Merge pull request #394 from cdalvaro/upgrade/sts/3008.0

3008.0 STS

Author: cdalvaro

CHANGELOG.md

@@ -4,6 +4,21 @@ This file only reflects the changes that are made in this image.
 Please refer to the [Salt 3007.14 Release Notes](https://docs.saltstack.com/en/latest/topics/releases/3007.14.html)
 for the list of changes in SaltStack.
 
+**3008.0**
+
+- Update `salt-master` to `3008.0` _Chlorine_.
+
+**3008.0rc4**
+
+- Update `salt-master` to `3008.0rc4` _Chlorine_.
+
+**3008.0rc3**
+
+- Update `salt-master` to `3008.0rc3` _Chlorine_.
+- Change Docker base image to `ubuntu:resolute-20260413`.
+- Install `libgit2-dev 1.9.1` from apt as a build dependency to support `pygit2 1.19.2`.
+- Dearmor Salt GPG key for APT compatibility.
+
 **3006.25**
 
 - Update `salt-master` to `3006.25` _Sulfur_.

Dockerfile

@@ -1,4 +1,4 @@
-FROM public.ecr.aws/docker/library/ubuntu:noble-20260113
+FROM public.ecr.aws/docker/library/ubuntu:resolute-20260413
 
 ARG SALT_VERSION
 ARG BUILD_DATE
@@ -32,7 +32,7 @@ WORKDIR ${SALT_BUILD_DIR}
 # hadolint ignore=DL3008
 RUN apt-get update \
   && DEBIAN_FRONTEND=noninteractive apt-get install --yes --quiet --no-install-recommends \
-  sudo ca-certificates apt-transport-https wget locales openssh-client gpg gpg-agent \
+  sudo ca-certificates apt-transport-https wget locales openssh-client gpg gpg-agent openssl \
   supervisor logrotate git gettext-base tzdata inotify-tools psmisc \
   && DEBIAN_FRONTEND=noninteractive update-locale LANG=C.UTF-8 LC_MESSAGES=POSIX \
   locale-gen en_US.UTF-8 \
@@ -74,7 +74,7 @@ LABEL org.opencontainers.image.vendor="cdalvaro"
 LABEL org.opencontainers.image.created="${BUILD_DATE}"
 LABEL org.opencontainers.image.version="${IMAGE_VERSION}"
 LABEL org.opencontainers.image.revision="${VCS_REF}"
-LABEL org.opencontainers.image.base.name="public.ecr.aws/docker/library/ubuntu:noble-20260113"
+LABEL org.opencontainers.image.base.name="public.ecr.aws/docker/library/ubuntu:resolute-20260413"
 LABEL org.opencontainers.image.licenses="MIT"
 
 ENTRYPOINT [ "/sbin/entrypoint.sh" ]

README.md

@@ -9,7 +9,7 @@
 <p align="center">
   <a href="https://docs.saltproject.io/en/latest/topics/releases/3007.14.html"><img alt="Salt Project" src="https://img.shields.io/badge/salt-3007.14%20sts-57BCAD.svg?logo=SaltProject"/></a>
   <a href="https://docs.saltproject.io/en/3006/topics/releases/3006.25.html"><img alt="Salt Project" src="https://img.shields.io/badge/salt-3006.25%20lts-57BCAD.svg?logo=SaltProject"/></a>
-  <a href="https://gallery.ecr.aws/ubuntu/ubuntu"><img alt="Ubuntu Image" src="https://img.shields.io/badge/ubuntu-noble--20260113-E95420.svg?logo=Ubuntu"/></a>
+  <a href="https://gallery.ecr.aws/ubuntu/ubuntu"><img alt="Ubuntu Image" src="https://img.shields.io/badge/ubuntu-resolute--20260413-E95420.svg?logo=Ubuntu"/></a>
   <a href="https://hub.docker.com/repository/docker/cdalvaro/docker-salt-master/tags"><img alt="Docker Image Size" src="https://img.shields.io/docker/image-size/cdalvaro/docker-salt-master/latest?logo=docker&color=2496ED"/></a>
   <a href="https://github.com/users/cdalvaro/packages/container/package/docker-salt-master"><img alt="Architecture AMD64" src="https://img.shields.io/badge/arch-amd64-inactive.svg"/></a>
   <a href="https://github.com/users/cdalvaro/packages/container/package/docker-salt-master"><img alt="Architecture ARM64" src="https://img.shields.io/badge/arch-arm64-inactive.svg"/></a>
@@ -250,6 +250,40 @@ Where `XXXXX` is a random code to avoid possible collisions with previous genera
 
