Parcourir la source

Merge pull request #203 from aboe76/master_config_2015.8.7

merge options from 2015.8.7 version in f_defaults.conf
tags/v0.57.0
Forrest il y a 9 ans
Parent
révision
a8ced2e98f
1 fichiers modifiés avec 224 ajouts et 71 suppressions
  1. +224
    -71
      salt/files/master.d/f_defaults.conf

+ 224
- 71
salt/files/master.d/f_defaults.conf Voir le fichier

@@ -1,5 +1,5 @@
# This file managed by Salt, do not edit by hand!!
# Based on salt version 2014.7 default config
# Based on salt version 2015.8.7 default config
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs'] -%}
{% set cfg_salt = pillar.get('salt', {}) -%}
{% set cfg_master = cfg_salt.get('master', {}) -%}
@@ -15,10 +15,11 @@
{%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
##### Primary configuration settings #####
##########################################
# This configuration file is used to manage the behavior of the Salt Master
# Values that are commented out but have no space after the comment are
# defaults that need not be set in the config. If there is a space after the
# comment that the value is presented as an example and is not the default.
# This configuration file is used to manage the behavior of the Salt Master.
# Values that are commented out but have an empty line after the comment are
# defaults that do not need to be set in the config. If there is no blank line
# after the comment then the value is presented as an example and is not the
# default.

# Per default, the master will automatically include all config files
# from master.d/*.conf (master.d is a directory in the same directory
@@ -41,30 +42,6 @@
# modified files cause conflicts, set verify_env to False.
{{ get_config('user', 'root') }}

# Max open files
#
# Each minion connecting to the master uses AT LEAST one file descriptor, the
# master subscription connection. If enough minions connect you might start
# seeing on the console (and then salt-master crashes):
# Too many open files (tcp_listener.cpp:335)
# Aborted (core dumped)
#
# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
# max open files.
#
# If you wish to set a different value than the default one, uncomment and
# configure this setting. Remember that this value CANNOT be higher than the
# hard limit. Raising the hard limit depends on your OS and/or distribution,
# a good way to find the limit is to search the internet. For example:
# raise max open files hard limit debian
#
{{ get_config('max_open_files', '100000') }}

# The number of worker threads to start. These threads are used to manage
# return calls made from minions to the master. If the master seems to be
# running slowly, increase the number of threads.
{{ get_config('worker_threads', '5') }}

# The port used by the communication interface. The ret (return) port is the
# interface used for the file server, authentication, job returns, etc.
{{ get_config('ret_port', '4506') }}
@@ -81,6 +58,8 @@
{{ get_config('pki_dir', '/etc/salt/pki/master') }}

# Directory to store job and cache data:
# This directory may contain sensitive data and should be protected accordingly.
#
{{ get_config('cachedir', '/var/cache/salt/master') }}

# Directory for custom modules. This directory can contain subdirectories for
@@ -88,6 +67,25 @@
# "states", "returners", etc.
{{ get_config('extension_modules', '<no default>') }}

# Directory for custom modules. This directory can contain subdirectories for
# each of Salt's module types such as "runners", "output", "wheel", "modules",
# "states", "returners", etc.
# Like 'extension_modules' but can take an array of paths
{% if 'module_dirs' in cfg_master -%}
module_dirs:
{%- for dir in cfg_master['module_dirs'] %}
- {{ dir}}
{%- endfor -%}
{% elif 'module_dirs' in cfg_salt -%}
module_dirs:
{%- for dir in cfg_salt['module_dirs'] %}
- {{ dir}}
{%- endfor -%}
{% else -%}
#module_dirs: <no default>
# - /var/cache/salt/minion/extmods
{% endif %}

# Verify and set permissions on configuration directories at startup:
{{ get_config('verify_env', 'True') }}

@@ -109,9 +107,6 @@
# Return minions that timeout when running commands like test.ping
{{ get_config('show_timeout', 'True') }}

# Display the jid when a job is published
{{ get_config('show_jid', 'False') }}

# By default, output is colored. To disable colored output, set the color value
# to False.
{{ get_config('color', 'True') }}
@@ -138,10 +133,9 @@
{{ get_config('minion_data_cache', 'True') }}

