using apt-cache

Closes #211

.drone.yml

@@ -0,0 +1,18 @@
+kind: pipeline
+type: docker
+name: docker-salt-master
+
+platform:
+  os: linux
+  arch: arm64
+
+steps:
+  - name: build
+    image: plugins/docker 
+    settings:
+      repo: cr.wks/salt
+      registry: http://cr.wks
+      insecure: true
+      debug: true
+      tags:
+        - latest

.github/workflows/build-and-test.yml

@@ -26,10 +26,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
         with:
           driver-opts: network=host
 
@@ -60,7 +60,7 @@ jobs:
           echo "Cache contents available at: ${CACHE_PATH}"
 
       - name: Build docker-salt-master image
-        uses: docker/build-push-action@v4.1.1
+        uses: docker/build-push-action@v5.0.0
         with:
           context: .
           file: ./Dockerfile

.github/workflows/publish.yml

@@ -84,10 +84,10 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Cache Docker layers
         id: cache-docker-layers
@@ -110,27 +110,27 @@ jobs:
           echo "Cache contents available at: ${CACHE_PATH}"
 
       - name: Login to Docker Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.CR_PAT }}
 
       - name: Login to Quay.io Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAYIO_USERNAME }}
           password: ${{ secrets.QUAYIO_PASSWORD }}
 
       - name: Build
-        uses: docker/build-push-action@v4.1.1
+        uses: docker/build-push-action@v5.0.0
         with:
           context: .
           file: ./Dockerfile

.github/workflows/security-analysis.yml

@@ -22,11 +22,11 @@ jobs:
 
       - name: Set up QEMU
         if: github.event_name != 'schedule'
-        uses: docker/setup-qemu-action@v2.1.0
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         if: github.event_name != 'schedule'
-        uses: docker/setup-buildx-action@v2.5.0
+        uses: docker/setup-buildx-action@v3
 
       - name: Cache Docker layers
         if: github.event_name != 'schedule'
@@ -39,7 +39,7 @@ jobs:
 
       - name: Build docker-salt-master image
         if: github.event_name != 'schedule'
-        uses: docker/build-push-action@v4.1.1
+        uses: docker/build-push-action@v5.0.0
         with:
           context: .
           file: ./Dockerfile

.project

@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>docker-salt-master</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+	</buildSpec>
+	<natures>
+	</natures>
+</projectDescription>

CHANGELOG.md

@@ -4,10 +4,15 @@ This file only reflects the changes that are made in this image.
 Please refer to the [Salt 3006.3 Release Notes](https://docs.saltstack.com/en/latest/topics/releases/3006.3.html)
 for the list of changes in SaltStack.
 
+**3006.3_1**
+
+- Fix salt home directory permissions. Issue #211
+
 **3006.3**
 
 - Upgrade `salt-master` to `3006.3` *Sulfur*.
 - Change Docker base image to `ubuntu:jammy-20230816`.
+- Upgrade `pygit2` to version `1.12.2`.
 
 **3006.2**
 

Dockerfile

@@ -1,11 +1,11 @@
-FROM ubuntu:jammy-20230816
+FROM docker.io/debian:bullseye-slim 
 
 ARG BUILD_DATE
 ARG VCS_REF
 
 # https://github.com/saltstack/salt/releases
-ENV SALT_VERSION="3006.3"
-ENV IMAGE_VERSION="${SALT_VERSION}"
+ENV SALT_VERSION="3002.6+dfsg1-4+deb11u1"
+ENV IMAGE_VERSION="${SALT_VERSION}_1"
 
 ENV SALT_DOCKER_DIR="/etc/docker-salt" \
     SALT_ROOT_DIR="/etc/salt" \
@@ -28,6 +28,8 @@ WORKDIR ${SALT_BUILD_DIR}
 
 # Install packages
 # hadolint ignore=DL3008
+RUN sed -i 's@deb.debian.org@apt-cache.service.nr5/deb.debian.org@g' /etc/apt/sources.list && \
+    sed -i 's@security.debian.org@apt-cache.service.nr5/security.debian.org@g' /etc/apt/sources.list
 RUN apt-get update \
  && DEBIAN_FRONTEND=noninteractive apt-get install --yes --quiet --no-install-recommends \
     sudo ca-certificates apt-transport-https wget locales openssh-client gpg gpg-agent \

README.md

@@ -23,7 +23,7 @@ Automated builds of the image are available on
 the recommended method of installation.
 
 ```sh
-docker pull ghcr.io/cdalvaro/docker-salt-master:3006.3
+docker pull ghcr.io/cdalvaro/docker-salt-master:3006.3_1
 ```
 
 You can also pull the latest tag which is built from the repository `HEAD`

assets/build/functions.sh

@@ -139,10 +139,10 @@ function add_salt_repository()
   local arch=amd64
   is_arm64 && arch=arm64
   source /etc/os-release
-
+  mkdir -p /etc/apt/keyrings 
   local keyring_file="/etc/apt/keyrings/salt-archive-keyring.gpg"
-  local root_url="https://repo.saltproject.io/salt/py3/ubuntu/${VERSION_ID:?}/${arch}"
-
+   #https://repo.saltproject.io/salt/py3/debian/11/arm64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
+  local root_url="https://repo.saltproject.io/salt/py3/debian/${VERSION_ID:?}/${arch}"
   download "${root_url}/SALT-PROJECT-GPG-PUBKEY-2023.gpg" "${keyring_file}"
   echo "deb [signed-by=${keyring_file} arch=${arch}] ${root_url}/minor/${SALT_VERSION} ${VERSION_CODENAME:?} main" > /etc/apt/sources.list.d/salt.list
 }

assets/build/install.sh

@@ -11,13 +11,13 @@ source "${FUNCTIONS_FILE}"
 
 log_info "Installing required packages and build dependencies ..."
 REQUIRED_PACKAGES=(
-  binutils patchelf
+  binutils patchelf python3-pip
 )
 
