Improve salt-master configuration

Dockerfile

@@ -19,6 +19,7 @@ ENV SALT_VERSION="2018.3.3" \
 
 ENV SALT_DOCKER_DIR="/etc/docker-salt" \
     SALT_ROOT_DIR="/etc/salt" \
+    SALT_CACHE_DIR='/var/cache/salt' \
     SALT_USER="salt" \
     SALT_HOME="/home/salt"
 
@@ -42,7 +43,7 @@ RUN apt-get update
 RUN apt-get install --yes --quiet --no-install-recommends \
     sudo ca-certificates wget locales pkg-config openssh-client \
     python${PYTHON_VERSION} python${PYTHON_VERSION}-dev \
-    python3-pip python3-setuptools python3-wheel
+    python3-pip python3-setuptools python3-wheel gettext-base
 
 # Configure locales
 RUN update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \

assets/build/install.sh

@@ -23,7 +23,7 @@ EOF
 
 # Compile libssh2
 echo "Building libssh2 v${LIBSSH2_VERSION} ..."
-wget https://github.com/libssh2/libssh2/archive/libssh2-${LIBSSH2_VERSION}.tar.gz 
+wget https://github.com/libssh2/libssh2/archive/libssh2-${LIBSSH2_VERSION}.tar.gz
 tar xzf libssh2-${LIBSSH2_VERSION}.tar.gz
 cd libssh2-libssh2-${LIBSSH2_VERSION}/
 cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=ON -DENABLE_ZLIB_COMPRESSION=ON .

assets/runtime/config/master.yml

@@ -0,0 +1,134 @@
+##### Primary configuration settings #####
+##########################################
+# This configuration file is used to manage the behavior of the Salt Master.
+# Values that are commented out but have an empty line after the comment are
+# defaults that do not need to be set in the config. If there is no blank line
+# after the comment then the value is presented as an example and is not the
+# default.
+
+# The master will automatically include all config files from:
+default_include: {{SALT_CONFS_DIR}}/*.conf
+
+# The user under which the salt master will run.
+user: {{SALT_USER}}
+
+# Directory used to store public key data:
+pki_dir: {{SALT_KEYS_DIR}}
+
+# Directory to store job and cache data:
+# This directory may contain sensitive data and should be protected accordingly.
+cachedir: {{SALT_CACHE_DIR}}/master
+
+# Directory for custom modules. This directory can contain subdirectories for
+# each of Salt's module types such as "runners", "output", "wheel", "modules",
+# "states", "returners", "engines", "utils", etc.
+extension_modules: {{SALT_CACHE_DIR}}/master/extmods
+
+
+#####        Security settings       #####
+##########################################
+# Enable passphrase protection of the Master signing_key. This only applies if
+# master_sign_pubkey is set to True.  This is disabled by default.
+master_sign_pubkey: {{SALT_MASTER_SIGN_PUBKEY}}
+master_sign_key_name: {{SALT_MASTER_SIGN_KEY_NAME}}
+master_pubkey_signature: {{SALT_MASTER_PUBKEY_SIGNATURE}}
+master_use_pubkey_signature: {{SALT_MASTER_USE_PUBKEY_SIGNATURE}}
+
+# Use TLS/SSL encrypted connection between master and minion.
+# Can be set to a dictionary containing keyword arguments corresponding to Python's
+# 'ssl.wrap_socket' method.
+# Default is None.
+#ssl:
+#    keyfile: <path_to_keyfile>
+#    certfile: <path_to_certfile>
+#    ssl_version: PROTOCOL_TLSv1_2
+
+
+#####     Salt-SSH Configuration     #####
+##########################################
+# The log file of the salt-ssh command:
