Saltstack Official Salt Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

f_defaults.conf 54KB

11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
8 vuotta sitten
11 vuotta sitten
Fixed pillar_roots generation for salt-master. With a simple pillar like this:: $ sudo salt-call --config-dir /srv/etc/bootstrap --pillar-root /srv/pillar pillar.get salt:pillar_roots local: ---------- base: - /srv/pillar This was generated in /etc/salt/master.d/f_defaults.conf:: # highstate format, and is generally just key/value pairs. pillar_roots:base:- /srv/pillar # Resulting in parse errors by salt:: $ sudo salt '*' state.highstate [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ This patch will fix it as such:: ID: salt-master Function: file.recurse Name: /etc/salt/master.d Result: True Comment: Recursively updated /etc/salt/master.d Started: 11:37:12.946823 Duration: 6255.296 ms Changes: ---------- /etc/salt/master.d/f_defaults.conf: ---------- diff: --- +++ @@ -528,7 +528,9 @@ # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. -pillar_roots:base:- /srv/pillar +pillar_roots: + base: + - /srv/pillar # Resulting in:: # highstate format, and is generally just key/value pairs. pillar_roots: base: - /srv/pillar #
9 vuotta sitten
Fixed pillar_roots generation for salt-master. With a simple pillar like this:: $ sudo salt-call --config-dir /srv/etc/bootstrap --pillar-root /srv/pillar pillar.get salt:pillar_roots local: ---------- base: - /srv/pillar This was generated in /etc/salt/master.d/f_defaults.conf:: # highstate format, and is generally just key/value pairs. pillar_roots:base:- /srv/pillar # Resulting in parse errors by salt:: $ sudo salt '*' state.highstate [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ This patch will fix it as such:: ID: salt-master Function: file.recurse Name: /etc/salt/master.d Result: True Comment: Recursively updated /etc/salt/master.d Started: 11:37:12.946823 Duration: 6255.296 ms Changes: ---------- /etc/salt/master.d/f_defaults.conf: ---------- diff: --- +++ @@ -528,7 +528,9 @@ # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. -pillar_roots:base:- /srv/pillar +pillar_roots: + base: + - /srv/pillar # Resulting in:: # highstate format, and is generally just key/value pairs. pillar_roots: base: - /srv/pillar #
9 vuotta sitten
Fixed pillar_roots generation for salt-master. With a simple pillar like this:: $ sudo salt-call --config-dir /srv/etc/bootstrap --pillar-root /srv/pillar pillar.get salt:pillar_roots local: ---------- base: - /srv/pillar This was generated in /etc/salt/master.d/f_defaults.conf:: # highstate format, and is generally just key/value pairs. pillar_roots:base:- /srv/pillar # Resulting in parse errors by salt:: $ sudo salt '*' state.highstate [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ This patch will fix it as such:: ID: salt-master Function: file.recurse Name: /etc/salt/master.d Result: True Comment: Recursively updated /etc/salt/master.d Started: 11:37:12.946823 Duration: 6255.296 ms Changes: ---------- /etc/salt/master.d/f_defaults.conf: ---------- diff: --- +++ @@ -528,7 +528,9 @@ # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. -pillar_roots:base:- /srv/pillar +pillar_roots: + base: + - /srv/pillar # Resulting in:: # highstate format, and is generally just key/value pairs. pillar_roots: base: - /srv/pillar #
9 vuotta sitten
11 vuotta sitten
9 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
11 vuotta sitten
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450
  1. # This file managed by Salt, do not edit by hand!!
  2. # Based on salt version 2015.8.7 default config
  3. {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs'] -%}
  4. {% set cfg_salt = pillar.get('salt', {}) -%}
  5. {% set cfg_master = cfg_salt.get('master', {}) -%}
  6. {%- macro get_config(configname, default_value) -%}
  7. {%- if configname in cfg_master -%}
  8. {{ configname }}: {{ cfg_master[configname]|json }}
  9. {%- elif configname in cfg_salt and configname not in reserved_keys -%}
  10. {{ configname }}: {{ cfg_salt[configname]|json }}
  11. {%- else -%}
  12. #{{ configname }}: {{ default_value|json }}
  13. {%- endif -%}
  14. {%- endmacro -%}
  15. {%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
  16. ##### Primary configuration settings #####
  17. ##########################################
  18. # This configuration file is used to manage the behavior of the Salt Master.
  19. # Values that are commented out but have an empty line after the comment are
  20. # defaults that do not need to be set in the config. If there is no blank line
  21. # after the comment then the value is presented as an example and is not the
  22. # default.
  23. # Per default, the master will automatically include all config files
  24. # from master.d/*.conf (master.d is a directory in the same directory
  25. # as the main master config file).
  26. {{ get_config('default_include', 'master.d/*.conf') }}
  27. # The address of the interface to bind to:
  28. {{ get_config('interface', '0.0.0.0') }}
  29. # Whether the master should listen for IPv6 connections. If this is set to True,
  30. # the interface option must be adjusted, too. (For example: "interface: '::'")
  31. {{ get_config('ipv6', 'False') }}
  32. # The tcp port used by the publisher:
  33. {{ get_config('publish_port', '4505') }}
  34. # The user under which the salt master will run. Salt will update all
  35. # permissions to allow the specified user to run the master. The exception is
  36. # the job cache, which must be deleted if this user is changed. If the
  37. # modified files cause conflicts, set verify_env to False.
  38. {{ get_config('user', 'root') }}
  39. # The port used by the communication interface. The ret (return) port is the
  40. # interface used for the file server, authentication, job returns, etc.
  41. {{ get_config('ret_port', '4506') }}
  42. # Specify the location of the daemon process ID file:
  43. {{ get_config('pidfile', '/var/run/salt-master.pid') }}
  44. # The root directory prepended to these options: pki_dir, cachedir,
  45. # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
  46. # key_logfile, pidfile:
  47. {{ get_config('root_dir', '/') }}
  48. # Directory used to store public key data:
  49. {{ get_config('pki_dir', '/etc/salt/pki/master') }}
  50. # Directory to store job and cache data:
  51. # This directory may contain sensitive data and should be protected accordingly.
  52. #
  53. {{ get_config('cachedir', '/var/cache/salt/master') }}
  54. # Directory for custom modules. This directory can contain subdirectories for
  55. # each of Salt's module types such as "runners", "output", "wheel", "modules",
  56. # "states", "returners", etc.
  57. {{ get_config('extension_modules', '<no default>') }}
  58. # Directory for custom modules. This directory can contain subdirectories for
  59. # each of Salt's module types such as "runners", "output", "wheel", "modules",
  60. # "states", "returners", etc.
  61. # Like 'extension_modules' but can take an array of paths
  62. {% if 'module_dirs' in cfg_master -%}
  63. module_dirs:
  64. {%- for dir in cfg_master['module_dirs'] %}
  65. - {{ dir}}
  66. {%- endfor -%}
  67. {% elif 'module_dirs' in cfg_salt -%}
  68. module_dirs:
  69. {%- for dir in cfg_salt['module_dirs'] %}
  70. - {{ dir}}
  71. {%- endfor -%}
  72. {% else -%}
  73. #module_dirs: <no default>
  74. # - /var/cache/salt/minion/extmods
  75. {% endif %}
  76. # Verify and set permissions on configuration directories at startup:
  77. {{ get_config('verify_env', 'True') }}
  78. # Set the number of hours to keep old job information in the job cache:
  79. {{ get_config('keep_jobs', '24') }}
  80. # Set the default timeout for the salt command and api. The default is 5
  81. # seconds.
  82. {{ get_config('timeout', '5') }}
  83. # The loop_interval option controls the seconds for the master's maintenance
  84. # process check cycle. This process updates file server backends, cleans the
  85. # job cache and executes the scheduler.
  86. {{ get_config('loop_interval', '60') }}
  87. # Set the default outputter used by the salt command. The default is "nested".
  88. {{ get_config('output', 'nested') }}
  89. # Return minions that timeout when running commands like test.ping
  90. {{ get_config('show_timeout', 'True') }}
  91. # By default, output is colored. To disable colored output, set the color value
  92. # to False.
