[BUG] 3006 Inconsistency with minion and master permissions on /etc/salt #64158

Closed
2 of 9 tasks
DaAwesomeP opened this issue Apr 25, 2023 · 1 comment · Fixed by #64174
Labels
Bug broken, incorrect, or confusing behavior Packaging Related to packaging of Salt, not Salt's support for package management.


@DaAwesomeP
Contributor

Description
The salt-master package creates a group called salt and expects all files in /etc/salt to be readable by that user/group. However, the salt-minion package does not install the salt user. Strangely, salt-master requires access to be able to read minion config files. This creates a permissions inconsistency between machines that have only the master installed or both the master and minion installed.

For example, the following works fine on a machine with only the minion installed:

include:
  - repo.salt # provides repo_salt

salt-minion:
  pkg.installed:
    - require:
      - repo_salt
  file.managed:
    - user: root
    - group: root
    - mode: '0440'
    - makedirs: True
    - template: jinja
    - names:
      - /etc/salt/minion.d/99-myconf.conf:
        - contents: |
            master:
              - salt.example.com
              - salt2.example.com
            master_type: failover
            master_alive_interval: 30
            retry_dns: 0

But on a machine with both the master and minion installed, I get the exception shown below.

If I set this file to be owned by the salt group, then it fixes the issue on the master, but this group does not exist on the minion:

  file.managed:
    - user: root
    - group: salt # fails on minion that does not have salt-master installed as well

Setup
Debian 11 amd64 with salt-master and salt-minion 3006.0.

  • on-prem machine
  • VM (Virtualbox, KVM, etc. please specify)
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior
See above

Expected behavior
The master should not require read access to minion files.

Screenshots

salt-master[261583]: [ERROR   ] An un-handled exception was caught by Salt's global exception handler:
salt-master[261583]: PermissionError: [Errno 13] Permission denied: '/etc/salt/minion.d/99-myconf.conf'
salt-master[261583]: Traceback (most recent call last):
salt-master[261583]:   File "/usr/bin/salt-master", line 11, in <module>
salt-master[261583]:     sys.exit(salt_master())
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 89, in salt_master
salt-master[261583]:     master.start()
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/daemons.py", line 204, in start
salt-master[261583]:     self.master.start()
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/master.py", line 723, in start
salt-master[261583]:     chan = salt.channel.server.PubServerChannel.factory(opts)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/server.py", line 721, in factory
salt-master[261583]:     return cls(opts, transport, presence_events=presence_events)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/server.py", line 727, in __init__
salt-master[261583]:     self.aes_funcs = salt.master.AESFuncs(self.opts)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/master.py", line 1233, in __init__
salt-master[261583]:     self.mminion = salt.minion.MasterMinion(
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/minion.py", line 974, in __init__
salt-master[261583]:     self.opts = salt.config.mminion_config(
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2323, in mminion_config
salt-master[261583]:     opts = minion_config(path, ignore_config_errors=ignore_config_errors, role="master")
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2299, in minion_config
salt-master[261583]:     include_config(
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2178, in include_config
salt-master[261583]:     opts = _read_conf_file(fn_)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2015, in _read_conf_file
salt-master[261583]:     with salt.utils.files.fopen(path, "r") as conf_file:
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/files.py", line 393, in fopen
salt-master[261583]:     f_handle = open(*args, **kwargs)  # pylint: disable=resource-leakage
salt-master[261583]: PermissionError: [Errno 13] Permission denied: '/etc/salt/minion.d/99-myconf.conf'
salt-master[261583]: Traceback (most recent call last):
salt-master[261583]:   File "/usr/bin/salt-master", line 11, in <module>
salt-master[261583]:     sys.exit(salt_master())
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/scripts.py", line 89, in salt_master
salt-master[261583]:     master.start()
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/cli/daemons.py", line 204, in start
salt-master[261583]:     self.master.start()
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/master.py", line 723, in start
salt-master[261583]:     chan = salt.channel.server.PubServerChannel.factory(opts)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/server.py", line 721, in factory
salt-master[261583]:     return cls(opts, transport, presence_events=presence_events)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/channel/server.py", line 727, in __init__
salt-master[261583]:     self.aes_funcs = salt.master.AESFuncs(self.opts)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/master.py", line 1233, in __init__
salt-master[261583]:     self.mminion = salt.minion.MasterMinion(
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/minion.py", line 974, in __init__
salt-master[261583]:     self.opts = salt.config.mminion_config(
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2323, in mminion_config
salt-master[261583]:     opts = minion_config(path, ignore_config_errors=ignore_config_errors, role="master")
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2299, in minion_config
salt-master[261583]:     include_config(
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2178, in include_config
salt-master[261583]:     opts = _read_conf_file(fn_)
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/config/__init__.py", line 2015, in _read_conf_file
salt-master[261583]:     with salt.utils.files.fopen(path, "r") as conf_file:
salt-master[261583]:   File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/files.py", line 393, in fopen
salt-master[261583]:     f_handle = open(*args, **kwargs)  # pylint: disable=resource-leakage
salt-master[261583]: PermissionError: [Errno 13] Permission denied: '/etc/salt/minion.d/99-myconf.conf'

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3006.0
 
Python Version:
        Python: 3.10.11 (main, Apr 14 2023, 05:57:16) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.15.1
      cherrypy: unknown
      dateutil: 2.8.1
     docker-py: 1.10.6
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: 1.3.0
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.9.8
        pygit2: 1.7.0
  python-gnupg: 0.4.8
        PyYAML: 5.4.1
         PyZMQ: 23.2.0
        relenv: 0.11.2
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: debian 11 bullseye
        locale: utf-8
       machine: x86_64
       release: 5.10.0-21-cloud-amd64
        system: Linux
       version: Debian GNU/Linux 11 bullseye

Additional context
N/A

@DaAwesomeP DaAwesomeP added Bug broken, incorrect, or confusing behavior needs-triage labels Apr 25, 2023
@dwoz dwoz removed the needs-triage label Apr 25, 2023
@anilsil anilsil added this to the Sulfur v3006.1 milestone Apr 25, 2023
@dwoz dwoz assigned dwoz and unassigned Ch3LL Apr 26, 2023
@OrangeDog OrangeDog added the Packaging Related to packaging of Salt, not Salt's support for package management. label Apr 27, 2023
dwoz added a commit to dwoz/salt that referenced this issue May 2, 2023
dwoz added a commit to dwoz/salt that referenced this issue May 3, 2023
@s0undt3ch s0undt3ch linked a pull request May 3, 2023 that will close this issue
s0undt3ch pushed a commit to dwoz/salt that referenced this issue May 3, 2023
garethgreenaway pushed a commit that referenced this issue May 3, 2023
@dwoz
Contributor

dwoz commented May 3, 2023

Fixed by #64174

@dwoz dwoz closed this as completed May 3, 2023
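
Added example (not part of the original issue and not Salt's own code): a pre-flight check that lists the config files a given account cannot read according to the mode bits, which is the condition behind the PermissionError in the report. The function names and the assumption that the master runs as an account named `salt` are illustrative; ACLs and directory search bits are not evaluated.

```python
import os
import pwd
import stat
import tempfile

def account_ids(name):
    """Resolve an account name (assumed here: 'salt') to its uid and group ids."""
    pw = pwd.getpwnam(name)
    return pw.pw_uid, set(os.getgrouplist(name, pw.pw_gid))

def can_read(st, uid, gids):
    """POSIX mode-bit read check for an arbitrary account (ACLs ignored)."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def unreadable_configs(conf_dir, uid, gids):
    """Sorted paths (relative to conf_dir) of regular files the account cannot read."""
    blocked = []
    for dirpath, _dirs, files in os.walk(conf_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if stat.S_ISREG(st.st_mode) and not can_read(st, uid, gids):
                blocked.append(os.path.relpath(path, conf_dir))
    return sorted(blocked)

def demo():
    """Constructed tree standing in for /etc/salt; ids are derived, not real accounts."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "minion.d"))
        path = os.path.join(root, "minion.d", "99-myconf.conf")
        with open(path, "w") as fh:
            fh.write("master_type: failover\n")
        os.chmod(path, 0o440)  # same mode as the state in the issue
        st = os.stat(path)
        daemon_uid = st.st_uid + 1  # any non-owner, non-root uid
        # Account outside the file's group versus account that is a member of it.
        outside = unreadable_configs(root, daemon_uid, {st.st_gid + 1})
        member = unreadable_configs(root, daemon_uid, {st.st_gid})
        return outside, member
```

On a real host, `unreadable_configs("/etc/salt", *account_ids("salt"))` reports the files that would stop a master running as that account from starting.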