Run salt master as non root user.

The salt master service should not run as root. Run it as salt instead. Change-Id: Ia5cdedf8c98684e25c5d88c59130cae3361c9fc3 Reviewed-on: https://review.openstack.org/14311 Approved: James E. Blair <corvus@inaugust.com> Reviewed-by: James E. Blair <corvus@inaugust.com> Tested-by: Jenkins
2012-10-10 14:17:12 -07:00 · 2012-10-10 14:17:12 -07:00 · cd64a94b4c
commit cd64a94b4c
parent a54bdc86b0
2 changed files with 26 additions and 2 deletions
--- a/modules/salt/manifests/master.pp
+++ b/modules/salt/manifests/master.pp
@ -18,6 +18,27 @@ class salt::master {
    require => Apt::Ppa['ppa:saltstack/salt'],
  }

+  group { 'salt':
+    ensure => present,
+    system => true,
+  }
+
+  user { 'salt':
+    ensure => present,
+    gid    => 'salt',
+    home   => '/home/salt',
+    shell  => '/bin/bash',
+    system => true,
+  }
+
+  file { '/home/salt':
+    ensure  => directory,
+    owner   => 'salt',
+    group   => 'salt',
+    mode    => '0755',
+    require => User['salt'],
+  }
+
  file { '/etc/salt/master':
    ensure => present,
    owner   => 'root',
@ -31,7 +52,10 @@ class salt::master {
  service { 'salt-master':
    ensure    => running,
    enable    => true,
-    require   => File['/etc/salt/master'],
+    require   => [
+      User['salt'],
+      File['/etc/salt/master'],
+    ],
    subscribe => [
      Package['salt-master'],
      File['/etc/salt/master'],
--- a/modules/salt/templates/master.erb
+++ b/modules/salt/templates/master.erb
@ -18,7 +18,7 @@
 # The user to run the salt-master as. Salt will update all permissions to
 # allow the specified user to run the master. If the modified files cause
 # conflicts set verify_env to False.
-#user: root
+user: salt

 # Max open files
 # Each minion connecting to the master uses AT LEAST one file descriptor, the