Set group owner to foreman-proxy for Salt config #815
Why would the proxy user need to be able to write that file?
I have an internal ticket that says Salt REX jobs do not work. A documented and tested workaround is running Do you think this change is undesired in general, or should I fix the mode to make it read-only? Also: My bad for opening such a bare-bones PR without any background info!
Can you share more info on what is meant by "do not work"? The contents of the file come from a template (https://github.com/theforeman/puppet-foreman_proxy/blob/master/templates/plugin/salt_master.conf.erb) and any changes to it would be overwritten at the next installer run anyway, so IMHO nobody (but the installer) should be writing it. As for reading… Your change should not have any effect for the Unless… There is something that does an "is file owned by my user, error otherwise" check somewhere.
And to elaborate on the current setting a bit: changing the file allows reconfiguring the salt master, which usually runs as
ab08807 to cb75481
I could not find out why the file is read when running Salt REX on Foreman. However, I investigated some more with @sbernhard together. It looks like there is already a command to fix this, but it does not have a working default value yet. I have changed my PR to reflect that. We have tested this on Foreman:
cb75481 to 4ef32b0
I still don't understand the need for that, though. The only place I can see any code in
4ef32b0 to bcab4fe
bcab4fe to 3f4ee8f
Hey! 👋 We just had a look at the problem. The following error occurs when executing a Salt REX task:
The call originates here in smart_proxy_salt and I assume those runners are executed as But, in order to run salt, the corresponding user must be able to read For example, Ansible has the following permissions on one of its configs:
@evgeni what do you think?
3f4ee8f to 4660f46
LGTM! Technically, you could also swap the Optional[String[1]] $group = undef to a String $group = $foreman_proxy::user. I think I prefer the way it is now (as it keeps the "default" empty, and thus doesn't even store the value in the answers file), but wanted to point it out. @ekohl opinions on the style?
I prefer this style.
Fixes 4ea5cf8
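As an added illustration of the two parameter styles discussed in the review comments, together with the read-only mode asked about earlier in the thread, here is a minimal Puppet class. It is not code from this PR or from the puppet-foreman_proxy module: the class name and file path are hypothetical, and it assumes the installer runs as root and the proxy user is foreman-proxy (the real module's template and parameters are not reproduced).

```puppet
# Added example, not code from puppet-foreman_proxy. Class name and path are
# hypothetical; the module's own template and parameters are not reproduced.
class example_salt_conf (
  # Style kept in the PR: an unset $group leaves the group attribute
  # unmanaged, so nothing is stored in the installer answers file.
  Optional[String[1]] $group = undef,
  # Alternative raised in review: default to the proxy user directly.
  # String[1] $group = $foreman_proxy::user,
) {
  file { '/etc/salt/master.d/example.conf':   # hypothetical path
    ensure  => file,
    owner   => 'root',   # only root (i.e. the installer) should write it
    group   => $group,   # the proxy user when set; left unmanaged when undef
    mode    => '0640',   # group can read, nobody but the owner can write
    content => "# managed by the installer; manual edits are overwritten\n",
  }
}
```

With mode 0640 the proxy user can read the file when its group is set, while the file stays owned and writable only by root, which matches the reviewer's point that nobody but the installer should write it. Passing undef as group means Puppet does not manage that attribute at all, which is why the empty default keeps the answers file untouched.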