Running the Salt Master/Minion as an Unprivileged User

While the default setup runs the master and minion as the root user, some may consider it an extra measure of security to run the master as a non-root user. Keep in mind that doing so does not change the master's capability to access minions as the user they are running as. Due to this many feel that running the master as a non-root user does not grant any real security advantage which is why the master has remained as root by default.

Note

Some of Salt's operations cannot execute correctly when the master is not running as root, specifically the pam external auth system, as this system needs root access to check authentication.

As of Salt 0.9.10 it is possible to run Salt as a non-root user. This can be done by setting the user parameter in the master configuration file and restarting the salt-master service.

The minion also has the :conf_minion:`user` parameter, but running the minion as an unprivileged user will prevent changes such as modifying users, installing packages, and so on, unless the non-root user is authorized on the minion to make the required changes (for example via sudo).

In order to allow Salt to successfully run as a non-root user, ownership and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):

  • /etc/salt
  • /var/cache/salt
  • /var/log/salt
  • /var/run/salt

The owner can be changed simply with ``chown``, like this:

# chown -R user /etc/salt /var/cache/salt /var/log/salt /var/run/salt

Warning

Running either the master or minion with the root_dir parameter specified will affect these paths, as will setting options like pki_dir, cachedir, log_file, and other options that normally live in the above directories.
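As an added example (not Salt's own code or part of this page), a small Python check that reads the top-level ``key: value`` lines of a master config and reports which paths the configured user must own, taking root_dir, pki_dir, cachedir and log_file into account. The minimal line parser and the assumption that root_dir is prepended to every other location are this example's, not Salt's config loader.

```python
import os
import pwd

# Directories the page lists as needing to be owned by the configured user.
DEFAULT_DIRS = ("/etc/salt", "/var/cache/salt", "/var/log/salt", "/var/run/salt")
# Options that relocate one of those locations (log_file names a file, so its
# parent directory is what must be writable).
OVERRIDE_KEYS = ("pki_dir", "cachedir", "log_file")


def parse_flat_config(text):
    """Minimal reader for top-level ``key: value`` lines (assumption: not a full
    YAML parser; indented, nested or list values are ignored)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip("'\"")
        if value:
            opts[key.strip()] = value
    return opts


def required_paths(opts):
    """Paths the configured user must own. Assumption: root_dir is prepended to
    the default and overridden locations, as the warning above describes."""
    root_dir = opts.get("root_dir", "/")
    paths = set(DEFAULT_DIRS)
    for key in OVERRIDE_KEYS:
        if key in opts:
            paths.add(os.path.dirname(opts[key]) if key == "log_file" else opts[key])
    return sorted(os.path.join(root_dir, p.lstrip("/")) for p in paths)


def wrong_owner(paths, user):
    """Existing paths whose owner is not ``user``; missing paths are skipped so
    the check can run before the directories are created."""
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:  # user not created yet, so nothing can be owned by it
        uid = None
    return [p for p in paths if os.path.exists(p) and os.stat(p).st_uid != uid]


# Constructed sample master config, not taken from a real deployment.
SAMPLE_CONFIG = """\
user: salt
root_dir: /srv/salt-root
cachedir: /var/cache/salt-custom
log_file: /var/log/salt/master
"""

if __name__ == "__main__":
    opts = parse_flat_config(SAMPLE_CONFIG)
    paths = required_paths(opts)
    print("\n".join(paths))
    print("not owned by %s: %s" % (opts["user"], wrong_owner(paths, opts["user"])))
```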