Saltstack Official Salt Formula
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.

11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
6 лет назад
6 лет назад
6 лет назад
6 лет назад
6 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
8 лет назад
11 лет назад
Fixed pillar_roots generation for salt-master. With a simple pillar like this:: $ sudo salt-call --config-dir /srv/etc/bootstrap --pillar-root /srv/pillar pillar.get salt:pillar_roots local: ---------- base: - /srv/pillar This was generated in /etc/salt/master.d/f_defaults.conf:: # highstate format, and is generally just key/value pairs. pillar_roots:base:- /srv/pillar # Resulting in parse errors by salt:: $ sudo salt '*' state.highstate [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ This patch will fix it as such:: ID: salt-master Function: file.recurse Name: /etc/salt/master.d Result: True Comment: Recursively updated /etc/salt/master.d Started: 11:37:12.946823 Duration: 6255.296 ms Changes: ---------- /etc/salt/master.d/f_defaults.conf: ---------- diff: --- +++ @@ -528,7 +528,9 @@ # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. -pillar_roots:base:- /srv/pillar +pillar_roots: + base: + - /srv/pillar # Resulting in:: # highstate format, and is generally just key/value pairs. pillar_roots: base: - /srv/pillar #
9 лет назад
Fixed pillar_roots generation for salt-master. With a simple pillar like this:: $ sudo salt-call --config-dir /srv/etc/bootstrap --pillar-root /srv/pillar pillar.get salt:pillar_roots local: ---------- base: - /srv/pillar This was generated in /etc/salt/master.d/f_defaults.conf:: # highstate format, and is generally just key/value pairs. pillar_roots:base:- /srv/pillar # Resulting in parse errors by salt:: $ sudo salt '*' state.highstate [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ This patch will fix it as such:: ID: salt-master Function: file.recurse Name: /etc/salt/master.d Result: True Comment: Recursively updated /etc/salt/master.d Started: 11:37:12.946823 Duration: 6255.296 ms Changes: ---------- /etc/salt/master.d/f_defaults.conf: ---------- diff: --- +++ @@ -528,7 +528,9 @@ # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. -pillar_roots:base:- /srv/pillar +pillar_roots: + base: + - /srv/pillar # Resulting in:: # highstate format, and is generally just key/value pairs. pillar_roots: base: - /srv/pillar #
9 лет назад
Fixed pillar_roots generation for salt-master. With a simple pillar like this:: $ sudo salt-call --config-dir /srv/etc/bootstrap --pillar-root /srv/pillar pillar.get salt:pillar_roots local: ---------- base: - /srv/pillar This was generated in /etc/salt/master.d/f_defaults.conf:: # highstate format, and is generally just key/value pairs. pillar_roots:base:- /srv/pillar # Resulting in parse errors by salt:: $ sudo salt '*' state.highstate [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ This patch will fix it as such:: ID: salt-master Function: file.recurse Name: /etc/salt/master.d Result: True Comment: Recursively updated /etc/salt/master.d Started: 11:37:12.946823 Duration: 6255.296 ms Changes: ---------- /etc/salt/master.d/f_defaults.conf: ---------- diff: --- +++ @@ -528,7 +528,9 @@ # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. -pillar_roots:base:- /srv/pillar +pillar_roots: + base: + - /srv/pillar # Resulting in:: # highstate format, and is generally just key/value pairs. pillar_roots: base: - /srv/pillar #
9 лет назад
11 лет назад
9 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
8 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
11 лет назад
10 лет назад
10 лет назад
8 лет назад
8 лет назад
8 лет назад
1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831
  1. # This file managed by Salt, do not edit by hand!!
  2. # Based on salt version 2016.11 default config
  3. {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'lxc.network_profile', 'lxc.container_profile', 'reactors'] -%}
  4. {% set cfg_salt = pillar.get('salt', {}) -%}
  5. {% set cfg_master = cfg_salt.get('master', {}) -%}
  6. {% set default_keys = [] -%}
  7. {%- macro get_config(configname, default_value) -%}
  8. {%- do default_keys.append(configname) %}
  9. {%- if configname in cfg_master -%}
  10. {{ configname }}: {{ cfg_master[configname]|json }}
  11. {%- elif configname in cfg_salt and configname not in reserved_keys -%}
  12. {{ configname }}: {{ cfg_salt[configname]|json }}
  13. {%- else -%}
  14. #{{ configname }}: {{ default_value|json }}
  15. {%- endif -%}
  16. {%- endmacro -%}
  17. {%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
  18. ##### Primary configuration settings #####
  19. ##########################################
  20. # This configuration file is used to manage the behavior of the Salt Master.
  21. # Values that are commented out but have an empty line after the comment are
  22. # defaults that do not need to be set in the config. If there is no blank line
  23. # after the comment then the value is presented as an example and is not the
  24. # default.
  25. # The id to be passed in the publish job to minions.
  26. # This is used for MultiSyndics to return the job to the requesting master.
  27. # This must be the same string as the syndic is configured with.
  28. # master_id: None
  29. {{ get_config('master_id', 'None') }}
  30. # Per default, the master will automatically include all config files
  31. # from master.d/*.conf (master.d is a directory in the same directory
  32. # as the main master config file).
  33. {{ get_config('default_include', 'master.d/*.conf') }}
  34. # The address of the interface to bind to:
  35. {{ get_config('interface', '0.0.0.0') }}
  36. # Whether the master should listen for IPv6 connections. If this is set to True,
  37. # the interface option must be adjusted, too. (For example: "interface: '::'")
  38. {{ get_config('ipv6', 'False') }}
  39. # The tcp port used by the publisher:
  40. {{ get_config('publish_port', '4505') }}
  41. # The user under which the salt master will run. Salt will update all
  42. # permissions to allow the specified user to run the master. The exception is
  43. # the job cache, which must be deleted if this user is changed. If the
  44. # modified files cause conflicts, set verify_env to False.
  45. {{ get_config('user', 'root') }}
  46. # The port used by the communication interface. The ret (return) port is the
  47. # interface used for the file server, authentication, job returns, etc.
  48. {{ get_config('ret_port', '4506') }}
  49. # Specify the location of the daemon process ID file:
  50. {{ get_config('pidfile', '/var/run/salt-master.pid') }}
  51. # The root directory prepended to these options: pki_dir, cachedir,
  52. # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
  53. # key_logfile, pidfile:
  54. {{ get_config('root_dir', '/') }}
  55. # The path to the master's configuration file.
  56. {{ get_config('conf_file', '/etc/salt/master') }}
  57. # Directory used to store public key data:
  58. {{ get_config('pki_dir', '/etc/salt/pki/master') }}
  59. # Key cache. Increases master speed for large numbers of accepted
  60. # keys. Available options: 'sched'. (Updates on a fixed schedule.)
  61. # Note that enabling this feature means that minions will not be
  62. # available to target for up to the length of the maintanence loop
  63. # which by default is 60s.
  64. {{ get_config('key_cache', '') }}
  65. # Directory to store job and cache data:
  66. # This directory may contain sensitive data and should be protected accordingly.
  67. #
  68. {{ get_config('cachedir', '/var/cache/salt/master') }}
  69. # Directory for custom modules. This directory can contain subdirectories for
  70. # each of Salt's module types such as "runners", "output", "wheel", "modules",
  71. # "states", "returners", etc.
  72. {{ get_config('extension_modules', '<no default>') }}
  73. # Directory for custom modules. This directory can contain subdirectories for
  74. # each of Salt's module types such as "runners", "output", "wheel", "modules",
  75. # "states", "returners", "engines", etc.
  76. # Like 'extension_modules' but can take an array of paths
  77. {% if 'module_dirs' in cfg_master -%}
  78. {%- do default_keys.append('module_dirs') %}
  79. module_dirs:
  80. {%- for dir in cfg_master['module_dirs'] %}
  81. - {{ dir}}
  82. {%- endfor -%}
  83. {% elif 'module_dirs' in cfg_salt -%}
  84. module_dirs:
  85. {%- for dir in cfg_salt['module_dirs'] %}
  86. - {{ dir}}
  87. {%- endfor -%}
  88. {% else -%}
  89. #module_dirs: <no default>
  90. # - /var/cache/salt/minion/extmods
  91. {% endif %}
  92. # Verify and set permissions on configuration directories at startup:
  93. {{ get_config('verify_env', 'True') }}
  94. # Set the number of hours to keep old job information in the job cache:
  95. {{ get_config('keep_jobs', '24') }}
  96. # The number of seconds to wait when the client is requesting information
  97. # about running jobs.
  98. {{ get_config('gather_job_timeout', '10') }}
  99. # Set the default timeout for the salt command and api. The default is 5
  100. # seconds.
  101. {{ get_config('timeout', '5') }}
  102. # The loop_interval option controls the seconds for the master's maintenance
  103. # process check cycle. This process updates file server backends, cleans the
  104. # job cache and executes the scheduler.
  105. {{ get_config('loop_interval', '60') }}
  106. # Set the default outputter used by the salt command. The default is "nested".
  107. {{ get_config('output', 'nested') }}
  108. # Set the default output file used by the salt command. Default is to output
  109. # to the CLI and not to a file. Functions the same way as the "--out-file"
  110. # CLI option, only sets this to a single file for all salt commands.
  111. {{ get_config('output_file', 'None') }}
  112. # Return minions that timeout when running commands like test.ping
  113. {{ get_config('show_timeout', 'True') }}
  114. # By default, output is colored. To disable colored output, set the color value
  115. # to False.
  116. {{ get_config('color', 'True') }}
  117. # Do not strip off the colored output from nested results and state outputs
  118. # (true by default).
  119. {{ get_config('strip_colors', 'False') }}
  120. # To display a summary of the number of minions targeted, the number of
  121. # minions returned, and the number of minions that did not return, set the
  122. # cli_summary value to True. (False by default.)
  123. #
  124. {{ get_config('cli_summary', 'False') }}
  125. # Set the directory used to hold unix sockets:
  126. {{ get_config('sock_dir', '/var/run/salt/master') }}
  127. # The master can take a while to start up when lspci and/or dmidecode is used
  128. # to populate the grains for the master. Enable if you want to see GPU hardware
  129. # data for your master.
  130. {{ get_config('enable_gpu_grains', 'False') }}
  131. # The master maintains a job cache. While this is a great addition, it can be
  132. # a burden on the master for larger deployments (over 5000 minions).
