ -14,6 +14,7 @@ For other methods to install SaltStack please refer to the [Official SaltStack I
- [Custom Recipes](#custom-recipes) - [Custom Recipes](#custom-recipes)
- [Minion Keys](#minion-keys) - [Minion Keys](#minion-keys)
- [Master Signed Keys](#master-signed-keys) - [Master Signed Keys](#master-signed-keys)
- [Host Mapping](#host-mapping)
- [Available Configuration Parameters](#available-configuration-parameters) - [Available Configuration Parameters](#available-configuration-parameters)
- [Usage](#usage) - [Usage](#usage)
- [Shell Access](#shell-access) - [Shell Access](#shell-access)
@@ -73,7 +74,7 @@ But it is necessary to mount the `/srv/` volume ir order to provide your custom
### Minion Keys ### Minion Keys
Minion keys can be added automatically on startup to SaltStack master by mounting the volume `/etc/salt-docker/keys` and copying the minion keys inside `keys/minions/` directory: Minion keys can be added automatically on startup to SaltStack master by mounting the volume `/home/salt/data/keys` and copying the minion keys inside `keys/minions/` directory:
```sh ```sh
mkdir -p keys/minions mkdir -p keys/minions
@@ -82,8 +83,8 @@ rsync root@minion1:/etc/salt/pki/minion/minion.pub keys/minions/minion1
docker run --name salt_master -d \ docker run --name salt_master -d \
--publish 4505:4505/tcp --publish 4506:4506/tcp \ --publish 4505:4505/tcp --publish 4506:4506/tcp \
--env 'SALT_LOG_LEVEL=info' \ --env 'SALT_LOG_LEVEL=info' \
--volume $(pwd)/srv/:/srv/ \ --volume $(pwd)/srv/:/home/salt/data/srv/ \
--volume $(pwd)/keys/:/etc/salt-docker/keys/ \ --volume $(pwd)/keys/:/home/salt/data/keys/ \
cdalvaro/saltstack-master:2018.3.2 cdalvaro/saltstack-master:2018.3.2
``` ```
@@ -96,8 +97,8 @@ docker run --name salt_stack --detach \
--publish 4505:4505/tcp --publish 4506:4506/tcp \ --publish 4505:4505/tcp --publish 4506:4506/tcp \
--env 'SALT_LOG_LEVEL=info' \ --env 'SALT_LOG_LEVEL=info' \
--env 'SALT_MASTER_SIGN_PUBKEY=True' --env 'SALT_MASTER_SIGN_PUBKEY=True'
--volume $(pwd)/srv/:/srv/ \ --volume $(pwd)/srv/:/home/salt/data/srv/ \
--volume $(pwd)/keys/:/etc/salt-docker/keys/ \ --volume $(pwd)/keys/:/home/salt/data/keys/ \
cdalvaro/saltstack-master:2018.3.2 cdalvaro/saltstack-master:2018.3.2
``` ```
@@ -107,12 +108,25 @@ Additionally, you can generate new keys by executing the following command:
```sh ```sh
docker run --name salt_stack -it --rm \ docker run --name salt_stack -it --rm \
--volume $(pwd)/keys/:/etc/salt-docker/keys/ \ --volume $(pwd)/keys/:/home/salt/data/keys/ \
cdalvaro/saltstack-master:2018.3.2 app:gen-signed-keys other_master_sign cdalvaro/saltstack-master:2018.3.2 app:gen-signed-keys other_master_sign
``` ```
The newly created keys will appear inside `keys/generated/other_master_sign` directory. The newly created keys will appear inside `keys/generated/other_master_sign` directory.
### Host Mapping
Per default the container is configured to run `salt-master` as user and group `salt` with `uid` and `gid` `1000`. From the host it appears as if the mounted data volumes are owned by the host's user/group `1000` and maybe leading to unfavorable effects.
Also the container processes seem to be executed as the host's user/group `1000`. The container can be configured to map the uid and gid of git to different ids on host by passing the environment variables `USERMAP_UID` and `USERMAP_GID`. The following command maps the ids to the current user and group on the host.
