[BUG] sls build module is broken when CMD base image matters

[fcayre]

Description
The sls_build module calls create with a cmd argument value equal to "sleep infinity". This cannot work for states which need a working daemon, e.g. postgres_user.present or postgres_database.present.

Setup

• Install onedir 3006.16 saltstack on a Debian Bookworm machine as described in https://docs.saltproject.io/salt/install-guide/en/latest/topics/install-by-operating-system/linux-deb.html

• Install saltext-dockermod with sudo /opt/saltstack/salt/bin/pip install git+https://github.com/salt-extensions/saltext-dockermod

• on-prem machine

• VM (Virtualbox, KVM, etc. please specify)

• VM running on a cloud service, please be explicit and add details

• container (Kubernetes, Docker, containerd, etc. please specify)

• or a combination, please be explicit

• jails if it is FreeBSD

• classic packaging

• onedir packaging

• used bootstrap to install

Steps to Reproduce the behavior

• write sls files:
  In /srv/salt/test.sls:

test:
  docker_image.present:
    - base: jgoerzen/debian-base-security:bookworm
    - name: test-image
    - tag: latest
    - sls: postgres

In /srv/salt/postgres.sls:

postgresql:
  pkg.installed

postgresql test user:
  postgres_user.present:
    - user: postgres
    - name: test
    - password: test

• apply the test state with sudo salt-call --local state.apply test

This results in an error "Failed to create user test" for state identifier "postgresql test user".

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Versions Report

salt --versions-report

Salt Version:
              Salt: 3006.16
 
Python Version:
            Python: 3.10.18 (main, Sep  5 2025, 22:48:51) [GCC 11.2.0]
 
Dependency Versions:
              cffi: 1.14.6
          cherrypy: 18.10.0
      cryptography: 42.0.5
          dateutil: 2.8.1
         docker-py: 7.1.0
             gitdb: Not Installed
         gitpython: Not Installed
            Jinja2: 3.1.6
           libgit2: Not Installed
      looseversion: 1.0.2
          M2Crypto: Not Installed
              Mako: Not Installed
           msgpack: 1.0.2
      msgpack-pure: Not Installed
      mysql-python: Not Installed
         packaging: 24.0
         pycparser: 2.21
          pycrypto: Not Installed
      pycryptodome: 3.19.1
            pygit2: Not Installed
      python-gnupg: 0.4.8
            PyYAML: 6.0.1
             PyZMQ: 23.2.0
            relenv: 0.20.6
             smmap: Not Installed
           timelib: 0.3.0
           Tornado: 4.5.3
               ZMQ: 4.3.4
 
Salt Extensions:
 saltext.dockermod: 0.1.dev326+gf35c7fcec
 
System Versions:
              dist: debian 12 bookworm
            locale: utf-8
           machine: x86_64
           release: 6.1.0-40-amd64
            system: Linux
           version: Debian GNU/Linux 12 bookworm

Additional context
For a description of base image "jgoerzen/debian-base-security:bookworm" see https://salsa.debian.org/jgoerzen/docker-debian-base-standard

As a summary, this image runs a script /usr/local/bin/boot-debian-base which starts systemd, which in turn is able to run the postgresql server once installed. This is required by the postgresql_user.present state.

The problems here are that:

1. postgresql_user.present crashes during the image build using the salt-created container because this container does not run with the required arguments documented in above page (environment variable DEBBASE_NO_STARTUP_APT, tmpfs /run and /run/lock, bind /sys/fs/cgroup:/sys/fs/cgroup:rw, cgroupns host and stop_signal: SIGRTMIN+3)
2. the cmd of the container is overriden by sleep infinity

The native docker_image.present state only passes saltenv, pillarenv and pillar arguments to sls_build, but this can be solved by a trivial patch, which solves point 1 above.

To solve point 2, the sls_build function of present module need a mecanism to leave cmd unchanged, which can be easily implemented with a non-breaking change (for instance interpreting cmd=None kwarg as a way to keep the original image CMD value untouched).

What do you think of this?

My opinion is that sls_build aims at being able to apply the same states in a docker container than on a bare metal computer. The images provided in jgoerzen/debian-base-security make docker containers look like complete systems, with running servers as required by a lot of states to work (postgres_user.present is illustrated here). So I think this bug is a major one and requires a fix.

I am new to contributing to saltstack and thus do not know how to contribute my (small) fixes, as they include a change in present module but also in salt's docker_image state. Any guidance welcome.

[fcayre]

Anyone here or should I consider this project as dead?