[Pkg-salt-team] Bug#919231: Salt-master unable to access directories

Benjamin Drung benjamin.drung at cloud.ionos.com
Wed Feb 6 18:19:14 GMT 2019


reassign 919231 systemd 240-5
retitle 919231 CacheDirectory/StateDirectory does not change owner/group
thanks

Hi Stijn,

Your bug description was enough for me to reproduce this misbehavior
and track it down to systemd not behaving like the documentation
describes:

  StateDirectory=, CacheDirectory=
    Except in case of ConfigurationDirectory=, the innermost specified
    directories will be owned by the user and group specified in User=
    and Group=. If the specified directories already exist and their
    owning user or group do not match the configured ones, all files
    and directories below the specified directories as well as the
    directories themselves will have their file ownership recursively
    changed to match what is configured. As an optimization, if the
    specified directories are already owned by the right user and
    group, files and directories below of them are left as-is, even
    if they do not match what is requested.

The salt-master systemd service is configured to use
/var/lib/salt/pki/master and /var/cache/salt/master as state and cache
directory. salt should change the ownership, but it does not. Steps to
reproduce:

Take a minimal Debian 9 installation and:

```
root@debian:~# apt install salt-master
root@debian:~# sed -i 's/stretch/buster/g' /etc/apt/sources.list
root@debian:~# apt upgrade
[...]
Setting up salt-master (2018.3.3+dfsg1-2) ...
Installing new version of config file /etc/salt/master ...
Job for salt-master.service failed because the control process exited with error code.
See "systemctl status salt-master.service" and "journalctl -xe" for details.
invoke-rc.d: initscript salt-master, action "restart" failed.
● salt-master.service - The Salt Master Server
   Loaded: loaded (/lib/systemd/system/salt-master.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2019-02-06 16:16:37 UTC; 8ms ago
     Docs: man:salt-master(1)
           file:///usr/share/doc/salt/html/contents.html
           https://docs.saltstack.com/en/latest/contents.html
  Process: 31417 ExecStart=/usr/bin/salt-master (code=exited, status=13)
 Main PID: 31417 (code=exited, status=13)

Feb 06 16:16:37 debian systemd[1]: Starting The Salt Master Server...
Feb 06 16:16:37 debian salt-master[31417]: Failed to create directory path "/var/lib/salt/pki/master/minions" - [Errno 13] Permission denied: '/var/lib/salt/pki/master/minions'
Feb 06 16:16:37 debian systemd[1]: salt-master.service: Main process exited, code=exited, status=13/n/a
Feb 06 16:16:37 debian systemd[1]: salt-master.service: Failed with result 'exit-code'.
Feb 06 16:16:37 debian systemd[1]: Failed to start The Salt Master Server.
dpkg: error processing package salt-master (--configure):
 installed salt-master package post-installation script subprocess returned error exit status 1
[...]
```

Instead of doing an upgrade test, you can just do the test on testing
by stopping salt-master, changing the permission to root and starting
salt-master.

```
root@debian:~# systemctl cat salt-master.service
# /lib/systemd/system/salt-master.service
[Unit]
Description=The Salt Master Server
Documentation=man:salt-master(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
After=network.target

[Service]
LimitNOFILE=100000
Type=notify
NotifyAccess=all
ExecStart=/usr/bin/salt-master
User=salt
Group=salt
CacheDirectory=salt/master
RuntimeDirectory=salt
StateDirectory=salt/pki/master

[Install]
WantedBy=multi-user.target
root@debian:~# ls -ld /var/lib/salt /var/lib/salt/pki /var/lib/salt/pki/master
drwxr-xr-x 3 salt salt 4096 Feb  6 16:16 /var/lib/salt
drwxr-xr-x 3 root root 4096 Feb  6 16:16 /var/lib/salt/pki
drwx------ 7 root root 4096 Feb  6 16:10 /var/lib/salt/pki/master
root@debian:~# ls -ld /var/cache/salt /var/cache/salt/master
drwxr-xr-x 3 root root 4096 Feb  6 16:10 /var/cache/salt
drwxr-xr-x 8 root root 4096 Feb  6 16:11 /var/cache/salt/master
root@debian:~# dpkg -l | grep systemd | sed 's/ \+amd64 .*$//'
ii  libnss-systemd:amd64          240-5
ii  libpam-systemd:amd64          240-5
ii  libsystemd0:amd64             240-5
ii  python-systemd                234-2+b1
ii  python3-systemd               234-2+b1
ii  systemd                       240-5
ii  systemd-sysv                  240-5
```

The workaround is to manually change the owner/group to salt:

```
root@debian:~# chown -R salt:salt /var/lib/salt/pki/master /var/cache/salt/master
root@debian:~# systemctl start salt-master
```

-- 
Benjamin Drung
System Developer
Debian & Ubuntu Developer

1&1 IONOS Cloud GmbH | Greifswalder Str. 207 | 10405 Berlin | Germany
E-mail: benjamin.drung at cloud.ionos.com | Web: www.ionos.de

Head Office: Berlin, Germany
District Court Berlin Charlottenburg, Registration number: HRB 125506 B
Executive Management: Christoph Steffens, Matthias Steinberg, Achim
Weiss

Member of United Internet
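
Added example, not part of the original message: a Python check that reads `User=`, `Group=`, `StateDirectory=` and `CacheDirectory=` from a unit and reports the innermost managed directories whose owner differs from the configured one, which is the condition shown in the `ls -ld` output above. The function names, the `UNIT` and `OBSERVED` samples (transcribed from the message) and the injectable `owner_of` lookup are assumptions of this example; an unset `User=` or `Group=` is treated as root for simplicity.

```python
import grp, os, pwd

# Where systemd roots these settings for system units (systemd.exec(5)).
BASES = {"StateDirectory": "/var/lib", "CacheDirectory": "/var/cache"}

# [Service] settings from the unit shown in the message.
UNIT = """[Service]
User=salt
Group=salt
CacheDirectory=salt/master
RuntimeDirectory=salt
StateDirectory=salt/pki/master
"""
# Owners transcribed from the `ls -ld` output in the message.
OBSERVED = {"/var/lib/salt/pki/master": ("root", "root"),
            "/var/cache/salt/master": ("root", "root")}

def parse_service(unit_text):
    """Collect key -> list of values from the [Service] section."""
    section, settings = None, {}
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).extend(value.split())
    return settings

def stat_owner(path):
    """(user, group) of path on the live system, or None if it is missing."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name

def ownership_mismatches(unit_text, owner_of=stat_owner):
    """Return (path, actual, expected) for managed dirs with the wrong owner."""
    s = parse_service(unit_text)
    # Simplification (assumption): an unset User=/Group= is treated as root.
    expected = (s.get("User", ["root"])[-1], s.get("Group", ["root"])[-1])
    found = []
    for key, base in BASES.items():
        for rel in s.get(key, []):
            actual = owner_of(os.path.join(base, rel))
            if actual is not None and actual != expected:
                found.append((os.path.join(base, rel), actual, expected))
    return found
```

Calling `ownership_mismatches(UNIT, OBSERVED.get)` replays the state from the message; on a live host, pass the output of `systemctl cat salt-master.service` and omit the second argument.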