  133. # Disabling the job cache will make previously executed jobs unavailable to
  134. # the jobs system and is not generally recommended.
  135. {{ get_config('job_cache', 'True') }}
  136. # Cache minion grains, pillar and mine data via the cache subsystem in the
  137. # cachedir or a database.
  138. {{ get_config('minion_data_cache', 'True') }}
  139. # Cache subsystem module to use for minion data cache.
  140. {{ get_config('cache', 'localfs') }}
  141. # Enables a fast in-memory cache booster and sets the expiration time.
  142. {{ get_config('memcache_expire_seconds', '0') }}
  143. # Set a memcache limit in items (bank + key) per cache storage (driver + driver_opts).
  144. {{ get_config('memcache_max_items', '1024') }}
  145. # Each time a cache storage got full cleanup all the expired items not just the oldest one.
  146. {{ get_config('memcache_full_cleanup', 'False') }}
  147. # Enable collecting the memcache stats and log it on `debug` log level.
  148. {{ get_config('memcache_debug', 'False') }}
  149. # Store all returns in the given returner.
  150. # Setting this option requires that any returner-specific configuration also
  151. # be set. See various returners in salt/returners for details on required
  152. # configuration values. (See also, event_return_queue below.)
  153. {{ get_config('event_return', 'mysql') }}
  154. # On busy systems, enabling event_returns can cause a considerable load on
  155. # the storage system for returners. Events can be queued on the master and
  156. # stored in a batched fashion using a single transaction for multiple events.
  157. # By default, events are not queued.
  158. {{ get_config('event_return_queue', '0') }}
  159. # Only return events matching tags in a whitelist, supports glob matches.
  160. {% if 'event_return_whitelist' in cfg_master -%}
  161. {%- do default_keys.append('event_return_whitelist') %}
  162. event_return_whitelist:
  163. {%- for event_return in cfg_master['event_return_whitelist'] %}
  164. - {{ event_return }}
  165. {%- endfor -%}
  166. {% elif 'event_return_whitelist' in cfg_salt -%}
  167. event_return_whitelist:
  168. {%- for event_return in cfg_salt['event_return_whitelist'] %}
  169. - {{ event_return }}
  170. {%- endfor -%}
  171. {% else -%}
  172. #event_return_whitelist:
  173. # - salt/master/a_tag
  174. # - salt/run/*/ret
  175. {% endif %}
  176. # Store all event returns **except** the tags in a blacklist supports globs.
  177. {% if 'event_return_blacklist' in cfg_master -%}
  178. {%- do default_keys.append('event_return_blacklist') %}
  179. event_return_blacklist:
  180. {%- for event_return in cfg_master['event_return_blacklist'] %}
  181. - {{ event_return }}
  182. {%- endfor -%}
  183. {% elif 'event_return_blacklist' in cfg_salt -%}
  184. event_return_blacklist:
  185. {%- for event_return in cfg_salt['event_return_blacklist'] %}
  186. - {{ event_return }}
  187. {%- endfor -%}
  188. {% else -%}
  189. #event_return_blacklist:
  190. # - salt/master/not_this_tag
  191. # - salt/wheel/*/ret
  192. {% endif %}
  193. # Passing very large events can cause the minion to consume large amounts of
  194. # memory. This value tunes the maximum size of a message allowed onto the
  195. # master event bus. The value is expressed in bytes.
  196. {{ get_config('max_event_size', '1048576') }}
  197. # By default, the master AES key rotates every 24 hours. The next command
  198. # following a key rotation will trigger a key refresh from the minion which may
  199. # result in minions which do not respond to the first command after a key refresh.
  200. #
  201. # To tell the master to ping all minions immediately after an AES key refresh, set
  202. # ping_on_rotate to True. This should mitigate the issue where a minion does not
  203. # appear to initially respond after a key is rotated.
  204. #
  205. # Note that ping_on_rotate may cause high load on the master immediately after
  206. # the key rotation event as minions reconnect. Consider this carefully if this
  207. # salt master is managing a large number of minions.
  208. #
  209. # If disabled, it is recommended to handle this event by listening for the
  210. # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
  211. {{ get_config('ping_on_rotate', 'False') }}
  212. # By default, the master deletes its cache of minion data when the key for that
  213. # minion is removed. To preserve the cache after key deletion, set
  214. # 'preserve_minion_cache' to True.
  215. #
  216. # WARNING: This may have security implications if compromised minions auth with
  217. # a previous deleted minion ID.
  218. {{ get_config('preserve_minion_cache', 'False') }}
  219. # If max_minions is used in large installations, the master might experience
  220. # high-load situations because of having to check the number of connected
  221. # minions for every authentication. This cache provides the minion-ids of
  222. # all connected minions to all MWorker-processes and greatly improves the
  223. # performance of max_minions.
  224. {{ get_config('con_cache', 'False') }}
  225. # The master can include configuration from other files. To enable this,
  226. # pass a list of paths to this option. The paths can be either relative or
  227. # absolute; if relative, they are considered to be relative to the directory
  228. # the main master configuration file lives in (this file). Paths can make use
  229. # of shell-style globbing. If no files are matched by a path passed to this
  230. # option, then the master will log a warning message.
  231. #
  232. # Include a config file from some other path:
  233. # include: /etc/salt/extra_config
  234. #
  235. # Include config from several files and directories:
  236. # include:
  237. # - /etc/salt/extra_config
  238. {{ get_config('include', '[]') }}
  239. ##### Large-scale tuning settings #####
  240. ##########################################
  241. # Max open files
  242. #
  243. # Each minion connecting to the master uses AT LEAST one file descriptor, the
  244. # master subscription connection. If enough minions connect you might start
  245. # seeing on the console (and then salt-master crashes):
  246. # Too many open files (tcp_listener.cpp:335)
  247. # Aborted (core dumped)
  248. #
  249. # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
  250. # max open files.
  251. #
  252. # If you wish to set a different value than the default one, uncomment and
  253. # configure this setting. Remember that this value CANNOT be higher than the
  254. # hard limit. Raising the hard limit depends on your OS and/or distribution,
  255. # a good way to find the limit is to search the internet. For example:
  256. # raise max open files hard limit debian
  257. #
  258. {{ get_config('max_open_files', '100000') }}
  259. # The number of worker threads to start. These threads are used to manage
  260. # return calls made from minions to the master. If the master seems to be
  261. # running slowly, increase the number of threads. This setting can not be
  262. # set lower than 3.
  263. {{ get_config('worker_threads', '5') }}
  264. # Set the ZeroMQ high water marks
  265. # http://api.zeromq.org/3-2:zmq-setsockopt
  266. # The listen queue size / backlog
  267. {{ get_config('zmq_backlog', '1000') }}
  268. # The publisher interface ZeroMQPubServerChannel
  269. {{ get_config('pub_hwm', '1000') }}
  270. # These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm
  271. # are significant for masters with thousands of minions. When these are
  272. # insufficiently high it will manifest in random responses missing in the CLI
  273. # and even missing from the job cache. Masters that have fast CPUs and many
  274. # cores with appropriate worker_threads will not need these set as high.
  275. # On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has
  276. # these settings:
  277. #
  278. # salt_event_pub_hwm: 128000
  279. # event_publisher_pub_hwm: 64000
  280. # ZMQ high-water-mark for SaltEvent pub socket
  281. {{ get_config('salt_event_pub_hwm', '20000') }}
  282. # ZMQ high-water-mark for EventPublisher pub socket
  283. {{ get_config('event_publisher_pub_hwm', '10000') }}
  284. # The master may allocate memory per-event and not
  285. # reclaim it.
  286. # To set a high-water mark for memory allocation, use
  287. # ipc_write_buffer to set a high-water mark for message
  288. # buffering.
  289. # Value: In bytes. Set to 'dynamic' to have Salt select
  290. # a value for you. Default is disabled.
  291. {%- if 'ipc_write_buffer' in cfg_master %}
  292. {{ get_config('ipc_write_buffer', 'dynamic') }}
  293. {%- else %}
  294. # ipc_write_buffer: 'dynamic'
  295. {%- endif %}
  296. ##### Security settings #####
  297. ##########################################
  298. # Enable "open mode", this mode still maintains encryption, but turns off
  299. # authentication, this is only intended for highly secure environments or for
  300. # the situation where your keys end up in a bad state. If you run in open mode
  301. # you do so at your own risk!
  302. {{ get_config('open_mode', 'False') }}
  303. # Enable auto_accept, this setting will automatically accept all incoming
  304. # public keys from the minions. Note that this is insecure.
  305. {{ get_config('auto_accept', 'False') }}
  306. # Time in minutes that an incoming public key with a matching name found in
  307. # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
  308. # are removed when the master checks the minion_autosign directory.
  309. # 0 equals no timeout
  310. {{ get_config('autosign_timeout', '120') }}
  311. # If the autosign_file is specified, incoming keys specified in the
  312. # autosign_file will be automatically accepted. This is insecure. Regular
  313. # expressions as well as globing lines are supported.
  314. {{ get_config('autosign_file', '/etc/salt/autosign.conf') }}
  315. # Works like autosign_file, but instead allows you to specify minion IDs for
  316. # which keys will automatically be rejected. Will override both membership in
  317. # the autosign_file and the auto_accept setting.
  318. {{ get_config('autoreject_file', '/etc/salt/autoreject.conf') }}
  319. # Enable permissive access to the salt keys. This allows you to run the
  320. # master or minion as root, but have a non-root group be given access to
  321. # your pki_dir. To make the access explicit, root must belong to the group
  322. # you've given access to. This is potentially quite insecure. If an autosign_file
  323. # is specified, enabling permissive_pki_access will allow group access to that
  324. # specific file.
  325. {{ get_config('permissive_pki_access', 'False') }}
  326. # Allow users on the master access to execute specific commands on minions.
  327. # This setting should be treated with care since it opens up execution
  328. # capabilities to non root users. By default this capability is completely
  329. # disabled.