# Store all returns in the given returner.
# Setting this option requires that any returner-specific configuration also
# Setting this option requires that any returner-specific configuration also
# be set. See various returners in salt/returners for details on required
# configuration values. (See also, event_return_queue below.)
#
{{ get_config('event_return', 'mysql') }}

# On busy systems, enabling event_returns can cause a considerable load on
@@ -182,7 +176,6 @@ event_return_blacklist:
# event_return_blacklist:
# - salt/master/not_this_tag
# - salt/master/or_this_one

{% endif %}

# Passing very large events can cause the minion to consume large amounts of
@@ -202,12 +195,12 @@ event_return_blacklist:
# the key rotation event as minions reconnect. Consider this carefully if this
# salt master is managing a large number of minions.
#
# If disabled, it is recommended to handle this event by listening for the
# If disabled, it is recommended to handle this event by listening for the
# 'aes_key_rotate' event with the 'key' tag and acting appropriately.
{{ get_config('ping_on_rotate', 'False') }}

# By default, the master deletes its cache of minion data when the key for that
# minion is removed. To preserve the cache after key deletion, set
# minion is removed. To preserve the cache after key deletion, set
# 'preserve_minion_cache' to True.
#
# WARNING: This may have security implications if compromised minions auth with
@@ -236,6 +229,58 @@ event_return_blacklist:
# - /etc/salt/extra_config
{{ get_config('include', '[]') }}

##### Large-scale tuning settings #####
##########################################
# Max open files
#
# Each minion connecting to the master uses AT LEAST one file descriptor, the
# master subscription connection. If enough minions connect you might start
# seeing on the console (and then salt-master crashes):
# Too many open files (tcp_listener.cpp:335)
# Aborted (core dumped)
#
# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
# max open files.
#
# If you wish to set a different value than the default one, uncomment and
# configure this setting. Remember that this value CANNOT be higher than the
# hard limit. Raising the hard limit depends on your OS and/or distribution,
# a good way to find the limit is to search the internet. For example:
# raise max open files hard limit debian
#
{{ get_config('max_open_files', '100000') }}

# The number of worker threads to start. These threads are used to manage
# return calls made from minions to the master. If the master seems to be
# running slowly, increase the number of threads. This setting can not be
# set lower than 3.
{{ get_config('worker_threads', '5') }}

# Set the ZeroMQ high water marks
# http://api.zeromq.org/3-2:zmq-setsockopt

# The publisher interface ZeroMQPubServerChannel
{{ get_config('pub_hwm', '1000') }}

# These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm
# are significant for masters with thousands of minions. When these are
# insufficiently high it will manifest in random responses missing in the CLI
# and even missing from the job cache. Masters that have fast CPUs and many
# cores with appropriate worker_threads will not need these set as high.

# On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has
# these settings:
#
# salt_event_pub_hwm: 128000
# event_publisher_pub_hwm: 64000

# ZMQ high-water-mark for SaltEvent pub socket
{{ get_config('salt_event_pub_hwm', '20000') }}

# ZMQ high-water-mark for EventPublisher pub socket
{{ get_config('event_publisher_pub_hwm', '10000') }}


##### Security settings #####
##########################################
# Enable "open mode", this mode still maintains encryption, but turns off
@@ -276,10 +321,6 @@ event_return_blacklist:
# This setting should be treated with care since it opens up execution
# capabilities to non root users. By default this capability is completely
# disabled.
#client_acl:
# larry:
# - test.ping
# - network.*
{% if 'client_acl' in cfg_master -%}
client_acl:
{%- for name, user in cfg_master['client_acl']|dictsort %}
@@ -308,7 +349,6 @@ client_acl:
# This example would blacklist all non sudo users, including root from
# running any commands. It would also blacklist any use of the "cmd"
# module. This is completely disabled by default.
#
{% if 'client_acl_blacklist' in cfg_master %}
client_acl_blacklist:
users:
@@ -339,8 +379,7 @@ client_acl_blacklist:
{% endif %}

# Enforce client_acl & client_acl_blacklist when users have sudo
# access to the salt command.
#
# access to the salt command.
{{ get_config('sudo_acl', 'False') }}

# The external auth system uses the Salt auth modules to authenticate and
@@ -377,9 +416,41 @@ client_acl_blacklist:
# will cause minion to throw an exception and drop the message.
{{ get_config('sign_pub_message', 'False') }}