  93. {{ get_config('color', 'True') }}
  94. # Do not strip off the colored output from nested results and state outputs
  95. # (true by default).
  96. {{ get_config('strip_colors', 'False') }}
  97. # Set the directory used to hold unix sockets:
  98. {{ get_config('sock_dir', '/var/run/salt/master') }}
  99. # The master can take a while to start up when lspci and/or dmidecode is used
  100. # to populate the grains for the master. Enable if you want to see GPU hardware
  101. # data for your master.
  102. {{ get_config('enable_gpu_grains', 'False') }}
  103. # The master maintains a job cache. While this is a great addition, it can be
  104. # a burden on the master for larger deployments (over 5000 minions).
  105. # Disabling the job cache will make previously executed jobs unavailable to
  106. # the jobs system and is not generally recommended.
  107. {{ get_config('job_cache', 'True') }}
  108. # Cache minion grains and pillar data in the cachedir.
  109. {{ get_config('minion_data_cache', 'True') }}
  110. # Store all returns in the given returner.
  111. # Setting this option requires that any returner-specific configuration also
  112. # be set. See various returners in salt/returners for details on required
  113. # configuration values. (See also, event_return_queue below.)
  114. {{ get_config('event_return', 'mysql') }}
  115. # On busy systems, enabling event_returns can cause a considerable load on
  116. # the storage system for returners. Events can be queued on the master and
  117. # stored in a batched fashion using a single transaction for multiple events.
  118. # By default, events are not queued.
  119. {{ get_config('event_return_queue', '0') }}
  120. # Only events returns matching tags in a whitelist
  121. {% if 'event_return_whitelist' in cfg_master -%}
  122. event_return_whitelist:
  123. {%- for event_return in cfg_master['event_return_whitelist'] %}
  124. - {{ event_return }}
  125. {%- endfor -%}
  126. {% elif 'event_return_whitelist' in cfg_salt -%}
  127. event_return_whitelist:
  128. {%- for event_return in cfg_salt['event_return_whitelist'] %}
  129. - {{ event_return }}
  130. {%- endfor -%}
  131. {% else -%}
  132. # event_return_whitelist:
  133. # - salt/master/a_tag
  134. # - salt/master/another_tag
  135. {% endif %}
  136. # Store all event returns _except_ the tags in a blacklist
  137. {% if 'event_return_blacklist' in cfg_master -%}
  138. event_return_blacklist:
  139. {%- for event_return in cfg_master['event_return_blacklist'] %}
  140. - {{ event_return }}
  141. {%- endfor -%}
  142. {% elif 'event_return_blacklist' in cfg_salt -%}
  143. event_return_blacklist:
  144. {%- for event_return in cfg_salt['event_return_blacklist'] %}
  145. - {{ event_return }}
  146. {%- endfor -%}
  147. {% else -%}
  148. # event_return_blacklist:
  149. # - salt/master/not_this_tag
  150. # - salt/master/or_this_one
  151. {% endif %}
  152. # Passing very large events can cause the minion to consume large amounts of
  153. # memory. This value tunes the maximum size of a message allowed onto the
  154. # master event bus. The value is expressed in bytes.
  155. {{ get_config('max_event_size', '1048576') }}
  156. # By default, the master AES key rotates every 24 hours. The next command
  157. # following a key rotation will trigger a key refresh from the minion which may
  158. # result in minions which do not respond to the first command after a key refresh.
  159. #
  160. # To tell the master to ping all minions immediately after an AES key refresh, set
  161. # ping_on_rotate to True. This should mitigate the issue where a minion does not
  162. # appear to initially respond after a key is rotated.
  163. #
  164. # Note that ping_on_rotate may cause high load on the master immediately after
  165. # the key rotation event as minions reconnect. Consider this carefully if this
  166. # salt master is managing a large number of minions.
  167. #
  168. # If disabled, it is recommended to handle this event by listening for the
  169. # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
  170. {{ get_config('ping_on_rotate', 'False') }}
  171. # By default, the master deletes its cache of minion data when the key for that
  172. # minion is removed. To preserve the cache after key deletion, set
  173. # 'preserve_minion_cache' to True.
  174. #
  175. # WARNING: This may have security implications if compromised minions auth with
  176. # a previous deleted minion ID.
  177. {{ get_config('preserve_minion_cache', 'False') }}
  178. # If max_minions is used in large installations, the master might experience
  179. # high-load situations because of having to check the number of connected
  180. # minions for every authentication. This cache provides the minion-ids of
  181. # all connected minions to all MWorker-processes and greatly improves the
  182. # performance of max_minions.
  183. {{ get_config('con_cache', 'False') }}
  184. # The master can include configuration from other files. To enable this,
  185. # pass a list of paths to this option. The paths can be either relative or
  186. # absolute; if relative, they are considered to be relative to the directory
  187. # the main master configuration file lives in (this file). Paths can make use
  188. # of shell-style globbing. If no files are matched by a path passed to this
  189. # option, then the master will log a warning message.
  190. #
  191. # Include a config file from some other path:
  192. # include: /etc/salt/extra_config
  193. #
  194. # Include config from several files and directories:
  195. # include:
  196. # - /etc/salt/extra_config
  197. {{ get_config('include', '[]') }}
  198. ##### Large-scale tuning settings #####
  199. ##########################################
  200. # Max open files
  201. #
  202. # Each minion connecting to the master uses AT LEAST one file descriptor, the
  203. # master subscription connection. If enough minions connect you might start
  204. # seeing on the console (and then salt-master crashes):
  205. # Too many open files (tcp_listener.cpp:335)
  206. # Aborted (core dumped)
  207. #
  208. # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
  209. # max open files.
  210. #
  211. # If you wish to set a different value than the default one, uncomment and
  212. # configure this setting. Remember that this value CANNOT be higher than the
  213. # hard limit. Raising the hard limit depends on your OS and/or distribution,
  214. # a good way to find the limit is to search the internet. For example:
  215. # raise max open files hard limit debian
  216. #
  217. {{ get_config('max_open_files', '100000') }}
  218. # The number of worker threads to start. These threads are used to manage
  219. # return calls made from minions to the master. If the master seems to be
  220. # running slowly, increase the number of threads. This setting can not be
  221. # set lower than 3.
  222. {{ get_config('worker_threads', '5') }}
  223. # Set the ZeroMQ high water marks
  224. # http://api.zeromq.org/3-2:zmq-setsockopt
  225. # The publisher interface ZeroMQPubServerChannel
  226. {{ get_config('pub_hwm', '1000') }}
  227. # These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm
  228. # are significant for masters with thousands of minions. When these are
  229. # insufficiently high it will manifest in random responses missing in the CLI
  230. # and even missing from the job cache. Masters that have fast CPUs and many
  231. # cores with appropriate worker_threads will not need these set as high.
  232. # On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has
  233. # these settings:
  234. #
  235. # salt_event_pub_hwm: 128000
  236. # event_publisher_pub_hwm: 64000
  237. # ZMQ high-water-mark for SaltEvent pub socket
  238. {{ get_config('salt_event_pub_hwm', '20000') }}
  239. # ZMQ high-water-mark for EventPublisher pub socket
  240. {{ get_config('event_publisher_pub_hwm', '10000') }}
  241. ##### Security settings #####
  242. ##########################################
  243. # Enable "open mode", this mode still maintains encryption, but turns off
  244. # authentication, this is only intended for highly secure environments or for
  245. # the situation where your keys end up in a bad state. If you run in open mode
  246. # you do so at your own risk!
  247. {{ get_config('open_mode', 'False') }}
  248. # Enable auto_accept, this setting will automatically accept all incoming
  249. # public keys from the minions. Note that this is insecure.
  250. {{ get_config('auto_accept', 'False') }}
  251. # Time in minutes that a incoming public key with a matching name found in
  252. # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
  253. # are removed when the master checks the minion_autosign directory.
