Make default pki directory configurable

The files in `/etc/salt/pki` are not configuration files in the sense of the FHS ("local file used to control the operation of a program"). Debian wants to change the default location to `/var/lib/salt/pki` (to properly follow FHS and to allow setting StateDirectory in the salt master systemd configuration). Therefore introduce a `STATE_DIR` syspaths variable which defaults to `CONFIG_DIR`, but can be individually customized. fixes saltstack#3396 Bug-Debian: https://bugs.debian.org/698898 Forwarded: saltstack#61453 Signed-off-by: Benjamin Drung <benjamin.drung@ionos.com>
bdrung · Apr 15, 2022 · 3195234 · 3195234
1 parent 5c67357
commit 3195234
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 5 deletions.
diff --git a/changelog/3396.added b/changelog/3396.added
@@ -0,0 +1,5 @@
+Introduce a `STATE_DIR` syspaths variable which defaults to `CONFIG_DIR`, but
+can be individually customized during installation by specifying
+`--salt-state-dir` during installation. Change the default `pki_dir` to
+`<STATE_DIR>/pki/master` (for the master) and `<STATE_DIR>/pki/minion` (for
+the minion).
diff --git a/doc/ref/configuration/master.rst b/doc/ref/configuration/master.rst
@@ -180,7 +180,7 @@ The path to the master's configuration file.
 ``pki_dir``
 -----------
 
-Default: ``/etc/salt/pki/master``
+Default: ``<STATE_DIR>/pki/master``
 
 The directory to store the pki authentication keys.
 

diff --git a/doc/ref/configuration/minion.rst b/doc/ref/configuration/minion.rst
@@ -595,7 +595,7 @@ The path to the minion's configuration file.
 ``pki_dir``
 -----------
 
-Default: ``/etc/salt/pki/minion``
+Default: ``<STATE_DIR>/pki/minion``
 
 The directory used to store the minion's public and private keys.
 

diff --git a/doc/topics/installation/index.rst b/doc/topics/installation/index.rst
@@ -146,6 +146,44 @@ provided like:
     minimal installation, you might need to install some additional packages
     from your OS vendor.
 
+Default directories
+-------------------
+
+During installation several default directories can be configured:
+
+======================  ============================
+variable                setup.py config option
+======================  ============================
+ROOT_DIR                --salt-root-dir
+SHARE_DIR               --salt-share-dir
+CONFIG_DIR              --salt-config-dir
+CACHE_DIR               --salt-cache-dir
+SOCK_DIR                --salt-sock-dir
+SRV_ROOT_DIR            --salt-srv-root-dir
+STATE_DIR               --salt-state-dir
+BASE_FILE_ROOTS_DIR     --salt-base-file-roots-dir
+BASE_PILLAR_ROOTS_DIR   --salt-base-pillar-roots-dir
+BASE_MASTER_ROOTS_DIR   --salt-base-master-roots-dir
+LOGS_DIR                --salt-logs-dir
+PIDFILE_DIR             --salt-pidfile-dir
+SPM_FORMULA_PATH        --salt-spm-formula-dir
+SPM_PILLAR_PATH         --salt-spm-pillar-dir
+SPM_REACTOR_PATH        --salt-spm-reactor-dir
+HOME_DIR                --salt-home-dir
+======================  ============================
+
+By default, salt tries to determine useful default values for the directories.
+You can override them during installation by specifying the config option. E.g.
+to change `STATE_DIR` from the default `/etc/salt` to `/var/lib/salt`, specify
+`--salt-state-dir` during installation:
+
+.. code-block:: bash
+
+  python setup.py --salt-state-dir=/var/lib/salt install
+
+All the variables listed in the table above are stored in `salt/_syspaths.py`
+during installation.
+
 Optional Dependencies
 ---------------------
 

