Bug #37835

open

Salt 3006.8 needs explicit netapi and user configuration

Added by Bastian Schmidt about 1 month ago. Updated about 1 month ago.

Status: Ready For Testing
Priority: Normal
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

Since 3006, Salt installs with an explicit user that runs the Salt Master daemon in order to limit the daemon's permissions. If that user differs from the user that we execute the salt ... commands with (when triggering Salt from Smart Proxy), we get some permission issues. More specifically, sudo -u foreman-proxy salt '*' test.ping runs into the following error:

[ERROR   ] Unable to connect to the salt master publisher at /var/run/salt/master
The salt master could not be contacted. Is master running?

When executing salt '*' test.ping, that command wants to connect to the Salt Master whose PID is stored in /var/run/salt/master/*. But, with the 3006-explicit-user update, they limit access to the /var/run/salt folder to the same user which runs the Salt Master daemon.

Salt docs: https://docs.saltproject.io/en/3006/topics/releases/3006.0.html#linux-packaging-salt-master-salt-user-and-group

Moreover, netapi, which is used for Salt-API calls, needs an explicit configuration, as it is nowadays more restricted:

https://docs.saltproject.io/en/master/topics/netapi/netapi-enable-clients.html#select-client-interfaces-to-enable
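
The ownership mismatch described above can be confirmed before touching any configuration. The following is an added example, not part of the original report: the helper name `diagnose_salt_access` is hypothetical, and it assumes GNU `stat` and `id`.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report). Assumes GNU stat and id.
# diagnose_salt_access USER DIR   (hypothetical helper name)
# Prints the permission class through which USER may enter DIR:
#   owner | group | other | denied | missing
diagnose_salt_access() {
    user=$1
    dir=$2
    [ -d "$dir" ] || { echo missing; return 0; }

    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")
    mode=$(stat -c '%a' "$dir")               # octal, e.g. 750 or 2750

    # Keep the last three octal digits, zero-padded: owner, group, other.
    perms=$(printf '%03d' "$((mode % 1000))")
    u=${perms%??}
    o=${perms#??}
    g=${perms#?}; g=${g%?}

    # Groups of USER; empty when the account does not exist.
    groups=$(id -Gn "$user" 2>/dev/null) || groups=

    if [ "$user" = "$owner" ]; then
        class=owner; bits=$u
    else
        case " $groups " in
            *" $group "*) class=group; bits=$g ;;
            *)            class=other; bits=$o ;;
        esac
    fi

    # Entering a directory (to reach the sockets inside) needs the x bit.
    if [ $((bits & 1)) -eq 1 ]; then echo "$class"; else echo denied; fi
}

# Constructed usage: sh check.sh foreman-proxy /var/run/salt/master
if [ "$#" -eq 2 ]; then
    diagnose_salt_access "$1" "$2"
fi
```

The verdict reflects the directory's mode bits only: root bypasses them, and the sockets inside the directory carry their own permissions.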