# Sign the master auth-replies with a cryptographic signature of the masters public key.
# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
{{ get_config('master_sign_pubkey', 'False') }}

# The customizable name of the signing-key-pair without suffix.
# master_sign_key_name: <filename_without_suffix>
{{ get_config('master_sign', '{}') }}

# The name of the file in the masters pki-directory that holds the pre-calculated
# signature of the masters public-key.
# master_pubkey_signature: <filename>
{{ get_config('master_pubkey_signature', '{}') }}

# Instead of computing the signature for each auth-reply, use a pre-calculated signature.
# The master_pubkey_signature must also be set for this.
{{ get_config('master_use_pubkey_signature', 'False') }}

# Rotate the salt-masters AES-key when a minion-public is deleted with salt-key.
# This is a very important security-setting. Disabling it will enable deleted minions to still
# listen in on the messages published by the salt-master.
# Do not disable this unless it is absolutely clear what this does.
{{ get_config('rotate_aes_key', 'True') }}

##### Salt-SSH Configuration #####
##########################################

# Pass in an alternative location for the salt-ssh roster file
{{ get_config('roster_file', '/etc/salt/roster') }}

# Pass in minion option overrides that will be inserted into the SHIM for
# salt-ssh calls. The local minion config is not used for salt-ssh. Can be
# overridden on a per-minion basis in the roster (`minion_opts`)
#ssh_minion_opts:
# gpg_keydir: /root/gpg
{{ get_config('ssh_minion_opts', '{}') }}

##### Master Module Management #####
##########################################
@@ -408,6 +479,7 @@ client_acl_blacklist:
# master_tops:
# ext_nodes: <Shell command which returns yaml>
#
#master_tops: {}
{% if 'master_tops' in cfg_master %}
master_tops:
{%- for master in cfg_master['master_tops'] -%}
@@ -438,7 +510,7 @@ master_tops:
# (block, not variable tag!). Defaults to False, corresponds to the Jinja
# environment init variable "trim_blocks".
{{ get_config('jinja_trim_blocks', 'False') }}
#
# If this is set to True leading spaces and tabs are stripped from the start
# of a line to a block. Defaults to False, corresponds to the Jinja
# environment init variable "lstrip_blocks".
@@ -462,13 +534,19 @@ master_tops:
{{ get_config('state_output', 'full') }}

# Automatically aggregate all states that have support for mod_aggregate by
# setting to True. Or pass a list of state module names to automatically
# setting to 'True'. Or pass a list of state module names to automatically
# aggregate just those types.
#
# state_aggregate:
# - pkg
#
#state_aggregate: False
{{ get_config('state_aggregate', '{}') }}

# Send progress events as each function in a state run completes execution
# by setting to 'True'. Progress events are in the format
# 'salt/job/<JID>/prog/<MID>/<RUN NUM>'.
{{ get_config('state_events', 'False') }}

##### File Server settings #####
##########################################
@@ -490,7 +568,7 @@ master_tops:
# prod:
# - /srv/salt/prod/services
# - /srv/salt/prod/states
#
{% if 'file_roots' in cfg_master -%}
{{ file_roots(cfg_master['file_roots']) }}
{%- elif 'file_roots' in cfg_salt -%}
@@ -503,11 +581,27 @@ master_tops:
# - /srv/salt
{%- endif %}

# When using multiple environments, each with their own top file, the
# default behaviour is an unordered merge. To prevent top files from
# being merged together and instead to only use the top file from the
# requested environment, set this value to 'same'.
{{ get_config('top_file_merging_stragety', 'merge') }}

# To specify the order in which environments are merged, set the ordering
# in the env_order option. Given a conflict, the last matching value will
# win.
{{ get_config('env_order', '["base", "dev", "prod"]') }}

# If top_file_merging_strategy is set to 'same' and an environment does not
# contain a top file, the top file in the environment specified by default_top
# will be used instead.
{{ get_config('default_top', 'base') }}

# The hash_type is the hash to use when discovering the hash of a file on
# the master server. The default is md5, but sha1, sha224, sha256, sha384
# and sha512 are also supported.
#
# Prior to changing this value, the master should be stopped and all Salt
# Prior to changing this value, the master should be stopped and all Salt
# caches should be cleared.
{{ get_config('hash_type', 'md5') }}

