corpix/saltmaster-base-Dockerfile

## saltmaster-base-Dockerfile
FROM stackbrew/ubuntu:saucy

RUN apt-get update
RUN apt-get install -y --force-yes \
        software-properties-common \
        pciutils \
        debconf-utils
RUN add-apt-repository -y ppa:saltstack/salt

RUN apt-get update
# Make sure, the Salt installation succeeds, although it can't find any running Upstart
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN ln -sf /bin/true /sbin/initctl
RUN apt-get install -y --force-yes \
        salt-common \
        salt-master \
        python-pip \
        python-cherrypy3 \
        python-ldap \
        python-git
RUN pip install -U halite

# SSH identity for accessing the git repository for saltmaster's gitfs
ADD id_rsa /root/.ssh/id_rsa
ADD id_rsa.pub /root/.ssh/id_rsa.pub
ADD known_hosts /root/.ssh/known_hosts

ENV HOME /root
WORKDIR /root

## saltmaster-daemon-Dockerfile
FROM dep/saltmaster-base

ADD external_auth.conf /etc/salt/master.d/external_auth.conf
ADD fileserver.conf /etc/salt/master.d/fileserver.conf
ADD halite.conf /etc/salt/master.d/halite.conf
ADD https://raw.github.com/eliasp/salt/auth-ldap/salt/auth/ldap.py /usr/share/pyshared/salt/auth/ldap.py

EXPOSE 4505 4506 8080

VOLUME /etc/salt
VOLUME /var/cache/salt/master
VOLUME /run/salt/master
VOLUME /srv/salt

RUN mkdir -p /var/cache/salt/master/gitfs

ENV HOME /root

# Using CMD instead of ENTRYPOINT allows overwriting the log-level in cases where manual debugging of the saltmaster daemon is required
CMD ["/usr/bin/salt-master", "-l", "info"]

## saltmaster-daemon-external_auth.conf
external_auth:
  pam:
    salt:
      - .*
      - '@runner'
      - '@wheel'
  ldap:
    # As long as there's no group support for external auth ACLs (https://github.com/saltstack/salt/issues/3238),
    # the IT staff members need to be listed individually
    it-user-001:
      - .*
    it-user-002:
      - .*

# Requires LDAP SRV lookup implementation in salt/auth/ldap.py
#auth.ldap.uri: "ldap:///dc=institution,dc=tld"
auth.ldap.uri: "ldap://dc01.institution.tld"
auth.ldap.binddn: "{{ username }}@institution.tld"

## saltmaster-daemon-fileserver.conf
fileserver_backend:
  - roots
  - git

file_roots:
  base:
    - /srv/salt/roots/base
  dev:
    - /srv/salt/roots/dev

gitfs_remotes:
  - git@git.dep.institution.tld:salt-states.git

## saltmaster-daemon-halite.conf
halite:
  # Needs to be changed before being used in production
  level: 'debug'
  server: 'cherrypy'
  host: '0.0.0.0'
  port: '8080'
  cors: False
  # Needs to be changed before being used in production
  tls: False

## saltmaster-shell-Dockerfile
FROM dep/saltmaster-base

RUN apt-get install -y --force-yes vim git openssh-client
# Workaround for https://github.com/saltstack/salt/issues/8009
ADD local-salt.conf /root/.salt

ENV HOME /root

CMD ["/bin/bash"]

## saltmaster-shell-local-salt.conf
# to be removed once https://github.com/saltstack/salt/issues/8009 is fixed
interface: IP.of.the.saltmaster
	FROM stackbrew/ubuntu:saucy

	RUN apt-get update
	RUN apt-get install -y --force-yes \
	software-properties-common \
	pciutils \
	debconf-utils
	RUN add-apt-repository -y ppa:saltstack/salt

	RUN apt-get update
	# Make sure, the Salt installation succeeds, although it can't find any running Upstart
	RUN dpkg-divert --local --rename --add /sbin/initctl
	RUN ln -sf /bin/true /sbin/initctl
	RUN apt-get install -y --force-yes \
	salt-common \
	salt-master \
	python-pip \
	python-cherrypy3 \
	python-ldap \
	python-git
	RUN pip install -U halite

	# SSH identity for accessing the git repository for saltmaster's gitfs
	ADD id_rsa /root/.ssh/id_rsa
	ADD id_rsa.pub /root/.ssh/id_rsa.pub
	ADD known_hosts /root/.ssh/known_hosts

	ENV HOME /root
	WORKDIR /root
	FROM dep/saltmaster-base

	ADD external_auth.conf /etc/salt/master.d/external_auth.conf
	ADD fileserver.conf /etc/salt/master.d/fileserver.conf
	ADD halite.conf /etc/salt/master.d/halite.conf
	ADD https://raw.github.com/eliasp/salt/auth-ldap/salt/auth/ldap.py /usr/share/pyshared/salt/auth/ldap.py

	EXPOSE 4505 4506 8080

	VOLUME /etc/salt
	VOLUME /var/cache/salt/master
	VOLUME /run/salt/master
	VOLUME /srv/salt

	RUN mkdir -p /var/cache/salt/master/gitfs

	ENV HOME /root

	# Using CMD instead of ENTRYPOINT allows overwriting the log-level in cases where manual debugging of the saltmaster daemon is required
	CMD ["/usr/bin/salt-master", "-l", "info"]
	external_auth:
	pam:
	salt:
	- .*
	- '@runner'
	- '@wheel'
	ldap:
	# As long as there's no group support for external auth ACLs (https://github.com/saltstack/salt/issues/3238),
	# the IT staff members need to be listed individually
	it-user-001:
	- .*
	it-user-002:
	- .*

	# Requires LDAP SRV lookup implementation in salt/auth/ldap.py
	#auth.ldap.uri: "ldap:///dc=institution,dc=tld"
	auth.ldap.uri: "ldap://dc01.institution.tld"
	auth.ldap.binddn: "{{ username }}@institution.tld"
	fileserver_backend:
	- roots
	- git

	file_roots:
	base:
	- /srv/salt/roots/base
	dev:
	- /srv/salt/roots/dev

	gitfs_remotes:
	- git@git.dep.institution.tld:salt-states.git
	halite:
	# Needs to be changed before being used in production
	level: 'debug'
	server: 'cherrypy'
	host: '0.0.0.0'
	port: '8080'
	cors: False
	# Needs to be changed before being used in production
	tls: False
	FROM dep/saltmaster-base

	RUN apt-get install -y --force-yes vim git openssh-client
	# Workaround for https://github.com/saltstack/salt/issues/8009
	ADD local-salt.conf /root/.salt

	ENV HOME /root

	CMD ["/bin/bash"]
	# to be removed once https://github.com/saltstack/salt/issues/8009 is fixed
	interface: IP.of.the.saltmaster