  330. #publisher_acl:
  331. # larry:
  332. # - test.ping
  333. # - network.*
  334. # - '*':
  335. # - pkg.*
  336. #
  337. {% if 'publisher_acl' in cfg_master -%}
  338. {%- do default_keys.append('publisher_acl') %}
  339. publisher_acl:
  340. {%- for user, commands in cfg_master['publisher_acl']|dictsort %}
  341. {{ user }}:
  342. {%- for command in commands %}
  343. {%- if command is mapping %}
  344. {%- for target, targetcommands in command.items() %}
  345. - {% raw %}'{% endraw %}{{ target }}{% raw %}'{% endraw %}:
  346. {%- for targetcommand in targetcommands %}
  347. - {% raw %}'{% endraw %}{{ targetcommand }}{% raw %}'{% endraw %}
  348. {%- endfor -%}
  349. {%- endfor -%}
  350. {%- else %}
  351. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  352. {%- endif %}
  353. {%- endfor -%}
  354. {%- endfor -%}
  355. {% elif 'publisher_acl' in cfg_salt -%}
  356. publisher_acl:
  357. {%- for user, commands in cfg_salt['publisher_acl']|dictsort %}
  358. {{ user }}:
  359. {%- for command in commands %}
  360. {%- if command is mapping %}
  361. {%- for target, targetcommands in command.items() %}
  362. - {% raw %}'{% endraw %}{{ target }}{% raw %}'{% endraw %}:
  363. {%- for targetcommand in targetcommands %}
  364. - {% raw %}'{% endraw %}{{ targetcommand }}{% raw %}'{% endraw %}
  365. {%- endfor -%}
  366. {%- endfor -%}
  367. {%- else %}
  368. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  369. {%- endif %}
  370. {%- endfor -%}
  371. {%- endfor -%}
  372. {% elif 'client_acl' in cfg_master -%}
  373. {%- do default_keys.append('client_acl') %}
  374. publisher_acl:
  375. {%- for name, user in cfg_master['client_acl']|dictsort %}
  376. {{ name}}:
  377. {%- for command in user %}
  378. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  379. {%- endfor -%}
  380. {%- endfor -%}
  381. {% elif 'client_acl' in cfg_salt -%}
  382. publisher_acl:
  383. {%- for name, user in cfg_salt['client_acl']|dictsort %}
  384. {{ name }}:
  385. {%- for command in user %}
  386. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  387. {%- endfor -%}
  388. {%- endfor -%}
  389. {% else -%}
  390. {%- endif %}
  391. # Blacklist any of the following users or modules
  392. #
  393. # This example would blacklist all non sudo users, including root from
  394. # running any commands. It would also blacklist any use of the "cmd"
  395. # module. This is completely disabled by default.
  396. #
  397. #
  398. # Check the list of configured users in client ACL against users on the
  399. # system and throw errors if they do not exist.
  400. {{ get_config('client_acl_verify', 'True') }}
  401. #
  402. {% if 'publisher_acl_blacklist' in cfg_master %}
  403. {%- do default_keys.append('publisher_acl_blacklist') %}
  404. publisher_acl_blacklist:
  405. users:
  406. {% for user in cfg_master['publisher_acl_blacklist'].get('users', []) %}
  407. - {{ user }}
  408. {% endfor %}
  409. modules:
  410. {% for mod in cfg_master['publisher_acl_blacklist'].get('modules', []) %}
  411. - {{ mod }}
  412. {% endfor %}
  413. {% elif 'publisher_acl_blacklist' in cfg_salt %}
  414. publisher_acl_blacklist:
  415. users:
  416. {% for user in cfg_salt['publisher_acl_blacklist'].get('users', []) %}
  417. - {{ user }}
  418. {% endfor %}
  419. modules:
  420. {% for mod in cfg_salt['publisher_acl_blacklist'].get('modules', []) %}
  421. - {{ mod }}
  422. {% endfor %}
  423. {% elif 'client_acl_blacklist' in cfg_master %}
  424. {%- do default_keys.append('client_acl_blacklist') %}
  425. publisher_acl_blacklist:
  426. users:
  427. {% for user in cfg_master['client_acl_blacklist'].get('users', []) %}
  428. - {{ user }}
  429. {% endfor %}
  430. modules:
  431. {% for mod in cfg_master['client_acl_blacklist'].get('modules', []) %}
  432. - {{ mod }}
  433. {% endfor %}
  434. {% elif 'client_acl_blacklist' in cfg_salt %}
  435. publisher_acl_blacklist:
  436. users:
  437. {% for user in cfg_salt['client_acl_blacklist'].get('users', []) %}
  438. - {{ user }}
  439. {% endfor %}
  440. modules:
  441. {% for mod in cfg_salt['client_acl_blacklist'].get('modules', []) %}
  442. - {{ mod }}
  443. {% endfor %}
  444. {% else %}
  445. #publisher_acl_blacklist:
  446. # users:
  447. # - root
  448. # - '^(?!sudo_).*$' # all non sudo users
  449. # modules:
  450. # - cmd
  451. {% endif %}
  452. #
  453. # WARNING: client_acl and client_acl_blacklist options are deprecated and will
  454. # be removed in the future releases. Use publisher_acl and
  455. # publisher_acl_blacklist instead.
  456. # Enforce publisher_acl & publisher_acl_blacklist when users have sudo
  457. # access to the salt command.
  458. {{ get_config('sudo_acl', 'False') }}
  459. # The external auth system uses the Salt auth modules to authenticate and
  460. # validate users to access areas of the Salt system.
  461. #external_auth:
  462. # pam:
  463. # fred:
  464. # - test.*
  465. {%- if 'external_auth' in cfg_master %}
  466. {%- do default_keys.append('external_auth') %}
  467. external_auth:
  468. {%- for auth, users in cfg_master['external_auth']|dictsort %}
  469. {{ auth }}:
  470. {%- for user, commands in users.items() %}
  471. {%- if user.startswith('^') %}
  472. {{ user }}: {% raw %}'{% endraw %}{{ commands }}{% raw %}'{% endraw %}
  473. {%- else %}
  474. {{ user }}:
  475. {%- for command in commands %}
  476. {%- if command is mapping %}
  477. {%- for target, targetcommands in command.items() %}
  478. - {% raw %}'{% endraw %}{{ target }}{% raw %}'{% endraw %}:
  479. {%- for targetcommand in targetcommands %}
  480. {%- if targetcommand is mapping %}
  481. {%- for module, options in targetcommand.items() %}
  482. - {% raw %}'{% endraw %}{{ module }}{% raw %}'{% endraw %}:
  483. {%- for category, arguments in options.items() %}
  484. {% raw %}'{% endraw %}{{ category }}{% raw %}'{% endraw %}:
  485. {%- if arguments is mapping %}
  486. {%- for key, argument in arguments.items() %}
  487. {% raw %}'{% endraw %}{{ key }}{% raw %}'{% endraw %}: {% raw %}'{% endraw %}{{ argument }}{% raw %}'{% endraw %}
  488. {%- endfor %}
  489. {%- else %}
  490. {%- for argument in arguments %}
  491. - {% raw %}'{% endraw %}{{ argument }}{% raw %}'{% endraw %}
  492. {%- endfor %}
  493. {%- endif %}
  494. {%- endfor %}
  495. {%- endfor %}
  496. {%- else %}
  497. - {% raw %}'{% endraw %}{{ targetcommand }}{% raw %}'{% endraw %}
  498. {%- endif %}
  499. {%- endfor %}
  500. {%- endfor %}
  501. {%- else %}
  502. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  503. {%- endif %}
  504. {%- endfor -%}
  505. {%- endif %}
  506. {%- endfor -%}
  507. {%- endfor -%}
  508. {%- endif %}
  509. # Time (in seconds) for a newly generated token to live. Default: 12 hours
  510. {{ get_config('token_expire', '43200') }}
  511. #
  512. # Allow eauth users to specify the expiry time of the tokens they generate.
  513. # A boolean applies to all users or a dictionary of whitelisted eauth backends
  514. # and usernames may be given.
  515. # token_expire_user_override:
  516. # pam:
  517. # - fred
  518. # - tom
  519. # ldap:
  520. # - gary
  521. #
  522. #token_expire_user_override: False
  523. # Allow minions to push files to the master. This is disabled by default, for
  524. # security purposes.
  525. {{ get_config('file_recv', 'False') }}
  526. # Set a hard-limit on the size of the files that can be pushed to the master.
  527. # It will be interpreted as megabytes. Default: 100
  528. {{ get_config('file_recv_max_size', '100') }}
  529. # Signature verification on messages published from the master.
  530. # This causes the master to cryptographically sign all messages published to its event
  531. # bus, and minions then verify that signature before acting on the message.
  532. #
  533. # This is False by default.
  534. #
  535. # Note that to facilitate interoperability with masters and minions that are different
  536. # versions, if sign_pub_messages is True but a message is received by a minion with
  537. # no signature, it will still be accepted, and a warning message will be logged.
  538. # Conversely, if sign_pub_messages is False, but a minion receives a signed
  539. # message it will be accepted, the signature will not be checked, and a warning message
  540. # will be logged. This behavior went away in Salt 2014.1.0 and these two situations
  541. # will cause minion to throw an exception and drop the message.
  542. {{ get_config('sign_pub_message', 'False') }}
  543. # Use TLS/SSL encrypted connection between master and minion.
  544. # Can be set to a dictionary containing keyword arguments corresponding to Python's
  545. # 'ssl.wrap_socket' method.
  546. # Default is None.
  547. #ssl:
  548. # keyfile: <path_to_keyfile>
  549. # certfile: <path_to_certfile>
  550. # ssl_version: PROTOCOL_TLSv1_2
  551. # Sign the master auth-replies with a cryptographic signature of the masters public key.
  552. # Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
  553. {{ get_config('master_sign_pubkey', 'False') }}
  554. # The customizable name of the signing-key-pair without suffix.
  555. # master_sign_key_name: <filename_without_suffix>
  556. {{ get_config('master_sign', '{}') }}
  557. # The name of the file in the masters pki-directory that holds the pre-calculated
  558. # signature of the masters public-key.
  559. # master_pubkey_signature: <filename>
  560. {{ get_config('master_pubkey_signature', '{}') }}
  561. # Instead of computing the signature for each auth-reply, use a pre-calculated signature.
  562. # The master_pubkey_signature must also be set for this.
  563. {{ get_config('master_use_pubkey_signature', 'False') }}
  564. # Rotate the salt-masters AES-key when a minion-public is deleted with salt-key.
  565. # This is a very important security-setting. Disabling it will enable deleted minions to still
  566. # listen in on the messages published by the salt-master.
