Saltstack Official Salt Formula

f_defaults.conf 51KB

  1. # This file managed by Salt, do not edit by hand!!
  2. # Based on salt version 2016.11 default config
  3. #
  4. {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'beacons', 'reactors', 'return'] -%}
     {#- reserved_keys: names under the 'salt' pillar that get_config will not
         copy from cfg_salt into this file (the `not in reserved_keys` test in
         the macro). Presumably these hold per-component sub-dictionaries rather
         than scalar minion options; confirm against the pillar layout. -#}
  5. {% set cfg_salt = pillar.get('salt', {}) -%}
     {#- cfg_salt: the whole 'salt' pillar subtree, or {} when the pillar has none. -#}
  6. {% set cfg_minion = cfg_salt.get('minion', {}) -%}
     {#- cfg_minion: the 'minion' sub-dictionary of cfg_salt; get_config checks it
         before falling back to cfg_salt. -#}
  7. {% set default_keys = [] -%}
     {#- default_keys: every option name this template has already handled;
         appended to by get_config and by the hand-written blocks further down.
         NOTE(review): nothing in the visible part of the file reads it; its
         consumer is presumably later in the template. -#}
  8. {%- macro get_config(configname, default_value) -%}
     {#- Emit one "name: value" line of the minion config.
         Lookup order: cfg_minion[configname]; then cfg_salt[configname] unless
         the name is in reserved_keys; otherwise the default is written as a
         '#'-commented line so the rendered file documents it without setting it.
         Every value passes through the |json filter, so it is serialised as
         JSON (strings quoted) instead of being pasted in as raw pillar text.
         NOTE(review): blocks in this file that interpolate pillar values
         directly (e.g. proxy_password, id) do not get that quoting, so a value
         containing '#', ': ' or a newline changes the YAML that is rendered. -#}
  9. {%- do default_keys.append(configname) %}
     {#- the name is recorded as handled whether or not the pillar sets it -#}
  10. {%- if configname in cfg_minion -%}
  11. {{ configname }}: {{ cfg_minion[configname]|json }}
  12. {%- elif configname in cfg_salt and configname not in reserved_keys -%}
  13. {{ configname }}: {{ cfg_salt[configname]|json }}
  14. {%- else -%}
  15. #{{ configname }}: {{ default_value|json }}
  16. {%- endif -%}
  17. {%- endmacro -%}
  18. {%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
  19. ##### Primary configuration settings #####
  20. ##########################################
  21. # This configuration file is used to manage the behavior of the Salt Minion.
  22. # With the exception of the location of the Salt Master Server, values that are
  23. # commented out but have an empty line after the comment are defaults that need
  24. # not be set in the config. If there is no blank line after the comment, the
  25. # value is presented as an example and is not the default.
  26. # Per default the minion will automatically include all config files
  27. # from minion.d/*.conf (minion.d is a directory in the same directory
  28. # as the main minion config file).
  29. {{ get_config('default_include', 'minion.d/*.conf') }}
  30. # Set the location of the salt master server. If the master server cannot be
  31. # resolved, then the minion will fail to start.
  32. {%- if 'master' in cfg_minion and cfg_minion['master'] is not string %}
  33. master:
  34. {% for name in cfg_minion['master'] -%}
  35. - {{ name }}
  36. {% endfor -%}
  37. {%- else %}
  38. {{ get_config('master', 'salt') }}
  39. {%- endif %}
  40. # Set http proxy information for the minion when doing requests
  41. {% if 'proxy_host' in cfg_minion -%}
  42. {%- do default_keys.append('proxy_host') %}
  43. proxy_host: {{ cfg_minion['proxy_host'] }}
  44. {% else -%}
  45. #proxy_host:
  46. {%- endif %}
  47. {% if 'proxy_port' in cfg_minion -%}
  48. {%- do default_keys.append('proxy_port') %}
  49. proxy_port: {{ cfg_minion['proxy_port'] }}
  50. {% else -%}
  51. #proxy_port:
  52. {%- endif %}
  53. {% if 'proxy_username' in cfg_minion -%}
  54. {%- do default_keys.append('proxy_username') %}
  55. proxy_username: {{ cfg_minion['proxy_username'] }}
  56. {% else -%}
  57. #proxy_username:
  58. {%- endif %}
  59. {% if 'proxy_password' in cfg_minion -%}
  60. {%- do default_keys.append('proxy_password') %}
  61. proxy_password: {{ cfg_minion['proxy_password'] }}
  62. {% else -%}
  63. #proxy_password:
  64. {%- endif %}
  65. # If multiple masters are specified in the 'master' setting, the default behavior
  66. # is to always try to connect to them in the order they are listed. If random_master is
  67. # set to True, the order will be randomized instead. This can be helpful in distributing
  68. # the load of many minions executing salt-call requests, for example, from a cron job.
  69. # If only one master is listed, this setting is ignored and a warning will be logged.
  70. # NOTE: If master_type is set to failover, use master_shuffle instead.
  71. {{ get_config('random_master', 'False') }}
  72. # Use if master_type is set to failover.
  73. {{ get_config('master_shuffle', 'False') }}
  74. # Minions can connect to multiple masters simultaneously (all masters
  75. # are "hot"), or can be configured to failover if a master becomes
  76. # unavailable. Multiple hot masters are configured by setting this
  77. # value to "str". Failover masters can be requested by setting
  78. # to "failover". MAKE SURE TO SET master_alive_interval if you are
  79. # using failover.
  80. # Setting master_type to 'disable' lets you have a running minion (with engines and
  81. # beacons) without a master connection.
  82. {{ get_config('master_type', 'str') }}
  83. # verify_master_pubkey_sign: enable verification of the master's public-key signature returned in auth replies.
  84. {{ get_config('verify_master_pubkey_sign', 'False') }}
  85. # Poll interval in seconds for checking if the master is still there. Only
  86. # respected if master_type above is "failover". To disable the interval entirely,
  87. # set the value to -1. (This may be necessary on machines which have high numbers
  88. # of TCP connections, such as load balancers.)
  89. {{ get_config('master_alive_interval', '30') }}
  90. # If the minion is in multi-master mode and the master_type configuration option
  91. # is set to "failover", this setting can be set to "True" to force the minion
  92. # to fail back to the first master in the list if the first master is back online.
  93. {{ get_config('master_fallback', 'False') }}
  94. # If the minion is in multi-master mode, the "master_type" configuration is set to
  95. # "failover", and the "master_failback" option is enabled, the master failback
  96. # interval can be set to ping the top master with this interval, in seconds.
  97. {{ get_config('master_fallback_interval', '0') }}
  98. # Set whether the minion should connect to the master via IPv6:
  99. {{ get_config('ipv6', 'False') }}
  100. # Set the number of seconds to wait before attempting to resolve
  101. # the master hostname if name resolution fails. Defaults to 30 seconds.
  102. # Set to zero if the minion should shutdown and not retry.
  103. {{ get_config('retry_dns', '30') }}
  104. # Set the port used by the master reply and authentication server.
  105. {{ get_config('master_port', '4506') }}
  106. # The user to run salt.
  107. {{ get_config('user', 'root') }}
  108. # The user to run salt remote execution commands as via sudo. If this option is
  109. # enabled then sudo will be used to change the active user executing the remote
  110. # command. If enabled the user will need to be allowed access via the sudoers
  111. # file for the user that the salt minion is configured to run as. The most
  112. # common option would be to use the root user. If this option is set the user
  113. # option should also be set to a non-root user. If migrating from a root minion
  114. # to a non root minion the minion cache should be cleared and the minion pki
  115. # directory will need to be changed to the ownership of the new user.
  116. {{ get_config('sudo_user', 'saltdev') }}
  117. # Specify the location of the daemon process ID file.
  118. {{ get_config('pidfile', '/var/run/salt-minion.pid') }}
  119. # The root directory prepended to these options: pki_dir, cachedir, log_file,
  120. # sock_dir, pidfile.
  121. {{ get_config('root_dir', '/') }}
  122. # The path to the minion's configuration file.
  123. {{ get_config('conf_file', '/etc/salt/minion') }}
  124. # The directory to store the pki information in
  125. {{ get_config('pki_dir', '/etc/salt/pki/minion') }}
  126. # Explicitly declare the id for this minion to use, if left commented the id
  127. # will be the hostname as returned by the python call: socket.getfqdn()
  128. # Since salt uses detached ids it is possible to run multiple minions on the
  129. # same machine but with different ids, this can be useful for salt compute
  130. # clusters.
  131. {% if 'id' in cfg_minion -%}
  132. {%- do default_keys.append('id') %}
  133. id: {{ cfg_minion['id'] }}
  134. {% else -%}
  135. #id:
  136. {%- endif %}
  137. # Cache the minion id to a file when the minion's id is not statically defined
  138. # in the minion config. Defaults to "True". This setting prevents potential
  139. # problems when automatic minion id resolution changes, which can cause the
  140. # minion to lose connection with the master. To turn off minion id caching,
  141. # set this config to ``False``.
  142. {{ get_config('minion_id_caching', 'True') }}
  143. # Append a domain to a hostname in the event that it does not exist. This is
  144. # useful for systems where socket.getfqdn() does not actually result in a
  145. # FQDN (for instance, Solaris).
  146. {{ get_config('append_domain', '') }}
  147. # Custom static grains for this minion can be specified here and used in SLS
  148. # files just like all other grains. This example sets 4 custom grains, with
  149. # the 'roles' grain having two values that can be matched against.
  150. #grains:
  151. # roles:
  152. # - webserver
  153. # - memcache
  154. # deployment: datacenter4
  155. # cabinet: 13
  156. # cab_u: 14-15
  157. {{ get_config('grains', '{}') }}
  158. # Where cache data goes.
  159. # This data may contain sensitive data and should be protected accordingly.
  160. {{ get_config('cachedir', '/var/cache/salt/minion') }}
  161. # Append minion_id to these directories. Helps with
  162. # multiple proxies and minions running on the same machine.
  163. # Allowed elements in the list: pki_dir, cachedir, extension_modules
  164. # Normally not needed unless running several proxies and/or minions on the same machine
  165. # Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions
  166. {% if 'append_minionid_config_dirs' in cfg_minion -%}
  167. append_minionid_config_dirs:
  168. {% for dir in cfg_minion['append_minionid_config_dirs'] -%}
  169. - {{ dir }}
  170. {% endfor -%}
  171. {%- else %}
  172. #append_minionid_config_dirs:
  173. {%- endif %}
  174. # Verify and set permissions on configuration directories at startup.
  175. {{ get_config('verify_env', 'True') }}
  176. # The minion can locally cache the return data from jobs sent to it, this
  177. # can be a good way to keep track of jobs the minion has executed
  178. # (on the minion side). By default this feature is disabled, to enable, set
  179. # cache_jobs to True.
  180. {{ get_config('cache_jobs', 'False') }}
  181. # Set the directory used to hold unix sockets.
  182. {{ get_config('sock_dir', '/var/run/salt/minion') }}
  183. # Set the default outputter used by the salt-call command. The default is
  184. # "nested".
  185. {{ get_config('output', 'nested') }}
  186. # By default output is colored. To disable colored output, set the color value
  187. # to False.
  188. {{ get_config('color', 'True') }}
  189. # Do not strip off the colored output from nested results and state outputs
  190. # (true by default).
  191. {{ get_config('strip_colors', 'False') }}
  192. # Backup files that are replaced by file.managed and file.recurse under
  193. # 'cachedir'/file_backups relative to their original location and appended
  194. # with a timestamp. The only valid setting is "minion". Disabled by default.
  195. #
  196. # Alternatively this can be specified for each file in state files:
  197. # /etc/ssh/sshd_config:
  198. # file.managed:
  199. # - source: salt://ssh/sshd_config
  200. # - backup: minion
  201. #
  202. {{ get_config('backup_mode', 'minion') }}
  203. # When waiting for a master to accept the minion's public key, salt will
  204. # continuously attempt to reconnect until successful. This is the time, in
  205. # seconds, between those reconnection attempts.
  206. {{ get_config('acceptance_wait_time', '10') }}
  207. # If this is nonzero, the time between reconnection attempts will increase by
  208. # acceptance_wait_time seconds per iteration, up to this maximum. If this is
  209. # set to zero, the time between reconnection attempts will stay constant.
  210. {{ get_config('acceptance_wait_time_max', '0') }}
  211. # If the master rejects the minion's public key, retry instead of exiting.
  212. # Rejected keys will be handled the same as waiting on acceptance.
  213. {{ get_config('rejected_retry', 'False') }}
  214. # When the master key changes, the minion will try to re-auth itself to receive
  215. # the new master key. In larger environments this can cause a SYN flood on the
  216. # master because all minions try to re-auth immediately. To prevent this and
  217. # have a minion wait for a random amount of time, use this optional parameter.
  218. # The wait-time will be a random number of seconds between 0 and the defined value.
  219. {{ get_config('random_reauth_delay', '60') }}
  220. # When waiting for a master to accept the minion's public key, salt will
  221. # continuously attempt to reconnect until successful. This is the timeout value,
  222. # in seconds, for each individual attempt. After this timeout expires, the minion
  223. # will wait for acceptance_wait_time seconds before trying again. Unless your master
  224. # is under unusually heavy load, this should be left at the default.
  225. {{ get_config('auth_timeout', '60') }}
  226. # Number of consecutive SaltReqTimeoutError that are acceptable when trying to
  227. # authenticate.
  228. {{ get_config('auth_tries', '7') }}
  229. # The number of attempts to connect to a master before giving up.
  230. # Set this to -1 for unlimited attempts. This allows for a master to have
  231. # downtime and the minion to reconnect to it later when it comes back up.
  232. # In 'failover' mode, it is the number of attempts for each set of masters.
  233. # In this mode, it will cycle through the list of masters for each attempt.
  234. #
  235. # This is different than auth_tries because auth_tries attempts to
  236. # retry auth attempts with a single master. auth_tries is under the
  237. # assumption that you can connect to the master but not gain
  238. # authorization from it. master_tries will still cycle through all
  239. # the masters in a given try, so it is appropriate if you expect
  240. # occasional downtime from the master(s).
  241. {{ get_config('master_tries', '1') }}
  242. # If authentication fails due to SaltReqTimeoutError during a ping_interval,
  243. # cause sub minion process to restart.
  244. {{ get_config('auth_safemode', 'False') }}
  245. # Ping Master to ensure connection is alive (minutes).
  246. {{ get_config('ping_interval', '0') }}
  247. {%- if 'mine_functions' in cfg_minion %}
  248. {%- do default_keys.append('mine_functions') %}
  249. mine_functions:
  250. {%- for func, args in cfg_minion['mine_functions'].items() %}
  251. {{ func }}: {{ args }}
  252. {%- endfor %}
  253. {%- endif %}
  254. # To auto recover minions if master changes IP address (DDNS)
  255. # auth_tries: 10
  256. # auth_safemode: False
  257. # ping_interval: 90
  258. #
  259. # Minions won't know master is missing until a ping fails. After the ping fails,
  260. # the minion will attempt authentication, likely fail, and cause a restart.
  261. # When the minion restarts it will resolve the master's IP and attempt to reconnect.
  262. # If you don't have any problems with syn-floods, don't bother with the
  263. # three recon_* settings described below, just leave the defaults!
  264. #
  265. # The ZeroMQ pull-socket that binds to the masters publishing interface tries
  266. # to reconnect immediately, if the socket is disconnected (for example if
  267. # the master processes are restarted). In large setups this will have all
  268. # minions reconnect immediately which might flood the master (the ZeroMQ-default
  269. # is usually a 100ms delay). To prevent this, these three recon_* settings
  270. # can be used.
  271. # recon_default: the interval in milliseconds that the socket should wait before
  272. # trying to reconnect to the master (1000ms = 1 second)
  273. #
  274. # recon_max: the maximum time a socket should wait. each interval the time to wait
  275. # is calculated by doubling the previous time. if recon_max is reached,
  276. # it starts again at recon_default. Short example:
  277. #
  278. # reconnect 1: the socket will wait 'recon_default' milliseconds
  279. # reconnect 2: 'recon_default' * 2
  280. # reconnect 3: ('recon_default' * 2) * 2
  281. # reconnect 4: value from previous interval * 2
  282. # reconnect 5: value from previous interval * 2
  283. # reconnect x: if value >= recon_max, it starts again with recon_default
  284. #
  285. # recon_randomize: generate a random wait time on minion start. The wait time will
  286. # be a random value between recon_default and recon_default +
  287. # recon_max. Having all minions reconnect with the same recon_default
  288. # and recon_max value kind of defeats the purpose of being able to
  289. # change these settings. If all minions have the same values and your
  290. # setup is quite large (several thousand minions), they will still
  291. # flood the master. The desired behavior is to have a timeframe within
  292. # which all minions try to reconnect.
  293. #
  294. # Example on how to use these settings. The goal: have all minions reconnect within a
  295. # 60 second timeframe on a disconnect.
  296. # recon_default: 1000
  297. # recon_max: 59000
  298. # recon_randomize: True
  299. #
  300. # Each minion will have a randomized reconnect value between 'recon_default'
  301. # and 'recon_default + recon_max', which in this example means between 1000ms
  302. # and 60000ms (or between 1 and 60 seconds). The generated random-value will be
  303. # doubled after each attempt to reconnect. Let's say the generated random
  304. # value is 11 seconds (or 11000ms).
  305. # reconnect 1: wait 11 seconds
  306. # reconnect 2: wait 22 seconds
  307. # reconnect 3: wait 33 seconds
  308. # reconnect 4: wait 44 seconds
  309. # reconnect 5: wait 55 seconds
  310. # reconnect 6: wait time is bigger than 60 seconds (recon_default + recon_max)
  311. # reconnect 7: wait 11 seconds
  312. # reconnect 8: wait 22 seconds
  313. # reconnect 9: wait 33 seconds
  314. # reconnect x: etc.
  315. #
  316. # In a setup with ~6000 hosts these settings would average the reconnects
  317. # to about 100 per second and all hosts would be reconnected within 60 seconds.
  318. {{ get_config('recon_default', '100') }}
  319. {{ get_config('recon_max', '5000') }}
  320. {{ get_config('recon_randomize', 'False') }}
  321. # The loop_interval sets how long in seconds the minion will wait between
  322. # evaluating the scheduler and running cleanup tasks. This defaults to 1
  323. # second on the minion scheduler.
  324. {{ get_config('loop_interval', '1') }}
  325. # When using the scheduler at least one schedule needs to be
  326. # defined. The user running the salt master will need read access to the repo.
  327. {% if 'schedule' in cfg_minion -%}
  328. {%- do default_keys.append('schedule') %}
  329. schedule:
  330. {%- for schedule in cfg_minion['schedule'] %}
  331. {%- if schedule is iterable and schedule is not string %}
  332. {%- for name, children in schedule.items() %}
  333. {{ name }}:
  334. {%- for child in children %}
  335. {%- for key, value in child.items() %}
  336. {{ key }}: {{ value }}
  337. {%- endfor -%}
  338. {%- endfor -%}
  339. {%- endfor -%}
  340. {%- endif -%}
  341. {%- endfor -%}
  342. {%- endif %}
  343. # Some installations choose to store all job returns in a cache or a returner
  344. # and forgo sending the results back to a master. In this workflow, jobs
  345. # are most often executed with --async from the Salt CLI and then results
  346. # are evaluated by examining job caches on the minions or any configured returners.
  347. # WARNING: Setting this to False will **disable** returns back to the master.
  348. {{ get_config('pub_ret', 'True') }}
  349. # The grains can be merged, instead of overridden, using this option.
  350. # This allows custom grains to define different subvalues of a dictionary
  351. # grain. By default this feature is disabled, to enable set grains_deep_merge
  352. # to ``True``.
  353. {{ get_config('grains_deep_merge', 'False') }}
  354. # The grains_refresh_every setting allows for a minion to periodically check
  355. # its grains to see if they have changed and, if so, to inform the master
  356. # of the new grains. This operation is moderately expensive, therefore
  357. # care should be taken not to set this value too low.
  358. #
  359. # Note: This value is expressed in __minutes__!
  360. #
  361. # A value of 10 minutes is a reasonable default.
  362. #
  363. # If the value is set to zero, this check is disabled.
  364. {{ get_config('grains_refresh_every', '1') }}
  365. # Cache grains on the minion. Default is False.
  366. {{ get_config('grains_cache', 'False') }}
  367. # Cache rendered pillar data on the minion. Default is False.
  368. # This may cause 'cachedir'/pillar to contain sensitive data that should be
  369. # protected accordingly.
  370. {{ get_config('minion_pillar_cache', 'False') }}
  371. # Grains cache expiration, in seconds. If the cache file is older than this
  372. # number of seconds then the grains cache will be dumped and fully re-populated
  373. # with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache'
  374. # is not enabled.
  375. {{ get_config('grains_cache_expiration', '300') }}
  376. # Determines whether or not the salt minion should run scheduled mine updates.
  377. # Defaults to "True". Set to "False" to disable the scheduled mine updates
  378. # (this essentially just does not add the mine update function to the minion's
  379. # scheduler).
  380. {{ get_config('mine_enabled', 'True') }}
  381. # Determines whether or not scheduled mine updates should be accompanied by a job
  382. # return for the job cache. Defaults to "False". Set to "True" to include job
  383. # returns in the job cache for mine updates.
  384. {{ get_config('mine_return_job', 'False') }}
  385. # Example functions that can be run via the mine facility
  386. # NO mine functions are established by default.
  387. # Note these can be defined in the minion's pillar as well.
  388. #mine_functions:
  389. # test.ping: []
  390. # network.ip_addrs:
  391. # interface: eth0
  392. # cidr: '10.0.0.0/8'
  393. # Windows platforms lack posix IPC and must rely on slower TCP based inter-
  394. # process communications. Set ipc_mode to 'tcp' on such systems
  395. {{ get_config('ipc_mode', 'ipc') }}
  396. # Overwrite the default tcp ports used by the minion when in tcp mode
  397. {{ get_config('tcp_pub_port', '4510') }}
  398. {{ get_config('tcp_pull_port', '4511') }}
  399. # Passing very large events can cause the minion to consume large amounts of
  400. # memory. This value tunes the maximum size of a message allowed onto the
  401. # minion event bus. The value is expressed in bytes.
  402. {{ get_config('max_event_size', '1048576') }}
  403. # The minion can include configuration from other files. To enable this,
  404. # pass a list of paths to this option. The paths can be either relative or
  405. # absolute; if relative, they are considered to be relative to the directory
  406. # the main minion configuration file lives in (this file). Paths can make use
  407. # of shell-style globbing. If no files are matched by a path passed to this
  408. # option then the minion will log a warning message.
  409. #
  410. # Include a config file from some other path:
  411. {% if 'include' in cfg_minion -%}
  412. {% do default_keys.append('include') -%}
  413. {% if cfg_minion['include'] is iterable and cfg_minion['include'] is not string -%}
  414. include:
  415. {%- for include in cfg_minion['include'] %}
  416. - {{ include }}
  417. {%- endfor -%}
  418. {% else -%}
  419. include: {{ cfg_minion['include'] }}
  420. {%- endif -%}
  421. {% elif 'include' in cfg_salt -%}
  422. {% if cfg_salt['include'] is iterable and cfg_salt['include'] is not string -%}
  423. include:
  424. {%- for include in cfg_salt['include'] %}
  425. - {{ include }}
  426. {%- endfor -%}
  427. {% else -%}
  428. include: {{ cfg_salt['include'] }}
  429. {%- endif -%}
  430. {% endif %}
  431. # The syndic minion can verify that it is talking to the correct master via the
  432. # key fingerprint of the higher-level master with the "syndic_finger" config.
  433. {{ get_config('syndic_finger', '') }}
  434. ##### Minion module management #####
  435. ##########################################
  436. # Disable specific modules. This allows the admin to limit the level of
  437. # access the master has to the minion. The default here is the empty list,
  438. # below is an example of how this needs to be formatted in the config file
  439. #disable_modules:
  440. # - cmdmod
  441. # - test
  442. #disable_returners: []
  443. {{ get_config('disable_modules', '[]') }}
  444. {{ get_config('disable_returners', '[]') }}
  445. # This is the reverse of disable_modules. The default, like disable_modules, is the empty list,
  446. # but if this option is set to *anything* then *only* those modules will load.
  447. # Note that this is a very large hammer and it can be quite difficult to keep the minion working
  448. # the way you think it should since Salt uses many modules internally itself. At a bare minimum
  449. # you need the following enabled or else the minion won't start.
  450. #whitelist_modules:
  451. # - cmdmod
  452. # - test
  453. # - config
  454. {{ get_config('whitelist_modules', '[]') }}
  455. # Modules can be loaded from arbitrary paths. This enables the easy deployment
  456. # of third party modules. Modules for returners and minions can be loaded.
  457. # Specify a list of extra directories to search for minion modules and
  458. # returners. These paths must be fully qualified!
  459. {{ get_config('module_dirs', '[]') }}
  460. {{ get_config('returner_dirs', '[]') }}
  461. {{ get_config('states_dirs', '[]') }}
  462. {{ get_config('render_dirs', '[]') }}
  463. {{ get_config('utils_dirs', '[]') }}
  464. # A module provider can be statically overwritten or extended for the minion
  465. # via the providers option, in this case the default module will be
  466. # overwritten by the specified module. In this example the pkg module will
  467. # be provided by the yumpkg5 module instead of the system default.
  468. #providers:
  469. # pkg: yumpkg5
  470. {{ get_config('providers', '{}') }}
  471. # Enable Cython modules searching and loading. (Default: False)
  472. {{ get_config('cython_enable', 'False') }}
  473. # Specify a max size (in bytes) for modules on import. This feature is currently
  474. # only supported on *nix operating systems and requires psutil.
  475. {{ get_config('modules_max_memory', '-1') }}
  476. ##### State Management Settings #####
  477. ###########################################
  478. # The state management system executes all of the state templates on the minion
  479. # to enable more granular control of system state management. The type of
  480. # template and serialization used for state management needs to be configured
  481. # on the minion, the default renderer is yaml_jinja. This is a yaml file
  482. # rendered from a jinja template, the available options are:
  483. # yaml_jinja
  484. # yaml_mako
  485. # yaml_wempy
  486. # json_jinja
  487. # json_mako
  488. # json_wempy
  489. #
  490. {{ get_config('renderer', 'yaml_jinja') }}
  491. # The failhard option tells the minions to stop immediately after the first
  492. # failure detected in the state execution. Defaults to False.
  493. {{ get_config('failhard', 'False') }}
  494. # Reload the modules prior to a highstate run.
  495. {{ get_config('autoload_dynamic_modules', 'True') }}
  496. # clean_dynamic_modules keeps the dynamic modules on the minion in sync with
  497. # the dynamic modules on the master, this means that if a dynamic module is
  498. # not on the master it will be deleted from the minion. By default, this is
  499. # enabled and can be disabled by changing this value to False.
  500. {{ get_config('clean_dynamic_modules', 'True') }}
  501. # Renamed from ``environment`` to ``saltenv``. If ``environment`` is used,
  502. # ``saltenv`` will take its value. If both are used, ``environment`` will be
  503. # ignored and ``saltenv`` will be used.
  504. # Normally the minion is not isolated to any single environment on the master
  505. # when running states, but the environment can be isolated on the minion side
  506. # by statically setting it. Remember that the recommended way to manage
  507. # environments is to isolate via the top file.
  508. #saltenv: None
  509. {{ get_config('environment', 'None') }}
  510. {{ get_config('saltenv', 'None') }}
  511. #
  512. # Isolates the pillar environment on the minion side. This functions the same
  513. # as the environment setting, but for pillar instead of states.
  514. {{ get_config('pillarenv', 'None') }}
  515. #
  516. # Set this option to 'True' to force a 'KeyError' to be raised whenever an
  517. # attempt to retrieve a named value from pillar fails. When this option is set
  518. # to 'False', the failed attempt returns an empty string. Default is 'False'.
  519. {{ get_config('pillar_raise_on_missing', 'False') }}
  520. #
  521. # If using the local file directory, then the state top file name needs to be
  522. # defined, by default this is top.sls.
  523. {{ get_config('state_top', 'top.sls') }}
  524. # Run states when the minion daemon starts. To enable, set startup_states to:
  525. # 'highstate' -- Execute state.highstate
  526. # 'sls' -- Read in the sls_list option and execute the named sls files
  527. # 'top' -- Read top_file option and execute based on that file on the Master
  528. {{ get_config('startup_states', "''") }}
  529. # List of states to run when the minion starts up if startup_states is 'sls':
  530. #sls_list:
  531. # - edit.vim
  532. # - hyper
  533. {{ get_config('sls_list', '[]') }}
  534. # Top file to execute if startup_states is 'top':
  535. {{ get_config('top_file', "''") }}
  536. # Automatically aggregate all states that have support for mod_aggregate by
  537. # setting to True. Or pass a list of state module names to automatically
  538. # aggregate just those types.
  539. #
  540. # state_aggregate:
  541. # - pkg
  542. #
  543. #state_aggregate: False
  544. {{ get_config('state_aggregate', '{}') }}
  545. ##### File Directory Settings #####
  546. ##########################################
  547. # The Salt Minion can redirect all file server operations to a local directory,
  548. # this allows for the same state tree that is on the master to be used if
  549. # copied completely onto the minion. This is a literal copy of the settings on
  550. # the master but used to reference a local directory on the minion.
  551. # Set the file client. The client defaults to looking on the master server for
  552. # files, but can be directed to look at the local file directory setting
  553. # defined below by setting it to "local". Setting a local file_client runs the
  554. # minion in masterless mode.
  555. {%- if standalone %}
  556. file_client: local
  557. {%- else %}
  558. {{ get_config('file_client', 'remote') }}
  559. {%- endif %}
  560. # The file directory works on environments passed to the minion, each environment
  561. # can have multiple root directories, the subdirectories in the multiple file
  562. # roots cannot match, otherwise the downloaded files will not be able to be
  563. # reliably ensured. A base environment is required to house the top file.
  564. # Example:
  565. # file_roots:
  566. # base:
  567. # - /srv/salt/
  568. # dev:
  569. # - /srv/salt/dev/services
  570. # - /srv/salt/dev/states
  571. # prod:
  572. # - /srv/salt/prod/services
  573. # - /srv/salt/prod/states
  574. {% if 'file_roots' in cfg_minion -%}
  575. {%- do default_keys.append('file_roots') %}
  576. {{ file_roots(cfg_minion['file_roots']) }}
  577. {%- elif 'file_roots' in cfg_salt -%}
  578. {{ file_roots(cfg_salt['file_roots']) }}
  579. {%- elif formulas|length -%}
  580. {{ file_roots({'base': ['/srv/salt']}) }}
  581. {%- else -%}
  582. #file_roots:
  583. # base:
  584. # - /srv/salt
  585. {%- endif %}
  586. # Uncomment the line below if you do not want the file_server to follow
  587. # symlinks when walking the filesystem tree. This is set to True
  588. # by default. Currently this only applies to the default roots
  589. # fileserver_backend.
  590. {{ get_config('fileserver_followsymlinks', 'True') }}
  591. #
  592. # Uncomment the line below if you do not want symlinks to be
  593. # treated as the files they are pointing to. By default this is set to
  594. # False. By uncommenting the line below, any detected symlink while listing
  595. # files on the Master will not be returned to the Minion.
  596. {{ get_config('fileserver_ignoresymlinks', 'False') }}
  597. #
  598. # To use multiple backends list them in the order they are searched:
  599. #fileserver_backend:
  600. # - git
  601. # - roots
  602. {% if 'fileserver_backend' in cfg_minion -%}
  603. {%- do default_keys.append('fileserver_backend') %}
  604. fileserver_backend:
  605. {%- for backend in cfg_minion['fileserver_backend'] %}
  606. - {{ backend }}
  607. {%- endfor -%}
  608. {%- endif %}
  609. # By default, the Salt fileserver recurses fully into all defined environments
  610. # to attempt to find files. To limit this behavior so that the fileserver only
  611. # traverses directories with SLS files and special Salt directories like _modules,
  612. # enable the option below. This might be useful for installations where a file root
  613. # has a very large number of files and performance is negatively impacted. Default
  614. # is False.
  615. {{ get_config('fileserver_limit_traversal', 'False') }}
  616. # The hash_type is the hash to use when discovering the hash of a file on
  617. # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384
  618. # and sha512 are also supported.
  619. #
  620. # WARNING: md5 and sha1 are supported, but do not use them: both are prone to
  621. # collisions and are therefore a security risk. The default below is md5, so set sha256 or stronger explicitly.
  622. #
  623. # Warning: Prior to changing this value, the minion should be stopped and all
  624. # Salt caches should be cleared.
  625. {{ get_config('hash_type', 'md5') }}
  626. # gitfs provider
  627. {{ get_config('gitfs_provider', 'pygit2') }}
  628. # Along with gitfs_password, is used to authenticate to HTTPS remotes.
  629. {{ get_config('gitfs_user', 'git') }}
  630. # Along with gitfs_user, is used to authenticate to HTTPS remotes.
  631. # This parameter is not required if the repository does not use authentication.
  632. {{ get_config('gitfs_password', '') }}
  633. # By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
  634. # This parameter enables authentication over HTTP, which sends the credentials unencrypted. Enable this at your own risk.
  635. {{ get_config('gitfs_insecure_auth', 'False') }}
  636. # Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
  637. # authenticate to SSH remotes. This parameter (or its per-remote counterpart)
  638. # is required for SSH remotes.
  639. {{ get_config('gitfs_pubkey', '') }}
  640. # Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
  641. # authenticate to SSH remotes. This parameter (or its per-remote counterpart)
  642. # is required for SSH remotes.
  643. {{ get_config('gitfs_privkey', '') }}
  644. # This parameter is optional, required only when the SSH key being used to
  645. # authenticate is protected by a passphrase.
  646. {{ get_config('gitfs_passphrase', '') }}
  647. # When using the git fileserver backend at least one git remote needs to be
  648. # defined. The user running the salt master will need read access to the repo.
  649. #
  650. # The repos will be searched in order to find the file requested by a client
  651. # and the first repo to have the file will return it.
  652. # When using the git backend branches and tags are translated into salt
  653. # environments.
  654. # Note: file:// repos will be treated as a remote, so refs you want used must
  655. # exist in that repo as *local* refs.
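  656. {% if 'gitfs_remotes' in cfg_minion -%}{# Emit gitfs_remotes from cfg_minion: each entry is either a plain remote string or a mapping of remote to a list of per-remote options #}
  657. {%- do default_keys.append('gitfs_remotes') %}
  658. gitfs_remotes:
  659. {%- for remote in cfg_minion['gitfs_remotes'] %}
  660. {%- if remote is iterable and remote is not string %}
  661. {%- for repo, children in remote.items() %}
  662.   - {{ repo }}:
  663. {%- for child in children %}
  664. {%- for key, value in child.items() %}{# |json serialises each option value so that characters with YAML meaning stay inside the value instead of changing the rendered config #}
  665.     - {{ key }}: {{ value|json }}
  666. {%- endfor -%}
  667. {%- endfor -%}
  668. {%- endfor -%}
  669. {%- else %}
  670.   - {{ remote }}
  671. {%- endif -%}
  672. {%- endfor -%}
  673. {%- endif %}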
  674. # The gitfs_ssl_verify option specifies whether to ignore ssl certificate
  675. # errors when contacting the gitfs backend. You might want to set this to
  676. # false if you're using a git backend that uses a self-signed certificate, but
  677. # keep in mind that any value other than the default of True is a security concern:
  678. # the remote's identity is then no longer verified. Consider using the ssh transport instead.
  679. {{ get_config('gitfs_ssl_verify', 'True') }}
  680. # The gitfs_root option gives the ability to serve files from a subdirectory
  681. # within the repository. The path is defined relative to the root of the
  682. # repository and defaults to the repository root.
  683. {{ get_config('gitfs_root', 'somefolder/otherfolder') }}
  684. # The gitfs_env_whitelist and gitfs_env_blacklist parameters allow for greater
  685. # control over which branches/tags are exposed as fileserver environments.
  686. {% if 'gitfs_env_whitelist' in cfg_minion -%}
  687. {%- do default_keys.append('gitfs_env_whitelist') %}
  688. gitfs_env_whitelist:
  689. {%- for git_env in cfg_minion['gitfs_env_whitelist'] %}
  690. - {{ git_env }}
  691. {%- endfor -%}
  692. {% else -%}
  693. # gitfs_env_whitelist:
  694. # - base
  695. # - v1.*
  696. {% endif %}
  697. {% if 'gitfs_env_blacklist' in cfg_minion -%}
  698. {%- do default_keys.append('gitfs_env_blacklist') %}
  699. gitfs_env_blacklist:
  700. {%- for git_env in cfg_minion['gitfs_env_blacklist'] %}
  701. - {{ git_env }}
  702. {%- endfor -%}
  703. {% else -%}
  704. # gitfs_env_blacklist:
  705. # - bug/*
  706. # - feature/*
  707. {% endif %}
  708. ##### Pillar settings #####
  709. ##########################################
  710. # The Salt pillar is searched for locally if file_client is set to local. If
  711. # this is the case, and pillar data is defined, then the pillar_roots need to
  712. # also be configured on the minion:
  713. {% if 'pillar_roots' in cfg_minion -%}
  714. {%- do default_keys.append('pillar_roots') %}
  715. pillar_roots:
  716. {%- for name, roots in cfg_minion['pillar_roots']|dictsort %}
  717. {{ name }}:
  718. {%- for dir in roots %}
  719. - {{ dir }}
  720. {%- endfor -%}
  721. {%- endfor -%}
  722. {% elif 'pillar_roots' in cfg_salt -%}
  723. pillar_roots:
  724. {%- for name, roots in cfg_salt['pillar_roots']|dictsort %}
  725. {{ name }}:
  726. {%- for dir in roots %}
  727. - {{ dir }}
  728. {%- endfor -%}
  729. {%- endfor -%}
  730. {%- else -%}
  731. #pillar_roots:
  732. # base:
  733. # - /srv/pillar
  734. {%- endif %}
  735. # Set a hard-limit on the size of the files that can be pushed to the master.
  736. # It will be interpreted as megabytes. Default: 100
  737. {{ get_config('file_recv_max_size', '100') }}
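  738. {% if 'ext_pillar' in cfg_minion %}{# ext_pillar is taken from cfg_minion first, then from cfg_salt; otherwise only a commented example is emitted #}
  739. {%- do default_keys.append('ext_pillar') %}
  740. ext_pillar:
  741. {%- for pillar in cfg_minion['ext_pillar'] -%}
  742. {%- for key in pillar -%}
  743. {%- if pillar[key] is string %}
  744.   - {{ key }}: {{ pillar[key] }}
  745. {%- elif pillar[key] is iterable and pillar[key] is not mapping %}
  746.   - {{ key }}:
  747. {%- for parameter in pillar[key] %}
  748. {%- if parameter is iterable and parameter is not string %}
  749. {%- for param, children in parameter.items() %}
  750.     - {{ param }}:
  751. {%- for child in children %}
  752. {%- for key, value in child.items() %}
  753.       - {{ key }}: {{ value }}
  754. {%- endfor -%}
  755. {%- endfor -%}
  756. {%- endfor -%}
  757. {%- else %}
  758.     - {{ parameter }}
  759. {%- endif %}
  760. {%- endfor -%}
  761. {%- elif pillar[key] is mapping and pillar[key] is not string %}
  762.   - {{ key }}:
  763. {%- for parameter in pillar[key] %}
  764.       {{ parameter }}: {{pillar[key][parameter]}}
  765. {%- endfor %}
  766. {%- else %}
  767. # Error in rendering {{ key }}, please read https://docs.saltstack.com/en/latest/topics/development/external_pillars.html#configuration
  768. {% endif %}
  769. {%- endfor -%}
  770. {%- endfor %}
  771. {% elif 'ext_pillar' in cfg_salt %}
  772. ext_pillar:
  773. {% for pillar in cfg_salt['ext_pillar'] %}{# only the first key/value pair of each entry is emitted; |list makes the items indexable on Python 3, where dict.items() returns a view #}
  774.   - {{ (pillar.items()|list)[0][0] }}: {{ (pillar.items()|list)[0][1] }}
  775. {% endfor %}
  776. {% else %}
  777. #ext_pillar:
  778. # - hiera: /etc/hiera.yaml
  779. # - cmd_yaml: cat /etc/salt/yaml
  780. {% endif %}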
  781. # The ext_pillar_first option allows for external pillar sources to populate
  782. # before file system pillar. This allows for targeting file system pillar from
  783. # ext_pillar.
  784. {{ get_config('ext_pillar_first', 'False') }}
  785. # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
  786. # errors when contacting the pillar gitfs backend. You might want to set this to
  787. # false if you're using a git backend that uses a self-signed certificate, but
  788. # keep in mind that any value other than the default of True is a security concern:
  789. # the remote's identity is then no longer verified. Consider using the ssh transport instead.
  790. {{ get_config('pillar_gitfs_ssl_verify', 'True') }}
  791. # The pillar_opts option adds the master configuration file data to a dict in
  792. # the pillar called "master". This is used to set simple configurations in the
  793. # master config file that can then be used on minions.
  794. {{ get_config('pillar_opts', 'True') }}
  795. # The pillar_safe_render_error option prevents the master from passing pillar
  796. # render errors to the minion. This is set on by default because the error could
  797. # contain templating data which would give that minion information it shouldn't
  798. # have, like a password! When set true the error message will only show:
  799. # Rendering SLS 'my.sls' failed. Please see master log for details.
  800. {{ get_config('pillar_safe_render_error', 'True') }}
  801. # The pillar_source_merging_strategy option allows you to configure merging strategy
  802. # between different sources. It accepts four values: recurse, aggregate, overwrite,
  803. # or smart. Recurse will merge recursively mapping of data. Aggregate instructs
  804. # aggregation of elements between sources that use the #!yamlex renderer. Overwrite
  805. # will overwrite elements according to the order in which they are processed. This is the
  806. # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
  807. # on the "renderer" setting and is the default value.
  808. {{ get_config('pillar_source_merging_strategy', 'smart') }}
  809. # Recursively merge lists by aggregating them instead of replacing them.
  810. {{ get_config('pillar_merge_lists', False) }}
  811. # Git External Pillar (git_pillar) Configuration Options
  812. #
  813. # Specify the provider to be used for git_pillar. Must be either pygit2 or
  814. # gitpython. If unset, then both will be tried in that same order, and the
  815. # first one with a compatible version installed will be the provider that
  816. # is used.
  817. {{ get_config('git_pillar_provider', 'pygit2') }}
  818. # If the desired branch matches this value, and the environment is omitted
  819. # from the git_pillar configuration, then the environment for that git_pillar
  820. # remote will be base.
  821. {{ get_config('git_pillar_base', 'master') }}
  822. # If the branch is omitted from a git_pillar remote, then this branch will
  823. # be used instead.
  824. {{ get_config('git_pillar_branch', 'master') }}
  825. # Environment to use for git_pillar remotes. This is normally derived from
  826. # the branch/tag (or from a per-remote env parameter), but if set this will
  827. # override the process of deriving the env from the branch/tag name.
  828. {{ get_config('git_pillar_env', '') }}
  829. # Path relative to the root of the repository where the git_pillar top file
  830. # and SLS files are located.
  831. {{ get_config('git_pillar_root', 'pillar') }}
  832. # Specifies whether or not to ignore SSL certificate errors when contacting
  833. # the remote repository.
  834. {{ get_config('git_pillar_ssl_verify', True) }}
  835. # When set to False, if there is an update/checkout lock for a git_pillar
  836. # remote and the pid written to it is not running on the master, the lock
  837. # file will be automatically cleared and a new lock will be obtained.
  838. {{ get_config('git_pillar_global_lock', False) }}
  839. # Git External Pillar Authentication Options
  840. #
  841. # Along with git_pillar_password, is used to authenticate to HTTPS remotes.
  842. {{ get_config('git_pillar_user', '') }}
  843. # Along with git_pillar_user, is used to authenticate to HTTPS remotes.
  844. # This parameter is not required if the repository does not use authentication.
  845. {{ get_config('git_pillar_password', '') }}
  846. # By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
  847. # This parameter enables authentication over HTTP, which sends the credentials unencrypted.
  848. {{ get_config('git_pillar_insecure_auth', False) }}
  849. # Along with git_pillar_privkey (and optionally git_pillar_passphrase),
  850. # is used to authenticate to SSH remotes.
  851. {{ get_config('git_pillar_pubkey', '') }}
  852. # Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
  853. # is used to authenticate to SSH remotes.
  854. {{ get_config('git_pillar_privkey', '') }}
  855. # This parameter is optional, required only when the SSH key being used
  856. # to authenticate is protected by a passphrase.
  857. {{ get_config('git_pillar_passphrase', '') }}
  858. ###### Security settings #####
  859. ###########################################
  860. # Enable "open mode", this mode still maintains encryption, but turns off
  861. # authentication, this is only intended for highly secure environments or for
  862. # the situation where your keys end up in a bad state. If you run in open mode
  863. # you do so at your own risk!
  864. {{ get_config('open_mode', 'False') }}
  865. # Enable permissive access to the salt keys. This allows you to run the
  866. # master or minion as root, but have a non-root group be given access to
  867. # your pki_dir. To make the access explicit, root must belong to the group
  868. # you've given access to. This is potentially quite insecure.
  869. {{ get_config('permissive_pki_access', 'False') }}
  870. # The state_verbose and state_output settings can be used to change the way
  871. # state system data is printed to the display. By default all data is printed.
  872. # The state_verbose setting can be set to True or False, when set to False
  873. # all data that has a result of True and no changes will be suppressed.
  874. {{ get_config('state_verbose', 'True') }}
  875. # The state_output setting changes if the output is the full multi line
  876. # output for each changed state if set to 'full', but if set to 'terse'
  877. # the output will be shortened to a single line.
  878. {{ get_config('state_output', 'full') }}
  879. # The state_output_diff setting changes whether or not the output from
  880. # successful states is returned. Useful when even the terse output of these
  881. # states is cluttering the logs. Set it to True to ignore them.
  882. {{ get_config('state_output_diff', 'False') }}
  883. # The state_output_profile setting changes whether profile information
  884. # will be shown for each state run.
  885. {{ get_config('state_output_profile', 'True') }}
  886. # Fingerprint of the master public key to validate the identity of your Salt master
  887. # before the initial key exchange. The master fingerprint can be found by running
  888. # "salt-key -F master" on the Salt master. If left empty, the first master key received is trusted as-is.
  889. {{ get_config('master_finger', "''") }}
  890. # Use TLS/SSL encrypted connection between master and minion.
  891. # Can be set to a dictionary containing keyword arguments corresponding to Python's
  892. # 'ssl.wrap_socket' method.
  893. # Default is None.
  894. #ssl:
  895. # keyfile: <path_to_keyfile>
  896. # certfile: <path_to_certfile>
  897. # ssl_version: PROTOCOL_TLSv1_2
  898. ###### Thread settings #####
  899. ###########################################
  900. # Disable multiprocessing support, by default when a minion receives a
  901. # publication a new process is spawned and the command is executed therein.
  902. #
  903. # WARNING: Disabling multiprocessing may result in substantial slowdowns
  904. # when processing large pillars. See https://github.com/saltstack/salt/issues/38758
  905. # for a full explanation.
  906. {{ get_config('multiprocessing', 'True') }}
  907. ##### Logging settings #####
  908. ##########################################
  909. # The location of the minion log file
  910. # The minion log can be sent to a regular file, local path name, or network
  911. # location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
  912. # ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
  913. # format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
  914. #log_file: /var/log/salt/minion
  915. #log_file: file:///dev/log
  916. #log_file: udp://loghost:10514
  917. #
  918. {{ get_config('log_file', '/var/log/salt/minion') }}
  919. {{ get_config('key_logfile', ' /var/log/salt/key') }}
  920. # The level of messages to send to the console.
  921. # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
  922. #
  923. # The following log levels are considered INSECURE and may log sensitive data:
  924. # ['garbage', 'trace', 'debug']
  925. #
  926. # Default: 'warning'
  927. {{ get_config('log_level', 'warning') }}
  928. # The level of messages to send to the log file.
  929. # One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
  930. # If using 'log_granular_levels' this must be set to the highest desired level.
  931. # Default: 'warning'
  932. {{ get_config('log_level_logfile', '') }}
  933. # The date and time format used in log messages. Allowed date/time formatting
  934. # can be seen here: http://docs.python.org/library/time.html#time.strftime
  935. {{ get_config('log_datefmt', "'%H:%M:%S'") }}
  936. {{ get_config('log_datefmt_logfile', "'%Y-%m-%d %H:%M:%S'") }}
  937. # The format of the console logging messages. Allowed formatting options can
  938. # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
  939. #
  940. # Console log colors are specified by these additional formatters:
  941. #
  942. # %(colorlevel)s
  943. # %(colorname)s
  944. # %(colorprocess)s
  945. # %(colormsg)s
  946. #
  947. # Since it is desirable to include the surrounding brackets, '[' and ']', in
  948. # the coloring of the messages, these color formatters also include padding as
  949. # well. Color LogRecord attributes are only available for console logging.
  950. #
  951. #log_fmt_console "%(colorlevel)s %(colormsg)s"
  952. {{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
  953. #
  954. {{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}
  955. # This can be used to control logging levels more specifically. This
  956. # example sets the main salt library at the 'warning' level, but sets
  957. # 'salt.modules' to log at the 'debug' level:
  958. # log_granular_levels:
  959. # 'salt': 'warning'
  960. # 'salt.modules': 'debug'
  961. #
  962. {{ get_config('log_granular_levels', '{}') }}
  963. # To diagnose issues with minions disconnecting or missing returns, ZeroMQ
  964. # supports the use of monitor sockets to log connection events. This
  965. # feature requires ZeroMQ 4.0 or higher.
  966. #
  967. # To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a
  968. # debug level or higher.
  969. #
  970. # A sample log event is as follows:
  971. #
  972. # [DEBUG ] ZeroMQ event: {'endpoint': 'tcp://127.0.0.1:4505', 'event': 512,
  973. # 'value': 27, 'description': 'EVENT_DISCONNECTED'}
  974. #
  975. # All events logged will include the string 'ZeroMQ event'. A connection event
  976. # should be logged as the minion starts up and initially connects to the
  977. # master. If not, check for debug log level and that the necessary version of
  978. # ZeroMQ is installed.
  979. #
  980. {{ get_config('zmq_monitor', 'False') }}
  981. ###### Module configuration #####
  982. ###########################################
  983. # Salt allows for modules to be passed arbitrary configuration data, any data
  984. # passed here in valid yaml format will be passed on to the salt minion modules
  985. # for use. It is STRONGLY recommended that a naming convention be used in which
  986. # the module name is followed by a . and then the value. Also, all top level
  987. # data must be applied via the yaml dict construct, some examples:
  988. #
  989. # You can specify that all modules should run in test mode:
  990. {{ get_config('test', 'True') }}
  991. # A simple value for the test module:
  992. #test.foo: foo
  993. #
  994. # A list for the test module:
  995. #test.bar: [baz,quo]
  996. #
  997. # A dict for the test module:
  998. #test.baz: {spam: sausage, cheese: bread}
  999. #
  1000. {%- if 'module_config' in cfg_minion %}
  1001. {%- do default_keys.append('module_config') %}
  1002. {%- for modkey, modval in cfg_minion.module_config|dictsort %}
  1003. {{ modkey }}: {{ modval }}
  1004. {%- endfor %}
  1005. {%- endif %}
  1006. #
  1007. ###### Update settings ######
  1008. ###########################################
  1009. # Using the features in Esky, a salt minion can both run as a frozen app and
  1010. # be updated on the fly. These options control how the update process
  1011. # (saltutil.update()) behaves.
  1012. #
  1013. # The url for finding and downloading updates. Disabled by default.
  1014. {{ get_config('update_url', 'False') }}
  1015. #
  1016. # The list of services to restart after a successful update. Empty by default.
  1017. {{ get_config('update_restart_services', '[]') }}
  1018. ###### Keepalive settings ######
  1019. ############################################
  1020. # ZeroMQ now includes support for configuring SO_KEEPALIVE if supported by
  1021. # the OS. If connections between the minion and the master pass through
  1022. # a state tracking device such as a firewall or VPN gateway, there is
  1023. # the risk that it could tear down the connection between the master and minion
  1024. # without informing either party that their connection has been taken away.
  1025. # Enabling TCP Keepalives prevents this from happening.
  1026. # Overall state of TCP Keepalives, enable (1 or True), disable (0 or False)
  1027. # or leave to the OS defaults (-1), on Linux, typically disabled. Default True, enabled.
  1028. {{ get_config('tcp_keepalive', 'True') }}
  1029. # How long before the first keepalive should be sent in seconds. Default 300
  1030. # to send the first keepalive after 5 minutes, OS default (-1) is typically 7200 seconds
  1031. # on Linux see /proc/sys/net/ipv4/tcp_keepalive_time.
  1032. {{ get_config('tcp_keepalive_idle', '300') }}
  1033. # How many lost probes are needed to consider the connection lost. Default -1
  1034. # to use OS defaults, typically 9 on Linux, see /proc/sys/net/ipv4/tcp_keepalive_probes.
  1035. {{ get_config('tcp_keepalive_cnt', '-1') }}
  1036. # How often, in seconds, to send keepalives after the first one. Default -1 to
  1037. # use OS defaults, typically 75 seconds on Linux, see
  1038. # /proc/sys/net/ipv4/tcp_keepalive_intvl.
  1039. {{ get_config('tcp_keepalive_intvl', '-1') }}
  1040. ###### Windows Software settings ######
  1041. ############################################
  1042. # Location of the repository cache file on the master:
  1043. {{ get_config('win_repo_cachefile', 'salt://win/repo/winrepo.p') }}
  1044. ###### Returner settings ######
  1045. ############################################
  1046. # Default Minion returners. Can be a comma delimited string or a list:
  1047. #
  1048. #return: mysql
  1049. #
  1050. #return: mysql,slack,redis
  1051. #
  1052. #return:
  1053. # - mysql
  1054. # - hipchat
  1055. # - slack
  1056. {%- if 'return' in cfg_minion and cfg_minion['return'] is not string %}
  1057. return:
  1058. {% for name in cfg_minion['return'] -%}
  1059. - {{ name }}
  1060. {% endfor -%}
  1061. {%- else %}
  1062. {{ get_config('return', '') }}
  1063. {%- endif %}
  1064. ###### Miscellaneous settings ######
  1065. ############################################
  1066. # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
  1067. #event_match_type: startswith
  1068. {{ get_config('event_match_type', 'startswith') }}
  1069. {% if 'elasticsearch' in cfg_minion -%}
  1070. {%- do default_keys.append('elasticsearch') %}
  1071. {%- do default_keys.append('return') %}
  1072. ##### elasticsearch connection settings #####
  1073. ##########################################
  1074. elasticsearch:
  1075. {%- for name, value in cfg_minion['elasticsearch'].items() %}
  1076. {%- if value is list %}
  1077. {{ name }}:
  1078. {%- for objvalue in value %}
  1079. - {{ objvalue }}
  1080. {%- endfor %}
  1081. {%- else %}
  1082. {{ name }}: {{ value }}
  1083. {%- endif %}
  1084. {%- endfor %}
  1085. {%- endif %}
  1086. {% if 'mongo' in cfg_minion -%}
  1087. {%- do default_keys.append('mongo') %}
  1088. ##### mongodb connection settings #####
  1089. ##########################################
  1090. {%- for name, value in cfg_minion['mongo'].items() %}
  1091. mongo.{{ name }}: {{ value }}
  1092. {%- endfor %}
  1093. {% if 'alternative.mongo' in cfg_minion -%}
  1094. {%- do default_keys.append('alternative.mongo') %}
  1095. {%- for name, value in cfg_minion['alternative.mongo'].items() %}
  1096. alternative.mongo.{{ name }}: {{ value }}
  1097. {%- endfor %}
  1098. {% endif %}
  1099. {%- endif %}
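  1100. {%- for configname in cfg_minion|sort %}{# catch-all: emit every cfg_minion key that is neither in reserved_keys nor recorded in default_keys #}
  1101. {%- if configname not in reserved_keys and configname not in default_keys %}
  1102. {%- if cfg_minion[configname] is iterable and cfg_minion[configname] is not mapping and cfg_minion[configname] is not string %}
  1103. {{ configname }}:
  1104. {%- for item in cfg_minion[configname] %}{# list items go through |json like the scalar and mapping branch below, so quoting is consistent and special characters stay inside the value #}
  1105.   - {{ item|json }}
  1106. {%- endfor -%}
  1107. {%- else %}
  1108. {{ configname }}: {{ cfg_minion[configname]|json }}
  1109. {%- endif %}
  1110. {%- endif %}
  1111. {%- endfor %}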