pool/salt
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 546088 from home:mdinca:branches:systemsmanagement:saltstack

Browse Source 
- Run salt master as dedicated salt user
- Run salt-api as user salt (bsc#1064520)
- Added:
 * run-salt-master-as-dedicated-salt-user.patch
 * run-salt-api-as-user-salt-bsc-1064520.patch

OBS-URL: https://build.opensuse.org/request/show/546088
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=101
This commit is contained in:
Pablo Suárez Hernández 2017-11-27 17:18:19 +00:00 committed by Git OBS Bridge
parent a8f280f24d
commit 77b505ab99
5 changed files with 94 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
_service
View File

@ -1,21 +0,0 @@
<services>
<service name="tar_scm" mode="localonly">
<param name="scm">git</param>
<param name="url">https://github.com/opensuse/salt.git</param>
<param name="exclude">.git</param>
<param name="filename">package</param>
<param name="revision">openSUSE-2017.7.2-python3-only</param>
</service>
<service name="extract_file" mode="localonly">
<param name="archive">*package*.tar</param>
<param name="files">
*/obs/*
*/scripts/suse/zypper/plugins/commit/zyppnotify
</param>
</service>
<service name="verify_file" mode="localonly">
<param name="file">_service:extract_file:salt-2017.7.2.tar.gz</param>
<param name="verifier">sha256</param>
<param name="checksum">ff3bc7de5abf01b8acbd144db5811b00867179b2353f5c6f7f19241e2eff2840</param>
</service>
</services>

24
run-salt-api-as-user-salt-bsc-1064520.patch Normal file
View File

@ -0,0 +1,24 @@
From 8f81bee8d8929cc4cd30dabc7cbc92d2cba9760e Mon Sep 17 00:00:00 2001
From: Christian Lanig <clanig@suse.com>
Date: Mon, 27 Nov 2017 13:10:26 +0100
Subject: [PATCH 2/2] Run salt-api as user salt (bsc#1064520)
---
pkg/salt-api.service | 1 +
1 file changed, 1 insertion(+)
diff --git a/pkg/salt-api.service b/pkg/salt-api.service
index 7ca582dfb4..bf513e4dbd 100644
--- a/pkg/salt-api.service
+++ b/pkg/salt-api.service
@@ -6,6 +6,7 @@ After=network.target
[Service]
Type=notify
NotifyAccess=all
+User=salt
LimitNOFILE=8192
ExecStart=/usr/bin/salt-api
TimeoutStopSec=3
--
2.14.2

46
run-salt-master-as-dedicated-salt-user.patch Normal file
View File

@ -0,0 +1,46 @@
From 3902fe4183d169808b9d248b9b963926035ba954 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= <kkaempf@suse.de>
Date: Wed, 20 Jan 2016 11:01:06 +0100
Subject: [PATCH 1/2] Run salt master as dedicated salt user
* Minion runs always as a root
---
conf/master | 3 ++-
pkg/salt-common.logrotate | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/conf/master b/conf/master
index abfc1fa808..bd28f6d406 100644
--- a/conf/master
+++ b/conf/master
@@ -25,7 +25,8 @@
# permissions to allow the specified user to run the master. The exception is
# the job cache, which must be deleted if this user is changed. If the
# modified files cause conflicts, set verify_env to False.
-#user: root
+user: salt
+syndic_user: salt
# The port used by the communication interface. The ret (return) port is the
# interface used for the file server, authentication, job returns, etc.
diff --git a/pkg/salt-common.logrotate b/pkg/salt-common.logrotate
index 3cd002308e..0d99d1b801 100644
--- a/pkg/salt-common.logrotate
+++ b/pkg/salt-common.logrotate
@@ -1,4 +1,5 @@
/var/log/salt/master {
+ su salt salt
weekly
missingok
rotate 7
@@ -15,6 +16,7 @@
}
/var/log/salt/key {
+ su salt salt
weekly
missingok
rotate 7
--
2.14.2

