Bug#919231: Salt-master unable to access directories

Stijn Segers stijn.segers at protonmail.com
Thu Feb 7 18:46:28 GMT 2019


Thanks, that workaround fixes it indeed.

Verzonden met ProtonMail Mobile

-------- Oorspronkelijk bericht --------
Aan 6 feb. 2019 19:19, Benjamin Drung schreef:

> reassign 919231 systemd 240-5
> retitle 919231 CacheDirectory/StateDirectory does not change owner/group
> thanks
>
> Hi Stijn,
>
> your bug description was enough for me to reproduce this misbehavior
> and tracked it down to systemd not behaving like the documentation
> describes:
>
> StateDirectory=, CacheDirectory=
> Except in case of ConfigurationDirectory=, the innermost specified
> directories will be owned by the user and group specified in User=
> and Group=. If the specified directories already exist and their
> owning user or group do not match the configured ones, all files
> and directories below the specified directories as well as the
> directories themselves will have their file ownership recursively
> changed to match what is configured. As an optimization, if the
> specified directories are already owned by the right user and
> group, files and directories below of them are left as-is, even
> if they do not match what is requested.
>
> The salt-master systemd service is configured to use
> /var/lib/salt/pki/master and /var/cache/salt/master as state and cache
> directory. salt should change the ownership, but it does not. Steps to
> reproduce:
>
> Take a minimal Debian 9 installation and:
>
> ```
> root at debian:~# apt install salt-master
> root at debian:~# sed -i 's/stretch/buster/g' /etc/apt/sources.list
> root at debian:~# apt upgrade
> [...]
> Setting up salt-master (2018.3.3+dfsg1-2) ...
> Installing new version of config file /etc/salt/master ...
> Job for salt-master.service failed because the control process exited
> with error code.
> See "systemctl status salt-master.service" and "journalctl -xe" for
> details.
> invoke-rc.d: initscript salt-master, action "restart" failed.
> ‚óŹ salt-master.service - The Salt Master Server
> Loaded: loaded (/lib/systemd/system/salt-master.service; enabled;
> vendor preset: enabled)
> Active: failed (Result: exit-code) since Wed 2019-02-06 16:16:37
> UTC; 8ms ago
> Docs: man:salt-master(1)
> file:///usr/share/doc/salt/html/contents.html
> https://docs.saltstack.com/en/latest/contents.html
> Process: 31417 ExecStart=/usr/bin/salt-master (code=exited,
> status=13)
> Main PID: 31417 (code=exited, status=13)
>
> Feb 06 16:16:37 debian systemd[1]: Starting The Salt Master Server...
> Feb 06 16:16:37 debian salt-master[31417]: Failed to create directory
> path "/var/lib/salt/pki/master/minions" - [Errno 13] Permission denied:
> '/var/lib/salt/pki/master/minions'
> Feb 06 16:16:37 debian systemd[1]: salt-master.service: Main process
> exited, code=exited, status=13/n/a
> Feb 06 16:16:37 debian systemd[1]: salt-master.service: Failed with
> result 'exit-code'.
> Feb 06 16:16:37 debian systemd[1]: Failed to start The Salt Master
> Server.
> dpkg: error processing package salt-master (--configure):
> installed salt-master package post-installation script subprocess
> returned error exit status 1
> [...]
> ```
>
> Instead of doing an upgrade test, you can just do the test on testing
> by stopping salt-master, changing the permission to root and starting
> salt-master.
>
> ```
> root at debian:~# systemctl cat salt-master.service
> # /lib/systemd/system/salt-master.service
> [Unit]
> Description=The Salt Master Server
> Documentation=man:salt-master(1)
> file:///usr/share/doc/salt/html/contents.html
> https://docs.saltstack.com/en/latest/contents.html
> After=network.target
>
> [Service]
> LimitNOFILE=100000
> Type=notify
> NotifyAccess=all
> ExecStart=/usr/bin/salt-master
> User=salt
> Group=salt
> CacheDirectory=salt/master
> RuntimeDirectory=salt
> StateDirectory=salt/pki/master
>
> [Install]
> WantedBy=multi-user.target
> root at debian:~# ls -ld /var/lib/salt /var/lib/salt/pki
> /var/lib/salt/pki/master
> drwxr-xr-x 3 salt salt 4096 Feb 6 16:16 /var/lib/salt
> drwxr-xr-x 3 root root 4096 Feb 6 16:16 /var/lib/salt/pki
> drwx------ 7 root root 4096 Feb 6 16:10 /var/lib/salt/pki/master
> root at debian:~# ls -ld /var/cache/salt /var/cache/salt/master
> drwxr-xr-x 3 root root 4096 Feb 6 16:10 /var/cache/salt
> drwxr-xr-x 8 root root 4096 Feb 6 16:11 /var/cache/salt/master
> rroot at debian:~# dpkg -l | grep systemd | sed 's/ \+amd64 .*$//'
> ii libnss-systemd:amd64 240-5
> ii libpam-systemd:amd64 240-5
> ii libsystemd0:amd64 240-5
> ii python-systemd 234-2+b1
> ii python3-systemd 234-2+b1
> ii systemd 240-5
> ii systemd-sysv 240-5
> ```
>
> The workaround is to manually change the owner/group to salt:
>
> root at debian:~# chown -R salt:salt /var/lib/salt/pki/master /var/cache/salt/master
> root at debian:~# systemctl start salt-master
>
> --
> Benjamin Drung
> System Developer
> Debian & Ubuntu Developer
>
> 1&1 IONOS Cloud GmbH | Greifswalder Str. 207 | 10405 Berlin | Germany
> E-mail: benjamin.drung at cloud.ionos.com | Web: www.ionos.de
>
> Head Office: Berlin, Germany
> District Court Berlin Charlottenburg, Registration number: HRB 125506 B
> Executive Management: Christoph Steffens, Matthias Steinberg, Achim
> Weiss
>
> Member of United Internet
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20190207/db2a132c/attachment-0001.html>


More information about the Pkg-systemd-maintainers mailing list