diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2235e19b8..23abbdf8d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,7 +2,7 @@ minimum_pre_commit_version: 1.15.2 repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v5.0.0 hooks: - id: check-merge-conflict # Check for files that contain merge conflict strings. - id: trailing-whitespace # Trims trailing whitespace. diff --git a/README.rst b/README.rst index aca13c758..829a1081f 100644 --- a/README.rst +++ b/README.rst @@ -199,6 +199,9 @@ To view the latest options and descriptions for ``salt-bootstrap``, use ``-h`` a -r Disable all repository configuration performed by this script. This option assumes all necessary repository configuration is already present on the system. + -T If set this overrides the use of /tmp for script execution. This is + to allow for systems in which noexec is applied to temp filesystem mounts + for security reasons -U If set, fully upgrade the system prior to bootstrapping Salt -v Display script version -V Install Salt into virtualenv diff --git a/bootstrap-salt.sh b/bootstrap-salt.sh index adb5a3b56..5e42aba4f 100755 --- a/bootstrap-salt.sh +++ b/bootstrap-salt.sh @@ -48,6 +48,7 @@ __ScriptArgs="$*" # * BS_GENTOO_USE_BINHOST: If 1 add `--getbinpkg` to gentoo's emerge # * BS_SALT_MASTER_ADDRESS: The IP or DNS name of the salt-master the minion should connect to # * BS_SALT_GIT_CHECKOUT_DIR: The directory where to clone Salt on git installations +# * BS_TMP_DIR: The directory to use for executing the installation (defaults to /tmp) #====================================================================================================================== @@ -171,12 +172,12 @@ __check_config_dir() { case "$CC_DIR_NAME" in http://*|https://*) - __fetch_url "/tmp/${CC_DIR_BASE}" "${CC_DIR_NAME}" - CC_DIR_NAME="/tmp/${CC_DIR_BASE}" + __fetch_url "${_TMP_DIR}/${CC_DIR_BASE}" "${CC_DIR_NAME}" + CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}" ;; ftp://*) - __fetch_url "/tmp/${CC_DIR_BASE}" "${CC_DIR_NAME}" - CC_DIR_NAME="/tmp/${CC_DIR_BASE}" + __fetch_url "${_TMP_DIR}/${CC_DIR_BASE}" "${CC_DIR_NAME}" + CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}" ;; *://*) echoerror "Unsupported URI scheme for $CC_DIR_NAME" @@ -194,22 +195,22 @@ __check_config_dir() { case "$CC_DIR_NAME" in *.tgz|*.tar.gz) - tar -zxf "${CC_DIR_NAME}" -C /tmp + tar -zxf "${CC_DIR_NAME}" -C ${_TMP_DIR} CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tgz") CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.gz") - CC_DIR_NAME="/tmp/${CC_DIR_BASE}" + CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}" ;; *.tbz|*.tar.bz2) - tar -xjf "${CC_DIR_NAME}" -C /tmp + tar -xjf "${CC_DIR_NAME}" -C ${_TMP_DIR} CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tbz") CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.bz2") - CC_DIR_NAME="/tmp/${CC_DIR_BASE}" + CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}" ;; *.txz|*.tar.xz) - tar -xJf "${CC_DIR_NAME}" -C /tmp + tar -xJf "${CC_DIR_NAME}" -C ${_TMP_DIR} CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".txz") CC_DIR_BASE=$(basename "${CC_DIR_BASE}" ".tar.xz") - CC_DIR_NAME="/tmp/${CC_DIR_BASE}" + CC_DIR_NAME="${_TMP_DIR}/${CC_DIR_BASE}" ;; esac @@ -245,6 +246,7 @@ __check_unparsed_options() { #---------------------------------------------------------------------------------------------------------------------- _KEEP_TEMP_FILES=${BS_KEEP_TEMP_FILES:-$BS_FALSE} _TEMP_CONFIG_DIR="null" +_TMP_DIR=${BS_TMP_DIR:-"/tmp"} _SALTSTACK_REPO_URL="https://github.com/saltstack/salt.git" _SALT_REPO_URL=${_SALTSTACK_REPO_URL} _TEMP_KEYS_DIR="null" @@ -281,7 +283,7 @@ _SIMPLIFY_VERSION=$BS_TRUE _LIBCLOUD_MIN_VERSION="0.14.0" _EXTRA_PACKAGES="" _HTTP_PROXY="" -_SALT_GIT_CHECKOUT_DIR=${BS_SALT_GIT_CHECKOUT_DIR:-/tmp/git/salt} +_SALT_GIT_CHECKOUT_DIR=${BS_SALT_GIT_CHECKOUT_DIR:-${_TMP_DIR}/git/salt} _NO_DEPS=$BS_FALSE _FORCE_SHALLOW_CLONE=$BS_FALSE _DISABLE_SSL=$BS_FALSE @@ -367,7 +369,7 @@ __usage() { also be specified. Salt installation will be ommitted, but some of the dependencies could be installed to write configuration with -j or -J. -d Disables checking if Salt services are enabled to start on system boot. - You can also do this by touching /tmp/disable_salt_checks on the target + You can also do this by touching ${BS_TMP_DIR}/disable_salt_checks on the target host. Default: \${BS_FALSE} -D Show debug output -f Force shallow cloning for git installations. @@ -424,6 +426,9 @@ __usage() { -r Disable all repository configuration performed by this script. This option assumes all necessary repository configuration is already present on the system. + -T If set this overrides the use of /tmp for script execution. This is + to allow for systems in which noexec is applied to temp filesystem mounts + for security reasons -U If set, fully upgrade the system prior to bootstrapping Salt -v Display script version -V Install Salt into virtualenv @@ -436,7 +441,7 @@ __usage() { EOT } # ---------- end of function __usage ---------- -while getopts ':hvnDc:g:Gx:k:s:MSWNXCPFUKIA:i:Lp:dH:bflV:J:j:rR:aqQ' opt +while getopts ':hvnDc:g:Gx:k:s:MSWNXCPFUKIA:i:Lp:dH:bflV:J:j:rR:T:aqQ' opt do case "${opt}" in @@ -478,6 +483,7 @@ do a ) _PIP_ALL=$BS_TRUE ;; r ) _DISABLE_REPOS=$BS_TRUE ;; R ) _CUSTOM_REPO_URL=$OPTARG ;; + T ) _TMP_DIR="$OPTARG" ;; J ) _CUSTOM_MASTER_CONFIG=$OPTARG ;; j ) _CUSTOM_MINION_CONFIG=$OPTARG ;; q ) _QUIET_GIT_INSTALLATION=$BS_TRUE ;; @@ -495,10 +501,10 @@ done shift $((OPTIND-1)) # Define our logging file and pipe paths -LOGFILE="/tmp/$( echo "$__ScriptName" | sed s/.sh/.log/g )" -LOGPIPE="/tmp/$( echo "$__ScriptName" | sed s/.sh/.logpipe/g )" +LOGFILE="${_TMP_DIR}/$( echo "$__ScriptName" | sed s/.sh/.log/g )" +LOGPIPE="${_TMP_DIR}/$( echo "$__ScriptName" | sed s/.sh/.logpipe/g )" # Ensure no residual pipe exists -rm "$LOGPIPE" 2>/dev/null +rm -f "$LOGPIPE" 2>/dev/null # Create our logging pipe # On FreeBSD we have to use mkfifo instead of mknod @@ -534,7 +540,7 @@ exec 2>"$LOGPIPE" # 14 SIGALRM # 15 SIGTERM #---------------------------------------------------------------------------------------------------------------------- -APT_ERR=$(mktemp /tmp/apt_error.XXXXXX) +APT_ERR=$(mktemp ${_TMP_DIR}/apt_error.XXXXXX) __exit_cleanup() { EXIT_CODE=$? @@ -927,6 +933,11 @@ if [ -d "${_VIRTUALENV_DIR}" ]; then exit 1 fi +# Make sure the designated temp directory exists +if [ ! -d "${_TMP_DIR}" ]; then + mkdir -p "${_TMP_DIR}" +fi + #--- FUNCTION ------------------------------------------------------------------------------------------------------- # NAME: __fetch_url # DESCRIPTION: Retrieves a URL and writes it to a given path @@ -1996,14 +2007,14 @@ __apt_get_upgrade_noinput() { #---------------------------------------------------------------------------------------------------------------------- __temp_gpg_pub() { if __check_command_exists mktemp; then - tempfile="$(mktemp /tmp/salt-gpg-XXXXXXXX.pub 2>/dev/null)" + tempfile="$(mktemp ${_TMP_DIR}/salt-gpg-XXXXXXXX.pub 2>/dev/null)" if [ -z "$tempfile" ]; then - echoerror "Failed to create temporary file in /tmp" + echoerror "Failed to create temporary file in ${_TMP_DIR}" return 1 fi else - tempfile="/tmp/salt-gpg-$$.pub" + tempfile="${_TMP_DIR}/salt-gpg-$$.pub" fi echo $tempfile @@ -2043,7 +2054,7 @@ __rpm_import_gpg() { __fetch_url "$tempfile" "$url" || return 1 # At least on CentOS 8, a missing newline at the end causes: - # error: /tmp/salt-gpg-n1gKUb1u.pub: key 1 not an armored public key. + # error: ${_TMP_DIR}/salt-gpg-n1gKUb1u.pub: key 1 not an armored public key. # shellcheck disable=SC1003,SC2086 sed -i -e '$a\' $tempfile @@ -2109,7 +2120,7 @@ __git_clone_and_checkout() { fi __SALT_GIT_CHECKOUT_PARENT_DIR=$(dirname "${_SALT_GIT_CHECKOUT_DIR}" 2>/dev/null) - __SALT_GIT_CHECKOUT_PARENT_DIR="${__SALT_GIT_CHECKOUT_PARENT_DIR:-/tmp/git}" + __SALT_GIT_CHECKOUT_PARENT_DIR="${__SALT_GIT_CHECKOUT_PARENT_DIR:-${_TMP_DIR}/git}" __SALT_CHECKOUT_REPONAME="$(basename "${_SALT_GIT_CHECKOUT_DIR}" 2>/dev/null)" __SALT_CHECKOUT_REPONAME="${__SALT_CHECKOUT_REPONAME:-salt}" [ -d "${__SALT_GIT_CHECKOUT_PARENT_DIR}" ] || mkdir "${__SALT_GIT_CHECKOUT_PARENT_DIR}" @@ -2162,7 +2173,7 @@ __git_clone_and_checkout() { if [ "$__SHALLOW_CLONE" -eq $BS_TRUE ]; then # Let's try 'treeless' cloning to speed up. Treeless cloning omits trees and blobs ('files') - # but includes metadata (commit history, tags, branches etc. + # but includes metadata (commit history, tags, branches etc. # Test for "--filter" option introduced in git 2.19, the minimal version of git where the treeless # cloning we need actually works if [ "$(git clone 2>&1 | grep 'filter')" != "" ]; then @@ -2390,14 +2401,14 @@ __overwriteconfig() { # Make a tempfile to dump any python errors into. if __check_command_exists mktemp; then - tempfile="$(mktemp /tmp/salt-config-XXXXXXXX 2>/dev/null)" + tempfile="$(mktemp ${_TMP_DIR}/salt-config-XXXXXXXX 2>/dev/null)" if [ -z "$tempfile" ]; then - echoerror "Failed to create temporary file in /tmp" + echoerror "Failed to create temporary file in ${_TMP_DIR}" return 1 fi else - tempfile="/tmp/salt-config-$$" + tempfile="${_TMP_DIR}/salt-config-$$" fi if [ -n "$_PY_EXE" ]; then @@ -2760,8 +2771,8 @@ __install_salt_from_repo() { echoinfo "Installing salt using ${_py_exe}, $(${_py_exe} --version)" cd "${_SALT_GIT_CHECKOUT_DIR}" || return 1 - mkdir -p /tmp/git/deps - echodebug "Created directory /tmp/git/deps" + mkdir -p ${_TMP_DIR}/git/deps + echodebug "Created directory ${_TMP_DIR}/git/deps" if [ ${DISTRO_NAME_L} = "ubuntu" ] && [ "$DISTRO_MAJOR_VERSION" -eq 22 ]; then echodebug "Ubuntu 22.04 has problem with base.txt requirements