11
salt.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Mon Nov 27 17:13:03 UTC 2017 - mihai.dinca@suse.com
- Run salt master as dedicated salt user
- Run salt-api as user salt (bsc#1064520)
- Added:
* run-salt-master-as-dedicated-salt-user.patch
* run-salt-api-as-user-salt-bsc-1064520.patch
-------------------------------------------------------------------
Fri Nov 9 10:22:08 UTC 2017 - mdinca@suse.de Fri Nov 9 10:22:08 UTC 2017 - mdinca@suse.de
- Update to 2017.7.2 - Update to 2017.7.2

22
salt.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package salt # spec file for package salt
# #
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -57,10 +57,12 @@ Patch3: multiprocessing-minion-option-documentation-fixes.patch
Patch4: introduce-process_count_max-minion-configuration-par.patch Patch4: introduce-process_count_max-minion-configuration-par.patch
Patch5: bugfix-always-return-a-string-list-on-unknown-job-ta.patch Patch5: bugfix-always-return-a-string-list-on-unknown-job-ta.patch
Patch6: enable-with-salt-version-parameter-for-setup.py-scri.patch Patch6: enable-with-salt-version-parameter-for-setup.py-scri.patch
Patch7: run-salt-master-as-dedicated-salt-user.patch
Patch8: run-salt-api-as-user-salt-bsc-1064520.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: python-rpm-macros
BuildRequires: logrotate BuildRequires: logrotate
BuildRequires: python-rpm-macros
BuildRequires: python3 BuildRequires: python3
BuildRequires: python3-devel BuildRequires: python3-devel
# requirements/base.txt # requirements/base.txt
@ -70,11 +72,11 @@ BuildRequires: python3-jinja2
BuildRequires: python3-Jinja2 BuildRequires: python3-Jinja2
%endif %endif
BuildRequires: python3-MarkupSafe BuildRequires: python3-MarkupSafe
BuildRequires: python3-PyYAML
BuildRequires: python3-msgpack-python > 0.3 BuildRequires: python3-msgpack-python > 0.3
BuildRequires: python3-psutil BuildRequires: python3-psutil
BuildRequires: python3-requests >= 1.0.0 BuildRequires: python3-requests >= 1.0.0
BuildRequires: python3-tornado >= 4.2.1 BuildRequires: python3-tornado >= 4.2.1
BuildRequires: python3-PyYAML
# requirements/zeromq.txt # requirements/zeromq.txt
BuildRequires: python3-pycrypto >= 2.6.1 BuildRequires: python3-pycrypto >= 2.6.1
@ -110,8 +112,8 @@ Requires(pre): dbus-1
Requires(pre): dbus Requires(pre): dbus
%endif %endif
Requires: procps
Requires: logrotate Requires: logrotate
Requires: procps
Requires: python3 Requires: python3
# #
%if ! 0%{?suse_version} > 1110 %if ! 0%{?suse_version} > 1110
@ -119,20 +121,20 @@ Requires: python3-certifi
%endif %endif
# requirements/base.txt # requirements/base.txt
%if 0%{?rhel} %if 0%{?rhel}
Requires: python3-jinja2 Requires: python3-jinja2
Requires: yum Requires: yum
%if 0%{?rhel} == 6 %if 0%{?rhel} == 6
Requires: yum-plugin-security Requires: yum-plugin-security
%endif %endif
%else %else
Requires: python3-Jinja2 Requires: python3-Jinja2
%endif %endif
Requires: python3-MarkupSafe Requires: python3-MarkupSafe
Requires: python3-PyYAML
Requires: python3-msgpack-python > 0.3 Requires: python3-msgpack-python > 0.3
Requires: python3-psutil Requires: python3-psutil
Requires: python3-requests >= 1.0.0 Requires: python3-requests >= 1.0.0
Requires: python3-tornado >= 4.2.1 Requires: python3-tornado >= 4.2.1
Requires: python3-PyYAML
%if 0%{?suse_version} %if 0%{?suse_version}
# required for zypper.py # required for zypper.py
Requires: python3-rpm Requires: python3-rpm
@ -402,6 +404,8 @@ cp %{S:6} ./zyppnotify
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch8 -p1
%build %build
%{__python3} setup.py --salt-transport=both build %{__python3} setup.py --salt-transport=both build