From d98a0d596790664e9226db63639d2299dc57312c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 26 Apr 2020 10:33:06 +0200 Subject: salt: T2382: XML: run as user nobody --- src/conf_mode/salt-minion.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) (limited to 'src/conf_mode/salt-minion.py') diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 236480854..15bf18a3d 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -23,10 +23,9 @@ from sys import exit from urllib3 import PoolManager from vyos.config import Config -from vyos import ConfigError -from vyos.util import call from vyos.template import render - +from vyos.util import call +from vyos import ConfigError config_file = r'/etc/salt/minion' @@ -35,7 +34,7 @@ default_config_data = { 'log_file': '/var/log/salt/minion', 'log_level': 'warning', 'master' : 'salt', - 'user': 'minion', + 'user': 'nobody', 'salt_id': gethostname(), 'mine_interval': '60', 'verify_master_pubkey_sign': 'false' @@ -79,14 +78,14 @@ def get_config(): return salt def generate(salt): + if not salt: + return None + paths = ['/etc/salt/','/var/run/salt','/opt/vyatta/etc/config/salt/'] directory = '/opt/vyatta/etc/config/salt/pki/minion' uid = getpwnam(salt['user']).pw_uid http = PoolManager() - if salt is None: - return None - if not os.path.exists(directory): os.makedirs(directory) @@ -117,10 +116,10 @@ def generate(salt): def apply(salt): if salt is not None: - call("sudo systemctl restart salt-minion") + call('systemctl restart salt-minion.service') else: # Salt access is removed in the commit - call("sudo systemctl stop salt-minion") + call('systemctl stop salt-minion.service') os.unlink(config_file) return None -- cgit v1.2.3 From e47502b6de539e3da8fb9ceeb4c96708f86dd5c7 Mon Sep 17 00:00:00 2001 
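Review bot: `'user': 'nobody'` in the default_config_data hunk makes a shared account the default identity for the minion; generate() resolves it with `getpwnam(salt['user']).pw_uid` and, presumably for the ownership changes applied to the `paths` list (`/etc/salt/`, `/var/run/salt`, `/opt/vyatta/etc/config/salt/`), hands the minion's config and key material to that uid, so every other process that runs as `nobody` gets the same access. A dedicated system account for the service keeps that separation; worth confirming whether the salt-minion package already creates one before hard-wiring `nobody`. The uid lookup is in the generate() hunk of this commit, the ownership loop itself is outside it.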
From: Christian Poessinger Date: Sun, 26 Apr 2020 10:36:05 +0200 Subject: salt: T2382: add missing verify() --- src/conf_mode/salt-minion.py | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/conf_mode/salt-minion.py') diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 15bf18a3d..78eda08f3 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -77,6 +77,9 @@ def get_config(): return salt +def verify(salt): + return None + def generate(salt): if not salt: return None @@ -127,6 +130,7 @@ def apply(salt): if __name__ == '__main__': try: c = get_config() + verify(c) generate(c) apply(c) except ConfigError as e: -- cgit v1.2.3 From 2102c7c318ef02f3506a8d3003ed1d41a04b190e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 26 Apr 2020 10:51:10 +0200 Subject: salt: T2382: id and master nodes are mandatory - use in verify() --- src/conf_mode/salt-minion.py | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'src/conf_mode/salt-minion.py') diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 78eda08f3..55139dca1 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -78,6 +78,15 @@ def get_config(): return salt def verify(salt): + if not salt: + return None + + if not salt['salt_id']: + raise ConfigError('Missing mandatory salt id!') + + if not salt['master']: + raise ConfigError('Salt master must be defined!') + return None def generate(salt): -- cgit v1.2.3 From 07f2b18a8a3de0e1af38a1db7358a1a2f0869377 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 26 Apr 2020 10:52:59 +0200 Subject: salt: T2382: migrate get_config() to list items --- src/conf_mode/salt-minion.py | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) (limited to 'src/conf_mode/salt-minion.py') diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 55139dca1..c0c7c3080 100755 
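Review bot: verify() now rejects an empty `salt_id` and `master` but not `user`, which is operator-configurable (`conf.exists('user')` in get_config()) and is resolved in generate() with `getpwnam(salt['user']).pw_uid`; an account that does not exist therefore surfaces as a KeyError traceback rather than a ConfigError. Add the lookup here, e.g. `try: getpwnam(salt['user'])` / `except KeyError: raise ConfigError('User {} does not exist'.format(salt['user']))`, since getpwnam is already imported by the script. The `master-key` URL that generate() downloads from could be checked in the same place, as it is currently written to the minion's pki directory whatever the server returns.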
--- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -43,36 +43,36 @@ default_config_data = { def get_config(): salt = deepcopy(default_config_data) conf = Config() - if not conf.exists('service salt-minion'): + base = ['service', 'salt-minion'] + + if not conf.exists(base): return None else: - conf.set_level('service salt-minion') + conf.set_level(base) - if conf.exists('hash_type'): - salt['hash_type'] = conf.return_value('hash_type') + if conf.exists(['hash_type']): + salt['hash_type'] = conf.return_value(['hash_type']) - if conf.exists('log_file'): - salt['log_file'] = conf.return_value('log_file') + if conf.exists(['log_file']): + salt['log_file'] = conf.return_value(['log_file']) - if conf.exists('log_level'): - salt['log_level'] = conf.return_value('log_level') + if conf.exists(['log_level']): + salt['log_level'] = conf.return_value(['log_level']) - if conf.exists('master'): - master = conf.return_values('master') - salt['master'] = master + if conf.exists(['master']): + salt['master'] = conf.return_values(['master']) - if conf.exists('id'): - salt['salt_id'] = conf.return_value('id') + if conf.exists(['id']): + salt['salt_id'] = conf.return_value(['id']) - if conf.exists('user'): - salt['user'] = conf.return_value('user') + if conf.exists(['user']): + salt['user'] = conf.return_value(['user']) - if conf.exists('mine_interval'): - salt['mine_interval'] = conf.return_value('mine_interval') + if conf.exists(['mine_interval']): + salt['mine_interval'] = conf.return_value(['mine_interval']) - salt['master-key'] = None - if conf.exists('master-key'): - salt['master-key'] = conf.return_value('master-key') + if conf.exists(['master-key']): + salt['master_key'] = conf.return_value(['master-key']) salt['verify_master_pubkey_sign'] = 'true' return salt -- cgit v1.2.3 From 3027a904c96b2972ab3112f671fa7aef48f8ecf1 Mon Sep 17 00:00:00 2001 
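Review bot: The rename to `salt['master_key']` and the dropped `salt['master-key'] = None` default are not mirrored in generate(), which at this commit still reads `salt['master-key']` (visible as a removed line in the following 'ease config generation' commit), so with no master-key configured and no master_sign.pub on disk generate() raises KeyError; this commit should either keep the old key name or add `'master_key'` to default_config_data. Separately, `salt['master'] = conf.return_values(['master'])` yields a list while the default is the string `'salt'`, so the template sees a different type depending on whether the node is set; unless the template handles both, normalising the default to a list would remove that ambiguity. get_config() continues past the end of this hunk.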
From: Christian Poessinger Date: Sun, 26 Apr 2020 10:53:26 +0200 Subject: salt: T2382: ease config generation --- src/conf_mode/salt-minion.py | 54 ++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 30 deletions(-) (limited to 'src/conf_mode/salt-minion.py') diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index c0c7c3080..62a08f5ff 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -17,17 +17,17 @@ import os from copy import deepcopy -from pwd import getpwnam from socket import gethostname from sys import exit from urllib3 import PoolManager from vyos.config import Config from vyos.template import render -from vyos.util import call +from vyos.util import call, chown from vyos import ConfigError config_file = r'/etc/salt/minion' +master_keyfile = r'/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub' default_config_data = { 'hash_type': 'sha256', @@ -35,9 +35,11 @@ default_config_data = { 'log_level': 'warning', 'master' : 'salt', 'user': 'nobody', + 'group': 'nogroup', 'salt_id': gethostname(), 'mine_interval': '60', - 'verify_master_pubkey_sign': 'false' + 'verify_master_pubkey_sign': 'false', + 'master_key': '' } def get_config(): 
@@ -93,46 +95,38 @@ def generate(salt): if not salt: return None - paths = ['/etc/salt/','/var/run/salt','/opt/vyatta/etc/config/salt/'] - directory = '/opt/vyatta/etc/config/salt/pki/minion' - uid = getpwnam(salt['user']).pw_uid - http = PoolManager() - - if not os.path.exists(directory): - os.makedirs(directory) + for file in [config_file, master_keyfile]: + dirname = os.path.dirname(file) + if not os.path.exists(dirname): + os.mkdir(dirname) render(config_file, 'salt-minion/minion.tmpl', salt) + chown(config_file, salt['user'], salt['group']) - path = "/etc/salt/" - for path in paths: - for root, dirs, files in os.walk(path): - for usgr in dirs: - os.chown(os.path.join(root, usgr), uid, 100) - for usgr in files: - os.chown(os.path.join(root, usgr), uid, 100) - - if not os.path.exists('/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub'): - if not salt['master-key'] is None: - r = http.request('GET', salt['master-key'], preload_content=False) + if not os.path.exists(master_keyfile): + if salt['master_key']: + req = PoolManager().request('GET', salt['master_key'], preload_content=False) - with open('/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub', 'wb') as out: + with open(master_keyfile, 'wb') as f: while True: - data = r.read(1024) + data = req.read(1024) if not data: break - out.write(data) + f.write(data) - r.release_conn() + req.release_conn() + chown(master_keyfile, salt['user'], salt['group']) return None def apply(salt): - if salt is not None: - call('systemctl restart salt-minion.service') - else: - # Salt access is removed in the commit + if not salt: + # Salt removed from running config call('systemctl stop salt-minion.service') - os.unlink(config_file) + if os.path.exists(config_file): + os.unlink(config_file) + else: + call('systemctl restart salt-minion.service') return None -- cgit v1.2.3 From 529cf467098d1a31e07b4053722e2f9779b16142 Mon Sep 17 00:00:00 2001 
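Review bot: `os.mkdir(dirname)` regresses the removed `os.makedirs(directory)`: master_keyfile's parent `/opt/vyatta/etc/config/salt/pki/minion` is several levels deep and mkdir() raises FileNotFoundError when `pki` does not exist yet, so the first commit on a fresh system fails. The download block also writes whatever the server returns straight to master_keyfile without checking `req.status`, and the `if not os.path.exists(master_keyfile)` guard then treats that file as final, so a 404 body or an interrupted transfer becomes the permanent master signing key and is never refetched; the rewrite below checks the status, writes to a temporary name and renames. Because the file is then chown'ed to the account the minion runs as, the trust anchor is writable by the very process it constrains; if the minion only needs to read it, leaving it root-owned and world-readable would be safer, worth confirming against salt's requirements. The fetch URL comes from the config node with no scheme check, so a plain `http://` URL fetches the key unauthenticated; flagging rather than changing that here.
```python
    for file in [config_file, master_keyfile]:
        # makedirs: the pki/minion path is several levels deep, mkdir() fails on a missing parent
        os.makedirs(os.path.dirname(file), exist_ok=True)

    # … unchanged: render() and chown() of config_file …

    if not os.path.exists(master_keyfile):
        if salt['master_key']:
            req = PoolManager().request('GET', salt['master_key'], preload_content=False)
            try:
                if req.status != 200:
                    raise ConfigError('Fetching master key from {} failed with HTTP {}'.format(
                        salt['master_key'], req.status))
                # write to a temporary name and rename so an interrupted download never
                # leaves a partial key that the exists() guard above would then trust
                tmp_keyfile = master_keyfile + '.tmp'
                with open(tmp_keyfile, 'wb') as f:
                    while True:
                        data = req.read(1024)
                        if not data:
                            break
                        f.write(data)
                os.rename(tmp_keyfile, master_keyfile)
            finally:
                req.release_conn()
            chown(master_keyfile, salt['user'], salt['group'])
```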
From: Christian Poessinger Date: Sun, 26 Apr 2020 11:08:22 +0200 Subject: Revert "salt: T2382: id and master nodes are mandatory - use in verify()" This reverts commit 2102c7c318ef02f3506a8d3003ed1d41a04b190e. --- src/conf_mode/salt-minion.py | 9 --------- 1 file changed, 9 deletions(-) (limited to 'src/conf_mode/salt-minion.py') diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 62a08f5ff..a460c95b3 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -80,15 +80,6 @@ def get_config(): return salt def verify(salt): - if not salt: - return None - - if not salt['salt_id']: - raise ConfigError('Missing mandatory salt id!') - - if not salt['master']: - raise ConfigError('Salt master must be defined!') - return None def generate(salt): -- cgit v1.2.3 From 52817fc97de3e5a5af4a43f2a2acfe05509f6258 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 26 Apr 2020 11:11:32 +0200 Subject: salt: T2384: always log to syslog --- data/templates/salt-minion/minion.tmpl | 6 +---- interface-definitions/salt-minion.xml.in | 39 -------------------------------- src/conf_mode/salt-minion.py | 8 +------ 3 files changed, 2 insertions(+), 51 deletions(-) (limited to 'src/conf_mode/salt-minion.py') diff --git a/data/templates/salt-minion/minion.tmpl b/data/templates/salt-minion/minion.tmpl index 5e50d588c..0b97c0524 100644 --- a/data/templates/salt-minion/minion.tmpl +++ b/data/templates/salt-minion/minion.tmpl @@ -21,11 +21,7 @@ hash_type: {{ hash_type }} # location. Remote logging works best when configured to use rsyslogd(8) (e.g.: # ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI # format is: ://:/ -#log_file: /var/log/salt/minion -#log_file: file:///dev/log -#log_file: udp://loghost:10514 -# -log_file: {{ log_file }} +log_file: file:///dev/log # The level of messages to send to the console. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. 
diff --git a/interface-definitions/salt-minion.xml.in b/interface-definitions/salt-minion.xml.in index 02501c5e8..f62465a64 100644 --- a/interface-definitions/salt-minion.xml.in +++ b/interface-definitions/salt-minion.xml.in @@ -1,5 +1,4 @@ - @@ -14,44 +13,6 @@ The hash_type is the hash to use when discovering the hash of a file on the master server. - - - The location of the minion log file. - - - - - Log level - - garbage - log garbage info - - - trace - log trace info - - - debug - log debug info - - - info - log info - - - warning - log warning info - - - error - log error info - - - critical - log critical info - - - The hostname or IP address of the master. diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index a460c95b3..d3412b7ef 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -31,7 +31,6 @@ master_keyfile = r'/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub' default_config_data = { 'hash_type': 'sha256', - 'log_file': '/var/log/salt/minion', 'log_level': 'warning', 'master' : 'salt', 'user': 'nobody', @@ -55,12 +54,6 @@ def get_config(): if conf.exists(['hash_type']): salt['hash_type'] = conf.return_value(['hash_type']) - if conf.exists(['log_file']): - salt['log_file'] = conf.return_value(['log_file']) - - if conf.exists(['log_level']): - salt['log_level'] = conf.return_value(['log_level']) - if conf.exists(['master']): salt['master'] = conf.return_values(['master']) @@ -90,6 +83,7 @@ def generate(salt): dirname = os.path.dirname(file) if not os.path.exists(dirname): os.mkdir(dirname) + chown(dirname, salt['user'], salt['group']) render(config_file, 'salt-minion/minion.tmpl', salt) chown(config_file, salt['user'], salt['group']) -- cgit v1.2.3 From 6a3938cbf595ea24d2d2e3802cf78a0519483339 Mon Sep 17 00:00:00 2001 
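Review bot: The added `chown(dirname, salt['user'], salt['group'])` in the salt-minion.py hunk hands ownership of `/etc/salt` itself (the dirname of config_file) and of the pki directory to the `nobody:nogroup` account, which lets that shared unprivileged account create, rename or replace any file in the minion's config directory rather than just read `minion`; if the minion only needs read access, leave the directories root-owned and chown only the files generate() writes, worth confirming whether salt-minion needs to write there itself. The chown is also inside the `if not os.path.exists(dirname)` branch, so a directory that already exists keeps whatever ownership it had and the end state depends on whether it pre-existed. generate() starts outside this hunk.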
From: Christian Poessinger Date: Sun, 26 Apr 2020 11:31:16 +0200 Subject: salt: T2384: migrate config options - delete log_file, log_level and user nodes - rename hash_type to hash - rename mine_interval to interval --- data/templates/salt-minion/minion.tmpl | 4 +-- interface-definitions/salt-minion.xml.in | 9 ++--- src/conf_mode/salt-minion.py | 10 +++--- src/migration-scripts/salt/0-to-1 | 58 ++++++++++++++++++++++++++++++++ 4 files changed, 67 insertions(+), 14 deletions(-) create mode 100755 src/migration-scripts/salt/0-to-1 (limited to 'src/conf_mode/salt-minion.py') diff --git a/data/templates/salt-minion/minion.tmpl b/data/templates/salt-minion/minion.tmpl index 0b97c0524..9369573a4 100644 --- a/data/templates/salt-minion/minion.tmpl +++ b/data/templates/salt-minion/minion.tmpl @@ -12,7 +12,7 @@ # # Prior to changing this value, the master should be stopped and all Salt # caches should be cleared. -hash_type: {{ hash_type }} +hash_type: {{ hash }} ##### Logging settings ##### ########################################## @@ -54,6 +54,6 @@ id: {{ salt_id }} # The number of minutes between mine updates. -mine_interval: {{ mine_interval }} +mine_interval: {{ interval }} verify_master_pubkey_sign: {{ verify_master_pubkey_sign }} diff --git a/interface-definitions/salt-minion.xml.in b/interface-definitions/salt-minion.xml.in index 1c1dee2fb..d0e8e3e2b 100644 --- a/interface-definitions/salt-minion.xml.in +++ b/interface-definitions/salt-minion.xml.in @@ -8,7 +8,7 @@ 500 - + Hash used when discovering file on master server (default: sha256) @@ -43,12 +43,7 @@ Explicitly declare the id for this minion to use. - - - The user to run the Salt processes. - - - + The number of minutes between mine updates. diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index d3412b7ef..515019014 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py 
@@ -30,7 +30,7 @@ config_file = r'/etc/salt/minion' master_keyfile = r'/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub' default_config_data = { - 'hash_type': 'sha256', + 'hash': 'sha256', 'log_level': 'warning', 'master' : 'salt', 'user': 'nobody', @@ -51,8 +51,8 @@ def get_config(): else: conf.set_level(base) - if conf.exists(['hash_type']): - salt['hash_type'] = conf.return_value(['hash_type']) + if conf.exists(['hash']): + salt['hash'] = conf.return_value(['hash']) if conf.exists(['master']): salt['master'] = conf.return_values(['master']) @@ -63,8 +63,8 @@ def get_config(): if conf.exists(['user']): salt['user'] = conf.return_value(['user']) - if conf.exists(['mine_interval']): - salt['mine_interval'] = conf.return_value(['mine_interval']) + if conf.exists(['interval']): + salt['interval'] = conf.return_value(['interval']) if conf.exists(['master-key']): salt['master_key'] = conf.return_value(['master-key']) diff --git a/src/migration-scripts/salt/0-to-1 b/src/migration-scripts/salt/0-to-1 new file mode 100755 index 000000000..79053c056 --- /dev/null +++ b/src/migration-scripts/salt/0-to-1 
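Review bot: The `user` node is removed from interface-definitions/salt-minion.xml.in and deleted by the 0-to-1 migration in this commit, yet get_config() still reads it (`if conf.exists(['user']): salt['user'] = conf.return_value(['user'])`, context in the second hunk); the node can no longer appear in a configuration, so those lines are dead and misleadingly suggest the service account is still operator-selectable. Dropping them keeps the effective account the fixed default `'user': 'nobody'` and removes a path by which a resurrected node could redirect the chown() calls in generate() to an arbitrary account. get_config() starts and ends outside this hunk.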
@@ -0,0 +1,58 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Delete log_file, log_level and user nodes +# rename hash_type to hash +# rename mine_interval to interval + +from sys import argv,exit + +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +base = ['service', 'salt-minion'] +if not config.exists(base): + # Nothing to do + exit(0) +else: + + # delete nodes which are now populated with sane defaults + for node in ['log_file', 'log_level', 'user']: + if config.exists(base + [node]): + config.delete(base + [node]) + + if config.exists(base + ['hash_type']): + config.rename(base + ['hash_type'], 'hash') + + if config.exists(base + ['mine_interval']): + config.rename(base + ['mine_interval'], 'interval') + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) -- cgit v1.2.3
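Review bot: `if (len(argv) < 1):` can never be true, since argv always contains the script name, so a missing file argument is not caught and `file_name = argv[1]` raises IndexError instead of printing the intended message; change it to `if len(argv) < 2:`. The `else:` after `exit(0)` is redundant and indents the whole migration body one level further than a guard clause needs; dedenting it would read more plainly without changing behaviour.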