[3006.x] Update 3006 packaging to reduce permissions given to salt user for running salt-master #64194

Updates Debian and RPM packages so that /opt/saltstack/salt and the python packages don't have to be owned by salt user. It shouldn't be necessary for salt user, used to run salt-master to be able to write/modify files in that directory hierarchy. Add postinst scripts to call the python compileall module to create byte-compiled python modules. This should preserve performance whilst not requiring write access for salt user. Also cleans up .pyc files and __pycache__ dirs on removal.

Reduces the permissions granted to the salt user used to run the salt-master: * Under /etc/salt limit ownership to /etc/salt/pki/master and /etc/salt/master.d * Until saltstack#64219 is resolved also include /etc/salt/minion.d * Under /var/cache/salt and /var/run/salt only give ownership on master directories * Under /var/log/salt, ensure /var/log/salt/master exists and give ownership oof that. Also update logrotate config to create that with correct ownership and perms and install that on debian packages.

Updates lists of files to check in package tests when starting master. We now set the following as owned by salt:salt in master postinst * /etc/salt/pki/master * /etc/salt/master.d * /var/log/salt/master * /var/cache/salt/master * /var/run/salt/master

Creates /var/run/salt/master directory - if we don't create that specifically the postinst script will fail

Corrects docstrings for salt user tests - they were all the same.

Moves log creation for /var/log/salt/master and /var/log/salt/cloud and setting ownership to salt:salt to the %posttrans scriplets. Whilst using %post work fine for fresh installs, upgrading means that the previous package %postun removes those files. Using %posttrans ensures the logs are created at the end of the full install/upgrade transaction.

Creates empty log for salt-api owned by salt user in same way we do for the master and salt-cloud

Adds test that checks that files and directories created by the packages that should be owned by salt:salt are owned by that user and that the other files/directories created are owned by root:root.

Removes group test for ownership on files by the salt user. Files that are created by the salt-master process can be owned by salt:root, rather than salt:salt and that's valid

Handles permission changes caused by test suite running as root and the creation of /var/cache/salt/master/.root_key. Running the test suite as root means that /etc/salt/pki/master subdirs get their ownership changed to root - clean that up in conftest.py. No longer need to fix /var/log/salt as we handle the files in there individually. Adds exclusion for /var/cache/salt/master/.root_key as that gets created by salt* cli tools running as root.

Ensure salt-api service is enabled now we've added a postinst script

Removes check on /etc/salt/minion.d - it's causing issues in CI that I can't reproduce locally and we'll deal with it in saltstack#64235 anyway.

Remove checks for perms on /var/log/salt/master and /var/run/salt/master in the salt_master fixture as they may not existing during an upgrade test and it's not critical to test them in the fixture.

Adds support for fixing old package (3006.0/3006.1) perms that used the salt user too widely. Without doing this, tests don't pass for upgrades.

Removes seperate salt-cloud path tests as they are now covered by test_pkg_paths

No longer changes ownership of /etc/salt/minion.d to salt user for the salt-master. Requires saltstack#64219 to be resolved.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[3006.x] Update 3006 packaging to reduce permissions given to salt user for running salt-master #64194

[3006.x] Update 3006 packaging to reduce permissions given to salt user for running salt-master #64194

Commits on Aug 16, 2023