saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0

[BUG] minion does not respect systemd UMask 022 #66055

Open davama opened 8 months ago

davama commented 8 months ago

Description

Posted details of the issue here: https://groups.google.com/g/salt-users/c/5DEzzb5xLq4

I can gladly paste it here if that is the desire.

Setup

Please be as specific as possible and give set-up details.

Steps to Reproduce the behavior

Set UMask=022 on the salt-minion.service file, restart the service, and see salt minion1 cmd.run 'umask' report 077 instead. When I create a file on all the minions, the permissions are mixed:

salt \* cmd.run "ls -al file1.txt"
jid: 20240213155817815117
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-------. 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw-r--r-- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:57 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt
<redactedminion_name>:
    -rw------- 1 root root 0 Feb 13 15:58 file1.txt

Expected behavior

cmd.run 'umask' should report 022, and newly created file permissions should also be according to the umask set. salt minion1 cmd.run 'touch file.txt', salt minion1 cmd.run 'ls -al file.txt'

Screenshots

If applicable, add screenshots to help explain your problem.

Versions Report

salt --versions-report (master inside docker)

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```yaml
Salt Version:
  Salt: 3006.6

Python Version:
  Python: 3.9.18 (main, Jan 27 2024, 07:41:26)

Dependency Versions:
  cffi: 1.16.0
  cherrypy: unknown
  dateutil: 2.8.2
  docker-py: Not Installed
  gitdb: Not Installed
  gitpython: Not Installed
  Jinja2: 3.1.3
  libgit2: Not Installed
  looseversion: 1.3.0
  M2Crypto: Not Installed
  Mako: Not Installed
  msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
  packaging: 23.2
  pycparser: 2.21
  pycrypto: Not Installed
  pycryptodome: 3.20.0
  pygit2: Not Installed
  python-gnupg: Not Installed
  PyYAML: 6.0.1
  PyZMQ: 25.1.2
  relenv: Not Installed
  smmap: Not Installed
  timelib: Not Installed
  Tornado: 4.5.3
  ZMQ: 4.3.4

Salt Extensions:
  salt-nornir: 0.21.0

System Versions:
  dist: alpine 3.19.1
  locale: utf-8
  machine: x86_64
  release: 5.14.0-362.18.1.el9_3.x86_64
  system: Linux
  version: Alpine Linux 3.19.1
```

salt-minion --versions-report (minion rocky8)

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```yaml
Salt Version:
  Salt: 3006.6

Python Version:
  Python: 3.9.18 (main, Nov 18 2023, 01:00:14)

Dependency Versions:
  cffi: 1.15.1
  cherrypy: 18.8.0
  dateutil: 2.8.2
  docker-py: 6.1.3
  gitdb: 4.0.10
  gitpython: 3.1.31
  Jinja2: 3.1.2
  libgit2: Not Installed
  looseversion: 1.2.0
  M2Crypto: Not Installed
  Mako: Not Installed
  msgpack: 1.0.5
  msgpack-pure: Not Installed
  mysql-python: Not Installed
  packaging: 23.1
  pycparser: 2.21
  pycrypto: Not Installed
  pycryptodome: 3.18.0
  pygit2: Not Installed
  python-gnupg: 0.5.0
  PyYAML: 5.4.1
  PyZMQ: 25.0.2
  relenv: Not Installed
  smmap: 5.0.0
  timelib: Not Installed
  Tornado: 4.5.3
  ZMQ: 4.3.4

System Versions:
  dist: rocky 8.8 Green Obsidian
  locale: utf-8
  machine: x86_64
  release: 4.18.0-477.15.1.el8_8.x86_64
  system: Linux
  version: Rocky Linux 8.8 Green Obsidian
```

salt-minion --versions-report (minion rocky9)

(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```yaml
Salt Version:
  Salt: 3006.6

Python Version:
  Python: 3.9.18 (main, Jan 4 2024, 00:00:00)

Dependency Versions:
  cffi: Not Installed
  cherrypy: Not Installed
  dateutil: 2.8.1
  docker-py: 6.1.3
  gitdb: Not Installed
  gitpython: Not Installed
  Jinja2: 3.1.2
  libgit2: Not Installed
  looseversion: 1.3.0
  M2Crypto: Not Installed
  Mako: Not Installed
  msgpack: 1.0.5
  msgpack-pure: Not Installed
  mysql-python: Not Installed
  packaging: 23.1
  pycparser: Not Installed
  pycrypto: Not Installed
  pycryptodome: 3.18.0
  pygit2: Not Installed
  python-gnupg: 0.5.1
  PyYAML: 6.0.1
  PyZMQ: 25.0.2
  relenv: Not Installed
  smmap: Not Installed
  timelib: Not Installed
  Tornado: 4.5.3
  ZMQ: 4.3.4

System Versions:
  dist: rocky 9.3 Blue Onyx
  locale: utf-8
  machine: x86_64
  release: 5.14.0-362.18.1.el9_3.x86_64
  system: Linux
  version: Rocky Linux 9.3 Blue Onyx
```

Additional context

As stated in the Google Groups link, I get mixed results. Sometimes after a service restart or a stop/start, salt-minion reports the correct umask as declared in the service file, but other times it does not. I have to continually restart the minion service until it finally consistently reports umask as 022.

davama commented 7 months ago

Just to update:

Upgraded minions and master to v3007.0 via pip and still had this issue with some of my minions not running with umask=022.

After running the below several times on affected minions, umask is now 022:

pkill salt-minion; systemctl stop salt-minion; sleep 5 ; systemctl restart salt-minion

davama commented 7 months ago

Update

Had to revert to 3006.7 because many of my minions would no longer be responding.

See minion logs below:

2024-04-04 09:08:51,647 [salt.loader.salt.nwk.jwm2.net.int.module.cmdmod][INFO    ]  Executing command /usr/bin/systemctl in directory '/root'
2024-04-04 09:08:51,647 [salt.beacons     ][ERROR   ]  Unable to start service beacon, Unable to run command '['/usr/bin/systemctl', 'is-active', 'named.service']' with the context '{'cwd': '/root', 'shell': False, 'env': {'LANG': 'en_US.UTF-8', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin', 'HOME': '/root', 'LOGNAME': 'root', 'USER': 'root', 'SHELL': '/bin/sh', 'INVOCATION_ID': '196a8e9e7364478181aae374f17a9d2e', 'JOURNAL_STREAM': '9:1100733466', 'PY3VE_IGNORE_UPDATER': '1', 'LC_CTYPE': 'C', 'LC_NUMERIC': 'C', 'LC_TIME': 'C', 'LC_COLLATE': 'C', 'LC_MONETARY': 'C', 'LC_MESSAGES': 'C', 'LC_PAPER': 'C', 'LC_NAME': 'C', 'LC_ADDRESS': 'C', 'LC_TELEPHONE': 'C', 'LC_MEASUREMENT': 'C', 'LC_IDENTIFICATION': 'C', 'LANGUAGE': 'C'}, 'stdin': None, 'stdout': -1, 'stderr': -2, 'with_communicate': True, 'timeout': None, 'bg': False, 'close_fds': True}', reason: [Errno 24] Too many open files
2024-04-04 09:08:51,648 [tornado.application][ERROR   ]  Exception in callback <function Minion.setup_beacons.<locals>.handle_beacons at 0x7fb6d5cc6820>
Traceback (most recent call last):
  File "/usr/local/lib64/python3.9/site-packages/tornado/ioloop.py", line 937, in _run
    val = self.callback()
  File "/usr/local/lib/python3.9/site-packages/salt/minion.py", line 3066, in handle_beacons
    event.fire_event({"beacons": beacons}, "__beacons_return")
  File "/usr/local/lib/python3.9/site-packages/salt/utils/event.py", line 765, in fire_event
    if not self.connect_pull(timeout=timeout_s):
  File "/usr/local/lib/python3.9/site-packages/salt/utils/event.py", line 379, in connect_pull
    self.pusher = salt.utils.asynchronous.SyncWrapper(
  File "/usr/local/lib/python3.9/site-packages/salt/utils/asynchronous.py", line 61, in __init__
    self.asyncio_loop = asyncio.new_event_loop()
  File "/usr/lib64/python3.9/asyncio/events.py", line 761, in new_event_loop
    return get_event_loop_policy().new_event_loop()
  File "/usr/lib64/python3.9/asyncio/events.py", line 659, in new_event_loop
    return self._loop_factory()
  File "/usr/lib64/python3.9/asyncio/unix_events.py", line 54, in __init__
    super().__init__(selector)
  File "/usr/lib64/python3.9/asyncio/selector_events.py", line 53, in __init__
    selector = selectors.DefaultSelector()
  File "/usr/lib64/python3.9/selectors.py", line 350, in __init__
    self._selector = self._selector_cls()
OSError: [Errno 24] Too many open files

This of course causes me to pkill/stop/restart the salt-minion process until umask=022...
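
Added example, not part of the issue thread or Salt's own code: a shell check that compares the UMask systemd reports for the unit with the `Umask` field of each running minion process, and shows the file mode each process would produce (0644 under 022, 0600 under 077, matching the mixed `ls` output above). It assumes Linux 4.7 or later (where `/proc/<pid>/status` exposes `Umask`), `systemctl show --value`, and `pgrep`; all function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Salt.

# Print the Umask field of a /proc/<pid>/status-style file; fail if absent.
umask_from_status() {
    awk '$1 == "Umask:" { print $2; found = 1 } END { exit !found }' "$1"
}

# Succeed when two octal umask strings are equal (0022 == 022 == 22).
umask_matches() {
    [ "$(printf '%d' "0$1")" -eq "$(printf '%d' "0$2")" ]
}

# Mode a plain file gets from open(..., 0666) under the given umask.
file_mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~$(printf '%d' "0$1") ))
}

# Compare the unit's configured UMask with every process matching a pattern.
# Prints one line per process and returns 1 if any process deviates.
audit_unit() {
    unit=$1 pattern=$2 rc=0
    want=$(systemctl show -p UMask --value "$unit") || return 2
    for pid in $(pgrep -f "$pattern"); do
        have=$(umask_from_status "/proc/$pid/status") || continue
        if umask_matches "$want" "$have"; then
            state=ok
        else
            state=MISMATCH
            rc=1
        fi
        mode=$(file_mode_for_umask "$have")
        echo "pid=$pid umask=$have unit_umask=$want new_file_mode=$mode $state"
    done
    return $rc
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_unit salt-minion.service salt-minion
fi
```

Run it as root on a minion with `--run`; a `MISMATCH` line identifies a process whose umask differs from the unit's `UMask=` setting.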