
Salt minion how to elevate non-root user with sudo?


I am getting permission denied errors when trying to run the minion as non-root. I created a special user called 'salt-master' and gave it sudo privileges. Yet I am still seeing permission denied errors. I am using the salt master and minion on the same server for testing; otherwise the user would be named salt-minion for the client. How do I get salt to use sudo for everything?

/etc/sudoers

# salt-master user allowed root with no password
salt-master ALL=(ALL) NOPASSWD:ALL

/etc/salt/minion

# The user to run salt
#user: root
user: salt-master

/srv/salt/gedit/init.sls

gedit:
  pkg:
    - installed

command

salt 'SaltStack-01' state.sls gedit

command results

SaltStack-01:
----------
          ID: gedit
    Function: pkg.installed
      Result: False
     Comment: The following packages failed to install/update: gedit.
     Changes:   

Summary
------------
Succeeded: 0
Failed:    1
------------
Total:     1

minion logs /var/log/salt/minion

2014-09-17 13:35:05,199 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper refresh' failed with return code: 5
2014-09-17 13:35:05,200 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for refreshing system repositories.
2014-09-17 13:35:05,243 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper --non-interactive install --name --auto-agree-with-licenses "gedit"' failed with return code: 5
2014-09-17 13:35:05,244 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for installing or uninstalling packages.

Solution

  • http://docs.saltstack.com/en/latest/ref/configuration/nonroot.html

    The minion has its own user parameter as well, but running the minion as an unprivileged user will keep it from making changes to things like users, installed packages, etc. unless access controls (sudo, etc.) are set up on the minion to permit the non-root user to make the needed changes.

    In order to allow Salt to successfully run as a non-root user, ownership and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):
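An added example, not code from the question, the answer or Salt itself: a POSIX shell audit that flags the unrestricted `NOPASSWD:ALL` grant shown in the question (it is full passwordless root, not a scoped sudo rule) and pulls the commands that failed for lack of root out of the quoted minion log, which is the input for writing a narrower rule. The sudoers fragment and log lines are constructed from the post; the `/usr/bin/zypper` path in the restricted rule is an assumption.

```shell
#!/bin/sh
# Added example, not code from the question or from Salt: audit a sudoers
# fragment for unrestricted passwordless root and list the commands the
# minion log shows failing for lack of root, so a narrower rule can be written.

# Constructed sudoers fragment: the rule from the question plus a restricted
# alternative. The /usr/bin/zypper path is an assumption.
SAMPLE_SUDOERS='# salt-master user allowed root with no password
salt-master ALL=(ALL) NOPASSWD:ALL
# least privilege: only the zypper invocations the minion log shows
salt-minion ALL=(root) NOPASSWD: /usr/bin/zypper refresh, /usr/bin/zypper --non-interactive install *'

# Constructed from the minion log lines quoted in the question.
SAMPLE_MINION_LOG=$(cat <<'EOF'
2014-09-17 13:35:05,199 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper refresh' failed with return code: 5
2014-09-17 13:35:05,200 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for refreshing system repositories.
2014-09-17 13:35:05,243 [salt.loaded.int.module.cmdmod][ERROR] Command 'zypper --non-interactive install --name --auto-agree-with-licenses "gedit"' failed with return code: 5
2014-09-17 13:35:05,244 [salt.loaded.int.module.cmdmod][ERROR] output: Root privileges are required for installing or uninstalling packages.
EOF
)

# Print each user whose rule grants ALL commands with NOPASSWD, i.e. full
# passwordless root. Comments, blank lines and non-user lines are skipped;
# "NOPASSWD:ALL" and "NOPASSWD: ALL" are both recognised.
unrestricted_nopasswd_users() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $2 !~ /=\(/     { next }
        {
            rest = ""
            for (i = 3; i <= NF; i++) rest = rest $i
            if (rest == "NOPASSWD:ALL") print $1
        }'
}

# Pair each "Command '...' failed" line with the following "Root privileges
# are required" line and print the command, one per line.
root_required_commands() {
    printf '%s\n' "$1" | awk '
        match($0, /Command '\''[^'\'']*'\'' failed/) {
            cmd = substr($0, RSTART + 9, RLENGTH - 17)
        }
        /Root privileges are required/ && cmd != "" { print cmd; cmd = "" }'
}

echo "Unrestricted passwordless root:"; unrestricted_nopasswd_users "$SAMPLE_SUDOERS"
echo "Commands the minion needed root for:"; root_required_commands "$SAMPLE_MINION_LOG"
```

The second function's output is exactly the command list a restricted `NOPASSWD:` rule for the minion user should be built from, rather than `ALL`.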