From cd64a94b4c5ad8cbeec6981e29923d8a97fa9116 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 10 Oct 2012 14:17:12 -0700
Subject: [PATCH] Run salt master as non root user.

The salt master service should not run as root. Run it as salt instead.

Change-Id: Ia5cdedf8c98684e25c5d88c59130cae3361c9fc3
Reviewed-on: https://review.openstack.org/14311
Approved: James E. Blair
Reviewed-by: James E. Blair
Tested-by: Jenkins
---
 modules/salt/manifests/master.pp | 26 +++++++++++++++++++++++++-
 modules/salt/templates/master.erb | 2 +-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/modules/salt/manifests/master.pp b/modules/salt/manifests/master.pp
index 729590a33a..19406bc43d 100644
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@@ -18,6 +18,27 @@ class salt::master {
 require => Apt::Ppa['ppa:saltstack/salt'],
 }

+ group { 'salt':
+ ensure => present,
+ system => true,
+ }
+
+ user { 'salt':
+ ensure => present,
+ gid => 'salt',
+ home => '/home/salt',
+ shell => '/bin/bash',
+ system => true,
+ }
+
+ file { '/home/salt':
+ ensure => directory,
+ owner => 'salt',
+ group => 'salt',
+ mode => '0755',
+ require => User['salt'],
+ }
+
 file { '/etc/salt/master':
 ensure => present,
 owner => 'root',
@@ -31,7 +52,10 @@ class salt::master {
 service { 'salt-master':
 ensure => running,
 enable => true,
- require => File['/etc/salt/master'],
+ require => [
+ User['salt'],
+ File['/etc/salt/master'],
+ ],
 subscribe => [
 Package['salt-master'],
 File['/etc/salt/master'],
diff --git a/modules/salt/templates/master.erb b/modules/salt/templates/master.erb
index ad73a74568..30fbfe2658 100644
--- a/modules/salt/templates/master.erb
+++ b/modules/salt/templates/master.erb
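Review bot: The `salt` account added in the first master.pp hunk gets `shell => '/bin/bash'`, which leaves a daemon account with an interactive login shell. Nothing visible in this change needs one, so a non-login shell such as `shell => '/usr/sbin/nologin',` would fit the goal of reducing the master's privileges better. If something outside this patch does depend on logging in as salt, a comment on the resource saying so would help the next reader. The home directory is also created world-readable with `mode => '0755'`; `mode => '0750',` is a safer default in case anything sensitive is ever placed there. The enclosing class salt::master starts and ends outside the hunk.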
@@ -18,7 +18,7 @@
 # The user to run the salt-master as. Salt will update all permissions to
 # allow the specified user to run the master. If the modified files cause
 # conflicts set verify_env to False.
-#user: root
+user: salt

 # Max open files
 # Each minion connecting to the master uses AT LEAST one file descriptor, the
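Review bot: `user: salt` hard-codes the account name that modules/salt/manifests/master.pp also hard-codes in its `user { 'salt': }` resource, so the two can drift apart without any error from Puppet. A comment above the setting would record the dependency, for example `# Account is managed by salt::master (modules/salt/manifests/master.pp); keep both in sync.` The surrounding comment says Salt re-owns its files for the configured user unless verify_env is set to False. The rest of the template is outside this hunk, so it is worth confirming that verify_env is left at its default. Otherwise an existing master's key and cache directories would presumably stay root-owned, and the service, now running as salt, could not read them.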