[Pkg-salt-team] Bug#919231: Salt-master unable to access directories
Benjamin Drung
benjamin.drung at cloud.ionos.com
Wed Feb 6 18:19:14 GMT 2019
reassign 919231 systemd 240-5
retitle 919231 CacheDirectory/StateDirectory does not change owner/group
thanks
Hi Stijn,
your bug description was enough for me to reproduce this misbehavior
and track it down to systemd not behaving like the documentation
describes:
StateDirectory=, CacheDirectory=
Except in case of ConfigurationDirectory=, the innermost specified
directories will be owned by the user and group specified in User=
and Group=. If the specified directories already exist and their
owning user or group do not match the configured ones, all files
and directories below the specified directories as well as the
directories themselves will have their file ownership recursively
changed to match what is configured. As an optimization, if the
specified directories are already owned by the right user and
group, files and directories below of them are left as-is, even
if they do not match what is requested.
The salt-master systemd service is configured to use
/var/lib/salt/pki/master and /var/cache/salt/master as state and cache
directory. salt should change the ownership, but it does not. Steps to
reproduce:
Take a minimal Debian 9 installation and:
```
root@debian:~# apt install salt-master
root@debian:~# sed -i 's/stretch/buster/g' /etc/apt/sources.list
root@debian:~# apt upgrade
[...]
Setting up salt-master (2018.3.3+dfsg1-2) ...
Installing new version of config file /etc/salt/master ...
Job for salt-master.service failed because the control process exited
with error code.
See "systemctl status salt-master.service" and "journalctl -xe" for
details.
invoke-rc.d: initscript salt-master, action "restart" failed.
● salt-master.service - The Salt Master Server
Loaded: loaded (/lib/systemd/system/salt-master.service; enabled;
vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2019-02-06 16:16:37
UTC; 8ms ago
Docs: man:salt-master(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html
Process: 31417 ExecStart=/usr/bin/salt-master (code=exited,
status=13)
Main PID: 31417 (code=exited, status=13)
Feb 06 16:16:37 debian systemd[1]: Starting The Salt Master Server...
Feb 06 16:16:37 debian salt-master[31417]: Failed to create directory
path "/var/lib/salt/pki/master/minions" - [Errno 13] Permission denied:
'/var/lib/salt/pki/master/minions'
Feb 06 16:16:37 debian systemd[1]: salt-master.service: Main process
exited, code=exited, status=13/n/a
Feb 06 16:16:37 debian systemd[1]: salt-master.service: Failed with
result 'exit-code'.
Feb 06 16:16:37 debian systemd[1]: Failed to start The Salt Master
Server.
dpkg: error processing package salt-master (--configure):
installed salt-master package post-installation script subprocess
returned error exit status 1
[...]
```
Instead of doing an upgrade test, you can just do the test on testing
by stopping salt-master, changing the permission to root and starting
salt-master.
```
root@debian:~# systemctl cat salt-master.service
# /lib/systemd/system/salt-master.service
[Unit]
Description=The Salt Master Server
Documentation=man:salt-master(1)
file:///usr/share/doc/salt/html/contents.html
https://docs.saltstack.com/en/latest/contents.html
After=network.target
[Service]
LimitNOFILE=100000
Type=notify
NotifyAccess=all
ExecStart=/usr/bin/salt-master
User=salt
Group=salt
CacheDirectory=salt/master
RuntimeDirectory=salt
StateDirectory=salt/pki/master
[Install]
WantedBy=multi-user.target
root@debian:~# ls -ld /var/lib/salt /var/lib/salt/pki /var/lib/salt/pki/master
drwxr-xr-x 3 salt salt 4096 Feb 6 16:16 /var/lib/salt
drwxr-xr-x 3 root root 4096 Feb 6 16:16 /var/lib/salt/pki
drwx------ 7 root root 4096 Feb 6 16:10 /var/lib/salt/pki/master
root@debian:~# ls -ld /var/cache/salt /var/cache/salt/master
drwxr-xr-x 3 root root 4096 Feb 6 16:10 /var/cache/salt
drwxr-xr-x 8 root root 4096 Feb 6 16:11 /var/cache/salt/master
root@debian:~# dpkg -l | grep systemd | sed 's/ \+amd64 .*$//'
ii libnss-systemd:amd64 240-5
ii libpam-systemd:amd64 240-5
ii libsystemd0:amd64 240-5
ii python-systemd 234-2+b1
ii python3-systemd 234-2+b1
ii systemd 240-5
ii systemd-sysv 240-5
```
The workaround is to manually change the owner/group to salt:
```
root@debian:~# chown -R salt:salt /var/lib/salt/pki/master /var/cache/salt/master
root@debian:~# systemctl start salt-master
```
--
Benjamin Drung
System Developer
Debian & Ubuntu Developer
1&1 IONOS Cloud GmbH | Greifswalder Str. 207 | 10405 Berlin | Germany
E-mail: benjamin.drung at cloud.ionos.com | Web: www.ionos.de
Head Office: Berlin, Germany
District Court Berlin Charlottenburg, Registration number: HRB 125506 B
Executive Management: Christoph Steffens, Matthias Steinberg, Achim
Weiss
Member of United Internet
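An added example, not part of the original message and not code from the salt or systemd projects: a Python check for the ownership mismatch reported above, comparing the innermost StateDirectory=/CacheDirectory= paths with User=/Group=. The function names, the `root` parameter and the sample unit text (constructed from the unit shown in the message) are this example's own, and it assumes the unit sets both User= and Group= explicitly.

```python
import grp
import os
import pwd

BASES = {"StateDirectory": "var/lib", "CacheDirectory": "var/cache"}  # systemd.exec(5)
# Constructed sample: the relevant [Service] settings from the unit in the message.
SAMPLE_UNIT = """\
[Service]
User=salt
Group=salt
CacheDirectory=salt/master
StateDirectory=salt/pki/master
"""


def parse_service(unit_text):
    """Return (user, group, [(setting, relative_dir), ...]) from [Service]."""
    ids, dirs, section = {}, [], None
    for line in map(str.strip, unit_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (s.strip() for s in line.split("=", 1))
            if key in BASES:
                dirs += [(key, d) for d in value.split()]
            else:
                ids[key] = value
    return ids.get("User"), ids.get("Group"), dirs


def owner_of(path):
    """Owner and group names of path."""
    st = os.stat(path)
    try:
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # no passwd/group entry: report numeric ids instead
        return str(st.st_uid), str(st.st_gid)


def ownership_mismatches(unit_text, root="/"):
    """(path, actual, expected) for configured directories with the wrong owner."""
    user, group, dirs = parse_service(unit_text)
    paths = [os.path.join(root, BASES[key], rel) for key, rel in dirs]
    return [(p, owner_of(p), (user, group)) for p in paths
            if os.path.isdir(p) and owner_of(p) != (user, group)]


if __name__ == "__main__":
    print(*ownership_mismatches(SAMPLE_UNIT), sep="\n")
```

Only the innermost directory of each setting is checked, which is the one the quoted documentation says is owned by User= and Group=; a root-owned parent such as /var/lib/salt/pki is not reported.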