+ssh_log_file: {{SALT_LOGS_DIR}}/ssh
+
+
+#####      File Server settings      #####
+##########################################
+# Salt runs a lightweight file server written in zeromq to deliver files to
+# minions. This file server is built into the master daemon and does not
+# require a dedicated port.
+
+# The file server works on environments passed to the master, each environment
+# can have multiple root directories, the subdirectories in the multiple file
+# roots cannot match, otherwise the downloaded files will not be able to be
+# reliably ensured. A base environment is required to house the top file.
+file_roots:
+  base:
+    - {{SALT_BASE_DIR}}/salt
+
+# The master_roots setting configures a master-only copy of the file_roots dictionary,
+# used by the state compiler.
+master_roots:
+  base:
+    - {{SALT_BASE_DIR}}/salt-master
+
+
+#####         Pillar settings        #####
+##########################################
+# Salt Pillars allow for the building of global data that can be made selectively
+# available to different minions based on minion grain filtering. The Salt
+# Pillar is laid out in the same fashion as the file server, with environments,
+# a top file and sls files. However, pillar data does not need to be in the
+# highstate format, and is generally just key/value pairs.
+pillar_roots:
+  base:
+    - {{SALT_BASE_DIR}}/pillar
+
+
+#####          Syndic settings       #####
+##########################################
+# The Salt syndic is used to pass commands through a master from a higher
+# master. Using the syndic is simple. If this is a master that will have
+# syndic servers(s) below it, then set the "order_masters" setting to True.
+#
+# If this is a master that will be running a syndic daemon for passthrough, then
+# the "syndic_master" setting needs to be set to the location of the master server
+# to receive commands from.
+
+# The log file of the salt-syndic daemon:
+syndic_log_file: {{SALT_LOGS_DIR}}/syndic
+
+
+#####         Logging settings       #####
+##########################################
+# The location of the master log file
+log_file: {{SALT_LOGS_DIR}}/master
+key_logfile: {{SALT_LOGS_DIR}}/key
+
+# The level of messages to send to the console.
+# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+#
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
+log_level: {{SALT_LOG_LEVEL}}
+
+# The level of messages to send to the log file.
+# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+# If using 'log_granular_levels' this must be set to the highest desired level.
+log_level_logfile: {{SALT_LEVEL_LOGFILE}}
+
+
+#####  Windows Software Repo settings #####
+###########################################
+# Location of the repo on the master:
+winrepo_dir_ng: '{{SALT_BASE_DIR}}/salt/win/repo-ng'
+
+
+#####  Windows Software Repo settings - Pre 2015.8 #####
+########################################################
+# Legacy repo settings for pre-2015.8 Windows minions.
+#
+# Location of the repo on the master:
+winrepo_dir: '{{SALT_BASE_DIR}}/salt/win/repo'
+#
+# Location of the master's repo cache file:
+winrepo_mastercachefile: '{{SALT_BASE_DIR}}/salt/win/repo/winrepo.p'

