
Secure salt minion files.

By default salt minion meta files are created with wide
permissions.

This leaves OS tokens and keystone credentials unprotected.

Patch fixes this.

Prod-Related: CEEMCP-13 unprotected keystone credentials
Customer-Found

Change-Id: I18283cff4aec795e0656b7b3519381792e8a6e54
Dzmitry Stremkouski 6 years ago
parent
commit
be5d5552f5
4 changed files with 14 additions and 1 deletions
  1. +3
    -1
      salt/files/userdata
  2. +2
    -0
      salt/master/minion.sls
  3. +3
    -0
      salt/minion/base.sls
  4. +6
    -0
      salt/minion/service.sls

+ 3
- 1
salt/files/userdata View File

sh install_salt.sh sh install_salt.sh
echo "id: {{ node_name }}.{{ cluster.domain }}" > /etc/salt/minion.d/minion.conf echo "id: {{ node_name }}.{{ cluster.domain }}" > /etc/salt/minion.d/minion.conf
echo "master: salt/master: {{ cluster.config.host }}" >> /etc/salt/minion.d/minion.conf echo "master: salt/master: {{ cluster.config.host }}" >> /etc/salt/minion.d/minion.conf
service salt-minion restart
chown root:root /etc/salt/minion.d/minion.conf
chmod 0600 /etc/salt/minion.d/minion.conf
service salt-minion restart
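Review bot: The new `chmod 0600 /etc/salt/minion.d/minion.conf` runs only after the two `echo ... > /etc/salt/minion.d/minion.conf` redirections have already created the file, so it exists with the umask-derived mode (presumably 0644 under the usual 022) until the chmod line is reached. Putting `umask 077` before the first echo, or creating the file up front with `install -m 0600 -o root -g root /dev/null /etc/salt/minion.d/minion.conf`, removes that window and makes the later chown/chmod a no-op safety net rather than the only protection. If other lines of the script rely on the default umask, restore it after the minion.conf writes. The script continues on both sides of this hunk.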

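--- a/salt/master/minion.sls
+++ b/salt/master/minion.sls
 file.managed:
 - source: salt://salt/files/_orchestration.conf
 - user: root
+- group: root
+- mode: 600
 - template: jinja
 - makedirs: true
 - require: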
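Review bot: The new `- mode: 600` is a plain unquoted scalar, so the YAML renderer hands Salt the integer 600 rather than a permission string; it appears to work here only because the value has no leading zero, and the same unquoted form is added in salt/minion/base.sls and salt/minion/service.sls. A later edit to `0600` would be read as octal 384 and silently set a different mode, so quote it as `- mode: '0600'` in all three files, as Salt's file.managed documentation recommends for modes. The state id line that owns this `file.managed:` mapping is outside the hunk.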

+ 3
- 0
salt/minion/base.sls View File

- source: salt://salt/files/minion.conf - source: salt://salt/files/minion.conf
- user: root - user: root
- group: root - group: root
- mode: 600
- template: jinja - template: jinja
- require: - require:
- {{ minion.install_state }} - {{ minion.install_state }}
file.managed: file.managed:
- source: salt://salt/files/_renderer.conf - source: salt://salt/files/_renderer.conf
- user: root - user: root
- group: root
- mode: 600
- template: jinja - template: jinja
- require: - require:
- {{ minion.install_state }} - {{ minion.install_state }}

+ 6
- 0
salt/minion/service.sls View File

- source: salt://salt/files/minion.conf - source: salt://salt/files/minion.conf
- user: root - user: root
- group: root - group: root
- mode: 600
- template: jinja - template: jinja
- require: - require:
- {{ minion.install_state }} - {{ minion.install_state }}
salt_minion_config_{{ service_name }}_{{ name }}: salt_minion_config_{{ service_name }}_{{ name }}:
file.managed: file.managed:
- name: /etc/salt/minion.d/_{{ name }}.conf - name: /etc/salt/minion.d/_{{ name }}.conf
- user: root
- group: root
- mode: 600
- contents: | - contents: |
{{ conf|yaml(False)|indent(8) }} {{ conf|yaml(False)|indent(8) }}
- require: - require:
file.managed: file.managed:
- source: salt://salt/files/_renderer.conf - source: salt://salt/files/_renderer.conf
- user: root - user: root
- group: root
- mode: 600
- template: jinja - template: jinja
- require: - require:
- {{ minion.install_state }} - {{ minion.install_state }}