```sh
docker run --name salt_stack -it --rm \
--env "USERMAP_UID=$(id -u)" --env "USERMAP_GID=$(id -g)" \
--volume $(pwd)/srv/:/home/salt/data/srv/ \
cdalvaro/saltstack-master:2018.3.2
```
### Available Configuration Parameters ### Available Configuration Parameters
Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose. Please refer the docker run command options for the `--env-file` flag where you can specify all required environment variables in a single file. This will save you from writing a potentially long docker run command. Alternatively you can use docker-compose.
@@ -127,12 +141,15 @@ Below is the list of available options that can be used to customize your SaltSt
| `SALT_MASTER_USE_PUBKEY_SIGNATURE` | Instead of computing the signature for each auth-reply, use a pre-calculated signature. This option requires `SALT_MASTER_SIGN_PUBKEY` set to 'True'. Possible values: 'True' or 'False'. Default: `True` | | `SALT_MASTER_USE_PUBKEY_SIGNATURE` | Instead of computing the signature for each auth-reply, use a pre-calculated signature. This option requires `SALT_MASTER_SIGN_PUBKEY` set to 'True'. Possible values: 'True' or 'False'. Default: `True` |
| `SALT_MASTER_SIGN_KEY_NAME` | The customizable name of the signing-key-pair without suffix. Default: `master_sign` | | `SALT_MASTER_SIGN_KEY_NAME` | The customizable name of the signing-key-pair without suffix. Default: `master_sign` |
| `SALT_MASTER_PUBKEY_SIGNATURE` | The name of the file in the master's pki-directory that holds the pre-calculated signature of the master's public-key. Default: `master_pubkey_signature` | | `SALT_MASTER_PUBKEY_SIGNATURE` | The name of the file in the master's pki-directory that holds the pre-calculated signature of the master's public-key. Default: `master_pubkey_signature` |
| `SALT_MASTER_ROOT_USER` | Forces `salt-master` to be runned as `root` instead of `salt`. Default: `False` |
| `USERMAP_UID` | Sets the uid for user `salt` to the specified uid. Default: `1000`. |
| `USERMAP_GID` | Sets the gid for user `salt` to the specified gid. Default: `1000`. |
Any parameter not listed in the above table and available in the following [link](https://docs.saltstack.com/en/latest/ref/configuration/examples.html#configuration-examples-master), can be set by creating the directory `confs` and adding into it a `.conf` file with the desired parameters: Any parameter not listed in the above table and available in the following [link](https://docs.saltstack.com/en/latest/ref/configuration/examples.html#configuration-examples-master), can be set by creating the directory `config` and adding into it a `.conf` file with the desired parameters:
```sh ```sh
mkdir confs mkdir config
cat > confs/ports.conf << EOF cat > config/ports.conf << EOF
# The tcp port used by the publisher: # The tcp port used by the publisher:
publish_port: 3505 publish_port: 3505
# The port used by the communication interface. # The port used by the communication interface.
@@ -142,8 +159,8 @@ EOF
docker run --name salt_master -d \ docker run --name salt_master -d \
--publish 3505:3505/tcp --publish 3506:3506/tcp \ --publish 3505:3505/tcp --publish 3506:3506/tcp \
--env 'SALT_LOG_LEVEL=info' \ --env 'SALT_LOG_LEVEL=info' \
--read-only --volume $(pwd)/srv/:/srv/ \ --read-only --volume $(pwd)/srv/:/home/salt/data/srv/ \
--volume $(pwd)/confs/:/etc/salt-docker/confs/ \ --volume $(pwd)/config/:/home/salt/data/config/ \
cdalvaro/saltstack-master:2018.3.2 cdalvaro/saltstack-master:2018.3.2
``` ```

65
assets/runtime/functions.sh
View File

@@ -3,6 +3,21 @@
set -e set -e
source ${SALT_RUNTIME_DIR}/env-defaults.sh source ${SALT_RUNTIME_DIR}/env-defaults.sh
# Map salt user with host user
function map_uidgid()
{
USERMAP_ORIG_UID=$(id -u ${SALT_USER})
USERMAP_ORIG_GID=$(id -g ${SALT_USER})
USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
if [[ ${USERMAP_UID} != ${USERMAP_ORIG_UID} ]] || [[ ${USERMAP_GID} != ${USERMAP_ORIG_GID} ]]; then
echo "Mapping UID and GID for ${SALT_USER}:${SALT_USER} to ${USERMAP_UID}:${USERMAP_GID}..."
