Merge pull request #116 from cdalvaro/feature/change_user_mapping_variables

Change user mapping variables
Carlos D. Álvaro
2021-12-19 21:25:58 +01:00
committed by GitHub
9 changed files with 128 additions and 51 deletions

View File

@@ -4,6 +4,14 @@ This file only reflects the changes that are made in this image.
Please refer to the [Salt 3004 Release Notes](https://docs.saltstack.com/en/latest/topics/releases/3004.html)
for the list of changes in SaltStack.
**3004_3**
- Deprecate `USERMAP_UID` env variable in favor of `PUID`.
- Deprecate `USERMAP_GID` env variable in favor of `PGID`.
- Add `TZ` in addition to `TIMEZONE` to the list of accepted env variables.
Support for the `USERMAP_UID` and `USERMAP_GID` env variables will be removed with Salt 3005.
**3004_2**
- Support for automatically restart `salt-master` after config changes

View File

@@ -7,7 +7,7 @@ ARG VCS_REF
ENV SALT_VERSION="3004" \
PYTHON_VERSION="3.9"
ENV IMAGE_VERSION="${SALT_VERSION}_2"
ENV IMAGE_VERSION="${SALT_VERSION}_3"
ENV SALT_DOCKER_DIR="/etc/docker-salt" \
SALT_ROOT_DIR="/etc/salt" \

View File

@@ -24,7 +24,7 @@ quickstart:
@echo "Starting docker-salt-master container..."
@docker run --name='docker-salt-master-demo' --detach \
--publish=4505:4505/tcp --publish=4506:4506/tcp \
--env "USERMAP_UID=$(shell id -u)" --env "USERMAP_GID=$(shell id -g)" \
--env "PUID=$(shell id -u)" --env "PGID=$(shell id -g)" \
--env SALT_LOG_LEVEL=info \
--volume $(shell pwd)/roots/:/home/salt/data/srv/ \
--volume $(shell pwd)/keys/:/home/salt/data/keys/ \

View File

@@ -295,12 +295,12 @@ pepper '*' test.ping
Per default the container is configured to run `salt-master` as user and group `salt` with `uid` and `gid` `1000`. From the host it appears as if the mounted data volumes are owned by the host's user/group `1000` and maybe leading to unfavorable effects.
Also the container processes seem to be executed as the host's user/group `1000`. The container can be configured to map the uid and gid of git to different ids on host by passing the environment variables `USERMAP_UID` and `USERMAP_GID`. The following command maps the ids to the current user and group on the host.
Also the container processes seem to be executed as the host's user/group `1000`. The container can be configured to map the uid and gid of git to different ids on host by passing the environment variables `PUID` and `PGID`. The following command maps the ids to the current user and group on the host.
```sh
docker run --name salt_stack -it --rm \
--publish 4505:4505 --publish 4506:4506 \
--env "USERMAP_UID=$(id -u)" --env "USERMAP_GID=$(id -g)" \
--env "PUID=$(id -u)" --env "PGID=$(id -g)" \
--volume $(pwd)/roots/:/home/salt/data/srv/ \
--volume $(pwd)/keys/:/home/salt/data/keys/ \
cdalvaro/docker-salt-master:latest
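Review bot: the rewritten sentence still says "map the uid and gid of git", a leftover from whatever README this paragraph was adapted from; this image maps the `salt` user, so it should read "map the uid and gid of `salt`". Since the paragraph is being touched, "maybe leading to unfavorable effects" in the context line above would also read better as "which may lead to unfavorable effects".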
@@ -393,7 +393,7 @@ For that case, you can mount a volume containing all your third party formulas s
```sh
docker run --name salt_stack -it --rm \
--publish 4505:4505 --publish 4506:4506 \
--env "USERMAP_UID=$(id -u)" --env "USERMAP_GID=$(id -g)" \
--env "PUID=$(id -u)" --env "PGID=$(id -g)" \
--volume $(pwd)/roots/:/home/salt/data/srv/ \
--volume $(pwd)/3pfs/:/home/salt/data/3pfs/ \
--volume $(pwd)/keys/:/home/salt/data/keys/ \
@@ -509,7 +509,7 @@ Below you can find a list with the available options that can be used to customi
| Parameter | Description |
| :------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `DEBUG` | Set this to `true` to enable entrypoint debugging. |
| `TIMEZONE` | Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Madrid`. See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). |
| `TIMEZONE` / `TZ` | Set the container timezone. Defaults to `UTC`. Values are expected to be in Canonical format. Example: `Europe/Madrid`. See the list of [acceptable values](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). |
| `SALT_RESTART_MASTER_ON_CONFIG_CHANGE` | Set this to `true` to restart `salt-master` service when configuration files change. Default: `false` |
| `SALT_LOG_LEVEL` | The level of messages to send to the console. One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. Default: `warning` |
| `SALT_LOG_ROTATE_FREQUENCY` | Logrotate frequency for salt logs. Available options are 'daily', 'weekly', 'monthly', and 'yearly'. Default: `weekly` |
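Review bot: the `TIMEZONE` / `TZ` row does not say which one wins when both are set; the defaults script in this PR resolves `TIMEZONE=${TIMEZONE:-${TZ:-UTC}}`, so `TIMEZONE` takes precedence and `TZ` is only a fallback. One clause is enough, e.g. "`TZ` is used only when `TIMEZONE` is unset."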
@@ -526,8 +526,10 @@ Below you can find a list with the available options that can be used to customi
| `SALT_MASTER_ROOT_USER` | Forces `salt-master` to be runned as `root` instead of `salt`. Default: `False` |
| `SALT_GITFS_SSH_PRIVATE_KEY` | The name of the ssh private key for gitfs. Default: `gitfs_ssh` |
| `SALT_GITFS_SSH_PUBLIC_KEY` | The name of the ssh public key for gitfs. Default: `gitfs_ssh.pub` |
| `USERMAP_UID` | Sets the uid for user `salt` to the specified uid. Default: `1000`. |
| `USERMAP_GID` | Sets the gid for user `salt` to the specified gid. Default: `1000`. |
| `PUID` | Sets the uid for user `salt` to the specified uid. Default: `1000`. |
| `PGID` | Sets the gid for user `salt` to the specified gid. Default: `1000`. |
| `USERMAP_UID` (**deprecated**) | Same as `PUID`. Support will be removed in Salt 3005 release in favor of `PUID`. |
| `USERMAP_GID` (**deprecated**) | Same as `PGID`. Support will be removed in Salt 3005 release in favor of `PGID`. |
Any parameter not listed in the above table and available in the following [link](https://docs.saltproject.io/en/latest/ref/configuration/examples.html#configuration-examples-master), can be set by creating the directory `config` and adding into it a `.conf` file with the desired parameters:
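Review bot: the two deprecated rows say "Same as `PUID`" / "Same as `PGID`", but the entrypoint logs an error and ignores `USERMAP_UID`/`USERMAP_GID` when the new variable is also set, so "Same as" understates it; suggest "`PUID` takes precedence if both are set" (and the same for `PGID`). The `SALT_MASTER_ROOT_USER` context line has "runned" for "run", cheap to fix while this table is open.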

View File

@@ -8,7 +8,7 @@ set -e
#----------------------------------------------------------------------------------------------------------------------
function log_debug() {
if [[ "${DEBUG}" == 'true' || "${ECHO_DEBUG}" == 'true' ]]; then
echo " * DEBUG: $*"
echo "[DEBUG] - $*"
fi
}
@@ -17,7 +17,7 @@ function log_debug() {
# DESCRIPTION: Echo information to stdout.
#----------------------------------------------------------------------------------------------------------------------
function log_info() {
echo " * INFO: $*"
echo "[INFO] - $*"
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
@@ -25,7 +25,7 @@ function log_info() {
# DESCRIPTION: Echo warning information to stdout.
#----------------------------------------------------------------------------------------------------------------------
function log_warn() {
echo " * WARN: $*"
(>&2 echo "[WARN] - $*")
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
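Review bot: `log_warn` now writes to stderr (`>&2`) while the DESCRIPTION comment above it still says "Echo warning information to stdout"; update the comment, and note in the changelog that this is a stream change, not only a prefix change, because anything that collects the container's stdout separately from stderr will stop seeing warnings there.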
@@ -34,7 +34,7 @@ function log_warn() {
#----------------------------------------------------------------------------------------------------------------------
function log_error()
{
(>&2 echo " * ERROR: $*")
(>&2 echo "[ERROR] - $*")
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------

View File

@@ -1,7 +1,7 @@
#!/usr/bin/env bash
DEBUG=${DEBUG:-false}
TIMEZONE=${TIMEZONE:-UTC}
TIMEZONE=${TIMEZONE:-${TZ:-UTC}}
SALT_API_SERVICE_ENABLED=${SALT_API_SERVICE_ENABLED:-false}
SALT_API_USER=${SALT_API_USER:-salt_api}
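Review bot: `TIMEZONE=${TIMEZONE:-${TZ:-UTC}}` only decides what `/etc/localtime` points to; `TZ` itself stays in the environment, and glibc gives a set `TZ` priority over `/etc/localtime`, so a container started with `TIMEZONE=Europe/Madrid` and `TZ=UTC` gets Madrid in `/etc/localtime` but UTC in the timestamps of the processes supervisord launches. Consider `export TZ="${TIMEZONE}"` once `TIMEZONE` is resolved so the two cannot disagree.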

View File

@@ -22,13 +22,75 @@ function exec_as_salt()
fi
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
# NAME: log_debug
# DESCRIPTION: Echo debug information to stdout.
#----------------------------------------------------------------------------------------------------------------------
function log_debug() {
if [[ "${DEBUG}" == 'true' || "${ECHO_DEBUG}" == 'true' ]]; then
echo "[DEBUG] - $*"
fi
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
# NAME: log_info
# DESCRIPTION: Echo information to stdout.
#----------------------------------------------------------------------------------------------------------------------
function log_info() {
echo "[INFO] - $*"
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
# NAME: log_warn
# DESCRIPTION: Echo warning information to stdout.
#----------------------------------------------------------------------------------------------------------------------
function log_warn() {
(>&2 echo "[WARN] - $*")
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
# NAME: log_error
# DESCRIPTION: Echo errors to stderr.
#----------------------------------------------------------------------------------------------------------------------
function log_error()
{
(>&2 echo " * ERROR: $*")
(>&2 echo "[ERROR] - $*")
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
# NAME: __check_puid_pgid_env
# DESCRIPTION: Check if the PUID and PGID environment variables are set correctly.
#----------------------------------------------------------------------------------------------------------------------
function __check_puid_pgid_env
{
if [[ "${SALT_VERSION}" -ge "3005" ]]; then
log_error "The USERMAP_UID and USERMAP_GID environment variables are not supported in Salt >= 3005"
exit 1
fi
if [[ -n "${USERMAP_UID}" ]]; then
log_warn "The USERMAP_UID environment variable is deprecated. Please use PUID instead."
log_warn "Support for USERMAP_UID will be removed in Salt 3005 release."
if [[ -z "${PUID}" ]]; then
log_warn "Setting PUID to USERMAP_UID (${USERMAP_UID})"
export PUID="${USERMAP_UID}"
else
log_error "The PUID and USERMAP_UID environment variables are set. PUID will be used."
fi
unset USERMAP_UID
fi
if [[ -n "${USERMAP_GID}" ]]; then
log_warn "The USERMAP_GID environment variable is deprecated. Please use PGID instead."
log_warn "Support for USERMAP_GID will be removed in Salt 3005 release."
if [[ -z "${PGID}" ]]; then
log_info "Setting PGID to USERMAP_GID (${USERMAP_GID})"
export PGID="${USERMAP_GID}"
else
log_error "The PGID and USERMAP_GID environment variables are set. PGID will be used."
fi
unset USERMAP_GID
fi
}
#--- FUNCTION -------------------------------------------------------------------------------------------------------
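Review bot: `__check_puid_pgid_env` exits with an error whenever `SALT_VERSION -ge 3005`, before it checks whether `USERMAP_UID` or `USERMAP_GID` is set at all, so once the image moves to 3005 every container fails to start, including the ones already using `PUID`/`PGID`; move the version test inside the two `if [[ -n ... ]]` blocks so it only fires when a deprecated variable is actually present. Two smaller points in the same function: `[[ "${SALT_VERSION}" -ge "3005" ]]` is an integer comparison and will error on a point release such as `3005.1`, so compare `${SALT_VERSION%%.*}`; and the UID branch uses `log_warn` for "Setting PUID to USERMAP_UID" while the GID branch uses `log_info` for the same message, and both use `log_error` for a condition that does not abort (execution continues with `PUID`/`PGID`), where `log_warn` fits better. Also, the `log_debug`/`log_info`/`log_warn` definitions added here duplicate the ones changed in the other script in this PR; sourcing a single definition keeps them from drifting apart, as `log_error` already has in the two files before this change.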
@@ -37,14 +99,19 @@ function log_error()
#----------------------------------------------------------------------------------------------------------------------
function map_uidgid()
{
USERMAP_ORIG_UID=$(id -u "${SALT_USER}")
USERMAP_ORIG_GID=$(id -g "${SALT_USER}")
USERMAP_GID=${USERMAP_GID:-${USERMAP_UID:-$USERMAP_ORIG_GID}}
USERMAP_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
if [[ "${USERMAP_UID}" != "${USERMAP_ORIG_UID}" ]] || [[ "${USERMAP_GID}" != "${USERMAP_ORIG_GID}" ]]; then
echo "Mapping UID and GID for ${SALT_USER}:${SALT_USER} to ${USERMAP_UID}:${USERMAP_GID} ..."
groupmod -o -g "${USERMAP_GID}" "${SALT_USER}"
sed -i -e "s|:${USERMAP_ORIG_UID}:${USERMAP_GID}:|:${USERMAP_UID}:${USERMAP_GID}:|" /etc/passwd
__check_puid_pgid_env
# Move this into env-defaults.sh
[ -z "${PUID}" ] && export PUID=1000
[ -z "${PGID}" ] && export PGID=1000
ORIG_PUID=$(id -u "${SALT_USER}")
ORIG_PGID=$(id -g "${SALT_USER}")
PGID=${PGID:-${PUID:-$ORIG_PGID}}
PUID=${PUID:-$ORIG_PUID}
if [[ "${PUID}" != "${ORIG_PUID}" ]] || [[ "${PGID}" != "${ORIG_PGID}" ]]; then
log_info "Mapping UID and GID for ${SALT_USER}:${SALT_USER} to ${PUID}:${PGID} ..."
groupmod -o -g "${PGID}" "${SALT_USER}"
sed -i -e "s|:${ORIG_PUID}:${PGID}:|:${PUID}:${PGID}:|" /etc/passwd
find "${SALT_HOME}" \
-not -path "${SALT_CONFS_DIR}*" \
-not -path "${SALT_KEYS_DIR}*" \
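Review bot: the `# Move this into env-defaults.sh` TODO plus `[ -z "${PUID}" ] && export PUID=1000` / `[ -z "${PGID}" ] && export PGID=1000` make the following `PGID=${PGID:-${PUID:-$ORIG_PGID}}` and `PUID=${PUID:-$ORIG_PUID}` fallbacks dead code, since both variables are always set by then; either do the move now (the defaults belong next to `TIMEZONE` and the other defaults) or drop the fallback lines, so that one place decides the default. Note the defaulting is itself a behaviour change: before, an unset `USERMAP_*` meant "keep the image's own ids", now it means 1000, which only coincides with the old behaviour while the `salt` user is created with uid/gid 1000, as the README states.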
@@ -52,7 +119,7 @@ function map_uidgid()
-not -path "${SALT_LOGS_DIR}*" \
-not -path "${SALT_FORMULAS_DIR}*" \
-path "${SALT_DATA_DIR}/*" \
\( ! -uid "${USERMAP_ORIG_UID}" -o ! -gid "${USERMAP_ORIG_GID}" \) \
\( ! -uid "${ORIG_PUID}" -o ! -gid "${ORIG_PGID}" \) \
-print0 | xargs -0 chown -h "${SALT_USER}": "${SALT_HOME}"
fi
}
@@ -96,11 +163,11 @@ function update_template()
#----------------------------------------------------------------------------------------------------------------------
function configure_timezone()
{
echo "Configuring container timezone ..."
log_info "Configuring container timezone ..."
# Perform sanity check of provided timezone value
if [ -e "/usr/share/zoneinfo/${TIMEZONE}" ]; then
echo "Setting TimeZone -> ${TIMEZONE} ..."
log_info "Setting TimeZone -> ${TIMEZONE} ..."
# Set localtime
ln -snf "/usr/share/zoneinfo/${TIMEZONE}" /etc/localtime
@@ -108,7 +175,7 @@ function configure_timezone()
# Set timezone
echo "${TIMEZONE}" > /etc/timezone
else
echo "Timezone: '${TIMEZONE}' is not valid. Check available timezones at: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"
log_error "Timezone: '${TIMEZONE}' is not valid. Check available timezones at: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones"
return 1
fi
}
@@ -136,14 +203,14 @@ function gen_signed_keys()
#----------------------------------------------------------------------------------------------------------------------
function setup_salt_keys()
{
echo "Setting up salt keys ..."
log_info "Setting up salt keys ..."
if [ ! -f "${SALT_KEYS_DIR}/master.pem" ]; then
echo "Generating keys ..."
log_info "Generating keys ..."
salt-key --gen-keys master --gen-keys-dir "${SALT_KEYS_DIR}"
fi
if [ ! -f "${SALT_KEYS_DIR}/${SALT_MASTER_SIGN_KEY_NAME}.pem" ] && [ "${SALT_MASTER_SIGN_PUBKEY}" == True ]; then
echo "Generating signed keys ..."
log_info "Generating signed keys ..."
salt-key --gen-signature --auto-create --pub "${SALT_KEYS_DIR}/master.pub" --signature-path "${SALT_KEYS_DIR}"
fi
@@ -166,7 +233,7 @@ function setup_salt_keys()
#----------------------------------------------------------------------------------------------------------------------
function setup_ssh_keys()
{
echo "Configuring ssh ..."
log_info "Configuring ssh ..."
sed -i \
-e "s|^[# ]*IdentityFile salt_ssh_key$| IdentityFile ${SALT_KEYS_DIR}/${SALT_GITFS_SSH_PRIVATE_KEY}|" \
@@ -187,7 +254,7 @@ function setup_ssh_keys()
#----------------------------------------------------------------------------------------------------------------------
function configure_salt_master()
{
echo "Configuring salt-master service ..."
log_info "Configuring salt-master service ..."
# https://docs.saltstack.com/en/latest/ref/configuration/master.html
exec_as_salt cp -p "${SALT_RUNTIME_DIR}/config/master.yml" "${SALT_ROOT_DIR}/master"
@@ -233,14 +300,14 @@ function configure_salt_api()
fi
if ! id -u "${SALT_API_USER}" &>/dev/null; then
echo "Creating '${SALT_API_USER}' user for salt-api ..."
log_info "Creating '${SALT_API_USER}' user for salt-api ..."
adduser --quiet --disabled-password --gecos "Salt API" "${SALT_API_USER}"
fi
echo "${SALT_API_USER}:${SALT_API_USER_PASS}" | chpasswd
unset SALT_API_USER_PASS
fi
echo "Configuring salt-api service ..."
log_info "Configuring salt-api service ..."
CERTS_PATH=/etc/pki
rm -rf "${CERTS_PATH}"/tls/certs/*
@@ -284,7 +351,7 @@ EOF
#----------------------------------------------------------------------------------------------------------------------
function configure_salt_formulas()
{
echo "Configuring 3rd-party salt-formulas ..."
log_info "Configuring 3rd-party salt-formulas ..."
local master_yml_id="${SELF_MANAGED_BLOCK_STRING} - file_roots-base"
local begin_delim="${master_yml_id} - begin"
local end_delim="${master_yml_id} - end"
@@ -307,7 +374,7 @@ function configure_salt_formulas()
#----------------------------------------------------------------------------------------------------------------------
function initialize_datadir()
{
echo "Configuring directories ..."
log_info "Configuring directories ..."
# This symlink simplifies paths for loading sls files
[[ -d /srv ]] && [[ ! -L /srv ]] && rm -rf /srv
@@ -315,14 +382,14 @@ function initialize_datadir()
if [[ -w "${SALT_BASE_DIR}" ]]; then
chown -R "${SALT_USER}": "${SALT_BASE_DIR}" || log_error "Unable to change '${SALT_BASE_DIR}' ownership"
else
echo "${SALT_BASE_DIR} is mounted as a read-only volume. Ownership won't be changed."
log_info "${SALT_BASE_DIR} is mounted as a read-only volume. Ownership won't be changed."
fi
# Salt configuration directory
if [[ -w "${SALT_CONFS_DIR}" ]]; then
chown -R "${SALT_USER}": "${SALT_CONFS_DIR}" || log_error "Unable to change '${SALT_CONFS_DIR}' ownership"
else
echo "${SALT_CONFS_DIR} is mounted as a read-only volume. Ownership won't be changed."
log_info "${SALT_CONFS_DIR} is mounted as a read-only volume. Ownership won't be changed."
fi
# Set Salt root permissions
@@ -357,7 +424,7 @@ function initialize_datadir()
if [[ -w "${SALT_FORMULAS_DIR}" ]]; then
chown -R "${SALT_USER}": "${SALT_FORMULAS_DIR}" || log_error "Unable to change '${SALT_FORMULAS_DIR}' ownership"
else
echo "${SALT_FORMULAS_DIR} is mounted as a read-only volume. Ownership won't be changed."
log_info "${SALT_FORMULAS_DIR} is mounted as a read-only volume. Ownership won't be changed."
fi
[[ -d /var/log/salt ]] && [[ ! -L /var/log/salt ]] && rm -rf /var/log/salt
@@ -372,7 +439,7 @@ function initialize_datadir()
#----------------------------------------------------------------------------------------------------------------------
function configure_logrotate()
{
echo "Configuring logrotate ..."
log_info "Configuring logrotate ..."
rm -f /etc/logrotate.d/salt-common
@@ -437,7 +504,7 @@ function configure_config_reloader()
rm -f /etc/supervisor/conf.d/config-reloader.conf
[ "${SALT_RESTART_MASTER_ON_CONFIG_CHANGE}" == true ] || return 0
echo "Configuring config reloader ..."
log_info "Configuring config reloader ..."
# configure supervisord to start config-reloader
cat > /etc/supervisor/conf.d/config-reloader.conf <<EOF

View File

@@ -3,7 +3,7 @@ version: '3'
services:
master:
container_name: salt_master
image: cdalvaro/docker-salt-master:3004
image: cdalvaro/docker-salt-master:3004_3
restart: always
volumes:
- "roots/:/home/salt/data/srv"
@@ -18,12 +18,12 @@ services:
test: ["CMD", "/usr/local/sbin/healthcheck"]
start_period: 30s
environment:
- DEBUG=false
- TIMEZONE=Europe/Madrid
- USERMAP_UID=1000
- USERMAP_GID=1000
- SALT_LOG_LEVEL=info
DEBUG: 'false'
TZ: Europe/Madrid
PUID: 1000
PGID: 1000
SALT_LOG_LEVEL: info
### salt-api settings
# - SALT_API_SERVICE_ENABLED=true
# - SALT_API_USER=salt_api
# - SALT_API_USER_PASS=4wesome-Pass0rd
# SALT_API_SERVICE_ENABLED: 'true'
# SALT_API_USER: salt_api
# SALT_API_USER_PASS: 4wesome-Pass0rd
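Review bot: switching `environment` to mapping form is fine, but keep the quoting consistent: `DEBUG: 'false'` must stay quoted (compose rejects a bare YAML boolean in `environment`), while `PUID: 1000` / `PGID: 1000` rely on compose stringifying integers, which works but `'1000'` is safer for readers copying the file into other tooling. The commented `SALT_API_USER_PASS: 4wesome-Pass0rd` sample is carried over unchanged; a placeholder such as `<change-me>` makes it clearer that it is not a value to reuse.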

View File

@@ -16,7 +16,7 @@ case "${1}" in
case "${1}" in
app:start)
echo "Starting supervisord ..."
log_info "Starting supervisord ..."
exec /usr/bin/supervisord -nc /etc/supervisor/supervisord.conf
;;
app:gen-signed-keys)
@@ -29,7 +29,7 @@ case "${1}" in
shift 1
case "${1}" in
salt-master|salt-api)
echo "Restarting ${1} service ..."
log_info "Restarting ${1} service ..."
exec supervisorctl restart "${1}"
;;
*)