  567. # Do not disable this unless it is absolutely clear what this does.
  568. {{ get_config('rotate_aes_key', 'True') }}
  569. # Unique ID attribute name for the user. For Active Directory should be set
  570. # to 'sAMAccountName'. Default value is 'memberUid'.
  571. {{ get_config('auth.ldap.accountattributename', 'memberUid') }}
  572. # Set this to True if LDAP is Active Directory. Default is False
  573. {{ get_config('auth.ldap.activedirectory', False) }}
  574. # Bind to LDAP anonymously to determine group membership
  575. # Active Directory does not allow anonymous binds without special configuration
  576. {{ get_config('auth.ldap.anonymous', False) }}
  577. # The base DN under which users can be found in LDAP
  578. {{ get_config('auth.ldap.basedn', '') }}
  579. # The user Salt authenticates to search for a users' Distinguished Name and
  580. # group membership.
  581. {{ get_config('auth.ldap.binddn', '') }}
  582. # The bind password to go along with the bind dn (binddn).
  583. {{ get_config('auth.ldap.bindpw', '') }}
  584. # The filter used to find the DN associated with a user. For most LDAPs use
  585. # the value {% raw %}'uid={{ username }}'{% endraw %}. For Active Directory use the value
  586. # {% raw %}'sAMAccountName={{username}}'{% endraw %}.
  587. {{ get_config('auth.ldap.filter', '') }}
  588. # The attribute used for user group membership. Defaults to 'memberOf'
  589. {{ get_config('auth.ldap.groupattribute', 'memberOf') }}
  590. # LDAP group class. Use 'group' for Active Directory. Defaults to 'posixGroup'
  591. {{ get_config('auth.ldap.groupclass', 'posixGroup') }}
  592. # To specify an OU that contains group data. Not used for Active Directory
  593. # Default value: 'Groups'
  594. {{ get_config('auth.ldap.groupou', 'Groups') }}
  595. # Allows the administrator to strip off a certain set of domain names
  596. # so the hostnames looked up in the directory service can match the minion IDs.
  597. {{ get_config('auth.ldap.minion_stripdomains', []) }}
  598. # Verify server's TLS certificate. Default value: False
  599. {{ get_config('auth.ldap.no_verify', False) }}
  600. # Only for Active Directory. Default value: 'person'
  601. {{ get_config('auth.ldap.persontype', 'person') }}
  602. # Port to connect via. Default value: '389'
  603. {{ get_config('auth.ldap.port', '389') }}
  604. # LDAP scope level, almost always 2. Default value: 2
  605. {{ get_config('auth.ldap.scope', 2) }}
  606. # Server to auth against. Default value: 'localhost'
  607. {{ get_config('auth.ldap.server', 'localhost') }}
  608. # Use TLS when connecting. Default value: False
  609. {{ get_config('auth.ldap.tls', False) }}
  610. # Server specified in URI format. Overrides .ldap.server, .ldap.port,
  611. # .ldap.tls. Default value: ''
  612. {{ get_config('auth.ldap.uri', '') }}
  613. ##### Salt-SSH Configuration #####
  614. ##########################################
  615. # Pass in an alternative location for the salt-ssh roster file
  616. {{ get_config('roster_file', '/etc/salt/roster') }}
  617. # Define locations for roster files so they can be chosen when using Salt API.
  618. # An administrator can place roster files into these locations. Then when
  619. # calling Salt API, parameter 'roster_file' should contain a relative path to
  620. # these locations. That is, "roster_file=/foo/roster" will be resolved as
  621. # "/etc/salt/roster.d/foo/roster" etc. This feature prevents passing insecure
  622. # custom rosters through the Salt API.
  623. #
  624. {%- if 'rosters' in cfg_master %}
  625. rosters:
  626. {% for name in cfg_master['rosters'] -%}
  627. - {{ name }}
  628. {% endfor -%}
  629. {%- else %}
  630. #rosters:
  631. # - /etc/salt/roster.d
  632. # - /opt/salt/some/more/rosters
  633. {%- endif %}
  634. # The log file of the salt-ssh command:
  635. {{ get_config('ssh_log_file', '/var/log/salt/ssh') }}
  636. # Pass in minion option overrides that will be inserted into the SHIM for
  637. # salt-ssh calls. The local minion config is not used for salt-ssh. Can be
  638. # overridden on a per-minion basis in the roster (`minion_opts`)
  639. #ssh_minion_opts:
  640. # gpg_keydir: /root/gpg
  641. {{ get_config('ssh_minion_opts', '{}') }}
  642. # Set this to True to default to using ~/.ssh/id_rsa for salt-ssh
  643. # authentication with minions
  644. {{ get_config('ssh_use_home_key', 'False') }}
  645. ##### Master Module Management #####
  646. ##########################################
  647. # Manage how master side modules are loaded.
  648. # Add any additional locations to look for master runners:
  649. {{ get_config('runner_dirs', '[]') }}
  650. # Enable Cython for master side modules:
  651. {{ get_config('cython_enable', 'False') }}
  652. ##### State System settings #####
  653. ##########################################
  654. # The state system uses a "top" file to tell the minions what environment to
  655. # use and what modules to use. The state_top file is defined relative to the
  656. # root of the base environment as defined in "File Server settings" below.
  657. {{ get_config('state_top', 'top.sls') }}
  658. # The master_tops option replaces the external_nodes option by creating
  659. # a plugable system for the generation of external top data. The external_nodes
  660. # option is deprecated by the master_tops option.
  661. #
  662. # To gain the capabilities of the classic external_nodes system, use the
  663. # following configuration:
  664. # master_tops:
  665. # ext_nodes: <Shell command which returns yaml>
  666. #
  667. #master_tops: {}
  668. {% if 'master_tops' in cfg_master %}
  669. {%- do default_keys.append('master_tops') %}
  670. master_tops:
  671. {%- for master in cfg_master['master_tops'] -%}
  672. {%- if cfg_master['master_tops'][master] is mapping %}
  673. {{ master }}:
  674. {%- for parameter in cfg_master['master_tops'][master] %}
  675. {{ parameter }}: {{ cfg_master['master_tops'][master][parameter] }}
  676. {%- endfor -%}
  677. {%- elif cfg_master['master_tops'][master] is string %}
  678. {{ master }}: {{ cfg_master['master_tops'][master] }}
  679. {%- elif cfg_master['master_tops'][master] is iterable %}
  680. {{ master }}:
  681. {%- for item in cfg_master['master_tops'][master] %}
  682. - {{ item }}
  683. {%- endfor -%}
  684. {%- else %}
  685. {{ master }}: {{ cfg_master['master_tops'][master] }}
  686. {% endif %}
  687. {%- endfor %}
  688. {% endif %}
  689. # The external_nodes option allows Salt to gather data that would normally be
  690. # placed in a top file. The external_nodes option is the executable that will
  691. # return the ENC data. Remember that Salt will look for external nodes AND top
  692. # files and combine the results if both are enabled!
  693. {{ get_config('external_nodes', 'None') }}
  694. # The renderer to use on the minions to render the state data
  695. {{ get_config('renderer', 'yaml_jinja') }}
  696. # The Jinja renderer can strip extra carriage returns and whitespace
  697. # See http://jinja.pocoo.org/docs/api/#high-level-api
  698. #
  699. # If this is set to True the first newline after a Jinja block is removed
  700. # (block, not variable tag!). Defaults to False, corresponds to the Jinja
  701. # environment init variable "trim_blocks".
  702. {{ get_config('jinja_trim_blocks', 'False') }}
  703. #
  704. # If this is set to True leading spaces and tabs are stripped from the start
  705. # of a line to a block. Defaults to False, corresponds to the Jinja
  706. # environment init variable "lstrip_blocks".
  707. {{ get_config('jinja_lstrip_blocks', 'False') }}
  708. # The failhard option tells the minions to stop immediately after the first
  709. # failure detected in the state execution, defaults to False
  710. {{ get_config('failhard', 'False') }}
  711. # The state_verbose and state_output settings can be used to change the way
  712. # state system data is printed to the display. By default all data is printed.
  713. # The state_verbose setting can be set to True or False, when set to False
  714. # all data that has a result of True and no changes will be suppressed.
  715. {{ get_config('state_verbose', 'True') }}
  716. # The state_output setting changes if the output is the full multi line
  717. # output for each changed state if set to 'full', but if set to 'terse'
  718. # the output will be shortened to a single line. If set to 'mixed', the output
  719. # will be terse unless a state failed, in which case that output will be full.
  720. # If set to 'changes', the output will be full unless the state didn't change.
  721. {{ get_config('state_output', 'full') }}
  722. # Automatically aggregate all states that have support for mod_aggregate by
  723. # setting to 'True'. Or pass a list of state module names to automatically
  724. # aggregate just those types.
  725. #
  726. # state_aggregate:
  727. # - pkg
  728. #
  729. #state_aggregate: False
  730. {{ get_config('state_aggregate', '{}') }}
  731. # Send progress events as each function in a state run completes execution
  732. # by setting to 'True'. Progress events are in the format
  733. # 'salt/job/<JID>/prog/<MID>/<RUN NUM>'.
  734. {{ get_config('state_events', 'False') }}
  735. # Enable extra routines for YAML renderer used states containing UTF characters.
  736. {{ get_config('yaml_utf8', 'False') }}
  737. ##### File Server settings #####
  738. ##########################################
  739. # Salt runs a lightweight file server written in zeromq to deliver files to
  740. # minions. This file server is built into the master daemon and does not
  741. # require a dedicated port.
  742. # The file server works on environments passed to the master, each environment
  743. # can have multiple root directories, the subdirectories in the multiple file
  744. # roots cannot match, otherwise the downloaded files will not be able to be
  745. # reliably ensured. A base environment is required to house the top file.
