From c26bd71772de825c29204d93f3f6c51c7a1a7b5d Mon Sep 17 00:00:00 2001 From: Gwyn Ciesla Date: Wed, 24 May 2023 16:34:21 -0500 Subject: [PATCH] Run master as salt user --- salt.spec | 27 +++++++++++++++++++++------ salt.sysusers | 3 +++ 2 files changed, 24 insertions(+), 6 deletions(-) create mode 100644 salt.sysusers diff --git a/salt.spec b/salt.spec index 9d4e9ba..7fe537b 100644 --- a/salt.spec +++ b/salt.spec @@ -11,7 +11,7 @@ Name: salt Version: 3006.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A parallel remote execution system Group: System Environment/Daemons License: ASL 2.0 @@ -38,6 +38,7 @@ Source18: %{name}-master.fish Source19: %{name}-minion.fish Source20: %{name}-run.fish Source21: %{name}-syndic.fish +Source22: %{name}.sysusers Patch0: contextvars.patch BuildArch: noarch @@ -53,7 +54,7 @@ Requires: logrotate BuildRequires: systemd-rpm-macros BuildRequires: python3-devel - +%{?sysusers_requires_compat} %description Salt is a distributed remote execution system used to execute commands and @@ -167,6 +168,8 @@ install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/proxy.d # Add the config files install -p -m 0640 conf/minion %{buildroot}%{_sysconfdir}/%{name}/minion install -p -m 0640 conf/master %{buildroot}%{_sysconfdir}/%{name}/master +# Use salt user on nre master installations +sed -i 's/#user: root/user: salt/g' %{buildroot}%{_sysconfdir}/%{name}/master install -p -m 0600 conf/cloud %{buildroot}%{_sysconfdir}/%{name}/cloud install -p -m 0640 conf/roster %{buildroot}%{_sysconfdir}/%{name}/roster install -p -m 0640 conf/proxy %{buildroot}%{_sysconfdir}/%{name}/proxy @@ -204,6 +207,9 @@ install -p -m 0644 %{SOURCE21} %{buildroot}%{fish_dir}/%{name}-syndic.fish mkdir -p %{buildroot}%{zsh_dir} install -p -m 0644 pkg/common/%{name}.zsh %{buildroot}%{zsh_dir}/_%{name} +# Salt user and group +install -p -D -m 0644 %{SOURCE22} %{buildroot}%{_sysusersdir}/salt.conf +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/gpgkeys %check %pyproject_check_import -t 
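Review bot: `%{?sysusers_requires_compat}` sits in the base package preamble, just before the main `%description`, but the account is created in `%pre master`. The scriptlet dependency it expands to therefore attaches to `salt` rather than to the `salt-master` subpackage whose `%pre` needs it. Moving the macro into the `%package master` preamble would tie the dependency to the right package. That preamble is outside this hunk, so confirm it does not already carry the macro.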
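Review bot: The `sed -i 's/#user: root/user: salt/g'` line exits successfully even when nothing matches. If upstream ever rewords the commented default in `conf/master`, the build would silently ship a master that still runs as root. Fail the build when the substitution does not take effect by adding `grep -q '^user: salt' %{buildroot}%{_sysconfdir}/%{name}/master` right after the `sed`. The unanchored pattern with `/g` would also rewrite any other line containing that text, so `s/^#user: root/user: salt/` is tighter. The comment above it has a typo (`nre`, presumably `new`).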
@@ -214,7 +220,7 @@ install -p -m 0644 pkg/common/%{name}.zsh %{buildroot}%{zsh_dir}/_%{name} %doc README.fedora %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %config(noreplace) %{_sysconfdir}/bash_completion.d/%{name}.bash -%{_var}/cache/%{name} +%dir %{_var}/cache/%{name}/ %{_var}/log/%{name} %{_bindir}/spm %doc %{_mandir}/man1/spm.1* @@ -238,9 +244,11 @@ install -p -m 0644 pkg/common/%{name}.zsh %{buildroot}%{zsh_dir}/_%{name} %{_bindir}/%{name}-master %{_bindir}/%{name}-run %{_unitdir}/%{name}-master.service -%config(noreplace) %{_sysconfdir}/%{name}/master -%config(noreplace) %{_sysconfdir}/%{name}/master.d -%config(noreplace) %{_sysconfdir}/%{name}/pki/master +%{_sysusersdir}/salt.conf +%config(noreplace) %attr(0750, salt, salt) %{_sysconfdir}/%{name}/master +%config(noreplace) %attr(0750, salt, salt) %{_sysconfdir}/%{name}/master.d +%config(noreplace) %attr(0750, salt, salt) %{_sysconfdir}/%{name}/pki/master +%config(noreplace) %attr(0750, salt, salt) %{_sysconfdir}/%{name}/gpgkeys %files minion %doc %{_mandir}/man1/%{name}-call.1* @@ -292,7 +300,11 @@ install -p -m 0644 pkg/common/%{name}.zsh %{buildroot}%{zsh_dir}/_%{name} %preun api %systemd_preun %{name}-api.service +%pre master +%sysusers_create_compat %{SOURCE22} + %post master +chown salt:salt %{_sysconfdir}/%{name}/gpgkeys -R %systemd_post %{name}-master.service %post syndic @@ -318,6 +330,9 @@ install -p -m 0644 pkg/common/%{name}.zsh %{buildroot}%{zsh_dir}/_%{name} %changelog +* Wed May 24 2023 Gwyn Ciesla - 3006.1-2 +- Add salt user for master per upstream. + * Wed May 24 2023 Gwyn Ciesla - 3006.1-1 - 3006.1 diff --git a/salt.sysusers b/salt.sysusers new file mode 100644 index 0000000..c872610 --- /dev/null +++ b/salt.sysusers @@ -0,0 +1,3 @@ +#Type Name ID GECOS Home directory Shell +u salt - "Salt" /etc/salt /sbin/nologin +g salt -
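Review bot: `%attr(0750, salt, salt)` is applied to `%{_sysconfdir}/%{name}/master`, a regular file that `%install` installs with `-m 0640`, so the packaged config gains execute bits. Owning the file as `salt` also lets the unprivileged master process rewrite its own configuration, including the `user:` setting this patch introduces. Unless the master needs to write the file, consider `%config(noreplace) %attr(0640, root, salt) %{_sysconfdir}/%{name}/master` and keep `0750` for the directories only. It is also worth confirming whether `pki/master`, which presumably holds the master's private key, should be group-accessible at all rather than `0700`.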
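Review bot: The `chown salt:salt %{_sysconfdir}/%{name}/gpgkeys -R` in `%post master` runs as root on every install and upgrade, over a tree that `%files` already hands to the `salt` account with `%attr(0750, salt, salt)`. It is redundant for the directory itself, and it re-owns everything beneath it, including key material an administrator may have deliberately left root-owned. Either drop the line or limit it to the directory with the operand last: `chown salt:salt %{_sysconfdir}/%{name}/gpgkeys || :`. As written, a failing `chown` also fails the scriptlet, and the trailing `-R` relies on GNU option permutation.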
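Review bot: The `u salt` line sets the account's home directory to `/etc/salt`, the configuration tree that also holds the minion config and the PKI directories. Anything that resolves the account's home (GnuPG, SSH, per-user Python paths) would then read or write under `/etc`. If this is deliberate, record the reason in a comment above the line, e.g. `# Home is /etc/salt because <reason>; account has no login shell`. Otherwise a dedicated state directory would be a safer home. The separate `g salt -` line is likely redundant, since a `u` entry also creates the group of the same name.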