Domů Procházet Nápověda
Registrovat se Přihlásit se
nee2c
/
salt
zrcadlo https://github.com/nee2c/salt.git
1
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Strom: 54b47afeb7
Větve Značky
salt
/
doc
/
ref
/
configuration
/
nonroot.rst

nonroot.rst 2.1 KB
Historie Surový

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 
  1. .. _configuration-non-root-user:
    2. 

  2. 

  3. ======================================================
    4. 

  4. Running the Salt Master/Minion as an Unprivileged User
    5. 

  5. ======================================================
    6. 

  6. 

  7. While the default setup runs the master and minion as the root user, some
    8. 

  8. may consider it an extra measure of security to run the master as a non-root
    9. 

  9. user. Keep in mind that doing so does not change the master's capability
    10. 

  10. to access minions as the user they are running as. Due to this many feel that
    11. 

  11. running the master as a non-root user does not grant any real security advantage
    12. 

  12. which is why the master has remained as root by default.
    13. 

  13. 

  14. .. note::
    15. 

  15. 

  16.     Some of Salt's operations cannot execute correctly when the master is not
    17. 

  17.     running as root, specifically the pam external auth system, as this system
    18. 

  18.     needs root access to check authentication.
    19. 

  19. 

  20. As of Salt 0.9.10 it is possible to run Salt as a non-root user. This can be
    21. 

  21. done by setting the :conf_master:`user` parameter in the master configuration
    22. 

  22. file. and restarting the ``salt-master`` service.
    23. 

  23. 

  24. The minion has its own :conf_minion:`user` parameter as well, but running the
    25. 

  25. minion as an unprivileged user will keep it from making changes to things like
    26. 

  26. users, installed packages, etc. unless access controls (sudo, etc.) are setup
    27. 

  27. on the minion to permit the non-root user to make the needed changes.
    28. 

  28. 

  29. In order to allow Salt to successfully run as a non-root user, ownership, and
    30. 

  30. permissions need to be set such that the desired user can read from and write
    31. 

  31. to the following directories (and their subdirectories, where applicable):
    32. 

  32. 

  33. * /etc/salt
    34. 

  34. * /var/cache/salt
    35. 

  35. * /var/log/salt
    36. 

  36. * /var/run/salt
    37. 

  37. 

  38. Ownership can be easily changed with ``chown``, like so:
    39. 

  39. 

  40. .. code-block:: bash
    41. 

  41. 

  42.     # chown -R user /etc/salt /var/cache/salt /var/log/salt /var/run/salt
    43. 

  43. 

  44. .. warning::
    45. 

  45. 

  46.     Running either the master or minion with the :conf_master:`root_dir`
    47. 

  47.     parameter specified will affect these paths, as will setting options like
    48. 

  48.     :conf_master:`pki_dir`, :conf_master:`cachedir`, :conf_master:`log_file`,
    49. 

  49.     and other options that normally live in the above directories.
    50.