 #### Working with Secrets
 
+> [!IMPORTANT]
+> **Change introduced in 3008.0 — please read if you use secrets.**
+>
+> Up to Salt 3007, master keys provided via secrets were **symlinked** into the
+> keys directory, so the private material never left `/run/secrets` even if the
+> whole keys volume was bind-mounted.
+>
+> Salt 3008.0 changed how the master loads its keys: the new `localfs_key`
+> cache driver **rejects symlinked key files**. To remain compatible, secret
+> keys are now **copied** into the keys directory (`/home/salt/data/keys`) as
+> regular files.
+>
+> **Consequence:** if you both provide keys via secrets **and** bind-mount the
+> full keys volume (`/home/salt/data/keys`), the master private key will be
+> **copied onto that persisted volume** and is therefore more exposed than
+> before. To keep the private material off persistent storage, when using
+> secrets it is **recommended to NOT bind-mount the whole keys volume**. Mount
+> only the minion key sub-directories you actually need to persist — usually
+> just the accepted minions:
+>
+> - `/home/salt/data/keys/minions` — accepted minion keys (most common)
+> - `/home/salt/data/keys/minions_rejected` — rejected minion keys (optional)
+> - `/home/salt/data/keys/minions_pre`, `minions_denied`, `minions_autosign` — optional
+>
+> These are bind-mounted directories (not symlinks), so Salt 3008.0 accepts
+> them while the master keys stay on the container's ephemeral layer, recreated
+> from the secrets on every start.
+>
+> **Migration / safety net:** on upgrade, any pre-existing **symlinked** master
+> key is automatically replaced by a copy of the secret. If a master key is
+> already present as a **regular file** (e.g. you mounted the full keys volume),
+> it is **not** overwritten: it is validated against the secret and, on
+> mismatch, a `WARN` is logged — the on-disk key wins and the secret is ignored.
+
 Master keys can be provided via Docker secrets. To do that, you have to set the following environment variable:
 
 - `SALT_MASTER_KEY_FILE`: The path to the master-key-pair {pem,pub} files without suffixes.
@@ -315,6 +349,17 @@ secrets:
     file: keys/master_pubkey_signature
 ```
 
+Note that the example above intentionally does **not** bind-mount the whole
+keys volume. To persist accepted minion keys across container recreation while
+keeping the master private key off persistent storage, mount only the minion
+sub-directory:
+
+```yml
+    volumes:
+      - ./config:/home/salt/data/config
+      - ./keys/minions:/home/salt/data/keys/minions
+```
+
 ### Salt API
 
 You can enable `salt-api` service by setting env variable `SALT_API_ENABLED` to `True`.

VERSION_STS

@@ -1 +1 @@
-3007.14
+3008.0

assets/build/functions.sh

@@ -136,10 +136,15 @@ function add_salt_repository() {
   local arch=amd64
   is_arm64 && arch=arm64
 
-  # Download public key
-  local keyring_file="/etc/apt/keyrings/salt-archive-keyring-2023.pgp"
+  # Download public key and dearmor it so APT can use it as a binary keyring
+  local keyring_file="/etc/apt/keyrings/salt-archive-keyring.gpg"
   local key_url="https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public"
-  download "${key_url}" "${keyring_file}"
+  local tmp_key
+  tmp_key=$(mktemp)
+  download "${key_url}" "${tmp_key}"
+  gpg --dearmor < "${tmp_key}" > "${keyring_file}"
+  rm -f "${tmp_key}"
+  chmod 644 "${keyring_file}"
 
   # Create apt repo target configuration
   local target_url="https://packages.broadcom.com/artifactory/saltproject-deb/"

assets/build/install.sh

@@ -12,11 +12,11 @@ source "${FUNCTIONS_FILE}"
 
 log_info "Installing required packages and build dependencies ..."
 REQUIRED_PACKAGES=(
-  binutils patchelf libldap-common
+  binutils patchelf libldap-common libgit2-1.9
 )
 
 BUILD_DEPENDENCIES=(
-  gcc libsasl2-dev libldap2-dev
+  gcc libssl-dev libsasl2-dev libldap2-dev libgit2-dev
 )
 
 log_info "Adding salt repository..."
@@ -51,16 +51,14 @@ EOF
 # Install salt packages
 log_info "Installing salt packages ..."
 install_pkgs \
-  salt-common="${SALT_VERSION}" \
-  salt-master="${SALT_VERSION}" \
-  salt-minion="${SALT_VERSION}" \
-  salt-api="${SALT_VERSION}"
+  salt-common="${SALT_VERSION/rc/~rc}" \
+  salt-master="${SALT_VERSION/rc/~rc}" \
+  salt-minion="${SALT_VERSION/rc/~rc}" \
+  salt-api="${SALT_VERSION/rc/~rc}"
 
 # Install python packages
 log_info "Installing python packages ..."
-# FIXME: Downgrade to pip 22.3.1 for bug: https://github.com/saltstack/salt/issues/65025
-salt-pip install pip==22.3.1
-salt-pip install pygit2==1.18.2
+salt-pip install pygit2==1.19.2
 salt-pip install python-ldap
 
 # Configure ssh

assets/runtime/config/master.yml

@@ -6,6 +6,10 @@
 # after the comment then the value is presented as an example and is not the
 # default.
 
+# Explicitly declare the id for this master to ensure key files are always
+# named master.pem/master.pub regardless of the container hostname.
+id: master
+
 # The master will automatically include all config files from:
 default_include: {{SALT_CONFS_DIR}}/*.conf
 

assets/runtime/config/minion.yml

@@ -13,7 +13,7 @@ default_include: {{SALT_MINION_CONFS_DIR}}/*.conf
 
 # Set the location of the salt master server. If the master server cannot be
 # resolved, then the minion will fail to start.
-master: 0.0.0.0
+master: localhost
 
 # Set the port used by the master reply and authentication server.
 master_port: 4506

assets/runtime/env-defaults.sh

@@ -7,7 +7,7 @@ export DEBUG=${DEBUG:-False}
 export TIMEZONE=${TIMEZONE:-${TZ:-UTC}}
 
 #####            Salt API            #####
-export SALT_API_ENABLED=${SALT_API_ENABLED:False}
+export SALT_API_ENABLED=${SALT_API_ENABLED:-False}
 if [[ -z ${SALT_API_USER+x} ]]; then
   export SALT_API_USER=salt_api
 fi