
enable Salt Minion in a privileged container to manage its Host #41921

Closed
nickgarber opened this issue Jun 23, 2017 · 8 comments
Labels
Feature new functionality including changes to functionality and code refactors, etc. stale
Milestone

Comments

@nickgarber
Contributor

nickgarber commented Jun 23, 2017

This would make the salt-minion installable on slim container-host OSes such as CoreOS, Photon, etc. [ref:2].

I think it should be possible to have this work as long as the container is privileged.

The kubelet has managed to make this work [ref:1].

Might the Proxy system provide a way forward?

[ref:1]
https://coreos.com/kubernetes/docs/latest/kubelet-wrapper.html
[ref:2]
saltstack/salt-bootstrap#1106

@garethgreenaway garethgreenaway added this to the Approved milestone Jun 24, 2017
@garethgreenaway garethgreenaway added the Feature new functionality including changes to functionality and code refactors, etc. label Jun 24, 2017
@SEJeff
Contributor

SEJeff commented Sep 14, 2017

Seems like a better idea would be to have salt (the kubernetes module/state) talk to the apiserver and deploy whatever you want to the Container Linux boxes for most things. While it absolutely would be possible, it wasn't really built with local config management whatsoever in mind for managing it.

@nickgarber
Contributor Author

Hi @SEJeff, kubernetes integration is a good thing but not a substitute for a minion process so is distinct from my feature request.

A few notable points:

  • Slim container host OSes are increasingly common, and increasingly slim.
  • Containers are an important means for packaging software and deploying services.
  • At a minimum, the minion agent is useful to track fleet-wide resource inventory health and metrics.
  • This issue seeks to make it useful to run the minion as a container.
  • Deploying host-focused software in containers is convenient.
  • In VMware's Photon OS support salt-bootstrap#1106 you can see an example of installing the minion directly to the container-host OS (in that case Photon). Install via docker may be the more forward-thinking complement to that.

I see a meaningful benefit as well as a tangible path forward.

Thanks for your time and consideration.

References:

@bartelsb

AFAIK, this is already doable. If you run the container as privileged and mount the root volume into it (or whatever volumes you need access to), you should have access to everything you need. I haven't looked into this extensively myself, but my team is running containerized salt minions that configure things like iptables and our kubernetes control plane. What specifically do you need your minion to do?

@nickgarber
Contributor Author

Hey @bartelsb, totally 100% yes!

For this issue I wanted to make sure it was a consideration for the Salt project, that it was openly acknowledged and documented.

Thanks for commenting! I think it'll help to make the request and value-proposition more clear.

@nickgarber
Contributor Author

Hey @bartelsb you're definitely farther along than me in using this technique.

I'm hoping to start testing use-cases in the next couple months. Any examples or advice you could share?

@bartelsb

Sure, I'm happy to help where I can!

As I mentioned above, one of our use cases was configuring our firewall rules on the hosts via the salt minions. We chose to use a bash script running iptables commands rather than using the actual iptables salt module. We included the options --network host, --cap-add=NET_ADMIN, and --cap-add=NET_RAW with our docker run command to give the container access to the host's network configuration. We also mounted in the volume containing the iptables executable. If I remember correctly, that was all it took!
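
The two setups described in this thread (bartelsb's privileged container with the host root mounted, and the `--network host` / `NET_ADMIN` / `NET_RAW` variant used for iptables), as an added example that is not from the issue, the commenters, or Salt itself: a POSIX sh helper that emits the `docker run` command for each profile, plus a pre-flight check that the host tree about to be mounted actually contains an iptables binary. The image name, container name, mount points, and the `chroot /host iptables` way of running the host's own iptables (so its shared libraries come from the host, not the image) are assumptions, not something the commenters stated.

```shell
#!/bin/sh
# Added example, not code from the issue or from Salt. Builds the `docker run`
# invocation for a salt-minion container that manages its host, in the two
# shapes discussed in the thread. Image name, container name and mount points
# are assumptions.

# minion_run_cmd PROFILE [IMAGE] [HOST_ROOT]
#   privileged : --privileged plus the host root at /host (full host access)
#   netadmin   : host netns + CAP_NET_ADMIN/CAP_NET_RAW only, host root read-only
# Prints the command rather than running it, so it can be reviewed first.
minion_run_cmd() {
  profile="$1"
  image="${2:-registry.example/salt-minion:latest}"   # assumed image name
  host_root="${3:-/}"
  cmd="docker run -d --name salt-minion --restart unless-stopped"
  case "$profile" in
    privileged)
      # Equivalent to root on the host: the minion key is now a host root credential.
      cmd="$cmd --privileged --pid host --network host"
      cmd="$cmd -v ${host_root}:/host"
      ;;
    netadmin)
      # Only what the firewall use case needs. The host tree is mounted read-only
      # so the host's own iptables (and its shared libraries) can be executed with
      # `chroot /host iptables ...`; CAP_SYS_CHROOT is in Docker's default set.
      cmd="$cmd --network host --cap-add NET_ADMIN --cap-add NET_RAW"
      cmd="$cmd -v ${host_root}:/host:ro"
      ;;
    *)
      echo "minion_run_cmd: unknown profile '$profile'" >&2
      return 2
      ;;
  esac
  # Minion config and keys live on the host so they survive container restarts.
  cmd="$cmd -v /etc/salt:/etc/salt $image"
  printf '%s\n' "$cmd"
}

# minion_preflight [HOST_ROOT]
# Before deploying the netadmin profile, confirm the tree we are about to mount
# actually carries an iptables binary; otherwise the state fails inside the
# container instead of at deploy time. Prints the path found, returns 1 if none.
minion_preflight() {
  host_root="${1:-/}"
  base="${host_root%/}"
  for candidate in usr/sbin/iptables sbin/iptables usr/bin/iptables; do
    if [ -x "$base/$candidate" ]; then
      printf '%s\n' "$base/$candidate"
      return 0
    fi
  done
  echo "minion_preflight: no iptables binary under ${host_root}" >&2
  return 1
}
```

Usage: `minion_preflight && minion_run_cmd netadmin | sh` after reading the printed command. The privileged profile hands the minion full root on the host, so anyone who can publish to that minion from the master owns the box; the netadmin profile narrows the filesystem and capability surface but CAP_NET_ADMIN in the host network namespace is still enough to rewrite every firewall rule and sniff traffic, so treat the minion's key with the same care either way.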

@nickgarber
Contributor Author

Very cool, thanks for the explainer @bartelsb!

@stale

stale bot commented Sep 11, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Sep 11, 2019
@stale stale bot closed this as completed Sep 18, 2019