  254. # 0 equals no timeout
  255. {{ get_config('autosign_timeout', '120') }}
  256. # If the autosign_file is specified, incoming keys specified in the
  257. # autosign_file will be automatically accepted. This is insecure. Regular
  258. # expressions as well as globing lines are supported.
  259. {{ get_config('autosign_file', '/etc/salt/autosign.conf') }}
  260. # Works like autosign_file, but instead allows you to specify minion IDs for
  261. # which keys will automatically be rejected. Will override both membership in
  262. # the autosign_file and the auto_accept setting.
  263. {{ get_config('autoreject_file', '/etc/salt/autoreject.conf') }}
  264. # Enable permissive access to the salt keys. This allows you to run the
  265. # master or minion as root, but have a non-root group be given access to
  266. # your pki_dir. To make the access explicit, root must belong to the group
  267. # you've given access to. This is potentially quite insecure. If an autosign_file
  268. # is specified, enabling permissive_pki_access will allow group access to that
  269. # specific file.
  270. {{ get_config('permissive_pki_access', 'False') }}
  271. # Allow users on the master access to execute specific commands on minions.
  272. # This setting should be treated with care since it opens up execution
  273. # capabilities to non root users. By default this capability is completely
  274. # disabled.
  275. {% if 'client_acl' in cfg_master -%}
  276. client_acl:
  277. {%- for name, user in cfg_master['client_acl']|dictsort %}
  278. {{ name}}:
  279. {%- for command in user %}
  280. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  281. {%- endfor -%}
  282. {%- endfor -%}
  283. {% elif 'client_acl' in cfg_salt -%}
  284. client_acl:
  285. {%- for name, user in cfg_salt['client_acl']|dictsort %}
  286. {{ name }}:
  287. {%- for command in user %}
  288. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  289. {%- endfor -%}
  290. {%- endfor -%}
  291. {% else -%}
  292. #client_acl:
  293. # larry:
  294. # - test.ping
  295. # - network.*
  296. {%- endif %}
  297. # Blacklist any of the following users or modules
  298. #
  299. # This example would blacklist all non sudo users, including root from
  300. # running any commands. It would also blacklist any use of the "cmd"
  301. # module. This is completely disabled by default.
  302. {% if 'client_acl_blacklist' in cfg_master %}
  303. client_acl_blacklist:
  304. users:
  305. {% for user in cfg_master['client_acl_blacklist'].get('users', []) %}
  306. - {{ user }}
  307. {% endfor %}
  308. modules:
  309. {% for mod in cfg_master['client_acl_blacklist'].get('modules', []) %}
  310. - {{ mod }}
  311. {% endfor %}
  312. {% elif 'client_acl_blacklist' in cfg_salt %}
  313. client_acl_blacklist:
  314. users:
  315. {% for user in cfg_salt['client_acl_blacklist'].get('users', []) %}
  316. - {{ user }}
  317. {% endfor %}
  318. modules:
  319. {% for mod in cfg_salt['client_acl_blacklist'].get('modules', []) %}
  320. - {{ mod }}
  321. {% endfor %}
  322. {% else %}
  323. #client_acl_blacklist:
  324. # users:
  325. # - root
  326. # - '^(?!sudo_).*$' # all non sudo users
  327. # modules:
  328. # - cmd
  329. {% endif %}
  330. # Enforce client_acl & client_acl_blacklist when users have sudo
  331. # access to the salt command.
  332. {{ get_config('sudo_acl', 'False') }}
  333. # The external auth system uses the Salt auth modules to authenticate and
  334. # validate users to access areas of the Salt system.
  335. #external_auth:
  336. # pam:
  337. # fred:
  338. # - test.*
  339. {{ get_config('external_auth', '{}') }}
  340. # Time (in seconds) for a newly generated token to live. Default: 12 hours
  341. {{ get_config('token_expire', '43200') }}
  342. # Allow minions to push files to the master. This is disabled by default, for
  343. # security purposes.
  344. {{ get_config('file_recv', 'False') }}
  345. # Set a hard-limit on the size of the files that can be pushed to the master.
  346. # It will be interpreted as megabytes. Default: 100
  347. {{ get_config('file_recv_max_size', '100') }}
  348. # Signature verification on messages published from the master.
  349. # This causes the master to cryptographically sign all messages published to its event
  350. # bus, and minions then verify that signature before acting on the message.
  351. #
  352. # This is False by default.
  353. #
  354. # Note that to facilitate interoperability with masters and minions that are different
  355. # versions, if sign_pub_messages is True but a message is received by a minion with
  356. # no signature, it will still be accepted, and a warning message will be logged.
  357. # Conversely, if sign_pub_messages is False, but a minion receives a signed
  358. # message it will be accepted, the signature will not be checked, and a warning message
  359. # will be logged. This behavior went away in Salt 2014.1.0 and these two situations
  360. # will cause minion to throw an exception and drop the message.
  361. {{ get_config('sign_pub_message', 'False') }}
  362. # Sign the master auth-replies with a cryptographic signature of the masters public key.
  363. # Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
  364. {{ get_config('master_sign_pubkey', 'False') }}
  365. # The customizable name of the signing-key-pair without suffix.
  366. # master_sign_key_name: <filename_without_suffix>
  367. {{ get_config('master_sign', '{}') }}
  368. # The name of the file in the masters pki-directory that holds the pre-calculated
  369. # signature of the masters public-key.
  370. # master_pubkey_signature: <filename>
  371. {{ get_config('master_pubkey_signature', '{}') }}
  372. # Instead of computing the signature for each auth-reply, use a pre-calculated signature.
  373. # The master_pubkey_signature must also be set for this.
  374. {{ get_config('master_use_pubkey_signature', 'False') }}
  375. # Rotate the salt-masters AES-key when a minion-public is deleted with salt-key.
  376. # This is a very important security-setting. Disabling it will enable deleted minions to still
  377. # listen in on the messages published by the salt-master.
  378. # Do not disable this unless it is absolutely clear what this does.
  379. {{ get_config('rotate_aes_key', 'True') }}
  380. # Unique ID attribute name for the user. For Active Directory should be set
  381. # to 'sAMAccountName'. Default value is 'memberUid'.
  382. {{ get_config('auth.ldap.accountattributename', 'memberUid') }}
  383. # Set this to True if LDAP is Active Directory. Default is False
  384. {{ get_config('auth.ldap.activedirectory', False) }}
  385. # Bind to LDAP anonymously to determine group membership
  386. # Active Directory does not allow anonymous binds without special configuration
  387. {{ get_config('auth.ldap.anonymous', False) }}
  388. # The base DN under which users can be found in LDAP
  389. {{ get_config('auth.ldap.basedn', '') }}
  390. # The user Salt authenticates to search for a users' Distinguished Name and
  391. # group membership.
  392. {{ get_config('auth.ldap.binddn', '') }}
  393. # The bind password to go along with the bind dn (binddn).
  394. {{ get_config('auth.ldap.bindpw', '') }}
  395. # The filter used to find the DN associated with a user. For most LDAPs use
  396. # the value {% raw %}'uid={{ username }}'{% endraw %}. For Active Directory use the value
  397. # {% raw %}'sAMAccountName={{username}}'{% endraw %}.
  398. {{ get_config('auth.ldap.filter', '') }}
  399. # The attribute used for user group membership. Defaults to 'memberOf'
  400. {{ get_config('auth.ldap.groupattribute', 'memberOf') }}
  401. # LDAP group class. Use 'group' for Active Directory. Defaults to 'posixGroup'
  402. {{ get_config('auth.ldap.groupclass', 'posixGroup') }}
  403. # To specify an OU that contains group data. Not used for Active Directory
  404. # Default value: 'Groups'
  405. {{ get_config('auth.ldap.groupou', 'Groups') }}
  406. # Allows the administrator to strip off a certain set of domain names
  407. # so the hostnames looked up in the directory service can match the minion IDs.
