Usage of local user 'salt' on the salt minion machines created during minion deployments from Aria Automation Config
Article ID: 414763
Updated On:
Products
VCF Operations/Automation (formerly VMware Aria Suite)
Issue/Introduction
- This aims to provide insights on the validity of the local user 'salt' that can be found on the salt minion machines.
Environment
- Aria Automation Config 8.x
- Salt minion 300x
Resolution
- The 'salt' user is a local user that is created on the machines as a part of the 'salt-minion' rpm installations.
- This user was created with an intention to be used to run all tasks on the minion machine which are imitated as a part of the salt / Aria Automation Config jobs.
- However, due to limitations of permissions, as compared to the root user, only a subset of jobs could be administered using this 'salt' user and for full potential, the permissions for the 'salt' user would need to be bumped up to that of the root user.
- Thus, to avoid redundancy, the salt minion configs were modified to use the root user rather than the salt in recent releases.
- Currently the 'salt' user is created with the below configuration in the
/etc/passwdfile:
salt:x:999:999:Salt:/opt/saltstack/salt:/usr/sbin/nologin - The requirement of the 'salt' user for the salt-minion service can be validated by reviewing the code in
/usr/lib/systemd/system/salt-minion.service,
review the[Service]section and look for the presence of a line similar to:
[Service] User=salt
If the above line is not mentioned, then there is no strict binding of the salt minion service to the salt user. - Despite the change, the salt user is still created as a part of the installation, and can be used/ removed or permissions can be limited based on requirement.
Feedback
Yes
No
Powered by
