8 years ago · bfcaca38a6
--- a/salt/files/master.d/f_defaults.conf
+++ b/salt/files/master.d/f_defaults.conf
 # This file managed by Salt, do not edit by hand!!
 #  Based on salt version 2014.7 default config
 # Based on salt version 2015.8.7 default config
 {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs'] -%}
 {% set cfg_salt = pillar.get('salt', {}) -%}
 {% set cfg_master = cfg_salt.get('master', {}) -%}
 {%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
 ##### Primary configuration settings #####
 ##########################################
 # This configuration file is used to manage the behavior of the Salt Master
 # Values that are commented out but have no space after the comment are
 # defaults that need not be set in the config. If there is a space after the
 # comment that the value is presented as an example and is not the default.
 # This configuration file is used to manage the behavior of the Salt Master.
 # Values that are commented out but have an empty line after the comment are
 # defaults that do not need to be set in the config. If there is no blank line
 # after the comment then the value is presented as an example and is not the
 # default.
 # Per default, the master will automatically include all config files
 # from master.d/*.conf (master.d is a directory in the same directory
 # modified files cause conflicts, set verify_env to False.
 {{ get_config('user', 'root') }}
 # Max open files
 #
 # Each minion connecting to the master uses AT LEAST one file descriptor, the
 # master subscription connection. If enough minions connect you might start
 # seeing on the console (and then salt-master crashes):
 #   Too many open files (tcp_listener.cpp:335)
 #   Aborted (core dumped)
 #
 # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
 # max open files.
 #
 # If you wish to set a different value than the default one, uncomment and
 # configure this setting. Remember that this value CANNOT be higher than the
 # hard limit. Raising the hard limit depends on your OS and/or distribution,
 # a good way to find the limit is to search the internet. For example:
 #   raise max open files hard limit debian
 #
 {{ get_config('max_open_files', '100000') }}
 # The number of worker threads to start. These threads are used to manage
 # return calls made from minions to the master. If the master seems to be
 # running slowly, increase the number of threads.
 {{ get_config('worker_threads', '5') }}
 # The port used by the communication interface. The ret (return) port is the
 # interface used for the file server, authentication, job returns, etc.
 {{ get_config('ret_port', '4506') }}
 {{ get_config('pki_dir', '/etc/salt/pki/master') }}
 # Directory to store job and cache data:
 # This directory may contain sensitive data and should be protected accordingly.
 # 
 {{ get_config('cachedir', '/var/cache/salt/master') }}
 # Directory for custom modules. This directory can contain subdirectories for
 # "states", "returners", etc.
 {{ get_config('extension_modules', '<no default>') }}
 # Directory for custom modules. This directory can contain subdirectories for
 # each of Salt's module types such as "runners", "output", "wheel", "modules",
 # "states", "returners", etc.
 # Like 'extension_modules' but can take an array of paths
 {% if 'module_dirs' in cfg_master -%}
 module_dirs:
  {%- for dir in cfg_master['module_dirs'] %}
  - {{ dir}}
  {%- endfor -%}
 {% elif 'module_dirs' in cfg_salt -%}
 module_dirs:
