From 6b4aed73cbb16d6f0d4b310230a517d36578c8ae Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 5 Apr 2020 23:10:55 +0200
Subject: salt-minion: T2230: move inlined templates to dedicated files

---
 data/templates/salt-minion/minion.tmpl | 63 ++++++++++++++++++
 src/conf_mode/salt-minion.py | 113 ++++++++-------------------------
 2 files changed, 89 insertions(+), 87 deletions(-)
 create mode 100644 data/templates/salt-minion/minion.tmpl

diff --git a/data/templates/salt-minion/minion.tmpl b/data/templates/salt-minion/minion.tmpl
new file mode 100644
index 000000000..5e50d588c
--- /dev/null
+++ b/data/templates/salt-minion/minion.tmpl
@@ -0,0 +1,63 @@
+### Autogenerated by salt-minion.py ###
+
+##### Primary configuration settings #####
+##########################################
+
+# The hash_type is the hash to use when discovering the hash of a file on
+# the master server. The default is sha256, but md5, sha1, sha224, sha384 and
+# sha512 are also supported.
+#
+# WARNING: While md5 and sha1 are also supported, do not use them due to the
+# high chance of possible collisions and thus security breach.
+#
+# Prior to changing this value, the master should be stopped and all Salt
+# caches should be cleared.
+hash_type: {{ hash_type }}
+
+##### Logging settings #####
+##########################################
+# The location of the minion log file
+# The minion log can be sent to a regular file, local path name, or network
+# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
+# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
+# format is: ://:/
+#log_file: /var/log/salt/minion
+#log_file: file:///dev/log
+#log_file: udp://loghost:10514
+#
+log_file: {{ log_file }}
+
+# The level of messages to send to the console.
+# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+#
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
+# Default: 'warning'
+log_level: {{ log_level }}
+
+# Set the location of the salt master server, if the master server cannot be
+# resolved, then the minion will fail to start.
+master:
+{% for host in master -%}
+- {{ host }}
+{% endfor %}
+
+# The user to run salt
+user: {{ user }}
+
+# The directory to store the pki information in
+pki_dir: /config/salt/pki/minion
+
+# Explicitly declare the id for this minion to use, if left commented the id
+# will be the hostname as returned by the python call: socket.getfqdn()
+# Since salt uses detached ids it is possible to run multiple minions on the
+# same machine but with different ids, this can be useful for salt compute
+# clusters.
+id: {{ salt_id }}
+
+
+# The number of minutes between mine updates.
+mine_interval: {{ mine_interval }}
+
+verify_master_pubkey_sign: {{ verify_master_pubkey_sign }}
diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py
index 303ddae48..bc1767454 100755
--- a/src/conf_mode/salt-minion.py
+++ b/src/conf_mode/salt-minion.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2018 VyOS maintainers and contributors
+# Copyright (C) 2018-2020 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
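Review bot: `{% for host in master -%}` treats `master` as a list, but the fallback `'master' : 'salt'` in `default_config_data` (salt-minion.py hunk `@@ -13,102 +13,35 @@`, carried over unchanged) is a plain string, which Jinja2 iterates character by character and would render as `- s`, `- a`, `- l`, `- t`. Whether get_config() always replaces that default with a list cannot be seen from this page, since its body lies outside the hunks. If a single default master host is intended, `'master' : ['salt'],` keeps the default and the template consistent without touching the loop.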
@@ -13,102 +13,35 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-#
-#
 
-import sys
 import os
-import pwd
-import socket
-import urllib3
-import jinja2
+from copy import deepcopy
+from jinja2 import FileSystemLoader, Environment
+from pwd import getpwnam
+from socket import gethostname
+from sys import exit
+from urllib3 import PoolManager
 
 from vyos.config import Config
+from vyos.defaults import directories as vyos_data_dir
 from vyos import ConfigError
 
 config_file = r'/etc/salt/minion'
 
-# Please be careful if you edit the template.
-config_tmpl = """
-### Autogenerated by salt-minion.py ###
-
-##### Primary configuration settings #####
-##########################################
-
-# The hash_type is the hash to use when discovering the hash of a file on
-# the master server. The default is sha256, but md5, sha1, sha224, sha384 and
-# sha512 are also supported.
-#
-# WARNING: While md5 and sha1 are also supported, do not use them due to the
-# high chance of possible collisions and thus security breach.
-#
-# Prior to changing this value, the master should be stopped and all Salt
-# caches should be cleared.
-hash_type: {{ hash_type }}
-
-##### Logging settings #####
-##########################################
-# The location of the minion log file
-# The minion log can be sent to a regular file, local path name, or network
-# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
-# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
-# format is: ://:/
-#log_file: /var/log/salt/minion
-#log_file: file:///dev/log
-#log_file: udp://loghost:10514
-#
-log_file: {{ log_file }}
-
-# The level of messages to send to the console.
-# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
-#
-# The following log levels are considered INSECURE and may log sensitive data:
-# ['garbage', 'trace', 'debug']
-#
-# Default: 'warning'
-log_level: {{ log_level }}
-
-# Set the location of the salt master server, if the master server cannot be
-# resolved, then the minion will fail to start.
-master:
-{% for host in master -%}
-- {{ host }}
-{% endfor %}
-
-# The user to run salt
-user: {{ user }}
-
-# The directory to store the pki information in
-pki_dir: /config/salt/pki/minion
-
-# Explicitly declare the id for this minion to use, if left commented the id
-# will be the hostname as returned by the python call: socket.getfqdn()
-# Since salt uses detached ids it is possible to run multiple minions on the
-# same machine but with different ids, this can be useful for salt compute
-# clusters.
-id: {{ salt_id }}
-
-
-# The number of minutes between mine updates.
-mine_interval: {{ mine_interval }}
-
-verify_master_pubkey_sign: {{ verify_master_pubkey_sign }}
-"""
-
 default_config_data = {
 'hash_type': 'sha256',
 'log_file': '/var/log/salt/minion',
 'log_level': 'warning',
 'master' : 'salt',
 'user': 'minion',
- 'salt_id': socket.gethostname(),
+ 'salt_id': gethostname(),
 'mine_interval': '60',
 'verify_master_pubkey_sign': 'false'
 }
 
 
 def get_config():
- salt = default_config_data
+ salt = deepcopy(default_config_data)
 conf = Config()
 if not conf.exists('service salt-minion'):
 return None
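Review bot: `from sys import exit` rebinds the `exit` name that the `site` module installs as a builtin, so the `exit(1)` at the bottom of the file (hunk `@@ -200,4 +139,4 @@`) reads like the interactive helper rather than `sys.exit`, and linters flag it as a redefined builtin. The conventional form is to keep `import sys` here and call `sys.exit(1)` in the `__main__` block; if the short name is wanted, `from sys import exit as sys_exit` avoids the shadowing. The rest of the import rewrite and the `deepcopy(default_config_data)` change look fine.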
@@ -145,25 +78,31 @@ def get_config():
 return salt
 
 def generate(salt):
- paths = ['/etc/salt/','/var/run/salt','/opt/vyatta/etc/config/salt/']
+ paths = ['/etc/salt/','/var/run/salt','/opt/vyatta/etc/config/salt/']
 directory = '/opt/vyatta/etc/config/salt/pki/minion'
- uid = pwd.getpwnam(salt['user']).pw_uid
- http = urllib3.PoolManager()
+ uid = getpwnam(salt['user']).pw_uid
+ http = PoolManager()
 
 if salt is None:
 return None
 
+ # Prepare Jinja2 template loader from files
+ tmpl_path = os.path.join(vyos_data_dir['data'], 'templates', 'salt-minion')
+ fs_loader = FileSystemLoader(tmpl_path)
+ env = Environment(loader=fs_loader)
+
 if not os.path.exists(directory):
 os.makedirs(directory)
 
- tmpl = jinja2.Template(config_tmpl)
+ tmpl = env.get_template('minion.tmpl')
 config_text = tmpl.render(salt)
 with open(config_file, 'w') as f:
 f.write(config_text)
- path = "/etc/salt/"
+
+ path = "/etc/salt/"
 for path in paths:
- for root, dirs, files in os.walk(path):
- for usgr in dirs:
+ for root, dirs, files in os.walk(path):
+ for usgr in dirs:
 os.chown(os.path.join(root, usgr), uid, 100)
 for usgr in files:
 os.chown(os.path.join(root, usgr), uid, 100)
@@ -171,14 +110,14 @@ def generate(salt):
 if not os.path.exists('/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub'):
 if not salt['master-key'] is None:
 r = http.request('GET', salt['master-key'], preload_content=False)
-
+
 with open('/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub', 'wb') as out:
 while True:
 data = r.read(1024)
 if not data:
 break
 out.write(data)
-
+
 r.release_conn()
 
 return None
@@ -200,4 +139,4 @@ if __name__ == '__main__':
 apply(c)
 except ConfigError as e:
 print(e)
- sys.exit(1)
+ exit(1)
-- 
cgit v1.2.3
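Review bot: The `if salt is None: return None` guard in generate() is reached only after the rewritten `uid = getpwnam(salt['user']).pw_uid`, so when get_config() returns None (service not configured) that line raises `TypeError` before the guard runs; moving `if salt is None:` / `    return None` to the first statement of generate() fixes it. Now that the template is loaded from a file, building the environment as `Environment(loader=fs_loader, undefined=StrictUndefined)` (with `StrictUndefined` added to the jinja2 import) makes a key missing from `salt` fail at render time instead of silently emitting an empty value — relevant for `verify_master_pubkey_sign`, which governs whether the downloaded master signing key is checked at all. The added `path = "/etc/salt/"` is dead, since `for path in paths:` rebinds it immediately. generate() continues past the end of this hunk.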