groupmod -o -g ${USERMAP_GID} ${SALT_USER}
sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
find ${SALT_HOME} -path ${SALT_DATA_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${SALT_USER}:
fi
}
# This function generates a master_sign key pair and its signature # This function generates a master_sign key pair and its signature
function gen_signed_keys() function gen_signed_keys()
{ {
@@ -30,30 +45,34 @@ function setup_keys()
${SALT_ROOT_DIR}/master ${SALT_ROOT_DIR}/master
cat >> ${SALT_ROOT_DIR}/master <<EOF cat >> ${SALT_ROOT_DIR}/master <<EOF
##### Security settings ##### ##### Security settings #####
############################################ ############################################
master_sign_pubkey: ${SALT_MASTER_SIGN_PUBKEY} master_sign_pubkey: ${SALT_MASTER_SIGN_PUBKEY}
master_sign_key_name: ${SALT_MASTER_SIGN_KEY_NAME} master_sign_key_name: ${SALT_MASTER_SIGN_KEY_NAME}
master_pubkey_signature: ${SALT_MASTER_PUBKEY_SIGNATURE} master_pubkey_signature: ${SALT_MASTER_PUBKEY_SIGNATURE}
master_use_pubkey_signature: ${SALT_MASTER_USE_PUBKEY_SIGNATURE} master_use_pubkey_signature: ${SALT_MASTER_USE_PUBKEY_SIGNATURE}
EOF EOF
if [ ! -f "${SALT_KEYS_DIR}/${SALT_MASTER_SIGN_KEY_NAME}" ] && [ ${SALT_MASTER_SIGN_PUBKEY} == True ]; then if [ ! -f ${SALT_KEYS_DIR}/master.pem ]; then
echo "Generating keys..."
salt-key --gen-keys master --gen-keys-dir ${SALT_KEYS_DIR}
fi
if [ ! -f "${SALT_KEYS_DIR}/${SALT_MASTER_SIGN_KEY_NAME}.pem" ] && [ ${SALT_MASTER_SIGN_PUBKEY} == True ]; then
echo "Generating signed keys..." echo "Generating signed keys..."
if [ ! -f ${SALT_KEYS_DIR}/master.pem ]; then
salt-key --gen-keys master --gen-keys-dir ${SALT_KEYS_DIR}
fi
salt-key --gen-signature --auto-create --pub ${SALT_KEYS_DIR}/master.pub --signature-path ${SALT_KEYS_DIR} salt-key --gen-signature --auto-create --pub ${SALT_KEYS_DIR}/master.pub --signature-path ${SALT_KEYS_DIR}
fi fi
for pub_key in $(find ${SALT_KEYS_DIR} -type f -maxdepth 2); do for pub_key in $(find ${SALT_KEYS_DIR} -type f -maxdepth 2); do
if [[ ${pub_key} =~ .*\.pem$ ]]; then if [[ ${pub_key} =~ .*\.pem$ ]]; then
chmod -v 400 ${pub_key} chmod 400 ${pub_key}
else else
chmod -v 644 ${pub_key} chmod 644 ${pub_key}
fi fi
done done
find ${SALT_HOME} -path ${SALT_KEYS_DIR}/\* -prune -o -print0 | xargs -0 chown -h ${SALT_USER}:
} }
# This functions cofigures master service # This functions cofigures master service
@@ -64,16 +83,16 @@ function configure_salt_master()
# Backup file # Backup file
if [ ! -f ${SALT_ROOT_DIR}/master.backup ]; then if [ ! -f ${SALT_ROOT_DIR}/master.backup ]; then
cp -pv ${SALT_ROOT_DIR}/master ${SALT_ROOT_DIR}/master.backup cp -p ${SALT_ROOT_DIR}/master ${SALT_ROOT_DIR}/master.backup
else else
cp -pv ${SALT_ROOT_DIR}/master.backup ${SALT_ROOT_DIR}/master cp -p ${SALT_ROOT_DIR}/master.backup ${SALT_ROOT_DIR}/master
fi fi
# Set env variables # Set env variables
sed -i \ sed -i \
-e "s|^[#]*log_level:.*$|log_level: ${SALT_LOG_LEVEL}|" \ -e "s|^[#]*log_level:.*$|log_level: ${SALT_LOG_LEVEL}|" \