file, not parsing sys_platform == 'win32', upgrading from default pip works" @@ -2774,7 +2785,7 @@ __install_salt_from_repo() { fi fi - rm -f /tmp/git/deps/* + rm -f ${_TMP_DIR}/git/deps/* echodebug "Installing Salt requirements from PyPi, ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --ignore-installed ${_PIP_INSTALL_ARGS} -r requirements/static/ci/py${_py_version}/linux.txt" ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --ignore-installed ${_PIP_INSTALL_ARGS} -r "requirements/static/ci/py${_py_version}/linux.txt" @@ -2799,7 +2810,7 @@ __install_salt_from_repo() { echodebug "Running '${_py_exe} setup.py --salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} bdist_wheel'" ${_py_exe} setup.py --salt-config-dir="$_SALT_ETC_DIR" --salt-cache-dir="${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" bdist_wheel || return 1 - mv dist/salt*.whl /tmp/git/deps/ || return 1 + mv dist/salt*.whl ${_TMP_DIR}/git/deps/ || return 1 cd "${__SALT_GIT_CHECKOUT_PARENT_DIR}" || return 1 @@ -2813,14 +2824,14 @@ __install_salt_from_repo() { ${_pip_cmd} install --force-reinstall --break-system-packages "${_arch_dep}" fi - echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} /tmp/git/deps/salt*.whl'" + echodebug "Running '${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl'" - echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} /tmp/git/deps/salt*.whl" + echodebug "Running ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall ${_PIP_INSTALL_ARGS} --global-option=--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS} ${_TMP_DIR}/git/deps/salt*.whl" ${_pip_cmd} install ${_USE_BREAK_SYSTEM_PACKAGES} --no-deps --force-reinstall \ ${_PIP_INSTALL_ARGS} \ --global-option="--salt-config-dir=$_SALT_ETC_DIR --salt-cache-dir=${_SALT_CACHE_DIR} ${SETUP_PY_INSTALL_ARGS}" \ - /tmp/git/deps/salt*.whl || return 1 + ${_TMP_DIR}/git/deps/salt*.whl || return 1 echoinfo "Checking if Salt can be imported using ${_py_exe}" CHECK_SALT_SCRIPT=$(cat << EOM @@ -7797,7 +7808,7 @@ install_macosx_git_deps() { export PATH=/usr/local/bin:$PATH fi - __fetch_url "/tmp/get-pip.py" "https://bootstrap.pypa.io/get-pip.py" || return 1 + __fetch_url "${_TMP_DIR}/get-pip.py" "https://bootstrap.pypa.io/get-pip.py" || return 1 if [ -n "$_PY_EXE" ]; then _PYEXE="${_PY_EXE}" @@ -7807,7 +7818,7 @@ install_macosx_git_deps() { fi # Install PIP - $_PYEXE /tmp/get-pip.py || return 1 + $_PYEXE ${_TMP_DIR}/get-pip.py || return 1 # shellcheck disable=SC2119 __git_clone_and_checkout || return 1 @@ -7819,9 +7830,9 @@ install_macosx_stable() { install_macosx_stable_deps || return 1 - __fetch_url "/tmp/${PKG}" "${SALTPKGCONFURL}" || return 1 + __fetch_url "${_TMP_DIR}/${PKG}" "${SALTPKGCONFURL}" || return 1 - /usr/sbin/installer -pkg "/tmp/${PKG}" -target / || return 1 + /usr/sbin/installer -pkg "${_TMP_DIR}/${PKG}" -target / || return 1 return 0 } @@ -7830,9 +7841,9 @@ install_macosx_onedir() { install_macosx_onedir_deps || return 1 - __fetch_url "/tmp/${PKG}" "${SALTPKGCONFURL}" || return 1 + __fetch_url "${_TMP_DIR}/${PKG}" "${SALTPKGCONFURL}" || return 1 - /usr/sbin/installer -pkg "/tmp/${PKG}" -target / || return 1 + /usr/sbin/installer -pkg "${_TMP_DIR}/${PKG}" -target / || return 1 return 0 }