When using the instructions for running development salt here: https://docs.saltproject.io/en/latest/topics/development/contributing.html#running-development-salt, running salt-master under a user that has sudoer privileges results in a permissions error. This appears to occur since running salt-master for the first time creates the pki directory in local/etc/salt that is owned by root, not by the user specified in the master configuration file nor the user under which salt-master is run. The expected behavior would be that the owner of pki should be the user specified in the master configuration file.
Here are the contents of the master configuration file:
user: dnessett
root_dir: /home/dnessett/SaltSource/3006.x/salt/local/
publish_port: 55505
ret_port: 55506
User dnessett (which is also the user under which salt-master is run) has sudoer privileges.
Here is the output of running salt-master for the first time under dnessett:
salt-master '--config-dir=../local/etc/salt/' --log-level=debug
[DEBUG ] Reading configuration from /home/dnessett/SaltSource/3006.x/salt/local/etc/salt/master
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG ] Configuration file path: /home/dnessett/SaltSource/3006.x/salt/local/etc/salt/master
[CRITICAL] Unable to securely set the permissions of "/home/dnessett/SaltSource/3006.x/salt/local/etc/salt/pki/master".
[INFO ] Setting up the Salt Master
[DEBUG ] Marking 'base64_encode' as a jinja filter
[DEBUG ] Marking 'base64_decode' as a jinja filter
[DEBUG ] Marking 'md5' as a jinja filter
[DEBUG ] Marking 'sha1' as a jinja filter
[DEBUG ] Marking 'sha256' as a jinja filter
[DEBUG ] Marking 'sha512' as a jinja filter
[DEBUG ] Marking 'hmac' as a jinja filter
[DEBUG ] Marking 'hmac_compute' as a jinja filter
[DEBUG ] Marking 'random_hash' as a jinja filter
[DEBUG ] Marking 'rand_str' as a jinja filter
[DEBUG ] Marking 'file_hashsum' as a jinja filter
[DEBUG ] Marking 'http_query' as a jinja filter
[DEBUG ] Marking 'ifelse' as a jinja global
[DEBUG ] Marking 'strftime' as a jinja filter
[DEBUG ] Marking 'date_format' as a jinja filter
[DEBUG ] Marking 'raise' as a jinja global
[DEBUG ] Marking 'match' as a jinja test
[DEBUG ] Marking 'equalto' as a jinja test
[DEBUG ] Marking 'skip' as a jinja filter
[DEBUG ] Marking 'sequence' as a jinja filter
[DEBUG ] Marking 'to_bool' as a jinja filter
[DEBUG ] Marking 'indent' as a jinja filter
[DEBUG ] Marking 'tojson' as a jinja filter
[DEBUG ] Marking 'quote' as a jinja filter
[DEBUG ] Marking 'regex_escape' as a jinja filter
[DEBUG ] Marking 'regex_search' as a jinja filter
[DEBUG ] Marking 'regex_match' as a jinja filter
[DEBUG ] Marking 'regex_replace' as a jinja filter
[DEBUG ] Marking 'uuid' as a jinja filter
[DEBUG ] Marking 'unique' as a jinja filter
[DEBUG ] Marking 'min' as a jinja filter
[DEBUG ] Marking 'max' as a jinja filter
[DEBUG ] Marking 'avg' as a jinja filter
[DEBUG ] Marking 'union' as a jinja filter
[DEBUG ] Marking 'intersect' as a jinja filter
[DEBUG ] Marking 'difference' as a jinja filter
[DEBUG ] Marking 'symmetric_difference' as a jinja filter
[DEBUG ] Marking 'method_call' as a jinja filter
[DEBUG ] Marking 'yaml_dquote' as a jinja filter
[DEBUG ] Marking 'yaml_squote' as a jinja filter
[DEBUG ] Marking 'yaml_encode' as a jinja filter
[INFO ] Generating master keys: /home/dnessett/SaltSource/3006.x/salt/local/etc/salt/pki/master
[ERROR ] An un-handled exception was caught by Salt's global exception handler:
OSError: Write access denied to "/home/dnessett/SaltSource/3006.x/salt/local/etc/salt/pki/master" for user "dnessett".
Traceback (most recent call last):
  File "/home/dnessett/.pyenv/versions/3.10.15/bin/salt-master", line 8, in <module>
    sys.exit(salt_master())
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/scripts.py", line 86, in salt_master
    master.start()
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/cli/daemons.py", line 199, in start
    super().start()
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/utils/parsers.py", line 1053, in start
    self.prepare()
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/cli/daemons.py", line 183, in prepare
    self.master = salt.master.Master(self.config)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/master.py", line 548, in __init__
    SMaster.__init__(self, opts)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/master.py", line 99, in __init__
    self.master_key = salt.crypt.MasterKeys(self.opts)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/crypt.py", line 451, in __init__
    self.key = self.get_keys(passphrase=key_pass)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/crypt.py", line 516, in get_keys
    gen_keys(
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/crypt.py", line 156, in gen_keys
    raise OSError(
OSError: Write access denied to "/home/dnessett/SaltSource/3006.x/salt/local/etc/salt/pki/master" for user "dnessett".
Traceback (most recent call last):
  File "/home/dnessett/.pyenv/versions/3.10.15/bin/salt-master", line 8, in <module>
    sys.exit(salt_master())
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/scripts.py", line 86, in salt_master
    master.start()
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/cli/daemons.py", line 199, in start
    super().start()
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/utils/parsers.py", line 1053, in start
    self.prepare()
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/cli/daemons.py", line 183, in prepare
    self.master = salt.master.Master(self.config)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/master.py", line 548, in __init__
    SMaster.__init__(self, opts)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/master.py", line 99, in __init__
    self.master_key = salt.crypt.MasterKeys(self.opts)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/crypt.py", line 451, in __init__
    self.key = self.get_keys(passphrase=key_pass)
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/crypt.py", line 516, in get_keys
    gen_keys(
  File "/home/dnessett/.pyenv/versions/3.10.15/lib/python3.10/site-packages/salt/crypt.py", line 156, in gen_keys
    raise OSError(
OSError: Write access denied to "/home/dnessett/SaltSource/3006.x/salt/local/etc/salt/pki/master" for user "dnessett".
Here is the directory listing for local/etc/salt:
pwd
/home/dnessett/SaltSource/3006.x/salt/local/etc/salt
ls -al
total 20
drwxrwxr-x 3 dnessett dnessett 4096 Nov 21 13:54 .
drwxrwxr-x 3 dnessett dnessett 4096 Nov 15 13:55 ..
-rw-rw-r-- 1 dnessett dnessett 106 Nov 16 18:36 master
-rw-rw-r-- 1 dnessett dnessett 118 Nov 20 11:38 minion
drwxr-xr-x 3 root dnessett 4096 Nov 21 13:54 pki
This can be remediated by specifying and running salt-master (for the first time and subsequently) under a user that does not have sudoer privileges. This is reproducible by installing a fresh salt source tree using git clone, following the instructions for running development salt (link given above) using a non-sudoer user. That works exactly as expected.
Note: here is the output of salt --versions-report. However, while it gives the salt version as 3007.0, that is incorrect. The branch I am working on is 3006.x. There seems to be a problem with salt/version.py. It wasn't updated when 3007 was released. See the end of: https://discord.com/channels/1200072194781368340/1299024966733533306
Salt Version:
Salt: 3007.0

Python Version:
Python: 3.10.15 (main, Oct 14 2024, 13:34:24) [GCC 11.4.0]

Dependency Versions:
cffi: 1.17.1
cherrypy: Not Installed
cryptography: 43.0.3
dateutil: 2.9.0.post0
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 3.1.4
libgit2: Not Installed
looseversion: 1.3.0
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.1.0
msgpack-pure: Not Installed
mysql-python: Not Installed
packaging: 24.1
pycparser: 2.22
pycrypto: Not Installed
pycryptodome: 3.21.0
pygit2: Not Installed
python-gnupg: Not Installed
PyYAML: 6.0.2
PyZMQ: 26.2.0
relenv: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.5

System Versions:
dist: linuxmint 21.3 virginia
locale: utf-8
machine: x86_64
release: 6.8.0-49-generic
system: Linux
version: Linux Mint 21.3 virginia
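A preflight check for the condition reported above (a pki directory the configured `user:` cannot write to), as an added example that is not part of the original report or of Salt's code. The names `can_create_in` and `audit_pki` are hypothetical; the check applies the POSIX owner/group/other class rule directly instead of calling into Salt.

```python
import os
import stat
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "path owner_uid group_gid mode")

def can_create_in(st, uid, gids):
    """True if a process with this uid and group set may create entries in the directory."""
    if uid == 0:
        return True  # root bypasses discretionary permission checks
    if st.st_uid == uid:
        shift = 6  # owner class applies
    elif st.st_gid in gids:
        shift = 3  # group class applies
    else:
        shift = 0  # other class applies
    bits = (st.st_mode >> shift) & 0o7
    need = 0o3  # write + search are both required to add a file
    return bits & need == need

def audit_pki(pki_dir, uid, gids):
    """Return a Finding for every directory under pki_dir that the user cannot write to."""
    findings = []
    for dirpath, _dirnames, _files in os.walk(pki_dir):
        st = os.lstat(dirpath)
        if not can_create_in(st, uid, gids):
            findings.append(
                Finding(dirpath, st.st_uid, st.st_gid, stat.filemode(st.st_mode))
            )
    return findings

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <configured user> <path to pki directory>
    import pwd
    user, pki_dir = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    problems = audit_pki(pki_dir, pw.pw_uid, gids)
    for f in problems:
        print(f"{f.path}: {f.mode} uid={f.owner_uid} gid={f.group_gid} "
              f"not writable by {user}")
    sys.exit(1 if problems else 0)
```

Run against the listing in this report, the `pki` entry (`drwxr-xr-x root dnessett`) is flagged because the group class has no write bit.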