Running salt-minion as a sudo user but not root


Lucas Vickers

May 22, 2013, 3:05:27 PM
to salt-users
Hello,

Can I run the salt-minion as a non root user and have it use sudo for commands?  My salt-minion will still need to create groups/users and edit system files, etc.

My sysadmin is balking at the idea of running salt-master as root, but from what I am reading it's meant to be run as root.  I could use some feedback from you guys.  Is there another approach that's possible?

thanks

Corey Quinn

May 22, 2013, 3:07:19 PM
to salt-...@googlegroups.com
If you set user: you in /etc/salt/minion, does it work?

-- Corey


ed.lane

May 22, 2013, 3:43:45 PM
to salt-...@googlegroups.com
Lucas,

We have successfully run minions as "non-root" AND used sudo for commands in our environment.


"root" is the default but this is settable in the minion config file.

-ed

Markus Törnqvist

May 31, 2013, 6:23:11 AM
to salt-...@googlegroups.com
ed.lane <ed.lane.0@...> writes:

>
> We have successfully run minions as "non-root" AND used sudo for commands in our environment.
>
> http://docs.saltstack.com/ref/configuration/minion.html#user
>
> "root" is the default but this is settable in the minion config file.

How did you get sudo working?

I look at salt/modules/apt.py and it doesn't pass sudo to the command
anywhere. Did you try this with package managers?

Did you write your own (eg.) apt module to replace this, and if so, could
you give pointers on how to do it?

I tried creating my own custom state for pkg, but that didn't pan out
at all. No time to learn how to hack the internals, so I went with running
as root for now.

Any tips more than welcome, thanks!

lu...@localprojects.net

Jun 28, 2013, 2:11:56 PM
to salt-...@googlegroups.com
I managed to convince my manager running as root makes sense,
but I also wonder if you were able to wrap commands in sudo, or how you worked around the limitations?

Stephen Murray

Aug 19, 2013, 9:14:01 AM
to salt-...@googlegroups.com
I am facing similar Operations requirement roadblocks (strict policy of processes not running as root). I am hitting a few roadblocks when using a minion configured to run via a nonroot user.

For instance, in a state file (example below) is there a way for the service module to wrap a command with sudo?

httpd:
  service:
    - running

Alan Jurčić

Feb 3, 2014, 1:15:57 PM
to salt-...@googlegroups.com
Since all modules use "cmd" module for command execution you only need to modify that one module to get going with sudo.

Open cmdmod.py and look for this part of code:

try:
    proc = salt.utils.timed_subprocess.TimedProc(cmd, **kwargs)
except (OSError, IOError) as exc:
    raise CommandExecutionError('Unable to run command: {0}'.format(exc))

You could simply prepend "sudo " to cmd parameter but you don't really want to wrap everything with sudo. You need some way to define what to wrap and what to leave as is.

I've solved this by adding a parameter to my minion configuration:

cmd.wrapper: /var/lib/salt/wrapper/maybesudo

Initialize our new parameter at the beginning in cmdmod.py:

__opts__ = {
            'cmd.wrapper': ""
           }

And before command gets executed add this:

if __opts__['cmd.wrapper']:
    if isinstance(cmd, str):
        cmd = __opts__['cmd.wrapper'] + ' ' + cmd
    else:
        cmd.insert(0, __opts__['cmd.wrapper'])

So instead of wrapping everything with sudo we've wrapped everything with a simple bash script that checks whether it needs to run the command as sudo or not.

My maybesudo script:

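#!/bin/sh
# Run the command through sudo only if its name ($1) is listed in the commands file.
# -x matches the whole line, -F treats $1 as a literal string rather than a regex,
# and -- stops a name beginning with "-" from being parsed as a grep option.
if /bin/grep -q -x -F -- "$1" /var/lib/salt/wrapper/commands
then
    exec /usr/bin/sudo "$@"
else
    exec "$@"
fi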

Commands file lists commands that need to be executed as sudo. You also need to define the same commands in sudoers file to allow passwordless execution for the user that runs salt-minion.

Now you can control what your minions can and cannot do. We use our distro's packaging system to deploy this configuration and add any new commands we want to use.

Possibly can be done more elegantly, but it works for us.

Tested with salt version 0.17.2.

Oliver Guggenbühl

Feb 7, 2017, 3:43:45 PM
to Salt-users
Hi, I wrapped the command list in the minion config. Works well, thanks for the inspiration.

cheers oli



/etc/salt/minion.d/sudo.conf
sudocmdlist:
 - service
 - systemctl
 - yum
 - zypper
 - dnf
 - systemd-run
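
Added example (not from any post in this thread and not Salt's own code): the allowlist decision made by the wrapper script and the sudocmdlist config above, written as a Python helper that also renders the matching sudoers rule from the same list so the two stay in step. The names maybe_sudo and sudoers_line, the absolute paths and the "salt" account name are assumptions of this example.

```python
import shlex

# Constructed allowlist modelled on the sudocmdlist above. Absolute paths are an
# assumption of this example, so the minion and sudoers agree on the binary.
SUDO_CMDS = ("/usr/bin/systemctl", "/usr/bin/yum", "/usr/sbin/service")
SUDO = ["/usr/bin/sudo", "-n", "--"]  # -n: fail rather than prompt for a password


def maybe_sudo(cmd, allowed=SUDO_CMDS):
    """Return cmd as an argv list, prefixed with sudo only when argv[0] is listed.

    Hypothetical helper, not a Salt API. Accepts the two shapes the cmdmod.py
    snippet handles: a command string or an argv list.
    """
    argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    if not argv:
        raise ValueError("empty command")
    # Exact string match: no regex and no basename matching, so "/tmp/yum"
    # or "/usr/bin/y.m" is never treated as an allowlisted entry.
    if argv[0] in allowed:
        return SUDO + argv
    return argv


def sudoers_line(user, allowed=SUDO_CMDS):
    """Render the matching sudoers rule from the same list so the two cannot drift."""
    for path in allowed:
        # Reject entries that would change meaning in sudoers syntax.
        if not path.startswith("/") or any(c in path for c in " ,:=\\*?[]!"):
            raise ValueError("unsafe sudoers entry: %r" % path)
    return "%s ALL=(root) NOPASSWD: %s" % (user, ", ".join(sorted(allowed)))


if __name__ == "__main__":
    print(maybe_sudo("/usr/bin/yum -y install httpd"))
    print(maybe_sudo(["/bin/ls", "/srv"]))
    print(sudoers_line("salt"))  # "salt" is an assumed minion account name
```

A sudoers entry that gives only a path permits any arguments to that binary. The rendered line can be checked with visudo -cf before it is installed.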