  746. # Example:
  747. # file_roots:
  748. # base:
  749. # - /srv/salt/
  750. # dev:
  751. # - /srv/salt/dev/services
  752. # - /srv/salt/dev/states
  753. # prod:
  754. # - /srv/salt/prod/services
  755. # - /srv/salt/prod/states
  756. #
  757. {% if 'file_roots' in cfg_master -%}
  758. {%- do default_keys.append('file_roots') %}
  759. {{ file_roots(cfg_master['file_roots']) }}
  760. {%- elif 'file_roots' in cfg_salt -%}
  761. {{ file_roots(cfg_salt['file_roots']) }}
  762. {%- elif formulas|length -%}
  763. {{ file_roots({'base': ['/srv/salt']}) }}
  764. {%- else -%}
  765. #file_roots:
  766. # base:
  767. # - /srv/salt
  768. #
  769. {%- endif %}
  770. # When using multiple environments, each with their own top file, the
  771. # default behaviour is an unordered merge. To prevent top files from
  772. # being merged together and instead to only use the top file from the
  773. # requested environment, set this value to 'same'.
  774. {{ get_config('top_file_merging_strategy', 'merge') }}
  775. # To specify the order in which environments are merged, set the ordering
  776. # in the env_order option. Given a conflict, the last matching value will
  777. # win.
  778. {{ get_config('env_order', '["base", "dev", "prod"]') }}
  779. # If top_file_merging_strategy is set to 'same' and an environment does not
  780. # contain a top file, the top file in the environment specified by default_top
  781. # will be used instead.
  782. {{ get_config('default_top', 'base') }}
  783. # The hash_type is the hash to use when discovering the hash of a file on
  784. # the master server. The default is md5 but sha1, sha224, sha256, sha384
  785. # and sha512 are also supported.
  786. #
  787. # WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
  788. # of possible collisions and thus security breach.
  789. #
  790. # Prior to changing this value, the master should be stopped and all Salt
  791. # caches should be cleared.
  792. {{ get_config('hash_type', 'md5') }}
  793. # The buffer size in the file server can be adjusted here:
  794. {{ get_config('file_buffer_size', '1048576') }}
  795. # A regular expression (or a list of expressions) that will be matched
  796. # against the file path before syncing the modules and states to the minions.
  797. # This includes files affected by the file.recurse state.
  798. # For example, if you manage your custom modules and states in subversion
  799. # and don't want all the '.svn' folders and content synced to your minions,
  800. # you could set this to '/\.svn($|/)'. By default nothing is ignored.
  801. {%- if 'file_ignore_regex' in cfg_master %}
  802. {%- do default_keys.append('file_ignore_regex') %}
  803. file_ignore_regex:
  804. {%- for regex in cfg_master['file_ignore_regex'] %}
  805. - {{ regex }}
  806. {%- endfor %}
  807. {%- elif 'file_ignore_regex' in cfg_salt %}
  808. file_ignore_regex:
  809. {%- for regex in cfg_salt['file_ignore_regex'] %}
  810. - {{ regex }}
  811. {%- endfor %}
  812. {%- else %}
  813. #file_ignore_regex:
  814. # - '/\.svn($|/)'
  815. # - '/\.git($|/)'
  816. {%- endif %}
  817. # A file glob (or list of file globs) that will be matched against the file
  818. # path before syncing the modules and states to the minions. This is similar
  819. # to file_ignore_regex above, but works on globs instead of regex. By default
  820. # nothing is ignored.
  821. {%- if 'file_ignore_glob' in cfg_master %}
  822. {%- do default_keys.append('file_ignore_glob') %}
  823. file_ignore_glob:
  824. {%- for glob in cfg_master['file_ignore_glob'] %}
  825. - '{{ glob }}'
  826. {%- endfor %}
  827. {%- elif 'file_ignore_glob' in cfg_salt %}
  828. file_ignore_glob:
  829. {%- for glob in cfg_salt['file_ignore_glob'] %}
  830. - '{{ glob }}'
  831. {%- endfor %}
  832. {%- else %}
  833. # file_ignore_glob:
  834. # - '*.pyc'
  835. # - '*/somefolder/*.bak'
  836. # - '*.swp'
  837. {%- endif %}
  838. # File Server Backend
  839. #
  840. # Salt supports a modular fileserver backend system, this system allows
  841. # the salt master to link directly to third party systems to gather and
  842. # manage the files available to minions. Multiple backends can be
  843. # configured and will be searched for the requested file in the order in which
  844. # they are defined here. The default setting only enables the standard backend
  845. # "roots" which uses the "file_roots" option.
  846. #fileserver_backend:
  847. # - roots
  848. #
  849. # To use multiple backends list them in the order they are searched:
  850. #fileserver_backend:
  851. # - git
  852. # - roots
  853. {% if 'fileserver_backend' in cfg_master -%}
  854. {%- do default_keys.append('fileserver_backend') %}
  855. fileserver_backend:
  856. {%- for backend in cfg_master['fileserver_backend'] %}
  857. - {{ backend }}
  858. {%- endfor -%}
  859. {%- endif %}
  860. # Uncomment the line below if you do not want the file_server to follow
  861. # symlinks when walking the filesystem tree. This is set to True
  862. # by default. Currently this only applies to the default roots
  863. # fileserver_backend.
  864. {{ get_config('fileserver_followsymlinks', 'False') }}
  865. # Uncomment the line below if you do not want symlinks to be
  866. # treated as the files they are pointing to. By default this is set to
  867. # False. By uncommenting the line below, any detected symlink while listing
  868. # files on the Master will not be returned to the Minion.
  869. {{ get_config('fileserver_ignoresymlinks', 'True') }}
  870. # By default, the Salt fileserver recurses fully into all defined environments
  871. # to attempt to find files. To limit this behavior so that the fileserver only
  872. # traverses directories with SLS files and special Salt directories like _modules,
  873. # enable the option below. This might be useful for installations where a file root
  874. # has a very large number of files and performance is impacted. Default is False.
  875. {{ get_config('fileserver_limit_traversal', 'False') }}
  876. # Salt caches the list of files/symlinks/directories for each fileserver backend
  877. # and environment as they are requested, to guard against a performance bottleneck
  878. # at scale when many minions all ask the fileserver which files are available
  879. # simultaneously. This configuration parameter allows for the max age of that
  880. # cache to be altered.
  881. #
  882. # Set this value to 0 to disable use of this cache altogether, but keep in mind
  883. # that this may increase the CPU load on the master when running a highstate on
  884. # a large number of minions.
  885. #
  886. # Rather than altering this configuration parameter, it may be advisable to use
  887. # the fileserver.clear_list_cache runner to clear these caches.
  888. {{ get_config('fileserver_list_cache_time', '20') }}
  889. # The fileserver can fire events off every time the fileserver is updated,
  890. # these are disabled by default, but can be easily turned on by setting this
  891. # flag to True
  892. {{ get_config('fileserver_events', 'False') }}
  893. # Git File Server Backend Configuration
  894. #
  895. # Optional parameter used to specify the provider to be used for gitfs. Must
  896. # be one of the following: pygit2, gitpython, or dulwich. If unset, then each
  897. # will be tried in that same order, and the first one with a compatible
  898. # version installed will be the provider that is used.
  899. {{ get_config('gitfs_provider', 'pygit2') }}
  900. # Along with gitfs_password, is used to authenticate to HTTPS remotes.
  901. {{ get_config('gitfs_user', 'git') }}
  902. # Along with gitfs_user, is used to authenticate to HTTPS remotes.
  903. # This parameter is not required if the repository does not use authentication.
  904. {{ get_config('gitfs_password', '') }}
  905. # By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
  906. # This parameter enables authentication over HTTP. Enable this at your own risk.
  907. {{ get_config('gitfs_insecure_auth', 'False') }}
  908. # Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
  909. # authenticate to SSH remotes. This parameter (or its per-remote counterpart)
  910. # is required for SSH remotes.
  911. {{ get_config('gitfs_pubkey', '') }}
  912. # Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
  913. # authenticate to SSH remotes. This parameter (or its per-remote counterpart)
  914. # is required for SSH remotes.
  915. {{ get_config('gitfs_privkey', '') }}
  916. # This parameter is optional, required only when the SSH key being used to
  917. # authenticate is protected by a passphrase.
  918. {{ get_config('gitfs_passphrase', '') }}
  919. # When using the git fileserver backend at least one git remote needs to be
  920. # defined. The user running the salt master will need read access to the repo.
  921. #
  922. # The repos will be searched in order to find the file requested by a client
  923. # and the first repo to have the file will return it.
  924. # When using the git backend branches and tags are translated into salt
  925. # environments.
  926. # Note: file:// repos will be treated as a remote, so refs you want used must
  927. # exist in that repo as *local* refs.
  928. {% if 'gitfs_remotes' in cfg_master -%}
  929. {%- do default_keys.append('gitfs_remotes') %}
  930. gitfs_remotes:
  931. {%- for remote in cfg_master['gitfs_remotes'] %}
  932. {%- if remote is iterable and remote is not string %}
  933. {%- for repo, children in remote.items() %}
  934. - {{ repo }}:
  935. {%- for child in children %}
  936. {%- for key, value in child.items() %}
  937. - {{ key }}: {{ value }}
  938. {%- endfor -%}
  939. {%- endfor -%}
  940. {%- endfor -%}
  941. {%- else %}
  942. - {{ remote }}
  943. {%- endif -%}
  944. {%- endfor -%}
  945. {%- endif %}
  946. #gitfs_remotes:
  947. # - git://github.com/saltstack/salt-states.git
  948. # - file:///var/git/saltmaster
  949. #
  950. # The gitfs_ssl_verify option specifies whether to ignore ssl certificate
  951. # errors when contacting the gitfs backend. You might want to set this to
  952. # false if you're using a git backend that uses a self-signed certificate but
  953. # keep in mind that setting this flag to anything other than the default of True
  954. # is a security concern, you may want to try using the ssh transport.
  955. {{ get_config('gitfs_ssl_verify', 'True') }}
  956. # The gitfs_root option gives the ability to serve files from a subdirectory
  957. # within the repository. The path is defined relative to the root of the
  958. # repository and defaults to the repository root.
  959. {{ get_config('gitfs_root', 'somefolder/otherfolder') }}
  960. # The gitfs_env_whitelist and gitfs_env_blacklist parameters allow for greater
  961. # control over which branches/tags are exposed as fileserver environments.