@@ -578,26 +672,26 @@ fileserver_backend:
- {{ backend }}
{%- endfor -%}
{%- endif %}
#
# Uncomment the line below if you do not want the file_server to follow
# symlinks when walking the filesystem tree. This is set to True
# by default. Currently this only applies to the default roots
# fileserver_backend.
{{ get_config('fileserver_followsymlinks', 'False') }}
#
# Uncomment the line below if you do not want symlinks to be
# treated as the files they are pointing to. By default this is set to
# False. By uncommenting the line below, any detected symlink while listing
# files on the Master will not be returned to the Minion.
{{ get_config('fileserver_ignoresymlinks', 'True') }}
#
# By default, the Salt fileserver recurses fully into all defined environments
# to attempt to find files. To limit this behavior so that the fileserver only
# traverses directories with SLS files and special Salt directories like _modules,
# enable the option below. This might be useful for installations where a file root
# has a very large number of files and performance is impacted. Default is False.
{{ get_config('fileserver_limit_traversal', 'False') }}
#
# The fileserver can fire events off every time the fileserver is updated,
# these are disabled by default, but can be easily turned on by setting this
# flag to True
@@ -608,7 +702,7 @@ fileserver_backend:
# Gitfs can be provided by one of two python modules: GitPython or pygit2. If
# using pygit2, both libgit2 and git must also be installed.
{{ get_config('gitfs_provider', 'gitpython') }}
#
# When using the git fileserver backend at least one git remote needs to be
# defined. The user running the salt master will need read access to the repo.
#
@@ -646,7 +740,7 @@ gitfs_remotes:
# keep in mind that setting this flag to anything other than the default of True
# is a security concern, you may want to try using the ssh transport.
{{ get_config('gitfs_ssl_verify', 'True') }}
#
# The gitfs_root option gives the ability to serve files from a subdirectory
# within the repository. The path is defined relative to the root of the
# repository and defaults to the repository root.
@@ -676,7 +770,6 @@ gitfs_env_blacklist:
# - feature/*
{% endif %}


##### Pillar settings #####
##########################################
# Salt Pillars allow for the building of global data that can be made selectively
@@ -705,7 +798,7 @@ pillar_roots:
# base:
# - /srv/pillar
{%- endif %}
#
{% if 'ext_pillar' in cfg_master %}
ext_pillar:
{%- for pillar in cfg_master['ext_pillar'] -%}
@@ -718,7 +811,7 @@ ext_pillar:
- {{ parameter }}
{%- endfor -%}
{%- elif pillar[key] is mapping and pillar[key] is not string %}
- {{ key }}:
- {{ key }}:
{%- for parameter in pillar[key] %}
{{ parameter }}: {{pillar[key][parameter]}}
{%- endfor %}
@@ -755,6 +848,13 @@ ext_pillar:
# master config file that can then be used on minions.
{{ get_config('pillar_opts', 'True') }}

# The pillar_safe_render_error option prevents the master from passing pillar
# render errors to the minion. This is set on by default because the error could
# contain templating data which would give that minion information it shouldn't
# have, like a password! When set true the error message will only show:
# Rendering SLS 'my.sls' failed. Please see master log for details.
{{ get_config('pillar_safe_render_error', 'True') }}

# The pillar_source_merging_strategy option allows you to configure merging strategy
# between different sources. It accepts four values: recurse, aggregate, overwrite,
# or smart. Recurse will merge recursively mapping of data. Aggregate instructs
@@ -764,13 +864,18 @@ ext_pillar:
# on the "renderer" setting and is the default value.
{{ get_config('pillar_source_merging_strategy', 'smart') }}

# Recursively merge lists by aggregating them instead of replacing them.
{{ get_config('pillar_merge_lists', 'False') }}


##### Syndic settings #####
##########################################
# The Salt syndic is used to pass commands through a master from a higher
# master. Using the syndic is simple, if this is a master that will have
# syndic servers(s) below it set the "order_masters" setting to True, if this
# is a master that will be running a syndic daemon for passthrough the
# "syndic_master" setting needs to be set to the location of the master server
# master. Using the syndic is simple. If this is a master that will have
# syndic servers(s) below it, then set the "order_masters" setting to True.
#
# If this is a master that will be running a syndic daemon for passthrough, then
# the "syndic_master" setting needs to be set to the location of the master server
# to receive commands from.

