Browse Source
Secure salt minion files.
By default salt minion meta files are created with wide permissions. This makes OS tokens, keystone credentials unprotected. Patch fixes this. Prod-Related: CEEMCP-13 unprotected keystone credentials Customer-Found Change-Id: I18283cff4aec795e0656b7b3519381792e8a6e54pull/73/head
Dzmitry Stremkouski
6 years ago
4 changed files with 14 additions and 1 deletions
+ 3
- 1
salt/files/userdata
View File
| @@ -6,4 +6,6 @@ curl --insecure -L http://bootstrap.saltstack.org -o install_salt.sh | |||
| sh install_salt.sh | |||
| echo "id: {{ node_name }}.{{ cluster.domain }}" > /etc/salt/minion.d/minion.conf | |||
| echo "master: salt/master: {{ cluster.config.host }}" >> /etc/salt/minion.d/minion.conf | |||
| service salt-minion restart | |||
| chown root:root /etc/salt/minion.d/minion.conf | |||
| chmod 0600 /etc/salt/minion.d/minion.conf | |||
| service salt-minion restart | |||
+ 2
- 0
salt/master/minion.sls
View File
| @@ -8,6 +8,8 @@ include: | |||
| file.managed: | |||
| - source: salt://salt/files/_orchestration.conf | |||
| - user: root | |||
| - group: root | |||
| - mode: 600 | |||
| - template: jinja | |||
| - makedirs: true | |||
| - require: | |||
+ 3
- 0
salt/minion/base.sls
View File
| @@ -32,6 +32,7 @@ salt_minion_dependency_packages: | |||
| - source: salt://salt/files/minion.conf | |||
| - user: root | |||
| - group: root | |||
| - mode: 600 | |||
| - template: jinja | |||
| - require: | |||
| - {{ minion.install_state }} | |||
| @@ -42,6 +43,8 @@ salt_minion_dependency_packages: | |||
| file.managed: | |||
| - source: salt://salt/files/_renderer.conf | |||
| - user: root | |||
| - group: root | |||
| - mode: 600 | |||
| - template: jinja | |||
| - require: | |||
| - {{ minion.install_state }} | |||
+ 6
- 0
salt/minion/service.sls
View File
| @@ -31,6 +31,7 @@ salt_minion_dependency_packages: | |||
| - source: salt://salt/files/minion.conf | |||
| - user: root | |||
| - group: root | |||
| - mode: 600 | |||
| - template: jinja | |||
| - require: | |||
| - {{ minion.install_state }} | |||
| @@ -45,6 +46,9 @@ salt_minion_dependency_packages: | |||
| salt_minion_config_{{ service_name }}_{{ name }}: | |||
| file.managed: | |||
| - name: /etc/salt/minion.d/_{{ name }}.conf | |||
| - user: root | |||
| - group: root | |||
| - mode: 600 | |||
| - contents: | | |||
| {{ conf|yaml(False)|indent(8) }} | |||
| - require: | |||
| @@ -99,6 +103,8 @@ salt_minion_{{ service_name }}_dependencies_pip: | |||
| file.managed: | |||
| - source: salt://salt/files/_renderer.conf | |||
| - user: root | |||
| - group: root | |||
| - mode: 600 | |||
| - template: jinja | |||
| - require: | |||
| - {{ minion.install_state }} | |||
Loading…