By default, the salt-master process runs as root, which is, first, unnecessary, because a process started by an ordinary user can also listen on the two ports (4505 and 4506 by default), and second, inconvenient: when trying to use auto-completion (for salt* commands), the shell complains that files are inaccessible (in particular, the logs, which it reads for something it needs).

How can salt-master be “taught” to run as an unprivileged user?

    1 answer

    First, you need to change the ownership of some files / directories (but under no circumstances their access permissions!).

    I give the names as used by the package from the Debian GNU/Linux repository; in your build / installation they may differ:

    • /etc/salt/pki - directory with keys for the master and minions
    • /var/cache/salt, /var/run/salt - caches, sockets, etc.
    • /var/log/salt - logs
    • /srv/salt - directory with state descriptions (states) and files accessible via the virtual salt:// protocol

    Accordingly, the command looks like this:

     $ sudo chown -R пользователь /etc/salt/pki /var/cache/salt /var/run/salt /var/log/salt /srv/salt 

    Second, you need to specify this user in the master configuration. Create a file in the /etc/salt/master.d directory with an arbitrary name ending with the .conf suffix (for example, /etc/salt/master.d/user.conf) and put this line in it:

     user: пользователь 

    Done! Now you can restart the salt-master process.


    Identified problems:

    1. When salt* packages are updated, the ownership of some files / directories may be reverted, so after updating it is better to run the above command again.
    2. Each time any of the salt* commands is executed, a line of the following type is added to the log:

      [WARNING] Although '<command>' was found in path, the current user cannot execute it. Grains output might not be accurate.

      In general, do not worry, this is not an error. But, first, these lines “pollute” the logs, making it difficult to find really useful information, and second, the same message pops up on the command line when trying to use auto-completion (for salt* commands).

      At the moment I have found only one way to remove this message: just delete the lines that produce it (fortunately, nothing needs to be [re]compiled).

      They are in a file belonging to the salt-common package, /usr/lib/python2.7/dist-packages/salt/grains/core.py (the path may differ in your build / install). Here is the patch:

       --- a/usr/lib/python2.7/dist-packages/salt/grains/core.py 2016-11-02 08:06:29.000000000 +0000 +++ b/usr/lib/python2.7/dist-packages/salt/grains/core.py 2016-11-28 16:00:16.122461154 +0000 @@ -827,12 +827,6 @@ if os.path.isfile('/var/run/xenconsoled.pid'): grains['virtual_subtype'] = 'Xen Dom0' - for command in failed_commands: - log.warn( - 'Although \'{0}\' was found in path, the current user ' - 'cannot execute it. Grains output might not be ' - 'accurate.'.format(command) - ) return grains this line was added because SO “eats” trailing blank lines. it should not affect the operation of the patch program. 
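Review bot: deleting the whole `for command in failed_commands:` loop removes the message outright, so a run where a grains helper really cannot be executed now leaves no trace in the log at any level. Consider keeping the loop and changing `log.warn(` to `log.debug(`, which quiets normal output but keeps the diagnostic available. Since the edit is made in place in a file under dist-packages that belongs to the salt-common package, a package update can replace the file and the change would have to be re-applied.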

      I won't explain here how to “apply” a patch. Presumably everyone reading this is a programmer and should be able to perform such a basic action.
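For the first problem in the answer (ownership reverting after a salt* package update), a check like the following can be run after upgrades. It is an added example, not part of the original answer: the function names are hypothetical, and the paths are the Debian ones the answer lists.

```shell
#!/bin/sh
# Added example: report files whose owner no longer matches the master's user.
# Directory list and drop-in name are the Debian paths given in the answer.
SALT_DIRS="/etc/salt/pki /var/cache/salt /var/run/salt /var/log/salt /srv/salt"
SALT_USER_CONF="/etc/salt/master.d/user.conf"

# Print the value of the last top-level "user:" key in a master config file.
salt_conf_user() {
    sed -n 's/^user:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" | tail -n 1
}

# Print every path under the given directories that is NOT owned by user $1.
# Returns 0 if ownership is consistent, 1 on drift, 2 if a directory is
# missing or find fails (for example, an unknown user name).
salt_owner_drift() {
    owner=$1; shift
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            rc=2
            continue
        fi
        drift=$(find "$dir" ! -user "$owner" -print) || {
            echo "find failed for $dir (unknown user '$owner'?)" >&2
            rc=2
            continue
        }
        if [ -n "$drift" ]; then
            printf '%s\n' "$drift"
            [ "$rc" -eq 2 ] || rc=1
        fi
    done
    return "$rc"
}

# Only act on a host that has the drop-in file; otherwise just define functions.
if [ -f "$SALT_USER_CONF" ]; then
    run_as=$(salt_conf_user "$SALT_USER_CONF")
    run_as=${run_as:-root}   # salt-master runs as root when no user is set
    # SALT_DIRS is split on spaces on purpose.
    if salt_owner_drift "$run_as" $SALT_DIRS; then
        echo "ownership matches user '$run_as'"
    else
        echo "check failed or ownership drifted: re-run the chown for '$run_as'" >&2
    fi
fi
```

The check only reads ownership, so it leaves the access permissions on /etc/salt/pki and the other directories untouched.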