  408. {{ get_config('auth.ldap.minion_stripdomains', []) }}
  409. # Verify server's TLS certificate. Default value: False
  410. {{ get_config('auth.ldap.no_verify', False) }}
  411. # Only for Active Directory. Default value: 'person'
  412. {{ get_config('auth.ldap.persontype', 'person') }}
  413. # Port to connect via. Default value: '389'
  414. {{ get_config('auth.ldap.port', '389') }}
  415. # LDAP scope level, almost always 2. Default value: 2
  416. {{ get_config('auth.ldap.scope', 2) }}
  417. # Server to auth against. Default value: 'localhost'
  418. {{ get_config('auth.ldap.server', 'localhost') }}
  419. # Use TLS when connecting. Default value: False
  420. {{ get_config('auth.ldap.tls', False) }}
  421. # Server specified in URI format. Overrides .ldap.server, .ldap.port,
  422. # .ldap.tls. Default value: ''
  423. {{ get_config('auth.ldap.uri', '') }}
  424. ##### Salt-SSH Configuration #####
  425. ##########################################
  426. # Pass in an alternative location for the salt-ssh roster file
  427. {{ get_config('roster_file', '/etc/salt/roster') }}
  428. # Pass in minion option overrides that will be inserted into the SHIM for
  429. # salt-ssh calls. The local minion config is not used for salt-ssh. Can be
  430. # overridden on a per-minion basis in the roster (`minion_opts`)
  431. #ssh_minion_opts:
  432. # gpg_keydir: /root/gpg
  433. {{ get_config('ssh_minion_opts', '{}') }}
  434. ##### Master Module Management #####
  435. ##########################################
  436. # Manage how master side modules are loaded.
  437. # Add any additional locations to look for master runners:
  438. {{ get_config('runner_dirs', '[]') }}
  439. # Enable Cython for master side modules:
  440. {{ get_config('cython_enable', 'False') }}
  441. ##### State System settings #####
  442. ##########################################
  443. # The state system uses a "top" file to tell the minions what environment to
  444. # use and what modules to use. The state_top file is defined relative to the
  445. # root of the base environment as defined in "File Server settings" below.
  446. {{ get_config('state_top', 'top.sls') }}
  447. # The master_tops option replaces the external_nodes option by creating
  448. # a plugable system for the generation of external top data. The external_nodes
  449. # option is deprecated by the master_tops option.
  450. #
  451. # To gain the capabilities of the classic external_nodes system, use the
  452. # following configuration:
  453. # master_tops:
  454. # ext_nodes: <Shell command which returns yaml>
  455. #
  456. #master_tops: {}
  457. {% if 'master_tops' in cfg_master %}
  458. master_tops:
  459. {%- for master in cfg_master['master_tops'] -%}
  460. {%- if cfg_master['master_tops'][master] is string %}
  461. {{ master }}: {{ cfg_master['master_tops'][master] }}
  462. {%- else %}
  463. {{ master}}:
  464. {%- for parameter in cfg_master['master_tops'][master] %}
  465. {{ parameter }}: {{ cfg_master['master_tops'][master][parameter] }}
  466. {%- endfor -%}
  467. {%- endif -%}
  468. {%- endfor %}
  469. {% endif %}
  470. # The external_nodes option allows Salt to gather data that would normally be
  471. # placed in a top file. The external_nodes option is the executable that will
  472. # return the ENC data. Remember that Salt will look for external nodes AND top
  473. # files and combine the results if both are enabled!
  474. {{ get_config('external_nodes', 'None') }}
  475. # The renderer to use on the minions to render the state data
  476. {{ get_config('renderer', 'yaml_jinja') }}
  477. # The Jinja renderer can strip extra carriage returns and whitespace
  478. # See http://jinja.pocoo.org/docs/api/#high-level-api
  479. #
  480. # If this is set to True the first newline after a Jinja block is removed
  481. # (block, not variable tag!). Defaults to False, corresponds to the Jinja
  482. # environment init variable "trim_blocks".
  483. {{ get_config('jinja_trim_blocks', 'False') }}
  484. # If this is set to True leading spaces and tabs are stripped from the start
  485. # of a line to a block. Defaults to False, corresponds to the Jinja
  486. # environment init variable "lstrip_blocks".
  487. {{ get_config('jinja_lstrip_blocks', 'False') }}
  488. # The failhard option tells the minions to stop immediately after the first
  489. # failure detected in the state execution, defaults to False
  490. {{ get_config('failhard', 'False') }}
  491. # The state_verbose and state_output settings can be used to change the way
  492. # state system data is printed to the display. By default all data is printed.
  493. # The state_verbose setting can be set to True or False, when set to False
  494. # all data that has a result of True and no changes will be suppressed.
  495. {{ get_config('state_verbose', 'True') }}
  496. # The state_output setting changes if the output is the full multi line
  497. # output for each changed state if set to 'full', but if set to 'terse'
  498. # the output will be shortened to a single line. If set to 'mixed', the output
  499. # will be terse unless a state failed, in which case that output will be full.
  500. # If set to 'changes', the output will be full unless the state didn't change.
  501. {{ get_config('state_output', 'full') }}
  502. # Automatically aggregate all states that have support for mod_aggregate by
  503. # setting to 'True'. Or pass a list of state module names to automatically
  504. # aggregate just those types.
  505. #
  506. # state_aggregate:
  507. # - pkg
  508. #
  509. #state_aggregate: False
  510. {{ get_config('state_aggregate', '{}') }}
  511. # Send progress events as each function in a state run completes execution
  512. # by setting to 'True'. Progress events are in the format
  513. # 'salt/job/<JID>/prog/<MID>/<RUN NUM>'.
  514. {{ get_config('state_events', 'False') }}
  515. # Enable extra routines for YAML renderer used states containing UTF characters.
  516. {{ get_config('yaml_utf8', 'False') }}
  517. ##### File Server settings #####
  518. ##########################################
  519. # Salt runs a lightweight file server written in zeromq to deliver files to
  520. # minions. This file server is built into the master daemon and does not
  521. # require a dedicated port.
  522. # The file server works on environments passed to the master, each environment
  523. # can have multiple root directories, the subdirectories in the multiple file
  524. # roots cannot match, otherwise the downloaded files will not be able to be
  525. # reliably ensured. A base environment is required to house the top file.
  526. # Example:
  527. # file_roots:
  528. # base:
  529. # - /srv/salt/
  530. # dev:
  531. # - /srv/salt/dev/services
  532. # - /srv/salt/dev/states
  533. # prod:
  534. # - /srv/salt/prod/services
  535. # - /srv/salt/prod/states
  536. #
  537. {% if 'file_roots' in cfg_master -%}
  538. {{ file_roots(cfg_master['file_roots']) }}
  539. {%- elif 'file_roots' in cfg_salt -%}
  540. {{ file_roots(cfg_salt['file_roots']) }}
  541. {%- elif formulas|length -%}
  542. {{ file_roots({'base': ['/srv/salt']}) }}
  543. {%- else -%}
  544. #file_roots:
  545. # base:
  546. # - /srv/salt
  547. {%- endif %}
  548. # When using multiple environments, each with their own top file, the
  549. # default behaviour is an unordered merge. To prevent top files from
  550. # being merged together and instead to only use the top file from the
  551. # requested environment, set this value to 'same'.
  552. {{ get_config('top_file_merging_strategy', 'merge') }}
  553. # To specify the order in which environments are merged, set the ordering
  554. # in the env_order option. Given a conflict, the last matching value will
  555. # win.
  556. {{ get_config('env_order', '["base", "dev", "prod"]') }}
  557. # If top_file_merging_strategy is set to 'same' and an environment does not
  558. # contain a top file, the top file in the environment specified by default_top
  559. # will be used instead.
  560. {{ get_config('default_top', 'base') }}
  561. # The hash_type is the hash to use when discovering the hash of a file on
  562. # the master server. The default is md5, but sha1, sha224, sha256, sha384
  563. # and sha512 are also supported.
  564. #
  565. # Prior to changing this value, the master should be stopped and all Salt
  566. # caches should be cleared.