# Set the order_masters setting to True if this master will command lower
@@ -790,6 +895,7 @@ ext_pillar:
# LOG file of the syndic daemon:
{{ get_config('syndic_log_file', 'syndic.log') }}


##### Peer Publish settings #####
##########################################
# Salt minions can send commands to other minions, but only if the minion is
@@ -864,9 +970,8 @@ peer_run:
{% endfor %}
{% endif %}


##### Mine settings #####
##########################################
#####################################
# Restrict mine.get access from minions. By default any minion has a full access
# to get all mine data from master cache. In acl definion below, only pcre matches
# are allowed.
@@ -902,7 +1007,6 @@ mine_get:
# - disk.*
{%- endif %}


##### Logging settings #####
##########################################
# The location of the master log file
@@ -919,10 +1023,15 @@ mine_get:

# The level of messages to send to the console.
# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
#
# The following log levels are considered INSECURE and may log sensitive data:
# ['garbage', 'trace', 'debug']
#
{{ get_config('log_level', 'warning') }}

# The level of messages to send to the log file.
# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
# If using 'log_granular_levels' this must be set to the highest desired level.
{{ get_config('log_level_logfile', 'warning') }}

# The date and time format used in log messages. Allowed date/time formating
@@ -932,7 +1041,21 @@ mine_get:

# The format of the console logging messages. Allowed formatting options can
# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
#
# Console log colors are specified by these additional formatters:
#
# %(colorlevel)s
# %(colorname)s
# %(colorprocess)s
# %(colormsg)s
#
# Since it is desirable to include the surrounding brackets, '[' and ']', in
# the coloring of the messages, these color formatters also include padding as
# well. Color LogRecord attributes are only available for console logging.
#
{{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }}
{{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}

{{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}

# This can be used to control logging levels more specificically. This
@@ -956,8 +1079,7 @@ log_granular_levels:
#log_granular_levels: {}
{% endif %}


##### Node Groups #####
##### Node Groups ######
##########################################
# Node groups allow for logical groupings of minion nodes. A group consists of a group
# name and a compound target.
@@ -976,7 +1098,6 @@ nodegroups:
{% endfor %}
{% endif %}


##### Range Cluster settings #####
##########################################
# The range server (and optional port) that serves your cluster information
@@ -984,8 +1105,33 @@ nodegroups:
#
{{ get_config('range_server', 'range:80') }}

##### Windows Software Repo settings #####
##############################################

##### Windows Software Repo settings #####
###########################################
# Location of the repo on the master:
{{ get_config('win_repo_dir_ng', '/srv/salt/win/repo-ng') }}

# List of git repositories to include with the local repo:
{% if 'win_gitrepos_ng' in cfg_master %}
win_gitrepos_ng:
{% for repo in cfg_master['win_gitrepos_ng'] %}
- {{ repo }}
{% endfor %}
{% elif 'win_gitrepos_ng' in cfg_salt %}
win_gitrepos_ng:
{% for repo in cfg_salt['win_gitrepos_ng'] %}
- {{ repo }}
{% endfor %}
{% else %}
#winrepo_remotes_ng:
# - 'https://github.com/saltstack/salt-winrepo-ng.git'
{% endif %}


##### Windows Software Repo settings - Pre 2015.8 #####
########################################################
# Legacy repo settings for pre-2015.8 Windows minions.
#
# Location of the repo on the master:
{{ get_config('win_repo', '/srv/salt/win/repo') }}

@@ -1004,7 +1150,7 @@ win_gitrepos:
- {{ repo }}
{% endfor %}
{% else %}
#win_gitrepos:
#winrepo_remotes:
# - 'https://github.com/saltstack/salt-winrepo.git'
{% endif %}

@@ -1012,6 +1158,13 @@ win_gitrepos:
############################################
# Which returner(s) will be used for minion's result:
#return: mysql
{{ get_config('return', '')}}


###### Miscellaneous settings ######
############################################
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
{{ get_config('event_match_type', 'startswith') }}

{% if 'halite' in cfg_master %}
##### Halite #####

Chargement…
Annuler
Enregistrer