diff --git a/salt/config/__init__.py b/salt/config/__init__.py
@@ -984,7 +984,7 @@ def _gather_buffer_space():
         "syndic_finger": "",
         "user": salt.utils.user.get_user(),
         "root_dir": salt.syspaths.ROOT_DIR,
-        "pki_dir": os.path.join(salt.syspaths.CONFIG_DIR, "pki", "minion"),
+        "pki_dir": os.path.join(salt.syspaths.STATE_DIR, "pki", "minion"),
         "id": "",
         "id_function": {},
         "cachedir": os.path.join(salt.syspaths.CACHE_DIR, "minion"),
@@ -1279,7 +1279,7 @@ def _gather_buffer_space():
         "keep_jobs": 24,
         "archive_jobs": False,
         "root_dir": salt.syspaths.ROOT_DIR,
-        "pki_dir": os.path.join(salt.syspaths.CONFIG_DIR, "pki", "master"),
+        "pki_dir": os.path.join(salt.syspaths.STATE_DIR, "pki", "master"),
         "key_cache": "",
         "cachedir": os.path.join(salt.syspaths.CACHE_DIR, "master"),
         "file_roots": {
@@ -1628,7 +1628,7 @@ def _gather_buffer_space():
         "proxy_always_alive": True,
         "proxy_keep_alive": True,  # by default will try to keep alive the connection
         "proxy_keep_alive_interval": 1,  # frequency of the proxy keepalive in minutes
-        "pki_dir": os.path.join(salt.syspaths.CONFIG_DIR, "pki", "proxy"),
+        "pki_dir": os.path.join(salt.syspaths.STATE_DIR, "pki", "proxy"),
         "cachedir": os.path.join(salt.syspaths.CACHE_DIR, "proxy"),
         "sock_dir": os.path.join(salt.syspaths.SOCK_DIR, "proxy"),
     }

diff --git a/salt/syspaths.py b/salt/syspaths.py
@@ -47,6 +47,7 @@
     "SPM_PILLAR_PATH",
     "SPM_REACTOR_PATH",
     "SHARE_DIR",
+    "STATE_DIR",
 )
 
 try:
@@ -177,6 +178,10 @@ def _get_windows_root_dir():
 if SRV_ROOT_DIR is None:
     SRV_ROOT_DIR = os.path.join(ROOT_DIR, "srv")
 
+STATE_DIR = __generated_syspaths.STATE_DIR
+if STATE_DIR is None:
+    STATE_DIR = CONFIG_DIR
+
 BASE_FILE_ROOTS_DIR = __generated_syspaths.BASE_FILE_ROOTS_DIR
 if BASE_FILE_ROOTS_DIR is None:
     BASE_FILE_ROOTS_DIR = os.path.join(SRV_ROOT_DIR, "salt")

diff --git a/setup.py b/setup.py
@@ -349,6 +349,7 @@ def run(self):
                 cache_dir=self.distribution.salt_cache_dir,
                 sock_dir=self.distribution.salt_sock_dir,
                 srv_root_dir=self.distribution.salt_srv_root_dir,
+                state_dir=self.distribution.salt_state_dir,
                 base_file_roots_dir=self.distribution.salt_base_file_roots_dir,
                 base_pillar_roots_dir=self.distribution.salt_base_pillar_roots_dir,
                 base_master_roots_dir=self.distribution.salt_base_master_roots_dir,
@@ -746,6 +747,7 @@ def finalize_options(self):
 CACHE_DIR = {cache_dir!r}
 SOCK_DIR = {sock_dir!r}
 SRV_ROOT_DIR= {srv_root_dir!r}
+STATE_DIR = {state_dir!r}
 BASE_FILE_ROOTS_DIR = {base_file_roots_dir!r}
 BASE_PILLAR_ROOTS_DIR = {base_pillar_roots_dir!r}
 BASE_MASTER_ROOTS_DIR = {base_master_roots_dir!r}
@@ -945,6 +947,11 @@ class SaltDistribution(distutils.dist.Distribution):
             ("salt-cache-dir=", None, "Salt's pre-configured cache directory"),
             ("salt-sock-dir=", None, "Salt's pre-configured socket directory"),
             ("salt-srv-root-dir=", None, "Salt's pre-configured service directory"),
+            (
+                "salt-state-dir=",
+                None,
+                "Salt's pre-configured variable state directory (used for storing pki data)",
+            ),
             (
                 "salt-base-file-roots-dir=",
                 None,
@@ -994,6 +1001,7 @@ def __init__(self, attrs=None):
         self.salt_cache_dir = None
         self.salt_sock_dir = None
         self.salt_srv_root_dir = None
+        self.salt_state_dir = None
         self.salt_base_file_roots_dir = None
         self.salt_base_thorium_roots_dir = None
         self.salt_base_pillar_roots_dir = None