  567. {{ get_config('hash_type', 'md5') }}
  568. # The buffer size in the file server can be adjusted here:
  569. {{ get_config('file_buffer_size', '1048576') }}
  570. # A regular expression (or a list of expressions) that will be matched
  571. # against the file path before syncing the modules and states to the minions.
  572. # This includes files affected by the file.recurse state.
  573. # For example, if you manage your custom modules and states in subversion
  574. # and don't want all the '.svn' folders and content synced to your minions,
  575. # you could set this to '/\.svn($|/)'. By default nothing is ignored.
  576. {% if 'file_ignore_regex' in cfg_master %}
  577. file_ignore_regex:
  578. {% for regex in cfg_master['file_ignore_regex'] %}
  579. - {{ regex }}
  580. {% endfor %}
  581. {% elif 'file_ignore_regex' in cfg_salt %}
  582. file_ignore_regex:
  583. {% for regex in cfg_salt['file_ignore_regex'] %}
  584. - {{ regex }}
  585. {% endfor %}
  586. {% else %}
  587. #file_ignore_regex:
  588. # - '/\.svn($|/)'
  589. # - '/\.git($|/)'
  590. {% endif %}
  591. # A file glob (or list of file globs) that will be matched against the file
  592. # path before syncing the modules and states to the minions. This is similar
  593. # to file_ignore_regex above, but works on globs instead of regex. By default
  594. # nothing is ignored.
  595. {% if 'file_ignore_glob' in cfg_master %}
  596. file_ignore_glob:
  597. {% for glob in cfg_master['file_ignore_glob'] %}
  598. - {{ glob }}
  599. {% endfor %}
  600. {% elif 'file_ignore_glob' in cfg_salt %}
  601. file_ignore_glob:
  602. {% for glob in cfg_salt['file_ignore_glob'] %}
  603. - {{ glob }}
  604. {% endfor %}
  605. {% else %}
  606. # file_ignore_glob:
  607. # - '*.pyc'
  608. # - '*/somefolder/*.bak'
  609. # - '*.swp'
  610. {% endif %}
  611. # File Server Backend
  612. #
  613. # Salt supports a modular fileserver backend system, this system allows
  614. # the salt master to link directly to third party systems to gather and
  615. # manage the files available to minions. Multiple backends can be
  616. # configured and will be searched for the requested file in the order in which
  617. # they are defined here. The default setting only enables the standard backend
  618. # "roots" which uses the "file_roots" option.
  619. #fileserver_backend:
  620. # - roots
  621. #
  622. # To use multiple backends list them in the order they are searched:
  623. #fileserver_backend:
  624. # - git
  625. # - roots
  626. {% if 'fileserver_backend' in cfg_master -%}
  627. fileserver_backend:
  628. {%- for backend in cfg_master['fileserver_backend'] %}
  629. - {{ backend }}
  630. {%- endfor -%}
  631. {%- endif %}
  632. # Uncomment the line below if you do not want the file_server to follow
  633. # symlinks when walking the filesystem tree. This is set to True
  634. # by default. Currently this only applies to the default roots
  635. # fileserver_backend.
  636. {{ get_config('fileserver_followsymlinks', 'False') }}
  637. # Uncomment the line below if you do not want symlinks to be
  638. # treated as the files they are pointing to. By default this is set to
  639. # False. By uncommenting the line below, any detected symlink while listing
  640. # files on the Master will not be returned to the Minion.
  641. {{ get_config('fileserver_ignoresymlinks', 'True') }}
  642. # By default, the Salt fileserver recurses fully into all defined environments
  643. # to attempt to find files. To limit this behavior so that the fileserver only
  644. # traverses directories with SLS files and special Salt directories like _modules,
  645. # enable the option below. This might be useful for installations where a file root
  646. # has a very large number of files and performance is impacted. Default is False.
  647. {{ get_config('fileserver_limit_traversal', 'False') }}
  648. # The fileserver can fire events off every time the fileserver is updated,
  649. # these are disabled by default, but can be easily turned on by setting this
  650. # flag to True
  651. {{ get_config('fileserver_events', 'False') }}
  652. # Git File Server Backend Configuration
  653. #
  654. # Optional parameter used to specify the provider to be used for gitfs. Must
  655. # be one of the following: pygit2, gitpython, or dulwich. If unset, then each
  656. # will be tried in that same order, and the first one with a compatible
  657. # version installed will be the provider that is used.
  658. {{ get_config('gitfs_provider', 'pygit2') }}
  659. # Along with gitfs_password, is used to authenticate to HTTPS remotes.
  660. {{ get_config('gitfs_user', 'git') }}
  661. # Along with gitfs_user, is used to authenticate to HTTPS remotes.
  662. # This parameter is not required if the repository does not use authentication.
  663. {{ get_config('gitfs_password', '') }}
  664. # By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
  665. # This parameter enables authentication over HTTP. Enable this at your own risk.
  666. {{ get_config('gitfs_insecure_auth', 'False') }}
  667. # Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
  668. # authenticate to SSH remotes. This parameter (or its per-remote counterpart)
  669. # is required for SSH remotes.
  670. {{ get_config('gitfs_pubkey', '') }}
  671. # Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
  672. # authenticate to SSH remotes. This parameter (or its per-remote counterpart)
  673. # is required for SSH remotes.
  674. {{ get_config('gitfs_privkey', '') }}
  675. # This parameter is optional, required only when the SSH key being used to
  676. # authenticate is protected by a passphrase.
  677. {{ get_config('gitfs_passphrase', '') }}
  678. # When using the git fileserver backend at least one git remote needs to be
  679. # defined. The user running the salt master will need read access to the repo.
  680. #
  681. # The repos will be searched in order to find the file requested by a client
  682. # and the first repo to have the file will return it.
  683. # When using the git backend branches and tags are translated into salt
  684. # environments.
  685. # Note: file:// repos will be treated as a remote, so refs you want used must
  686. # exist in that repo as *local* refs.
  687. {% if 'gitfs_remotes' in cfg_master -%}
  688. gitfs_remotes:
  689. {%- for remote in cfg_master['gitfs_remotes'] %}
  690. {%- if remote is iterable and remote is not string %}
  691. {%- for repo, children in remote.items() %}
  692. - {{ repo }}:
  693. {%- for child in children %}
  694. {%- for key, value in child.items() %}
  695. - {{ key }}: {{ value }}
  696. {%- endfor -%}
  697. {%- endfor -%}
  698. {%- endfor -%}
  699. {%- else %}
  700. - {{ remote }}
  701. {%- endif -%}
  702. {%- endfor -%}
  703. {%- endif %}
  704. #gitfs_remotes:
  705. # - git://github.com/saltstack/salt-states.git
  706. # - file:///var/git/saltmaster
  707. #
  708. # The gitfs_ssl_verify option specifies whether to ignore ssl certificate
  709. # errors when contacting the gitfs backend. You might want to set this to
  710. # false if you're using a git backend that uses a self-signed certificate but
  711. # keep in mind that setting this flag to anything other than the default of True
  712. # is a security concern, you may want to try using the ssh transport.
  713. {{ get_config('gitfs_ssl_verify', 'True') }}
  714. # The gitfs_root option gives the ability to serve files from a subdirectory
  715. # within the repository. The path is defined relative to the root of the
  716. # repository and defaults to the repository root.
  717. {{ get_config('gitfs_root', 'somefolder/otherfolder') }}
  718. # The gitfs_env_whitelist and gitfs_env_blacklist parameters allow for greater
  719. # control over which branches/tags are exposed as fileserver environments.
  720. {% if 'gitfs_env_whitelist' in cfg_master -%}
  721. gitfs_env_whitelist:
  722. {%- for git_env in cfg_master['gitfs_env_whitelist'] %}
  723. - {{ git_env }}
  724. {%- endfor -%}
  725. {% else -%}
  726. # gitfs_env_whitelist:
  727. # - base
  728. # - v1.*
  729. {% endif %}
  730. {% if 'gitfs_env_blacklist' in cfg_master -%}
  731. gitfs_env_blacklist:
  732. {%- for git_env in cfg_master['gitfs_env_blacklist'] %}
  733. - {{ git_env }}
  734. {%- endfor -%}
  735. {% else -%}
  736. # gitfs_env_blacklist:
  737. # - bug/*
  738. # - feature/*
  739. {% endif %}
  740. # S3 File Server Backend Configuration
  741. #
  742. # S3 credentials must be set in the master config file.