assets/runtime/functions.sh

@@ -3,6 +3,16 @@
 set -e
 source ${SALT_RUNTIME_DIR}/env-defaults.sh
 
+# Execute a command as SALT_USER
+function exec_as_salt()
+{
+  if [[ $(whoami) == ${SALT_USER} ]]; then
+    $@
+  else
+    sudo -HEu ${SALT_USER} "$@"
+  fi
+}
+
 # Map salt user with host user
 function map_uidgid()
 {
@@ -18,6 +28,35 @@ function map_uidgid()
   fi
 }
 
+# This function replaces placeholders with values
+# $1: file with placeholders to replace
+# $x: placeholders to replace
+function update_template()
+{
+  local FILE=${1?missing argument}
+  shift
+
+  [[ ! -f ${FILE} ]] && return 1
+
+  local VARIABLES=($@)
+  local USR=$(stat -c %U ${FILE})
+  local tmp_file=$(mktemp)
+  cp -a "${FILE}" ${tmp_file}
+
+  local variables
+  for variable in ${VARIABLES[@]}; do
+    sed -ri "s|[{}]{2}$variable[}]{2}|\${$variable}|g" ${tmp_file}
+  done
+
+  # Replace placeholders
+  (
+    export ${VARIABLES[@]}
+    local IFS=":"; sudo -HEu ${USR} envsubst "${VARIABLES[*]/#/$}" < ${tmp_file} > ${FILE}
+  )
+
+  rm -f ${tmp_file}
+}
+
 # This function generates a master_sign key pair and its signature
 function gen_signed_keys()
 {
@@ -35,25 +74,7 @@ function gen_signed_keys()
 # This function repairs keys permissions and creates keys if neaded
 function setup_salt_keys()
 {
-  echo "Setting up keys ..."
-
-  sed -i \
-      -e "s|^[# ]*master_sign_pubkey:.*$|# master_sign_pubkey -> Overrided, see Custom Settings|" \
-      -e "s|^[# ]*master_sign_key_name:.*$|# master_sign_key_name -> Overrided, see Custom Settings|" \
-      -e "s|^[# ]*master_pubkey_signature:.*$|# master_pubkey_signature -> Overrided, see Custom Settings|" \
-      -e "s|^[# ]*master_use_pubkey_signature:.*$|# master_use_pubkey_signature -> Overrided, see Custom Settings|" \
-      ${SALT_ROOT_DIR}/master
-
-  cat >> ${SALT_ROOT_DIR}/master <<EOF
-#####         Security settings        #####
-############################################
-master_sign_pubkey: ${SALT_MASTER_SIGN_PUBKEY}
-master_sign_key_name: ${SALT_MASTER_SIGN_KEY_NAME}
-master_pubkey_signature: ${SALT_MASTER_PUBKEY_SIGNATURE}
-master_use_pubkey_signature: ${SALT_MASTER_USE_PUBKEY_SIGNATURE}
-
-EOF
-
+  echo "Setting up salt keys ..."
   if [ ! -f ${SALT_KEYS_DIR}/master.pem ]; then
     echo "Generating keys ..."
     salt-key --gen-keys master --gen-keys-dir ${SALT_KEYS_DIR}
@@ -100,39 +121,25 @@ function configure_salt_master()
   echo "Configuring salt-master ..."
   # https://docs.saltstack.com/en/latest/ref/configuration/master.html
 
-  # Backup file
-  if [ ! -f ${SALT_ROOT_DIR}/master.backup ]; then
-    cp -p ${SALT_ROOT_DIR}/master ${SALT_ROOT_DIR}/master.orig
-  else
-    cp -p ${SALT_ROOT_DIR}/master.orig ${SALT_ROOT_DIR}/master
-  fi
-
-  # Set env variables
-  sed -i \
-      -e "s|^[#]*user:.*$|user: ${SALT_USER}|" \
-      -e "s|^[#]*log_level:.*$|log_level: ${SALT_LOG_LEVEL}|" \
-      -e "s|^[#]*log_level_logfile:.*$|log_level_logfile: ${SALT_LEVEL_LOGFILE}|" \
-      -e "s|^[#]*default_include:.*$|default_include: ${SALT_CONFS_DIR}/*.conf|" \
-      -e "s|^[#]*pki_dir:.*$|pki_dir: ${SALT_KEYS_DIR}/|" \
-      -e "s|/var/log/salt|${SALT_LOGS_DIR}|g" \
-      ${SALT_ROOT_DIR}/master
-
-  cat >> ${SALT_ROOT_DIR}/master <<EOF
-
-######       Custom Settings          ######
-############################################
-
-######       Base Directories         ######
-############################################
-file_roots:
-  base:
-    - ${SALT_BASE_DIR}/salt
-
-pillar_roots:
-  base:
-    - ${SALT_BASE_DIR}/pillar
-
-EOF
+  exec_as_salt cp -p ${SALT_RUNTIME_DIR}/config/master.yml ${SALT_ROOT_DIR}/master
+
+  # Update main configuration
+  update_template ${SALT_ROOT_DIR}/master \
+    SALT_USER \
+    SALT_LOG_LEVEL \
+    SALT_LEVEL_LOGFILE \
+    SALT_LOGS_DIR \
+    SALT_BASE_DIR \
+    SALT_CACHE_DIR \
+    SALT_CONFS_DIR \
+    SALT_KEYS_DIR
+
+  # Update keys configuration
+  update_template ${SALT_ROOT_DIR}/master \
+    SALT_MASTER_SIGN_PUBKEY \
+    SALT_MASTER_SIGN_KEY_NAME \
+    SALT_MASTER_PUBKEY_SIGNATURE \
+    SALT_MASTER_USE_PUBKEY_SIGNATURE
 }
 
 # Initializes main directories