  962. {% if 'gitfs_env_whitelist' in cfg_master -%}
  963. {%- do default_keys.append('gitfs_env_whitelist') %}
  964. gitfs_env_whitelist:
  965. {%- for git_env in cfg_master['gitfs_env_whitelist'] %}
  966. - {{ git_env }}
  967. {%- endfor -%}
  968. {% else -%}
  969. # gitfs_env_whitelist:
  970. # - base
  971. # - v1.*
  972. {% endif %}
  973. {% if 'gitfs_env_blacklist' in cfg_master -%}
  974. {%- do default_keys.append('gitfs_env_blacklist') %}
  975. gitfs_env_blacklist:
  976. {%- for git_env in cfg_master['gitfs_env_blacklist'] %}
  977. - {{ git_env }}
  978. {%- endfor -%}
  979. {% else -%}
  980. # gitfs_env_blacklist:
  981. # - bug/*
  982. # - feature/*
  983. {% endif %}
  984. # S3 File Server Backend Configuration
  985. #
  986. # S3 credentials must be set in the master config file.
  987. # Alternatively, if on EC2 these credentials can be automatically
  988. # loaded from instance metadata.
  989. {% if 's3.keyid' in cfg_master -%}
  990. {{ get_config('s3.keyid', '<no default>') }}
  991. {{ get_config('s3.key', '<no default>') }}
  992. {% else -%}
  993. # s3.keyid: GKTADJGHEIQSXMKKRBJ08H
  994. # s3.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
  995. {% endif %}
  996. # This fileserver supports two modes of operation for the buckets:
  997. # - A single bucket per environment
  998. # - Multiple environments per bucket
  999. #
  1000. # Note that bucket names must be all lowercase both in the AWS console
  1001. # and in Salt, otherwise you may encounter SignatureDoesNotMatch
  1002. # errors.
  1003. #
  1004. # A multiple-environment bucket must adhere to the following root
  1005. # directory structure:
  1006. #
  1007. # s3://<bucket name>/<environment>/<files>
  1008. #
  1009. # This fileserver back-end requires the use of the MD5 hashing
  1010. # algorithm. MD5 may not be compliant with all security policies.
  1011. {% if 's3.buckets' in cfg_master -%}
  1012. {{ get_config('s3.buckets', '<no default>') }}
  1013. {% else -%}
  1014. # s3.buckets: #single bucket per environment
  1015. # production:
  1016. # - bucket1
  1017. # - bucket2
  1018. # staging:
  1019. # - bucket3
  1020. # - bucket4
  1021. #
  1022. # s3.buckets: #multiple environments per bucket
  1023. # - bucket1
  1024. # - bucket2
  1025. # - bucket3
  1026. # - bucket4
  1027. {% endif %}
  1028. ##### Pillar settings #####
  1029. ##########################################
  1030. # Salt Pillars allow for the building of global data that can be made selectively
  1031. # available to different minions based on minion grain filtering. The Salt
  1032. # Pillar is laid out in the same fashion as the file server, with environments,
  1033. # a top file and sls files. However, pillar data does not need to be in the
  1034. # highstate format, and is generally just key/value pairs.
  1035. {% if 'pillar_roots' in cfg_master -%}
  1036. {%- do default_keys.append('pillar_roots') %}
  1037. pillar_roots:
  1038. {%- for name, roots in cfg_master['pillar_roots']|dictsort %}
  1039. {{ name }}:
  1040. {%- for dir in roots %}
  1041. - {{ dir }}
  1042. {%- endfor -%}
  1043. {%- endfor -%}
  1044. {% elif 'pillar_roots' in cfg_salt -%}
  1045. pillar_roots:
  1046. {%- for name, roots in cfg_salt['pillar_roots']|dictsort %}
  1047. {{ name }}:
  1048. {%- for dir in roots %}
  1049. - {{ dir }}
  1050. {%- endfor -%}
  1051. {%- endfor -%}
  1052. {%- else -%}
  1053. #pillar_roots:
  1054. # base:
  1055. # - /srv/pillar
  1056. #
  1057. {%- endif %}
  1058. {% if 'ext_pillar' in cfg_master %}
  1059. {%- do default_keys.append('ext_pillar') %}
  1060. ext_pillar:
  1061. {%- for pillar in cfg_master['ext_pillar'] -%}
  1062. {%- for key in pillar -%}
  1063. {%- if pillar[key] is string %}
  1064. - {{ key }}: {{ pillar[key] }}
  1065. {#- Workaround for missing `is mapping` on CentOS 6, see #193: #}
  1066. {%- elif pillar[key] is iterable and 'dict' not in pillar[key].__class__.__name__ %}
  1067. - {{ key }}:
  1068. {%- for parameter in pillar[key] %}
  1069. {%- if parameter is iterable and parameter is not string %}
  1070. {%- for param, children in parameter.items() %}
  1071. - {{ param }}:
  1072. {%- for child in children %}
  1073. {%- for key, value in child.items() %}
  1074. - {{ key }}: {{ value }}
  1075. {%- endfor -%}
  1076. {%- endfor -%}
  1077. {%- endfor -%}
  1078. {%- else %}
  1079. - {{ parameter }}
  1080. {%- endif %}
  1081. {%- endfor -%}
  1082. {#- Workaround for missing `is mapping` on CentOS 6, see #193: #}
  1083. {%- elif 'dict' in pillar[key].__class__.__name__ and pillar[key] is not string %}
  1084. - {{ key }}:
  1085. {%- for parameter in pillar[key] %}
  1086. {{ parameter }}: {{pillar[key][parameter]}}
  1087. {%- endfor %}
  1088. {%- else %}
  1089. # Error in rendering {{ key }}, please read https://docs.saltstack.com/en/latest/topics/development/external_pillars.html#configuration
  1090. {% endif %}
  1091. {%- endfor -%}
  1092. {%- endfor %}
  1093. {% elif 'ext_pillar' in cfg_salt %}
  1094. ext_pillar:
  1095. {% for pillar in cfg_salt['ext_pillar'] %}
  1096. - {{ pillar.items()[0][0] }}: {{ pillar.items()[0][1] }}
  1097. {% endfor %}
  1098. {% else %}
  1099. #ext_pillar:
  1100. # - hiera: /etc/hiera.yaml
  1101. # - cmd_yaml: cat /etc/salt/yaml
  1102. {% endif %}
  1103. # The ext_pillar_first option allows for external pillar sources to populate
  1104. # before file system pillar. This allows for targeting file system pillar from
  1105. # ext_pillar.
  1106. {{ get_config('ext_pillar_first', 'False') }}
  1107. # The external pillars permitted to be used on-demand using pillar.ext
  1108. {%- if 'on_demand_ext_pillar' in cfg_master %}
  1109. on_demand_ext_pillar:
  1110. {% for name in cfg_master['on_demand_ext_pillar'] -%}
  1111. - {{ name }}
  1112. {% endfor -%}
  1113. {%- else %}
  1114. #on_demand_ext_pillar:
  1115. # - libvirt
  1116. # - virtkey
  1117. {%- endif %}
  1118. # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
  1119. # errors when contacting the pillar gitfs backend. You might want to set this to
  1120. # false if you're using a git backend that uses a self-signed certificate but
  1121. # keep in mind that setting this flag to anything other than the default of True
  1122. # is a security concern, you may want to try using the ssh transport.
  1123. {{ get_config('pillar_gitfs_ssl_verify', 'True') }}
  1124. # The pillar_opts option adds the master configuration file data to a dict in
  1125. # the pillar called "master". This is used to set simple configurations in the
  1126. # master config file that can then be used on minions.
  1127. {{ get_config('pillar_opts', 'False') }}
  1128. # The pillar_safe_render_error option prevents the master from passing pillar
  1129. # render errors to the minion. This is set on by default because the error could
  1130. # contain templating data which would give that minion information it shouldn't
  1131. # have, like a password! When set true the error message will only show:
  1132. # Rendering SLS 'my.sls' failed. Please see master log for details.
  1133. {{ get_config('pillar_safe_render_error', 'True') }}
  1134. # The pillar_source_merging_strategy option allows you to configure merging strategy
  1135. # between different sources. It accepts five values: none, recurse, aggregate, overwrite,
  1136. # or smart. None will not do any merging at all. Recurse will merge recursively mapping of data.
  1137. # Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite
  1138. # will overwrite elements according the order in which they are processed. This is
  1139. # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
  1140. # on the "renderer" setting and is the default value.
  1141. {{ get_config('pillar_source_merging_strategy', 'smart') }}
  1142. # Recursively merge lists by aggregating them instead of replacing them.
  1143. {{ get_config('pillar_merge_lists', 'False') }}
  1144. # Set this option to 'True' to force a 'KeyError' to be raised whenever an
  1145. # attempt to retrieve a named value from pillar fails. When this option is set
  1146. # to 'False', the failed attempt returns an empty string. Default is 'False'.
  1147. {{ get_config('pillar_raise_on_missing', 'False') }}
  1148. # Git External Pillar (git_pillar) Configuration Options
  1149. #
  1150. # Specify the provider to be used for git_pillar. Must be either pygit2 or
  1151. # gitpython. If unset, then both will be tried in that same order, and the
  1152. # first one with a compatible version installed will be the provider that
  1153. # is used.
  1154. {{ get_config('git_pillar_provider', 'pygit2') }}
  1155. # If the desired branch matches this value, and the environment is omitted
  1156. # from the git_pillar configuration, then the environment for that git_pillar
  1157. # remote will be base.
  1158. {{ get_config('git_pillar_base', 'master') }}
  1159. # If the branch is omitted from a git_pillar remote, then this branch will
  1160. # be used instead.
  1161. {{ get_config('git_pillar_branch', 'master') }}
  1162. # Environment to use for git_pillar remotes. This is normally derived from
  1163. # the branch/tag (or from a per-remote env parameter), but if set this will
  1164. # override the process of deriving the env from the branch/tag name.
  1165. {{ get_config('git_pillar_env', '') }}
  1166. # Path relative to the root of the repository where the git_pillar top file
  1167. # and SLS files are located.
  1168. {{ get_config('git_pillar_root', 'pillar') }}
  1169. # Specifies whether or not to ignore SSL certificate errors when contacting
  1170. # the remote repository.
  1171. {{ get_config('git_pillar_ssl_verify', True) }}
  1172. # When set to False, if there is an update/checkout lock for a git_pillar
  1173. # remote and the pid written to it is not running on the master, the lock
  1174. # file will be automatically cleared and a new lock will be obtained.
  1175. {{ get_config('git_pillar_global_lock', False) }}
  1176. # Git External Pillar Authentication Options
  1177. #
  1178. # Along with git_pillar_password, is used to authenticate to HTTPS remotes.