  743. # Alternatively, if on EC2 these credentials can be automatically
  744. # loaded from instance metadata.
  745. {% if 's3.keyid' in cfg_master -%}
  746. {{ get_config('s3.keyid', '<no default>') }}
  747. {{ get_config('s3.key', '<no default>') }}
  748. {% else -%}
  749. # s3.keyid: GKTADJGHEIQSXMKKRBJ08H
  750. # s3.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
  751. {% endif %}
  752. # This fileserver supports two modes of operation for the buckets:
  753. # - A single bucket per environment
  754. # - Multiple environments per bucket
  755. #
  756. # Note that bucket names must be all lowercase both in the AWS console
  757. # and in Salt, otherwise you may encounter SignatureDoesNotMatch
  758. # errors.
  759. #
  760. # A multiple-environment bucket must adhere to the following root
  761. # directory structure:
  762. #
  763. # s3://<bucket name>/<environment>/<files>
  764. #
  765. # This fileserver back-end requires the use of the MD5 hashing
  766. # algorithm. MD5 may not be compliant with all security policies.
  767. {% if 's3.buckets' in cfg_master -%}
  768. {{ get_config('s3.buckets', '<no default>') }}
  769. {% else -%}
  770. # s3.buckets: #single bucket per environment
  771. # production:
  772. # - bucket1
  773. # - bucket2
  774. # staging:
  775. # - bucket3
  776. # - bucket4
  777. #
  778. # s3.buckets: #multiple environments per bucket
  779. # - bucket1
  780. # - bucket2
  781. # - bucket3
  782. # - bucket4
  783. {% endif %}
  784. ##### Pillar settings #####
  785. ##########################################
  786. # Salt Pillars allow for the building of global data that can be made selectively
  787. # available to different minions based on minion grain filtering. The Salt
  788. # Pillar is laid out in the same fashion as the file server, with environments,
  789. # a top file and sls files. However, pillar data does not need to be in the
  790. # highstate format, and is generally just key/value pairs.
  791. {% if 'pillar_roots' in cfg_master -%}
  792. pillar_roots:
  793. {%- for name, roots in cfg_master['pillar_roots']|dictsort %}
  794. {{ name }}:
  795. {%- for dir in roots %}
  796. - {{ dir }}
  797. {%- endfor -%}
  798. {%- endfor -%}
  799. {% elif 'pillar_roots' in cfg_salt -%}
  800. pillar_roots:
  801. {%- for name, roots in cfg_salt['pillar_roots']|dictsort %}
  802. {{ name }}:
  803. {%- for dir in roots %}
  804. - {{ dir }}
  805. {%- endfor -%}
  806. {%- endfor -%}
  807. {%- else -%}
  808. #pillar_roots:
  809. # base:
  810. # - /srv/pillar
  811. {%- endif %}
  812. {% if 'ext_pillar' in cfg_master %}
  813. ext_pillar:
  814. {%- for pillar in cfg_master['ext_pillar'] -%}
  815. {%- for key in pillar -%}
  816. {%- if pillar[key] is string %}
  817. - {{ key }}: {{ pillar[key] }}
  818. {%- elif pillar[key] is iterable and pillar[key] is not mapping %}
  819. - {{ key }}:
  820. {%- for parameter in pillar[key] %}
  821. - {{ parameter }}
  822. {%- endfor -%}
  823. {%- elif pillar[key] is mapping and pillar[key] is not string %}
  824. - {{ key }}:
  825. {%- for parameter in pillar[key] %}
  826. {{ parameter }}: {{pillar[key][parameter]}}
  827. {%- endfor %}
  828. {%- else %}
  829. # Error in rendering {{ key }}, please read https://docs.saltstack.com/en/latest/topics/development/external_pillars.html#configuration
  830. {% endif %}
  831. {%- endfor -%}
  832. {%- endfor %}
  833. {% elif 'ext_pillar' in cfg_salt %}
  834. ext_pillar:
  835. {% for pillar in cfg_salt['ext_pillar'] %}
  836. - {{ pillar.items()[0][0] }}: {{ pillar.items()[0][1] }}
  837. {% endfor %}
  838. {% else %}
  839. #ext_pillar:
  840. # - hiera: /etc/hiera.yaml
  841. # - cmd_yaml: cat /etc/salt/yaml
  842. {% endif %}
  843. # The ext_pillar_first option allows for external pillar sources to populate
  844. # before file system pillar. This allows for targeting file system pillar from
  845. # ext_pillar.
  846. {{ get_config('ext_pillar_first', 'False') }}
  847. # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
  848. # errors when contacting the pillar gitfs backend. You might want to set this to
  849. # false if you're using a git backend that uses a self-signed certificate but
  850. # keep in mind that setting this flag to anything other than the default of True
  851. # is a security concern, you may want to try using the ssh transport.
  852. {{ get_config('pillar_gitfs_ssl_verify', 'True') }}
  853. # The pillar_opts option adds the master configuration file data to a dict in
  854. # the pillar called "master". This is used to set simple configurations in the
  855. # master config file that can then be used on minions.
  856. {{ get_config('pillar_opts', 'True') }}
  857. # The pillar_safe_render_error option prevents the master from passing pillar
  858. # render errors to the minion. This is set on by default because the error could
  859. # contain templating data which would give that minion information it shouldn't
  860. # have, like a password! When set true the error message will only show:
  861. # Rendering SLS 'my.sls' failed. Please see master log for details.
  862. {{ get_config('pillar_safe_render_error', 'True') }}
  863. # The pillar_source_merging_strategy option allows you to configure merging strategy
  864. # between different sources. It accepts four values: recurse, aggregate, overwrite,
  865. # or smart. Recurse will merge recursively mapping of data. Aggregate instructs
  866. # aggregation of elements between sources that use the #!yamlex renderer. Overwrite
  867. # will verwrite elements according the order in which they are processed. This is
  868. # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
  869. # on the "renderer" setting and is the default value.
  870. {{ get_config('pillar_source_merging_strategy', 'smart') }}
  871. # Recursively merge lists by aggregating them instead of replacing them.
  872. {{ get_config('pillar_merge_lists', False) }}
  873. # Git External Pillar (git_pillar) Configuration Options
  874. #
  875. # Specify the provider to be used for git_pillar. Must be either pygit2 or
  876. # gitpython. If unset, then both will be tried in that same order, and the
  877. # first one with a compatible version installed will be the provider that
  878. # is used.
  879. {{ get_config('git_pillar_provider', 'pygit2') }}
  880. # If the desired branch matches this value, and the environment is omitted
  881. # from the git_pillar configuration, then the environment for that git_pillar
  882. # remote will be base.
  883. {{ get_config('git_pillar_base', 'master') }}
  884. # If the branch is omitted from a git_pillar remote, then this branch will
  885. # be used instead.
  886. {{ get_config('git_pillar_branch', 'master') }}
  887. # Environment to use for git_pillar remotes. This is normally derived from
  888. # the branch/tag (or from a per-remote env parameter), but if set this will
  889. # override the process of deriving the env from the branch/tag name.
  890. {{ get_config('git_pillar_env', '') }}
  891. # Path relative to the root of the repository where the git_pillar top file
  892. # and SLS files are located.
  893. {{ get_config('git_pillar_root', 'pillar') }}
  894. # Specifies whether or not to ignore SSL certificate errors when contacting
  895. # the remote repository.
  896. {{ get_config('git_pillar_ssl_verify', True) }}
  897. # When set to False, if there is an update/checkout lock for a git_pillar
  898. # remote and the pid written to it is not running on the master, the lock
  899. # file will be automatically cleared and a new lock will be obtained.
  900. {{ get_config('git_pillar_global_lock', False) }}
  901. # Git External Pillar Authentication Options
  902. #
  903. # Along with git_pillar_password, is used to authenticate to HTTPS remotes.