 BUILD_DEPENDENCIES=()
 
-log_info "Adding salt repository..."
-add_salt_repository
+#log_info "Adding salt repository..."
+#add_salt_repository
 
 apt-get update
 install_pkgs "${REQUIRED_PACKAGES[@]}" "${BUILD_DEPENDENCIES[@]}"
@@ -28,6 +28,7 @@ log_info "Creating ${SALT_USER} user ..."
 useradd --home-dir "${SALT_HOME}" --create-home \
   --shell /bin/bash --user-group "${SALT_USER}" \
   --groups shadow
+id ${SALT_USER} 
 
 # Set PATH
 exec_as_salt cat >> "${SALT_HOME}/.profile" <<EOF
@@ -39,7 +40,8 @@ log_info "Installing salt packages ..."
 install_pkgs salt-master="${SALT_VERSION}" salt-api="${SALT_VERSION}"
 
 # Install python packages
-exec_as_salt salt-pip install pygit2==1.12.0
+log_info "Installing python packages ..."
+pip3 install pygit2==1.12.2
 
 # Configure ssh
 log_info "Configuring ssh ..."
@@ -107,3 +109,7 @@ apt-get clean --yes
 rm -rf /var/lib/apt/lists/*
 
 export -n DEBIAN_FRONTEND
+
+# Set home directory permissions
+log_info "Setting ${SALT_USER} home directory permissions ..."
+chown -R "${SALT_USER}:${SALT_USER}" "${SALT_HOME}"

assets/runtime/functions.sh

@@ -556,8 +556,11 @@ function initialize_datadir()
 function configure_logrotate()
 {
   log_info "Configuring logrotate ..."
+  local LOGROTATE_CONFIG_DIR='/etc/logrotate.d/salt'
+  local LOGROTATE_CONFIG_FILE="${LOGROTATE_CONFIG_DIR}/salt-common.logrotate"
 
-  rm -f /etc/logrotate.d/salt-common
+  rm -rf "${LOGROTATE_CONFIG_DIR}"
+  mkdir -p "${LOGROTATE_CONFIG_DIR}"
 
   # configure supervisord log rotation
   cat > /etc/logrotate.d/supervisord <<EOF
@@ -573,13 +576,14 @@ ${SALT_LOGS_DIR}/supervisor/*.log {
 EOF
 
   # configure salt master, minion and key log rotation
-  cat > /etc/logrotate.d/salt <<EOF
+  cat > "${LOGROTATE_CONFIG_FILE}" <<EOF
 ${SALT_LOGS_DIR}/salt/master.log {
   ${SALT_LOG_ROTATE_FREQUENCY}
   missingok
   rotate ${SALT_LOG_ROTATE_RETENTION}
   compress
   notifempty
+  create 0640 ${SALT_USER} ${SALT_USER}
 }
 
 ${SALT_LOGS_DIR}/salt/key.log {
@@ -588,20 +592,23 @@ ${SALT_LOGS_DIR}/salt/key.log {
   rotate ${SALT_LOG_ROTATE_RETENTION}
   compress
   notifempty
+  create 0640 ${SALT_USER} ${SALT_USER}
 }
+
 EOF
 
   if [[ "${SALT_API_SERVICE_ENABLED,,}" == true ]]; then
     # configure salt-api log rotation
-    cat >> /etc/logrotate.d/salt <<EOF
-
+    cat >> "${LOGROTATE_CONFIG_FILE}" <<EOF
 ${SALT_LOGS_DIR}/salt/api.log {
   ${SALT_LOG_ROTATE_FREQUENCY}
   missingok
   rotate ${SALT_LOG_ROTATE_RETENTION}
   compress
   notifempty
+  create 0640 ${SALT_USER} ${SALT_USER}
 }
+
 EOF
   fi
 
@@ -638,10 +645,10 @@ function initialize_system()
   initialize_datadir
   configure_logrotate
   configure_timezone
-  configure_salt_master
-  configure_salt_api
-  configure_salt_formulas
+  #configure_salt_master
+  #configure_salt_api
+  #configure_salt_formulas
   configure_config_reloader
-  setup_salt_keys
+  #setup_salt_keys
   rm -rf /var/run/supervisor.sock
 }

entrypoint.sh

@@ -23,7 +23,7 @@ case "${1}" in
         ;;
       app:gen-signed-keys)
         shift 1
-        gen_signed_keys "${1}"
+        #gen_signed_keys "${1}"
         ;;
     esac
     ;;
@@ -41,7 +41,7 @@ case "${1}" in
     esac
     ;;
   app:reload-3rd-formulas)
-    configure_salt_formulas
+    #configure_salt_formulas
     exec "$0" app:restart salt-master
     ;;
   app:help)

tests/basic/test.sh

@@ -46,3 +46,8 @@ ok "salt-minion started"
 
 salt "${TEST_MINION_ID}" test.ping || error "${TEST_MINION_ID} ping"
 ok "${TEST_MINION_ID} ping"
+
+# Test salt home permissions
+# shellcheck disable=SC2016
+docker-exec bash -c 'test $(stat -c "%U:%G" "${SALT_HOME}") = "${SALT_USER}:${SALT_USER}"' || error "salt home permissions"
+ok "salt home permissions"