  1179. {{ get_config('git_pillar_user', '') }}
  1180. # Along with git_pillar_user, is used to authenticate to HTTPS remotes.
  1181. # This parameter is not required if the repository does not use authentication.
  1182. {{ get_config('git_pillar_password', '') }}
  1183. # By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
  1184. # This parameter enables authentication over HTTP.
  1185. {{ get_config('git_pillar_insecure_auth', False) }}
  1186. # Along with git_pillar_privkey (and optionally git_pillar_passphrase),
  1187. # is used to authenticate to SSH remotes.
  1188. {{ get_config('git_pillar_pubkey', '') }}
  1189. # Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
  1190. # is used to authenticate to SSH remotes.
  1191. {{ get_config('git_pillar_privkey', '') }}
  1192. # This parameter is optional, required only when the SSH key being used
  1193. # to authenticate is protected by a passphrase.
  1194. {{ get_config('git_pillar_passphrase', '') }}
  1195. # A master can cache pillars locally to bypass the expense of having to render them
  1196. # for each minion on every request. This feature should only be enabled in cases
  1197. # where pillar rendering time is known to be unsatisfactory and any attendant security
  1198. # concerns about storing pillars in a master cache have been addressed.
  1199. #
  1200. # When enabling this feature, be certain to read through the additional ``pillar_cache_*``
  1201. # configuration options to fully understand the tunable parameters and their implications.
  1202. #
  1203. # Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars.
  1204. # See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html
  1205. {{ get_config('pillar_cache', 'False') }}
  1206. # If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount
  1207. # of time, in seconds, before the cache is considered invalid by a master and a fresh
  1208. # pillar is recompiled and stored.
  1209. {{ get_config('pillar_cache_ttl', '3600') }}
  1210. # If and only if a master has set `pillar_cache: True`, one of several storage providers
  1211. # can be utililzed.
  1212. #
  1213. # `disk`: The default storage backend. This caches rendered pillars to the master cache.
  1214. # Rendered pillars are serialized and deserialized as msgpack structures for speed.
  1215. # Note that pillars are stored UNENCRYPTED. Ensure that the master cache
  1216. # has permissions set appropriately. (Same defaults are provided.)
  1217. #
  1218. # memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python
  1219. # in-memory data structure for maximal performance. There are several caveats,
  1220. # however. First, because each master worker contains its own in-memory cache,
  1221. # there is no guarantee of cache consistency between minion requests. This
  1222. # works best in situations where the pillar rarely if ever changes. Secondly,
  1223. # and perhaps more importantly, this means that unencrypted pillars will
  1224. # be accessible to any process which can examine the memory of the ``salt-master``!
  1225. # This may represent a substantial security risk.
  1226. #
  1227. {{ get_config('pillar_cache_backend', 'disk') }}
  1228. ##### Syndic settings #####
  1229. ##########################################
  1230. # The Salt syndic is used to pass commands through a master from a higher
  1231. # master. Using the syndic is simple. If this is a master that will have
  1232. # syndic servers(s) below it, then set the "order_masters" setting to True.
  1233. #
  1234. # If this is a master that will be running a syndic daemon for passthrough, then
  1235. # the "syndic_master" setting needs to be set to the location of the master server
  1236. # to receive commands from.
  1237. # Set the order_masters setting to True if this master will command lower
  1238. # masters' syndic interfaces.
  1239. {{ get_config('order_masters', 'False') }}
  1240. # If this master will be running a salt syndic daemon, syndic_master tells
  1241. # this master where to receive commands from.
  1242. {{ get_config('syndic_master', 'masterofmasters') }}
  1243. # This is the 'ret_port' of the MasterOfMaster:
  1244. {{ get_config('syndic_master_port', '4506') }}
  1245. # PID file of the syndic daemon:
  1246. {{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}
  1247. # LOG file of the syndic daemon:
  1248. {{ get_config('syndic_log_file', '/var/log/salt/syndic') }}
  1249. # The user under which the salt syndic will run.
  1250. {{ get_config('syndic_user', 'root') }}
  1251. # The behaviour of the multi-syndic when connection to a master of masters failed.
  1252. # Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters
  1253. # will be iterated in random order. If ``ordered`` is specified, the configured
  1254. # order will be used.
  1255. {{ get_config('syndic_failover', 'random') }}
  1256. # The number of seconds for the salt client to wait for additional syndics to
  1257. # check in with their lists of expected minions before giving up.
  1258. {{ get_config('syndic_wait', '5') }}
  1259. ##### Peer Publish settings #####
  1260. ##########################################
  1261. # Salt minions can send commands to other minions, but only if the minion is
  1262. # allowed to. By default "Peer Publication" is disabled, and when enabled it
  1263. # is enabled for specific minions and specific commands. This allows secure
  1264. # compartmentalization of commands based on individual minions.
  1265. # The configuration uses regular expressions to match minions and then a list
  1266. # of regular expressions to match functions. The following will allow the
  1267. # minion authenticated as foo.example.com to execute functions from the test
  1268. # and pkg modules.
  1269. #peer:
  1270. # foo.example.com:
  1271. # - test.*
  1272. # - pkg.*
  1273. #
  1274. # This will allow all minions to execute all commands:
  1275. #peer:
  1276. # .*:
  1277. # - .*
  1278. #
  1279. # This is not recommended, since it would allow anyone who gets root on any
  1280. # single minion to instantly have root on all of the minions!
  1281. {% if 'peer' in cfg_master %}
  1282. {%- do default_keys.append('peer') %}
  1283. peer:
  1284. {% for name, roots in cfg_master['peer'].items() %}
  1285. {{ name }}:
  1286. {% for mod in roots %}
  1287. - {{ mod }}
  1288. {% endfor %}
  1289. {% endfor %}
  1290. {% elif 'peer' in cfg_salt %}
  1291. peer:
  1292. {% for name, roots in cfg_salt['peer'].items() %}
  1293. {{ name }}:
  1294. {% for mod in roots %}
  1295. - {{ mod }}
  1296. {% endfor %}
  1297. {% endfor %}
  1298. {% endif %}
  1299. # Minions can also be allowed to execute runners from the salt master.
  1300. # Since executing a runner from the minion could be considered a security risk,
  1301. # it needs to be enabled. This setting functions just like the peer setting
  1302. # except that it opens up runners instead of module functions.
  1303. #
  1304. # All peer runner support is turned off by default and must be enabled before
  1305. # using. This will enable all peer runners for all minions:
  1306. #peer_run:
  1307. # .*:
  1308. # - .*
  1309. #
  1310. # To enable just the manage.up runner for the minion foo.example.com:
  1311. #peer_run:
  1312. # foo.example.com:
  1313. # - manage.up
  1314. {% if 'peer_run' in cfg_master %}
  1315. {%- do default_keys.append('peer_run') %}
  1316. peer_run:
  1317. {%- for name, roots in cfg_master['peer_run'].items() %}
  1318. {{ name }}:
  1319. {%- for mod in roots %}
  1320. - {{ mod }}
  1321. {%- endfor %}
  1322. {%- endfor %}
  1323. {%- elif 'peer_run' in cfg_salt %}
  1324. peer_run:
  1325. {%- for name, roots in cfg_salt['peer_run'].items() %}
  1326. {{ name }}:
  1327. {%- for mod in roots %}
  1328. - {{ mod }}
  1329. {%- endfor %}
  1330. {%- endfor %}
  1331. {%- endif %}
  1332. ##### Mine settings #####
  1333. #####################################
  1334. # Restrict mine.get access from minions. By default any minion has a full access
  1335. # to get all mine data from master cache. In acl definion below, only pcre matches
  1336. # are allowed.
  1337. # mine_get:
  1338. # .*:
  1339. # - .*
  1340. #
  1341. # The example below enables minion foo.example.com to get 'network.interfaces' mine
  1342. # data only, minions web* to get all network.* and disk.* mine data and all other
  1343. # minions won't get any mine data.
  1344. {% if 'mine_get' in cfg_master -%}
  1345. {%- do default_keys.append('mine_get') %}
  1346. mine_get:
  1347. {%- for minion, data in cfg_master['mine_get']|dictsort %}
  1348. {{ minion }}:
  1349. {%- for command in data %}
  1350. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  1351. {%- endfor -%}
  1352. {%- endfor -%}
  1353. {% elif 'mine_get' in cfg_salt -%}
  1354. mine_get:
  1355. {%- for minion, data in cfg_salt['mine_get']|dictsort %}
  1356. {{ minion }}:
  1357. {%- for command in data %}
  1358. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  1359. {%- endfor -%}
  1360. {%- endfor -%}
  1361. {% else -%}
  1362. # mine_get:
  1363. # foo.example.com:
  1364. # - network.interfaces
  1365. # web.*:
  1366. # - network.*
  1367. # - disk.*
  1368. {%- endif %}
  1369. ##### Logging settings #####
  1370. ##########################################
  1371. # The location of the master log file
  1372. # The master log can be sent to a regular file, local path name, or network
  1373. # location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
  1374. # ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
  1375. # format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
  1376. #log_file: /var/log/salt/master
  1377. #log_file: file:///dev/log
  1378. #log_file: udp://loghost:10514
  1379. {{ get_config('log_file', '/var/log/salt/master') }}
  1380. {{ get_config('key_logfile', '/var/log/salt/key') }}
  1381. # The level of messages to send to the console.
  1382. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
  1383. #
  1384. # The following log levels are considered INSECURE and may log sensitive data:
  1385. # ['garbage', 'trace', 'debug']
  1386. #
  1387. {{ get_config('log_level', 'warning') }}
  1388. # The level of messages to send to the log file.
  1389. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
  1390. # If using 'log_granular_levels' this must be set to the highest desired level.
  1391. {{ get_config('log_level_logfile', 'warning') }}
  1392. # The date and time format used in log messages. Allowed date/time formating
  1393. # can be seen here: http://docs.python.org/library/time.html#time.strftime
  1394. {{ get_config('log_datefmt', "'%H:%M:%S'") }}
  1395. {{ get_config('log_datefmt_logfile', "'%Y-%m-%d %H:%M:%S'") }}
  1396. # The format of the console logging messages. Allowed formatting options can
  1397. # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
  1398. #
  1399. # Console log colors are specified by these additional formatters:
  1400. #
  1401. # %(colorlevel)s
  1402. # %(colorname)s
  1403. # %(colorprocess)s
  1404. # %(colormsg)s
  1405. #
  1406. # Since it is desirable to include the surrounding brackets, '[' and ']', in
  1407. # the coloring of the messages, these color formatters also include padding as
  1408. # well. Color LogRecord attributes are only available for console logging.