  904. {{ get_config('git_pillar_user', '') }}
  905. # Along with git_pillar_user, is used to authenticate to HTTPS remotes.
  906. # This parameter is not required if the repository does not use authentication.
  907. {{ get_config('git_pillar_password', '') }}
  908. # By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
  909. # This parameter enables authentication over HTTP.
  910. {{ get_config('git_pillar_insecure_auth', False) }}
  911. # Along with git_pillar_privkey (and optionally git_pillar_passphrase),
  912. # is used to authenticate to SSH remotes.
  913. {{ get_config('git_pillar_pubkey', '') }}
  914. # Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
  915. # is used to authenticate to SSH remotes.
  916. {{ get_config('git_pillar_privkey', '') }}
  917. # This parameter is optional, required only when the SSH key being used
  918. # to authenticate is protected by a passphrase.
  919. {{ get_config('git_pillar_passphrase', '') }}
  920. ##### Syndic settings #####
  921. ##########################################
  922. # The Salt syndic is used to pass commands through a master from a higher
  923. # master. Using the syndic is simple. If this is a master that will have
  924. # syndic servers(s) below it, then set the "order_masters" setting to True.
  925. #
  926. # If this is a master that will be running a syndic daemon for passthrough, then
  927. # the "syndic_master" setting needs to be set to the location of the master server
  928. # to receive commands from.
  929. # Set the order_masters setting to True if this master will command lower
  930. # masters' syndic interfaces.
  931. {{ get_config('order_masters', 'False') }}
  932. # If this master will be running a salt syndic daemon, syndic_master tells
  933. # this master where to receive commands from.
  934. {{ get_config('syndic_master', 'masterofmaster') }}
  935. # This is the 'ret_port' of the MasterOfMaster:
  936. {{ get_config('syndic_master_port', '4506') }}
  937. # PID file of the syndic daemon:
  938. {{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}
  939. # LOG file of the syndic daemon:
  940. {{ get_config('syndic_log_file', 'syndic.log') }}
  941. ##### Peer Publish settings #####
  942. ##########################################
  943. # Salt minions can send commands to other minions, but only if the minion is
  944. # allowed to. By default "Peer Publication" is disabled, and when enabled it
  945. # is enabled for specific minions and specific commands. This allows secure
  946. # compartmentalization of commands based on individual minions.
  947. # The configuration uses regular expressions to match minions and then a list
  948. # of regular expressions to match functions. The following will allow the
  949. # minion authenticated as foo.example.com to execute functions from the test
  950. # and pkg modules.
  951. #peer:
  952. # foo.example.com:
  953. # - test.*
  954. # - pkg.*
  955. #
  956. # This will allow all minions to execute all commands:
  957. #peer:
  958. # .*:
  959. # - .*
  960. #
  961. # This is not recommended, since it would allow anyone who gets root on any
  962. # single minion to instantly have root on all of the minions!
  963. {% if 'peer' in cfg_master %}
  964. peer:
  965. {% for name, roots in cfg_master['peer'].items() %}
  966. {{ name }}:
  967. {% for mod in roots %}
  968. - {{ mod }}
  969. {% endfor %}
  970. {% endfor %}
  971. {% elif 'peer' in cfg_salt %}
  972. peer:
  973. {% for name, roots in cfg_salt['peer'].items() %}
  974. {{ name }}:
  975. {% for mod in roots %}
  976. - {{ mod }}
  977. {% endfor %}
  978. {% endfor %}
  979. {% endif %}
  980. # Minions can also be allowed to execute runners from the salt master.
  981. # Since executing a runner from the minion could be considered a security risk,
  982. # it needs to be enabled. This setting functions just like the peer setting
  983. # except that it opens up runners instead of module functions.
  984. #
  985. # All peer runner support is turned off by default and must be enabled before
  986. # using. This will enable all peer runners for all minions:
  987. #peer_run:
  988. # .*:
  989. # - .*
  990. #
  991. # To enable just the manage.up runner for the minion foo.example.com:
  992. #peer_run:
  993. # foo.example.com:
  994. # - manage.up
  995. {% if 'peer_run' in cfg_master %}
  996. peer_run:
  997. {% for name, roots in cfg_master['peer_run'].items() %}
  998. {{ name }}:
  999. {% for mod in roots %}
  1000. - {{ mod }}
  1001. {% endfor %}
  1002. {% endfor %}
  1003. {% elif 'peer_run' in cfg_salt %}
  1004. peer_run:
  1005. {% for name, roots in cfg_salt['peer_run'].items() %}
  1006. {{ name }}:
  1007. {% for mod in roots %}
  1008. - {{ mod }}
  1009. {% endfor %}
  1010. {% endfor %}
  1011. {% endif %}
  1012. ##### Mine settings #####
  1013. #####################################
  1014. # Restrict mine.get access from minions. By default any minion has a full access
  1015. # to get all mine data from master cache. In acl definion below, only pcre matches
  1016. # are allowed.
  1017. # mine_get:
  1018. # .*:
  1019. # - .*
  1020. #
  1021. # The example below enables minion foo.example.com to get 'network.interfaces' mine
  1022. # data only, minions web* to get all network.* and disk.* mine data and all other
  1023. # minions won't get any mine data.
  1024. {% if 'mine_get' in cfg_master -%}
  1025. mine_get:
  1026. {%- for minion, data in cfg_master['mine_get']|dictsort %}
  1027. {{ minion }}:
  1028. {%- for command in data %}
  1029. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  1030. {%- endfor -%}
  1031. {%- endfor -%}
  1032. {% elif 'mine_get' in cfg_salt -%}
  1033. mine_get:
  1034. {%- for minion, data in cfg_salt['mine_get']|dictsort %}
  1035. {{ minion }}:
  1036. {%- for command in data %}
  1037. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  1038. {%- endfor -%}
  1039. {%- endfor -%}
  1040. {% else -%}
  1041. # mine_get:
  1042. # foo.example.com:
  1043. # - network.interfaces
  1044. # web.*:
  1045. # - network.*
  1046. # - disk.*
  1047. {%- endif %}
  1048. ##### Logging settings #####
  1049. ##########################################
  1050. # The location of the master log file
  1051. # The master log can be sent to a regular file, local path name, or network
  1052. # location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
  1053. # ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
  1054. # format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
  1055. #log_file: /var/log/salt/master
  1056. #log_file: file:///dev/log
  1057. #log_file: udp://loghost:10514
  1058. {{ get_config('log_file', '/var/log/salt/master') }}
  1059. {{ get_config('key_logfile', '/var/log/salt/key') }}
  1060. # The level of messages to send to the console.
  1061. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
  1062. #
  1063. # The following log levels are considered INSECURE and may log sensitive data:
  1064. # ['garbage', 'trace', 'debug']
  1065. #
  1066. {{ get_config('log_level', 'warning') }}
  1067. # The level of messages to send to the log file.
  1068. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
  1069. # If using 'log_granular_levels' this must be set to the highest desired level.
  1070. {{ get_config('log_level_logfile', 'warning') }}
  1071. # The date and time format used in log messages. Allowed date/time formating
  1072. # can be seen here: http://docs.python.org/library/time.html#time.strftime
  1073. {{ get_config('log_datefmt', "'%H:%M:%S'") }}
  1074. {{ get_config('log_datefmt_logfile', "'%Y-%m-%d %H:%M:%S'") }}
  1075. # The format of the console logging messages. Allowed formatting options can
  1076. # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
  1077. #
  1078. # Console log colors are specified by these additional formatters:
  1079. #
  1080. # %(colorlevel)s
  1081. # %(colorname)s
  1082. # %(colorprocess)s
  1083. # %(colormsg)s
  1084. #
  1085. # Since it is desirable to include the surrounding brackets, '[' and ']', in
  1086. # the coloring of the messages, these color formatters also include padding as
  1087. # well. Color LogRecord attributes are only available for console logging.
