0

I am getting permission denied errors when trying to run the minion as non-root. I created a special user called 'salt-master' and gave it sudo privileges, yet I am still seeing permission denied errors. I am using the salt master and minion on the same server for testing; otherwise the user would be named salt-minion for the client. How do I get salt to use sudo for everything?

/etc/sudoers

# salt-master user allowed root with no password
salt-master ALL=(ALL) NOPASSWD:ALL

/etc/salt/minion

# The user to run salt
#user: root
user: salt-master

/srv/salt/gedit/init.sls

gedit:
  pkg:
    - installed

command

salt 'SaltStack-01' state.sls gedit

command results

SaltStack-01:
----------
          ID: gedit
    Function: pkg.installed
      Result: False
     Comment: The following packages failed to install/update: gedit.
     Changes:   

Summary
------------
Succeeded: 0
Failed:    1
------------
Total:     1

minion logs /var/log/salt/minion

2014-09-17 13:35:05,199 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper refresh' failed with return code: 5
2014-09-17 13:35:05,200 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for refreshing system repositories.
2014-09-17 13:35:05,243 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper --non-interactive install --name --auto-agree-with-licenses "gedit"' failed with return code: 5
2014-09-17 13:35:05,244 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for installing or uninstalling packages.
Ryan Currah
  • I would argue that it beats the purpose. It's not running as root, but still has unlimited privileges. Unless you lock it down, saying it can do _some_ things with sudo (install packages, i.e.), but not everything. Still need to do some patching with the salt packages I think. – sastorsl Sep 17 '14 at 18:05
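
The sudoers rule in the question and the lock-down raised in the comment above, as an added example that is not part of the original thread: a small Python check that flags sudoers grants amounting to full root. It assumes one-line rules without aliases or line continuations; the `salt-minion` and `backup` rules and the name `audit_sudoers` are constructed for illustration.

```python
import re

# Constructed sample: line 2 is the rule from the question; the other
# rules are hypothetical narrower grants added for comparison.
SAMPLE_SUDOERS = """\
# salt-master user allowed root with no password
salt-master ALL=(ALL) NOPASSWD:ALL
salt-minion ALL=(root) NOPASSWD: /usr/bin/zypper refresh, /usr/bin/zypper install *
backup ALL=(root) /usr/bin/rsync, NOPASSWD: /usr/bin/du
Defaults env_reset
"""

# user host = (runas) command-list -- one-line rules only (assumption)
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")


def audit_sudoers(text):
    """Return (line_no, user, issue) for grants that amount to full root."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = SPEC.match(line)
        if not m:
            continue
        user, _runas, cmds = m.groups()
        nopasswd = False  # tags persist across the comma-separated list
        for cmd in cmds.split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if cmd == "ALL":
                issue = "all commands" + (", no password" if nopasswd else "")
                findings.append((line_no, user, issue))
            elif nopasswd and "*" in cmd:
                findings.append(
                    (line_no, user, "wildcard in passwordless command: " + cmd))
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On the sample, the rule from the question is reported as a passwordless grant of all commands, and the hypothetical zypper rule is reported because its wildcard still lets the account install any package without a password.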

1 Answer

3

http://docs.saltstack.com/en/latest/ref/configuration/nonroot.html

The minion has its own user parameter as well, but running the minion as an unprivileged user will keep it from making changes to things like users, installed packages, etc. unless access controls (sudo, etc.) are set up on the minion to permit the non-root user to make the needed changes.

In order to allow Salt to successfully run as a non-root user, ownership and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):

Josh Correia
sastorsl
  • I have already read/done that and checked the permissions; they are all under 'salt-master'. I ran `chown -R salt-master /etc/salt /var/cache/salt /var/log/salt /var/run/salt` – Ryan Currah Sep 17 '14 at 17:56
  • So basically you want to let your "salt-master" user automatically run everything with "sudo" first? – sastorsl Sep 17 '14 at 17:57
  • Yes, that would be the goal. Unless there is another way to run the salt-minion without using root user. – Ryan Currah Sep 17 '14 at 17:59
  • https://groups.google.com/forum/#!topic/salt-users/0D0fUjmFxAU, which involves patching cmd.run. – sastorsl Sep 17 '14 at 18:01
  • Do you know if this works properly "officially" with the latest release of salt? – Shikhar Jul 28 '15 at 22:19