Salt minion how to elevate non-root user with sudo?

Question:

I am getting permission denied errors when trying to run the minion as non-root. I created a special user called ‘salt-master’ and gave it sudo privileges, yet I am still seeing permission denied errors. I am using the salt master and minion on the same server for testing; otherwise the user would be named salt-minion for the client. How do I get salt to use sudo for everything?

/etc/sudoers

# salt-master user allowed root with no password
salt-master ALL=(ALL) NOPASSWD:ALL

/etc/salt/minion

# The user to run salt
#user: root
user: salt-master

/srv/salt/gedit/init.sls

gedit:
  pkg:
    - installed

command

salt 'SaltStack-01' state.sls gedit

command results

SaltStack-01:
----------
          ID: gedit
    Function: pkg.installed
      Result: False
     Comment: The following packages failed to install/update: gedit.
     Changes:   

Summary
------------
Succeeded: 0
Failed:    1
------------
Total:     1

minion logs /var/log/salt/minion

2014-09-17 13:35:05,199 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper refresh' failed with return code: 5
2014-09-17 13:35:05,200 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for refreshing system repositories.
2014-09-17 13:35:05,243 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper --non-interactive install --name --auto-agree-with-licenses "gedit"' failed with return code: 5
2014-09-17 13:35:05,244 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for installing or uninstalling packages.
Asked By: Ryan Currah


Answers:

http://docs.saltstack.com/en/latest/ref/configuration/nonroot.html

The minion has its own user parameter as well, but running the minion as an unprivileged user will keep it from making changes to things like users, installed packages, etc. unless access controls (sudo, etc.) are set up on the minion to permit the non-root user to make the needed changes.

In order to allow Salt to successfully run as a non-root user, ownership and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):

Answered By: sastorsl
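
One way to set up the sudo access control the answer refers to, as an added example that is not part of the original question or answer: it stages a sudoers rule limited to `salt-call` next to the question's blanket `NOPASSWD:ALL`, plus minion settings using Salt's `sudo_user` option. Assumptions not found on the page: the `salt-call` path, the staging file names, and an installed Salt release that supports `sudo_user`.

```shell
#!/usr/bin/env bash
# Added example: stage a sudoers rule and minion settings for a non-root minion.
# Files go to a staging directory for review; nothing under /etc is touched.
set -eu

# Assumptions (not from the page): salt-call is at /usr/bin/salt-call and the
# installed Salt release supports the sudo_user minion option.
SALT_USER="${SALT_USER:-salt-master}"
SALT_CALL="${SALT_CALL:-/usr/bin/salt-call}"

# Sudoers rule: the minion user may run only salt-call, and only as root,
# instead of the question's blanket "ALL=(ALL) NOPASSWD:ALL".
render_sudoers() {
  printf '%s ALL=(root) NOPASSWD: %s\n' "$SALT_USER" "$SALT_CALL"
}

# Minion settings: daemon runs unprivileged, module calls go through sudo.
render_minion_conf() {
  printf 'user: %s\nsudo_user: root\n' "$SALT_USER"
}

# Reject values that could smuggle extra sudoers syntax into the rule.
validate_inputs() {
  case "$SALT_USER" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  case "$SALT_CALL" in /*) ;; *) return 1 ;; esac
  case "$SALT_CALL" in *[!A-Za-z0-9_./-]*) return 1 ;; esac
}

# Write both fragments under $1 and syntax-check the sudoers rule.
stage_configs() {
  dest="$1"
  validate_inputs || { echo "unsafe SALT_USER or SALT_CALL" >&2; return 1; }
  mkdir -p "$dest/sudoers.d" "$dest/minion.d"
  rm -f "$dest/sudoers.d/salt-minion"
  render_sudoers > "$dest/sudoers.d/salt-minion"
  chmod 0440 "$dest/sudoers.d/salt-minion"
  render_minion_conf > "$dest/minion.d/sudo.conf"
  # visudo -c -f parses the file without installing it (skipped if absent).
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$dest/sudoers.d/salt-minion" >/dev/null
  fi
}

# Usage: ./stage-salt-sudo.sh /tmp/salt-staging
if [ "$#" -gt 0 ]; then stage_configs "$1"; fi
```

The account remains root-equivalent through `salt-call`, which can run any execution module; the gain is that the long-running minion daemon is unprivileged and sudo no longer permits arbitrary commands for that user.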