  1088. #
  1089. {{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }}
  1090. {{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
  1091. {{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}
  1092. # This can be used to control logging levels more specificically. This
  1093. # example sets the main salt library at the 'warning' level, but sets
  1094. # 'salt.modules' to log at the 'debug' level:
  1095. # log_granular_levels:
  1096. # 'salt': 'warning'
  1097. # 'salt.modules': 'debug'
  1098. #
  1099. {% if 'log_granular_levels' in cfg_master %}
  1100. log_granular_levels:
  1101. {% for name, lvl in cfg_master['log_granular_levels'].items() %}
  1102. {{ name }}: {{ lvl }}
  1103. {% endfor %}
  1104. {% elif 'log_granular_levels' in cfg_salt %}
  1105. log_granular_levels:
  1106. {% for name, lvl in cfg_salt['log_granular_levels'].items() %}
  1107. {{ name }}: {{ lvl }}
  1108. {% endfor %}
  1109. {% else %}
  1110. #log_granular_levels: {}
  1111. {% endif %}
  1112. ##### Node Groups ######
  1113. ##########################################
  1114. # Node groups allow for logical groupings of minion nodes. A group consists of a group
  1115. # name and a compound target.
  1116. #nodegroups:
  1117. # group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
  1118. # group2: 'G@os:Debian and foo.domain.com'
  1119. {%- if 'nodegroups' in cfg_master %}
  1120. nodegroups:
  1121. {%- for name, lvl in cfg_master['nodegroups'].items() %}
  1122. {{ name }}: {{ lvl }}
  1123. {%- endfor %}
  1124. {%- elif 'nodegroups' in cfg_salt %}
  1125. nodegroups:
  1126. {%- for name, lvl in cfg_salt['nodegroups'].items() %}
  1127. {{ name }}: {{ lvl }}
  1128. {%- endfor %}
  1129. {%- endif %}
  1130. ##### Range Cluster settings #####
  1131. ##########################################
  1132. # The range server (and optional port) that serves your cluster information
  1133. # https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec
  1134. #
  1135. {{ get_config('range_server', 'range:80') }}
  1136. ##### Windows Software Repo settings #####
  1137. ###########################################
  1138. # Specify the provider to be used for git_pillar. Must be either pygit2 or
  1139. # gitpython. If unset, then both will be tried in that same order, and the
  1140. # first one with a compatible version installed will be the provider that
  1141. # is used.
  1142. {{ get_config('winrepo_provider', 'pygit2') }}
  1143. # Repo settings for 2015.8+ master used with 2015.8+ Windows minions
  1144. #
  1145. # Location of the repo on the master:
  1146. {{ get_config('winrepo_dir_ng', '/srv/salt/win/repo-ng') }}
  1147. # List of git repositories to include with the local repo:
  1148. {% if 'winrepo_remotes_ng' in cfg_master %}
  1149. winrepo_remotes_ng:
  1150. {% for repo in cfg_master['winrepo_remotes_ng'] %}
  1151. - {{ repo }}
  1152. {% endfor %}
  1153. {% elif 'winrepo_remotes_ng' in cfg_salt %}
  1154. winrepo_remotes_ng:
  1155. {% for repo in cfg_salt['winrepo_remotes_ng'] %}
  1156. - {{ repo }}
  1157. {% endfor %}
  1158. {% else %}
  1159. #winrepo_remotes_ng:
  1160. # - 'https://github.com/saltstack/salt-winrepo-ng.git'
  1161. {% endif %}
  1162. # Repo settings for 2015.8+ master used with pre-2015.8 Windows minions
  1163. #
  1164. # Location of the repo on the master:
  1165. {{ get_config('winrepo_dir', '/srv/salt/win/repo') }}
  1166. # Location of the master's repo cache file:
  1167. {{ get_config('winrepo_cachefile', 'winrepo.p') }}
  1168. # List of git repositories to include with the local repo:
  1169. {% if 'winrepo_remotes' in cfg_master %}
  1170. winrepo_remotes:
  1171. {% for repo in cfg_master['winrepo_remotes'] %}
  1172. - {{ repo }}
  1173. {% endfor %}
  1174. {% elif 'winrepo_remotes' in cfg_salt %}
  1175. winrepo_remotes:
  1176. {% for repo in cfg_salt['winrepo_remotes'] %}
  1177. - {{ repo }}
  1178. {% endfor %}
  1179. {% else %}
  1180. #winrepo_remotes:
  1181. # - 'https://github.com/saltstack/salt-winrepo.git'
  1182. {% endif %}
  1183. ##### Windows Software Repo settings - Pre 2015.8 #####
  1184. ########################################################
  1185. # Legacy repo settings for pre-2015.8 Windows minions.
  1186. #
  1187. # Location of the repo on the master:
  1188. {{ get_config('win_repo', '/srv/salt/win/repo') }}
  1189. # Location of the master's repo cache file:
  1190. {{ get_config('win_repo_mastercachefile', '/srv/salt/win/repo/winrepo.p') }}
  1191. # List of git repositories to include with the local repo:
  1192. {% if 'win_gitrepos' in cfg_master %}
  1193. win_gitrepos:
  1194. {% for repo in cfg_master['win_gitrepos'] %}
  1195. - {{ repo }}
  1196. {% endfor %}
  1197. {% elif 'win_gitrepos' in cfg_salt %}
  1198. win_gitrepos:
  1199. {% for repo in cfg_salt['win_gitrepos'] %}
  1200. - {{ repo }}
  1201. {% endfor %}
  1202. {% else %}
  1203. #winrepo_remotes:
  1204. # - 'https://github.com/saltstack/salt-winrepo.git'
  1205. {% endif %}
  1206. ##### Returner settings ######
  1207. ############################################
  1208. # Which returner(s) will be used for minion's result:
  1209. #return: mysql
  1210. {{ get_config('return', '')}}
  1211. ###### Miscellaneous settings ######
  1212. ############################################
  1213. # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
  1214. {{ get_config('event_match_type', 'startswith') }}
  1215. {%- if 'halite' in cfg_master %}
  1216. ##### Halite #####
  1217. ##########################################
  1218. halite:
  1219. {%- for name, value in cfg_master['halite'].items() %}
  1220. {{ name }}: {{ value }}
  1221. {%- endfor %}
  1222. {%- endif %}
  1223. {%- if 'rest_cherrypy' in cfg_master %}
  1224. ##### rest_cherrypy #####
  1225. ##########################################
  1226. rest_cherrypy:
  1227. {%- for name, value in cfg_master['rest_cherrypy'].items() %}
  1228. {{ name }}: {{ value }}
  1229. {%- endfor %}
  1230. {%- endif %}
  1231. {%- if 'rest_tornado' in cfg_master %}
  1232. ##### rest_tornado #####
  1233. ###########################################
  1234. rest_tornado:
  1235. {%- for name, value in cfg_master['rest_tornado'].items() %}
  1236. {{ name }}: {{ value }}
  1237. {%- endfor %}
  1238. {%- endif %}
  1239. {%- if 'presence_events' in cfg_master %}
  1240. ##### presence events #####
  1241. ##########################################
  1242. {{ get_config('presence_events', 'False') }}
  1243. {%- endif %}
  1244. {%- if 'consul_config' in cfg_master %}
  1245. ##### consul_config #####
  1246. ##########################################
  1247. consul_config:
  1248. {%- for name, value in cfg_master['consul_config'].items() %}
  1249. {{ name }}: {{ value }}
  1250. {%- endfor %}
  1251. {%- endif %}
  1252. {% if 'mongo' in cfg_master -%}
  1253. ##### mongodb connection settings #####
  1254. ##########################################
  1255. {%- for name, value in cfg_master['mongo'].items() %}
  1256. mongo.{{ name }}: {{ value }}
  1257. {%- endfor %}
  1258. {% if 'alternative.mongo' in cfg_master -%}
  1259. {%- for name, value in cfg_master['alternative.mongo'].items() %}
  1260. alternative.mongo.{{ name }}: {{ value }}
  1261. {%- endfor %}
  1262. {% endif %}
  1263. {%- endif %}