  1409. #
  1410. {{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }}
  1411. {{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
  1412. {{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}
  1413. # This can be used to control logging levels more specificically. This
  1414. # example sets the main salt library at the 'warning' level, but sets
  1415. # 'salt.modules' to log at the 'debug' level:
  1416. # log_granular_levels:
  1417. # 'salt': 'warning'
  1418. # 'salt.modules': 'debug'
  1419. #
  1420. {% if 'log_granular_levels' in cfg_master %}
  1421. {%- do default_keys.append('log_granular_levels') %}
  1422. log_granular_levels:
  1423. {% for name, lvl in cfg_master['log_granular_levels'].items() %}
  1424. {{ name }}: {{ lvl }}
  1425. {% endfor %}
  1426. {% elif 'log_granular_levels' in cfg_salt %}
  1427. log_granular_levels:
  1428. {% for name, lvl in cfg_salt['log_granular_levels'].items() %}
  1429. {{ name }}: {{ lvl }}
  1430. {% endfor %}
  1431. {% else %}
  1432. #log_granular_levels: {}
  1433. {% endif %}
  1434. ##### Node Groups ######
  1435. ##########################################
  1436. # Node groups allow for logical groupings of minion nodes. A group consists of
  1437. # a group name and a compound target. Nodgroups can reference other nodegroups
  1438. # with 'N@' classifier. Ensure that you do not have circular references.
  1439. #
  1440. #nodegroups:
  1441. # group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
  1442. # group2: 'G@os:Debian and foo.domain.com'
  1443. # group3: 'G@os:Debian and N@group1'
  1444. # group4:
  1445. # - 'G@foo:bar'
  1446. # - 'or'
  1447. # - 'G@foo:baz'
  1448. {%- if 'nodegroups' in cfg_master %}
  1449. {%- do default_keys.append('nodegroups') %}
  1450. nodegroups:
  1451. {%- for name, lvl in cfg_master['nodegroups'].items() %}
  1452. {{ name }}: {{ lvl }}
  1453. {%- endfor %}
  1454. {%- elif 'nodegroups' in cfg_salt %}
  1455. nodegroups:
  1456. {%- for name, lvl in cfg_salt['nodegroups'].items() %}
  1457. {{ name }}: {{ lvl }}
  1458. {%- endfor %}
  1459. {%- endif %}
  1460. ##### Range Cluster settings #####
  1461. ##########################################
  1462. # The range server (and optional port) that serves your cluster information
  1463. # https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec
  1464. #
  1465. {{ get_config('range_server', 'range:80') }}
  1466. ##### Windows Software Repo settings #####
  1467. ###########################################
  1468. # Specify the provider to be used for git_pillar. Must be either pygit2 or
  1469. # gitpython. If unset, then both will be tried in that same order, and the
  1470. # first one with a compatible version installed will be the provider that
  1471. # is used.
  1472. {{ get_config('winrepo_provider', 'pygit2') }}
  1473. # Repo settings for 2015.8+ master used with 2015.8+ Windows minions
  1474. #
  1475. # Location of the repo on the master:
  1476. {{ get_config('winrepo_dir_ng', '/srv/salt/win/repo-ng') }}
  1477. # List of git repositories to include with the local repo:
  1478. {% if 'winrepo_remotes_ng' in cfg_master %}
  1479. {%- do default_keys.append('winrepo_remotes_ng') %}
  1480. winrepo_remotes_ng:
  1481. {% for repo in cfg_master['winrepo_remotes_ng'] %}
  1482. - {{ repo }}
  1483. {% endfor %}
  1484. {% elif 'winrepo_remotes_ng' in cfg_salt %}
  1485. winrepo_remotes_ng:
  1486. {% for repo in cfg_salt['winrepo_remotes_ng'] %}
  1487. - {{ repo }}
  1488. {% endfor %}
  1489. {% else %}
  1490. #winrepo_remotes_ng:
  1491. # - 'https://github.com/saltstack/salt-winrepo-ng.git'
  1492. {% endif %}
  1493. # Repo settings for 2015.8+ master used with pre-2015.8 Windows minions
  1494. #
  1495. # Location of the repo on the master:
  1496. {{ get_config('winrepo_dir', '/srv/salt/win/repo') }}
  1497. # Location of the master's repo cache file:
  1498. {{ get_config('winrepo_cachefile', 'winrepo.p') }}
  1499. # List of git repositories to include with the local repo:
  1500. {% if 'winrepo_remotes' in cfg_master %}
  1501. {%- do default_keys.append('winrepo_remotes') %}
  1502. winrepo_remotes:
  1503. {% for repo in cfg_master['winrepo_remotes'] %}
  1504. - {{ repo }}
  1505. {% endfor %}
  1506. {% elif 'winrepo_remotes' in cfg_salt %}
  1507. winrepo_remotes:
  1508. {% for repo in cfg_salt['winrepo_remotes'] %}
  1509. - {{ repo }}
  1510. {% endfor %}
  1511. {% else %}
  1512. #winrepo_remotes:
  1513. # - 'https://github.com/saltstack/salt-winrepo.git'
  1514. {% endif %}
  1515. ##### Windows Software Repo settings - Pre 2015.8 #####
  1516. ########################################################
  1517. # Legacy repo settings for pre-2015.8 Windows minions.
  1518. #
  1519. # Location of the repo on the master:
  1520. {{ get_config('win_repo', '/srv/salt/win/repo') }}
  1521. # Location of the master's repo cache file:
  1522. {{ get_config('win_repo_mastercachefile', '/srv/salt/win/repo/winrepo.p') }}
  1523. # List of git repositories to include with the local repo:
  1524. {% if 'win_gitrepos' in cfg_master %}
  1525. {%- do default_keys.append('win_gitrepos') %}
  1526. win_gitrepos:
  1527. {% for repo in cfg_master['win_gitrepos'] %}
  1528. - {{ repo }}
  1529. {% endfor %}
  1530. {% elif 'win_gitrepos' in cfg_salt %}
  1531. win_gitrepos:
  1532. {% for repo in cfg_salt['win_gitrepos'] %}
  1533. - {{ repo }}
  1534. {% endfor %}
  1535. {% else %}
  1536. #winrepo_remotes:
  1537. # - 'https://github.com/saltstack/salt-winrepo.git'
  1538. {% endif %}
  1539. ##### Returner settings ######
  1540. ############################################
  1541. # Which returner(s) will be used for minion's result:
  1542. #return: mysql
  1543. {{ get_config('return', '')}}
  1544. ###### Miscellaneous settings ######
  1545. ############################################
  1546. # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
  1547. {{ get_config('event_match_type', 'startswith') }}
  1548. # Save runner returns to the job cache
  1549. {{ get_config('runner_returns', 'True') }}
  1550. # Permanently include any available Python 3rd party modules into Salt Thin
  1551. # when they are generated for Salt-SSH or other purposes.
  1552. # The modules should be named by the names they are actually imported inside the Python.
  1553. # The value of the parameters can be either one module or a comma separated list of them.
  1554. {%- if 'thin_extra_mods' in cfg_master %}
  1555. {{ get_config('thin_extra_mods', '') }}
  1556. {%- else %}
  1557. #thin_extra_mods: foo,bar
  1558. {%- endif %}
  1559. {%- if 'halite' in cfg_master %}
  1560. {%- do default_keys.append('halite') %}
  1561. ##### Halite #####
  1562. ##########################################
  1563. halite:
  1564. {%- for name, value in cfg_master['halite'].items() %}
  1565. {{ name }}: {{ value }}
  1566. {%- endfor %}
  1567. {%- endif %}
  1568. {%- if 'rest_cherrypy' in cfg_master %}
  1569. {%- do default_keys.append('rest_cherrypy') %}
  1570. ##### rest_cherrypy #####
  1571. ##########################################
  1572. rest_cherrypy:
  1573. {%- for name, value in cfg_master['rest_cherrypy'].items() %}
  1574. {{ name }}: {{ value }}
  1575. {%- endfor %}
  1576. {%- endif %}
  1577. {%- if 'rest_tornado' in cfg_master %}
  1578. {%- do default_keys.append('rest_tornado') %}
  1579. ##### rest_tornado #####
  1580. ###########################################
  1581. rest_tornado:
  1582. {%- for name, value in cfg_master['rest_tornado'].items() %}
  1583. {{ name }}: {{ value }}
  1584. {%- endfor %}
  1585. {%- endif %}
  1586. {%- if 'presence_events' in cfg_master %}
  1587. ##### presence events #####
  1588. ##########################################
  1589. {{ get_config('presence_events', 'False') }}
  1590. {%- endif %}
  1591. {%- if 'consul_config' in cfg_master %}
  1592. {%- do default_keys.append('consul_config') %}
  1593. ##### consul_config #####
  1594. ##########################################
  1595. consul_config:
  1596. {%- for name, value in cfg_master['consul_config'].items() %}
  1597. {{ name }}: {{ value }}
  1598. {%- endfor %}
  1599. {%- endif %}
  1600. {% if 'mongo' in cfg_master -%}
  1601. {%- do default_keys.append('mongo') %}
  1602. ##### mongodb connection settings #####
  1603. ##########################################
  1604. {%- for name, value in cfg_master['mongo'].items() %}
  1605. mongo.{{ name }}: {{ value }}
  1606. {%- endfor %}
  1607. {% if 'alternative.mongo' in cfg_master -%}
  1608. {%- do default_keys.append('alternative.mongo') %}
  1609. {%- for name, value in cfg_master['alternative.mongo'].items() %}
  1610. alternative.mongo.{{ name }}: {{ value }}
  1611. {%- endfor %}
  1612. {% endif %}
  1613. {%- endif %}
  1614. {%- for configname in cfg_master %}
  1615. {%- if configname not in reserved_keys and configname not in default_keys %}
  1616. {{ configname }}:
  1617. {{ cfg_master[configname]| yaml(False) | indent(2) }}
  1618. {%- endif %}
  1619. {%- endfor %}