Hi everyone
With the recent updates to Salt (versions 3006.9 and 3007.1), we’ve taken the opportunity to reassess our current Salt configuration within Foreman. As a result, we’d like to open a discussion regarding the user permissions of the salt-master service and its interaction with Foreman.
From version 3006.3 on, Salt ships its own non-root salt user which runs the salt-master service by default. This leads to permission issues with Foreman at certain points. However, changing it back to running the salt-master as root also leads to issues due to a bug in the Salt Publisher ACL interface which we utilize for our remote execution Salt runner. The bug affects all versions from 3006.3 up to the latest releases 3006.9 and 3007.0/1 (see here and here) and is supposed to be resolved in 3006.10 and 3007.2 (see here).
However, with Salt shipping its own non-root user nowadays, we might think about moving away from running Salt as root as well. We propose adding a user foreman-salt to run the salt-master and to interact with it.
We identify the following interfaces which would be affected by such a change:
Salt API
Salt API is used within foreman_salt to read Salt environments and Salt states.
By default, we use PAM as the authentication method to access the API. According to the documentation, a new user is added which we use only for Salt API access: saltuser. If the salt-master service shall authenticate the user with PAM, it must run as root (only root can authenticate other users, see link). In a non-root scenario, the salt-master user can only authenticate itself. Therefore, we would have to use the same user to run salt-master and to access the Salt API.
- Create a user foreman-salt with the following properties:
  - no-login
  - has a password
- Put the credentials in /etc/foreman-proxy/settings.d/salt.yml
- Adapt the salt-master config:

    external_auth:
      pam:
        foreman-salt:
          - '@runner'
Remote Execution Runner (Dispatching Salt Jobs)
We run the salt command as the foreman-proxy user to dispatch a remote execution Salt job. In order to execute salt as foreman-proxy, we use the Salt Publisher ACL interface. As mentioned in the introduction, a bug prevents us from calling the salt command if the salt-master runs as root. So this is broken for all latest Salt versions (probably being fixed in the upcoming Salt releases).
When changing to the non-root foreman-salt user, we could add foreman-proxy to the foreman-salt user group, giving it the necessary file permissions to execute the salt command.
- Add foreman-proxy to the foreman-salt user group
Salt-Call (Dispatching Salt Jobs)
The smart proxy calls the salt command for host provisioning tasks and provides a second option for Salt job execution. It uses sudo to switch to a certain user, which is root by default. We change this to foreman-salt:
- Configure salt_command_user in /etc/foreman-proxy/settings.d/salt.yml to be foreman-salt
File Permissions
The foreman-salt user would require certain file permissions:
- r x - /usr/bin/foreman-node
- rw - /var/lib/foreman-proxy/salt/ ← read Salt reactors and write the lock file for foreman-node
- r - /var/share/foreman-proxy/salt ← read autosign grains for host/minion authentication
- r - /srv/salt ← read Salt states/environments and custom Foreman runners
- r - /etc/pki/katello/puppet/* ← configured in foreman.yaml for Foreman API access
- r - /etc/salt/foreman.yaml
- r - /etc/salt/master.d/foreman.conf
- rw - /var/cache/salt ← must be configured once after restarting the salt-master for the first time as foreman-salt. Alternatively: delete the dir before restarting the service
The foreman-node script uses a lock file which must be accessible by the non-root user too:
→ Change the lock file from /var/lock/salt-report-upload.lock to /var/lib/foreman-proxy/salt/salt-report-upload.lock
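As an added example (not code from this post or from the foreman_salt / smart_proxy_salt projects), the following POSIX shell script checks, once the steps above have been applied, whether the service user actually holds the access listed in the table and whether foreman-proxy is in its group, as the remote execution section requires. It assumes the user and group are both called foreman-salt, takes the Katello path to be /etc/pki/katello/puppet, and inspects only the classic mode bits shown by ls -ld (POSIX ACLs and SELinux labels are not considered).

```shell
#!/bin/sh
# Added example for the non-root salt-master proposal; not code from the
# post or the Foreman projects. Audits whether a service user holds the file
# access listed in the table and whether foreman-proxy is in its group.
# Assumptions: user and group are both foreman-salt; the Katello path is
# /etc/pki/katello/puppet; only classic mode bits are inspected.
set -eu

# Required access per path, taken from the post's table: "<needed> <path>"
# with <needed> a subset of r, w and x.
PERM_MATRIX='rx /usr/bin/foreman-node
rw /var/lib/foreman-proxy/salt
r /var/share/foreman-proxy/salt
r /srv/salt
r /etc/pki/katello/puppet
r /etc/salt/foreman.yaml
r /etc/salt/master.d/foreman.conf
rw /var/cache/salt'

# effective_bits USER GROUP PATH: print the rwx triplet that applies to USER:
# the owner bits if USER owns PATH, the group bits if PATH belongs to GROUP,
# otherwise the bits for "other".
effective_bits() {
    line=$(ls -ld "$3")
    mode=$(printf '%s\n' "$line" | cut -c2-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    if [ "$owner" = "$1" ]; then
        printf '%s\n' "$mode" | cut -c1-3
    elif [ "$grp" = "$2" ]; then
        printf '%s\n' "$mode" | cut -c4-6
    else
        printf '%s\n' "$mode" | cut -c7-9
    fi
}

# has_bits NEEDED TRIPLET: succeed only if every letter of NEEDED is set in
# TRIPLET; an execute bit displayed as s (setuid/setgid) counts as set.
has_bits() {
    for want in r w x; do
        case $1 in
            *"$want"*)
                case "$want:$2" in
                    r:r??|w:?w?|x:??[xs]) ;;
                    *) return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# user_in_group USER GROUP: succeed if GROUP is among USER's groups (the post
# adds foreman-proxy to the foreman-salt group so it can run salt).
user_in_group() {
    glist=$(id -Gn "$1" 2>/dev/null) || return 1
    for g in $glist; do
        if [ "$g" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# audit_paths USER GROUP [MATRIX]: print OK, MISSING or ABSENT per path and
# fail if any listed access is missing. An absent path is only reported,
# since e.g. /var/cache/salt may legitimately be deleted before the restart.
audit_paths() {
    matrix=${3:-$PERM_MATRIX}
    failed=0
    while read -r needed path; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "ABSENT  $path"
            continue
        fi
        bits=$(effective_bits "$1" "$2" "$path")
        if has_bits "$needed" "$bits"; then
            echo "OK      $path ($bits, needs $needed)"
        else
            echo "MISSING $path ($bits, needs $needed)"
            failed=1
        fi
    done <<EOF
$matrix
EOF
    return $failed
}

# Usage on the Salt master: sh audit.sh audit
if [ "${1:-}" = audit ]; then
    user_in_group foreman-proxy foreman-salt || echo "MISSING foreman-proxy is not in group foreman-salt"
    audit_paths foreman-salt foreman-salt
fi
```

Run it on the Salt master as sh audit.sh audit: every path is reported as OK, MISSING or ABSENT, and the exit status is non-zero when an access right from the table is missing, which makes it usable as a check after the installer has run.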
I would like to add all the necessary configuration steps for such a user to foreman-installer. We could add an option like salt-non-root to decide which steps must be performed. I would propose the option to be true by default, since Salt ships with a non-root user too.
I’ve also heard from the community (see @Jeff_Sparrow in Unique Hosts in Foreman (salt) - #22 by Jeff_Sparrow) that they might keep running salt-master as root. So, this should always be an option still.
I’d love to hear your thoughts! While writing this up, I was also wondering whether we actually need all three interfaces (Salt API, Salt-Call, and REX Runner) or whether we could reduce it to Salt-Call.