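# Multi-stage Salt infrastructure - consolidates salt-master, salt-minion-deb, salt-minion-rpm
# Build targets: salt-master, salt-minion-deb, salt-minion-rpm
# ============================================================================
# STAGE 0: keygen
# Generate pre-shared keys for test minions at build time
# Keys are baked into images - no runtime bind mounts needed
# Salt uses standard RSA keys in PEM format
# ============================================================================
FROM ubuntu:24.04 AS keygen
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y --no-install-recommends openssl && \
    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/*
# Minion IDs that receive a pre-generated key pair; override with
# --build-arg TEST_MINIONS="..." to add or rename test minions without
# touching the loop below (default keeps the original three)
ARG TEST_MINIONS="ubuntu-test rhel-test windows-test"
WORKDIR /keys
# Generate RSA keys for test minions (Salt-compatible format)
# Each minion's two openssl calls form one `&& ... || exit 1` list so that a
# failure for ANY minion aborts the build. With a bare `;` after the loop
# body the loop's exit status only reflects the last minion, and a partially
# populated /keys would be shipped silently.
# NOTE(review): on Ubuntu 24.04 `openssl genrsa` emits PKCS#8 PEM
# ("BEGIN PRIVATE KEY"); assumed to be accepted by the Salt version the later
# stages install - confirm against the minion's key loading.
# These are throwaway test credentials: every private key is readable by
# anyone holding an image built from this stage, which is acceptable only
# because they never identify a non-test minion.
RUN for minion in ${TEST_MINIONS}; do \
        openssl genrsa -out "${minion}.pem" 4096 && \
        openssl rsa -in "${minion}.pem" -pubout -out "${minion}.pub" || exit 1; \
    done && \
    chmod 644 /keys/*.pub && \
    chmod 600 /keys/*.pem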
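# ============================================================================
# STAGE 1: salt-base-deb
# Common Debian/Ubuntu base with Salt repos configured
# ============================================================================
FROM ubuntu:24.04 AS salt-base-deb
ENV DEBIAN_FRONTEND=noninteractive
# Build arguments for package manager compatibility
ARG APT_MIRROR=archive.ubuntu.com
ARG APT_SECURITY_MIRROR=security.ubuntu.com
ARG DEBIAN_CODENAME=noble
# Clean up any inherited sources and set Ubuntu repos (handles Kali host environments)
# On 24.04 this also drops the deb822 ubuntu.sources file; the one-line
# sources.list written here replaces it.
# The Salt repo is registered with signed-by= pointing at the Salt Project
# signing key instead of trusted=yes. trusted=yes switches apt's signature
# check OFF for that source, so whatever the mirror served would have been
# installed unverified into every stage built on this one. The key itself is
# fetched over HTTPS from the vendor; if a stronger anchor is required,
# compare its fingerprint against the one published in the Salt install guide
# before trusting a new build.
RUN rm -f /etc/apt/sources.list.d/* && \
    rm -f /etc/apt/sources.list && \
    echo "deb http://${APT_MIRROR}/ubuntu/ ${DEBIAN_CODENAME} main restricted universe multiverse" > /etc/apt/sources.list && \
    echo "deb http://${APT_MIRROR}/ubuntu/ ${DEBIAN_CODENAME}-updates main restricted universe multiverse" >> /etc/apt/sources.list && \
    echo "deb http://${APT_SECURITY_MIRROR}/ubuntu/ ${DEBIAN_CODENAME}-security main restricted universe multiverse" >> /etc/apt/sources.list && \
    apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates curl && \
    mkdir -p /etc/apt/keyrings && \
    curl -fsSL https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public \
        -o /etc/apt/keyrings/salt-archive-keyring.pgp && \
    chmod 644 /etc/apt/keyrings/salt-archive-keyring.pgp && \
    echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/salt-archive-keyring.pgp] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" > /etc/apt/sources.list.d/salt.list && \
    apt-get update && \
    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/*
# Copy entrypoint script (shared for all minion variants)
COPY scripts/docker/entrypoint-minion.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/entrypoint-minion.sh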
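# ============================================================================
# STAGE 2: salt-master
# Salt Master 3007+ with master, minion, and SSH client
# ============================================================================
FROM salt-base-deb AS salt-master
ENV DEBIAN_FRONTEND=noninteractive
# Install Salt Master, Minion, and SSH from pre-configured repos
# tini is the PID 1 used by ENTRYPOINT below (zombie reaping, signal forwarding)
# One package per line, sorted, each followed by a space before the
# continuation backslash: the previous `tini\` had no separator, so unless the
# next line was indented the parser glued "tini" onto "salt-master" and apt
# was asked for a single non-existent package.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        avahi-daemon \
        netcat-openbsd \
        salt-master \
        salt-minion \
        salt-ssh \
        tini \
        wsdd-server && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/*
# Create mount points with correct ownership
# Note: /srv/salt/files is for provisioning files mounted separately
# Assumes the salt-master package created the `salt` account - the chown
# fails the build otherwise
RUN mkdir -p /srv/salt/files /srv/pillar /srv/data /var/cache/salt /var/log/salt && \
    chown -R salt:salt /srv /var/cache/salt /var/log/salt /etc/salt
# Copy pre-generated public keys for test minions (pre-acceptance)
# Entrypoint copies these to /etc/salt/pki/master/minions/ on startup
# Only the .pub halves are copied here; the master never needs the minions'
# private keys
COPY --from=keygen /keys/*.pub /etc/salt/pki/master/minions-preload/
# Enable master.d config drop-in directory
RUN sed -i 's/^#default_include: master.d\/\*.conf$/default_include: master.d\/*.conf/' /etc/salt/master
# Copy and set up entrypoint script (master-specific)
COPY scripts/docker/entrypoint-master.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/entrypoint-master.sh
# Copy avahi service files
COPY srv/avahi/*.service /etc/avahi/services/
# Note: Healthcheck is defined in docker-compose.yaml (preferred for flexibility)
# No USER directive: the entrypoint (outside this file) is responsible for any
# privilege drop; the image itself starts as root
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/entrypoint-master.sh"]
EXPOSE 4505/tcp 4506/tcp 5353/udp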
# ============================================================================
# STAGE 3: salt-minion-deb
# Debian/Ubuntu minion (Ubuntu 24.04)
# ============================================================================
FROM salt-base-deb AS salt-minion-deb
ENV DEBIAN_FRONTEND=noninteractive
# Install Salt Minion from pre-configured repos
# git required for git.latest states (common.vim etc) on first highstate run
RUN apt-get update \
    && apt-get install --yes --no-install-recommends git salt-minion \
    && apt-get clean \
    && rm --recursive --force /var/lib/apt/lists/* /tmp/*
# Pre-configure minion (master hostname will be set at runtime)
# Ownership assumes the salt-minion package created the `salt` account
RUN mkdir --parents /etc/salt/minion.d \
    && chown --recursive salt:salt /etc/salt \
    && chmod 755 /etc/salt /etc/salt/minion.d
# Copy pre-generated keys for test minions
# Entrypoint selects correct key based on MINION_ID
# The whole /keys tree is copied, so this image carries the private half of
# EVERY test minion's key pair, not just its own; acceptable for build-time
# test keys only
COPY --from=keygen /keys/ /etc/salt/pki/minion-preload/
ENTRYPOINT ["/usr/local/bin/entrypoint-minion.sh"]
# ============================================================================
# STAGE 4: salt-base-rpm
# Common RHEL/Rocky base with Salt repos configured
# ============================================================================
FROM rockylinux:9 AS salt-base-rpm
# Build arguments for package manager compatibility
# RHEL_VERSION is not referenced in this stage; kept so existing
# --build-arg RHEL_VERSION=... invocations keep working
ARG RHEL_VERSION=9
# Clean up any inherited repos (handles Kali host environments)
# but preserve system repos via subscription-manager or distro defaults
# The rm is wrapped so its (masked) status never short-circuits the dnf steps
RUN { rm -f /etc/yum.repos.d/kali* /etc/yum.repos.d/debian* 2>/dev/null || true; } \
    && dnf --assumeyes install 'dnf-command(config-manager)' \
    && dnf config-manager --set-enabled crb \
    && dnf --assumeyes install epel-release \
    && dnf clean all
# Install Salt Minion from Broadcom repo (3007+)
# Use official Salt Project repo configuration (automatically handles platform-specific paths)
# The repo file is taken from the "latest" release, so two builds may pick up
# different repo definitions; package signatures are still checked according
# to that file's gpgcheck settings. curl here is the curl-minimal shipped in
# the rockylinux:9 base.
RUN curl --fail --silent --show-error --location \
        https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo \
        --output /etc/yum.repos.d/salt.repo \
    && dnf clean all \
    && rm --recursive --force /var/cache/dnf /tmp/*
# Copy entrypoint script
COPY scripts/docker/entrypoint-minion.sh /usr/local/bin/
RUN chmod a+x /usr/local/bin/entrypoint-minion.sh
# ============================================================================
# STAGE 5: salt-minion-rpm
# RHEL/Rocky minion (Rocky Linux 9)
# ============================================================================
FROM salt-base-rpm AS salt-minion-rpm
# Install Salt Minion from pre-configured repos
# git required for git.latest states (common.vim etc) on first highstate run
RUN dnf --assumeyes install git salt-minion \
    && dnf clean all \
    && rm --recursive --force /var/cache/dnf /tmp/*
# Pre-configure minion (master hostname will be set at runtime)
# Ownership assumes the salt-minion package created the `salt` account
RUN mkdir --parents /etc/salt/minion.d \
    && chown --recursive salt:salt /etc/salt \
    && chmod 755 /etc/salt /etc/salt/minion.d
# Copy pre-generated keys for test minions
# Entrypoint selects correct key based on MINION_ID
# The whole /keys tree is copied, so this image carries the private half of
# EVERY test minion's key pair, not just its own; acceptable for build-time
# test keys only
COPY --from=keygen /keys/ /etc/salt/pki/minion-preload/
ENTRYPOINT ["/usr/local/bin/entrypoint-minion.sh"]