Salt: [BUG] Centos 8: Adding root user to group with group.present gives false failure

Created on 14 Sep 2020 · 2 Comments · Source: saltstack/salt

Description
When creating a group and adding users with group.present if the user root is added Salt reports a false failure.

In my project I have a salt state that creates a group and adds an existing user and root to the group. Upon applying the salt state it fails at that specific state, stopping any other states that rely on it from running. However, if I look at /etc/group I can see the group and the correct users.

Setup
I have been able to replicate this with minimal config needed.

```yaml
# top.sls
base:
  '*':
    - addUser
    - addGroup
```

```yaml
# addUser.sls
test:
  user.present:
    - fullname: test user
    - home: /home/test

test2:
  user.present:
    - fullname: test2 user
    - home: /home/test2
```

```yaml
# addGroup.sls
Backup users:
  group.present:
    - name: testgroup
    - addusers:
      - test
      - test2
      - root  # leaving this line out will let the state succeed, adding it will cause a false fail.
```

I am using a masterless set up with Vagrant handling the creation of the Centos 8 VM.

Steps to Reproduce the behavior
Run the Salt state either manually or using Vagrant.

Screenshots
I don't have screenshots, but this is the output I get when I run the state Backup Users manually using -ldebug. This was run after the users were created.

```
*SNIP*
[DEBUG   ] LazyLoaded config.option
[DEBUG   ] LazyLoaded group.present
[INFO    ] Running state [testgroup] at time 05:14:04.441145
[INFO    ] Executing state group.present for [testgroup]
[DEBUG   ] LazyLoaded group.info
[DEBUG   ] LazyLoaded cmd.retcode
[INFO    ] Executing command ['gpasswd', '--members', 'test,test2,root', 'testgroup'] in directory '/root'
[DEBUG   ] LazyLoaded test.ping
[ERROR   ] {'Failed': {'members': ['test', 'test2', 'root']}}
[INFO    ] Completed state [testgroup] at time 05:14:04.823030 (duration_in_ms=381.883)
[DEBUG   ] File /var/cache/salt/minion/accumulator/140649583073656 does not exist, no need to cleanup
[DEBUG   ] LazyLoaded state.check_result
[DEBUG   ] LazyLoaded highstate.output
[DEBUG   ] LazyLoaded nested.output
local:
----------
          ID: Backup users
    Function: group.present
        Name: testgroup
      Result: False
     Comment: The following group attributes are set to be changed:
              members: ['test', 'test2', 'root']
              Some changes could not be applied
     Started: 05:14:04.441147
    Duration: 381.883 ms
     Changes:   
              ----------
              Failed:
                  ----------
                  members:
                      - test
                      - test2
                      - root

Summary for local
------------
Succeeded: 0 (changed=1)
Failed:    1
------------
Total states run:     1
Total run time: 381.883 ms
```

The final line of /etc/group:

```
testgroup:x:1003:test,test2,root
```

Versions Report

salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)

```
Salt Version:
           Salt: 3001

Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: 2.6.1
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
         Jinja2: 2.11.2
        libgit2: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.6.2
   mysql-python: Not Installed
      pycparser: 2.14
       pycrypto: Not Installed
   pycryptodome: 3.9.8
         pygit2: Not Installed
         Python: 3.6.8 (default, Apr 16 2020, 01:36:27)
   python-gnupg: Not Installed
         PyYAML: 5.3.1
          PyZMQ: 19.0.2
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.2

System Versions:
           dist: centos 8 Core
         locale: UTF-8
        machine: x86_64
        release: 4.18.0-193.14.2.el8_2.x86_64
         system: Linux
        version: CentOS Linux 8 Core
```

Bug Confirmed severity-medium

All 2 comments

@lmeerwood Thank you for reporting this issue.

I am seeing the same thing in my environment.

Thanks.

Hi,

The change is correctly applied by the groupadd module, but it fails when verified by the group state; the verification of group membership misses the root user.

This is due to an upstream bug in sssd that filters out the root user and group. The operating system getent also doesn't return the root user:

```
[root@li529-177 modules]# getent group testegroup
testegroup:x:1003:teste1,teste2
[root@li529-177 modules]# grep testegroup /etc/group
testegroup:x:1003:teste1,teste2,root
```

The default nsswitch.conf in CentOS8 first uses sssd and then the system files. The workaround indicated here is to swap "sss files" to "files sss":

```
[root@li529-177 modules]# grep ^group /etc/nsswitch.conf
group:      files sss systemd
[root@li529-177 modules]# getent group testegroup
testegroup:x:1003:teste1,teste2,root
```

After that change in nsswitch.conf, the state runs as expected:

```
local:
----------
          ID: teste1
    Function: user.present
      Result: True
     Comment: User teste1 is present and up to date
     Started: 13:51:13.673390
    Duration: 39.782 ms
     Changes:   
----------
          ID: teste2
    Function: user.present
      Result: True
     Comment: User teste2 is present and up to date
     Started: 13:51:13.713494
    Duration: 5.356 ms
     Changes:   
----------
          ID: Backup_users
    Function: group.present
        Name: testegroup
      Result: True
     Comment: The following group attributes are set to be changed:
              addusers: ['teste2', 'root']
     Started: 13:51:13.719809
    Duration: 663.696 ms
     Changes:   
              ----------
              Final:
                  All changes applied successfully

Summary for local
------------
Succeeded: 3 (changed=1)
Failed:    0
------------
Total states run:     3
Total run time: 708.834 ms
```
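
An added example, not part of the original issue or of Salt's code: a small Python check for the mismatch described in the comment above. It compares the members written in /etc/group with what NSS returns (what getent prints) and reports whether `sss` is consulted before `files`. The function names, the sample strings and the sss-first nsswitch line are constructed for illustration.

```python
# Constructed sample inputs, modelled on the output quoted in the comment above.
GROUP_FILE = "testegroup:x:1003:teste1,teste2,root\n"
NSSWITCH_SSS_FIRST = "group:      sss files systemd\n"    # assumed default order
NSSWITCH_FILES_FIRST = "group:      files sss systemd\n"  # after the workaround


def file_members(group_text, group):
    """Members of `group` as written in /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == group:
            return [m for m in fields[3].split(",") if m]
    raise KeyError(group)


def group_sources(nsswitch_text):
    """Ordered lookup sources from the 'group:' line of nsswitch.conf."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("group:"):
            # Skip action items such as [NOTFOUND=return].
            tokens = line[len("group:"):].split()
            return [t for t in tokens if not t.startswith("[")]
    return []


def audit_group(group, group_text, nsswitch_text, nss_members=None):
    """Compare /etc/group with what NSS returns for the same group."""
    if nss_members is None:
        import grp  # live lookup through NSS, Unix only
        nss_members = grp.getgrnam(group).gr_mem
    sources = group_sources(nsswitch_text)
    sss_first = "sss" in sources and (
        "files" not in sources
        or sources.index("sss") < sources.index("files"))
    missing = sorted(set(file_members(group_text, group)) - set(nss_members))
    return {"sources": sources, "sss_first": sss_first,
            "missing_from_nss": missing}


if __name__ == "__main__":
    # NSS answers are passed in explicitly so the example runs offline.
    print(audit_group("testegroup", GROUP_FILE, NSSWITCH_SSS_FIRST,
                      ["teste1", "teste2"]))
    print(audit_group("testegroup", GROUP_FILE, NSSWITCH_FILES_FIRST,
                      ["teste1", "teste2", "root"]))
```

On a live host, pass the contents of /etc/group and /etc/nsswitch.conf and leave `nss_members` unset so the lookup goes through NSS.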