saltstack/saltinit.py at main · ttdockerfile/saltstack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#!/usr/bin/env python3
import asyncio
import json
import os
import signal
import pathlib
import subprocess


CERT_DIR = pathlib.Path("/etc/pki/tls/certs")
KEY_PATH = CERT_DIR / "localhost.key"
CRT_PATH = CERT_DIR / "localhost.crt"

SALT_UID = 450
SALT_GID = 450


def ensure_real_openssl_cert():
    """创建真正的 PEM 格式证书，避免 CherryPy PermissionError"""
    CERT_DIR.mkdir(parents=True, exist_ok=True)

    if KEY_PATH.exists() and CRT_PATH.exists():
        return

    print("Generating REAL openssl PEM certificate...")

    subprocess.run([
        "openssl", "req",
        "-x509",
        "-newkey", "rsa:2048",
        "-nodes",
        "-keyout", str(KEY_PATH),
        "-out", str(CRT_PATH),
        "-days", "3650",
        "-subj", "/CN=localhost"
    ], check=True)

    os.chown(KEY_PATH, SALT_UID, SALT_GID)
    os.chmod(KEY_PATH, 0o600)

    os.chown(CRT_PATH, SALT_UID, SALT_GID)
    os.chmod(CRT_PATH, 0o600)


async def main():
    # 生成真正的 PEM 证书
    ensure_real_openssl_cert()

    futures = []

    # minion 模式
    if "SALT_MINION_CONFIG" in os.environ:
        with open("/etc/salt/minion.d/minion.conf", "w") as f:
            json.dump(json.loads(os.environ["SALT_MINION_CONFIG"]), f)
        futures.append(await asyncio.create_subprocess_exec("salt-minion"))

    # proxy 模式
    elif "SALT_PROXY_ID" in os.environ or "SALT_PROXY_CONFIG" in os.environ:
        if "SALT_PROXY_CONFIG" in os.environ:
            with open("/etc/salt/proxy.d/proxy.conf", "w") as f:
                json.dump(json.loads(os.environ["SALT_PROXY_CONFIG"]), f)
        if "SALT_PROXY_ID" in os.environ:
            futures.append(await asyncio.create_subprocess_exec(
                "salt-proxy",
                f'--proxyid={os.environ["SALT_PROXY_ID"]}'
            ))
        else:
            futures.append(await asyncio.create_subprocess_exec("salt-proxy"))

    # master + api 模式
    else:
        if not os.path.exists("/etc/salt/master.d/api.conf"):
            with open("/etc/salt/master.d/api.conf", "w") as f:
                json.dump({
                    "rest_cherrypy": {
                        "port": 8000,
                        "ssl_crt": str(CRT_PATH),
                        "ssl_key": str(KEY_PATH),
                    },
                    "external_auth": {
                        "sharedsecret": {
                            "salt": [".*", "@wheel", "@jobs", "@runner"],
                        }
                    },
                    "sharedsecret": os.environ.get("SALT_SHARED_SECRET", "supersecret")
                }, f)

        with open("/etc/salt/master.d/user.conf", "w") as f:
            json.dump({"user": "salt"}, f)

        futures.append(await asyncio.create_subprocess_exec("salt-api"))
        futures.append(await asyncio.create_subprocess_exec("salt-master"))

    await asyncio.gather(*[p.communicate() for p in futures])


if __name__ == "__main__":
    loop = asyncio.get_event_loop()
    for sig in ("SIGINT", "SIGTERM"):
        loop.add_signal_handler(getattr(signal, sig), loop.stop)
    try:
        loop.run_until_complete(main())
    finally:
        loop.close()