-e "s|^[#]*log_level_logfile:.*$|log_level_logfile: ${SALT_LEVEL_LOGFILE}|" \ -e "s|^[#]*log_level_logfile:.*$|log_level_logfile: ${SALT_LEVEL_LOGFILE}|" \
-e "s|^[#]*default_include:.*$|default_include: ${SALT_ROOT_DIR}/master.d/*.conf|" \ -e "s|^[#]*default_include:.*$|default_include: ${SALT_CONFS_DIR}/*.conf|" \
-e "s|^[#]*pki_dir:.*$|pki_dir: ${SALT_KEYS_DIR}/|" \ -e "s|^[#]*pki_dir:.*$|pki_dir: ${SALT_KEYS_DIR}/|" \
${SALT_ROOT_DIR}/master ${SALT_ROOT_DIR}/master
@@ -81,12 +100,24 @@ function configure_salt_master()
###### Custom Settings ###### ###### Custom Settings ######
############################################ ############################################
EOF
# Sync config files ###### Base Directories ######
if [[ $(find ${SALT_CONFS_DIR} -type f -name '*.conf' | wc -l) -gt 0 ]]; then ############################################
rsync --verbose --delete ${SALT_CONFS_DIR}/*.conf ${SALT_ROOT_DIR}/master.d/ file_roots:
chown ${SALT_USER}:${SALT_USER} ${SALT_ROOT_DIR}/master.d/*.conf base:
chmod +rx-w ${SALT_ROOT_DIR}/master.d/*.conf - ${SALT_BASE_DIR}/salt
fi
pillar_roots:
base:
- ${SALT_BASE_DIR}/pillar
EOF
}
# Initializes the system
function initialize_system()
{
map_uidgid
configure_salt_master
setup_keys
} }

5
docker-compose.yml
View File

@@ -5,10 +5,13 @@ services:
container_name: salt_master container_name: salt_master
image: cdalvaro/saltstack-master:2018.3.2 image: cdalvaro/saltstack-master:2018.3.2
volumes: volumes:
- "./srv/:/srv/:ro" - "./srv/:/home/salt/data/srv"
ports: ports:
- "4505:4505/tcp" - "4505:4505/tcp"
- "4506:4506/tcp" - "4506:4506/tcp"
environment: environment:
- DEBUG=false - DEBUG=false
- USERMAP_UID=501
- USERMAP_GID=20
- SALT_LOG_LEVEL=info - SALT_LOG_LEVEL=info

7
entrypoint.sh
View File

@@ -8,17 +8,13 @@ source "${SALT_RUNTIME_DIR}/functions.sh"
case ${1} in case ${1} in
app:start|app:init|app:gen-signed-keys) app:start|app:init|app:gen-signed-keys)
configure_salt_master initialize_system
case ${1} in case ${1} in
app:start) app:start)
setup_keys
echo "Starting salt-master..." echo "Starting salt-master..."
exec salt-master exec salt-master
;; ;;
app:init)
setup_keys
;;
app:gen-signed-keys) app:gen-signed-keys)
shift 1 shift 1
gen_signed_keys ${1} gen_signed_keys ${1}
@@ -28,7 +24,6 @@ case ${1} in
app:help) app:help)
echo "Available options:" echo "Available options:"
echo " app:start - Start salt-master service. (default)" echo " app:start - Start salt-master service. (default)"
echo " app:init - Setup salt-master without launching the service."
echo " app:gen-signed-keys <key_name> - Create a master_sign key pair and its signature inside ${SALT_KEYS_DIR}/generated/" echo " app:gen-signed-keys <key_name> - Create a master_sign key pair and its signature inside ${SALT_KEYS_DIR}/generated/"
echo " app:help - Displays this help." echo " app:help - Displays this help."
echo " [command] - Execute the specified command, eg. bash." echo " [command] - Execute the specified command, eg. bash."