  {%- for dir in cfg_salt['module_dirs'] %}
  - {{ dir}}
  {%- endfor -%}
 {% else -%}
 #module_dirs: <no default>
 #   - /var/cache/salt/minion/extmods
 {% endif %}
 # Verify and set permissions on configuration directories at startup:
 {{ get_config('verify_env', 'True') }}
 # Return minions that timeout when running commands like test.ping
 {{ get_config('show_timeout', 'True') }}
 # Display the jid when a job is published
 {{ get_config('show_jid', 'False') }}
 # By default, output is colored. To disable colored output, set the color value
 # to False.
 {{ get_config('color', 'True') }}
 {{ get_config('minion_data_cache', 'True') }}
 # Store all returns in the given returner.
 # Setting this option requires that any returner-specific configuration also
 # Setting this option requires that any returner-specific configuration also 
 # be set. See various returners in salt/returners for details on required
 # configuration values. (See also, event_return_queue below.)
 #
 {{ get_config('event_return', 'mysql') }}
 # On busy systems, enabling event_returns can cause a considerable load on
 # event_return_blacklist:
 #   - salt/master/not_this_tag
 #   - salt/master/or_this_one
 {% endif %}
 # Passing very large events can cause the minion to consume large amounts of
 # the key rotation event as minions reconnect. Consider this carefully if this
 # salt master is managing a large number of minions.
 #
 # If disabled, it is recommended to handle this event by listening for the
 # If disabled, it is recommended to handle this event by listening for the 
 # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
 {{ get_config('ping_on_rotate', 'False') }}
 # By default, the master deletes its cache of minion data when the key for that
 # minion is removed. To preserve the cache after key deletion, set
 # minion is removed. To preserve the cache after key deletion, set 
 # 'preserve_minion_cache' to True.
 #
 # WARNING: This may have security implications if compromised minions auth with
 #   - /etc/salt/extra_config
 {{ get_config('include', '[]') }}
 #####  Large-scale tuning settings   #####
 ##########################################
 # Max open files
 #
 # Each minion connecting to the master uses AT LEAST one file descriptor, the
 # master subscription connection. If enough minions connect you might start
 # seeing on the console (and then salt-master crashes):
 #   Too many open files (tcp_listener.cpp:335)
 #   Aborted (core dumped)
 #
 # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
 # max open files.
 #
 # If you wish to set a different value than the default one, uncomment and
 # configure this setting. Remember that this value CANNOT be higher than the
 # hard limit. Raising the hard limit depends on your OS and/or distribution,
 # a good way to find the limit is to search the internet. For example:
 #   raise max open files hard limit debian
 #
 {{ get_config('max_open_files', '100000') }}
 # The number of worker threads to start. These threads are used to manage
 # return calls made from minions to the master. If the master seems to be
 # running slowly, increase the number of threads. This setting can not be
 # set lower than 3.
 {{ get_config('worker_threads', '5') }}
 # Set the ZeroMQ high water marks
 # http://api.zeromq.org/3-2:zmq-setsockopt
 # The publisher interface ZeroMQPubServerChannel
 {{ get_config('pub_hwm', '1000') }}
 # These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm
 # are significant for masters with thousands of minions.  When these are
 # insufficiently high it will manifest in random responses missing in the CLI
 # and even missing from the job cache.  Masters that have fast CPUs and many
 # cores with appropriate worker_threads will not need these set as high.
 # On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has
 # these settings:
 #
 #   salt_event_pub_hwm: 128000
 #   event_publisher_pub_hwm: 64000
 # ZMQ high-water-mark for SaltEvent pub socket
 {{ get_config('salt_event_pub_hwm', '20000') }}
 # ZMQ high-water-mark for EventPublisher pub socket
 {{ get_config('event_publisher_pub_hwm', '10000') }}
 #####        Security settings       #####
 ##########################################
 # Enable "open mode", this mode still maintains encryption, but turns off
 # This setting should be treated with care since it opens up execution
 # capabilities to non root users. By default this capability is completely
 # disabled.
 #client_acl:
 #  larry:
 #    - test.ping
 #    - network.*
 {% if 'client_acl' in cfg_master -%}
 client_acl:
 {%- for name, user in cfg_master['client_acl']|dictsort %}
 # This example would blacklist all non sudo users, including root from
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
 #
 {% if 'client_acl_blacklist' in cfg_master %}
 client_acl_blacklist:
  users:
 {% endif %}
 # Enforce client_acl & client_acl_blacklist when users have sudo
 # access to the salt command.
 #
 # access to the salt command. 
 {{ get_config('sudo_acl', 'False') }}
 # The external auth system uses the Salt auth modules to authenticate and
 # will cause minion to throw an exception and drop the message.
 {{ get_config('sign_pub_message', 'False') }}
 # Sign the master auth-replies with a cryptographic signature of the masters public key. 
 # Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
 {{ get_config('master_sign_pubkey', 'False') }}
 # The customizable name of the signing-key-pair without suffix.
 # master_sign_key_name: <filename_without_suffix>
 {{ get_config('master_sign', '{}') }}
 # The name of the file in the masters pki-directory that holds the pre-calculated 
 # signature of the masters public-key.
 # master_pubkey_signature: <filename>
 {{ get_config('master_pubkey_signature', '{}') }}
 # Instead of computing the signature for each auth-reply, use a pre-calculated signature. 
 # The master_pubkey_signature must also be set for this.
 {{ get_config('master_use_pubkey_signature', 'False') }}
 # Rotate the salt-masters AES-key when a minion-public is deleted with salt-key. 
 # This is a very important security-setting. Disabling it will enable deleted minions to still 
 # listen in on the messages published by the salt-master. 
 # Do not disable this unless it is absolutely clear what this does.
 {{ get_config('rotate_aes_key', 'True') }}
 #####     Salt-SSH Configuration     #####
 ##########################################
 # Pass in an alternative location for the salt-ssh roster file
 {{ get_config('roster_file', '/etc/salt/roster') }}
 # Pass in minion option overrides that will be inserted into the SHIM for
 # salt-ssh calls. The local minion config is not used for salt-ssh. Can be
 # overridden on a per-minion basis in the roster (`minion_opts`)
 #ssh_minion_opts:
 #  gpg_keydir: /root/gpg
 {{ get_config('ssh_minion_opts', '{}') }}
 #####    Master Module Management    #####
 ##########################################
 # master_tops:
 #   ext_nodes: <Shell command which returns yaml>
 #
 #master_tops: {}
 {% if 'master_tops' in cfg_master %}
 master_tops:
 {%- for master in cfg_master['master_tops'] -%}
 # (block, not variable tag!). Defaults to False, corresponds to the Jinja
 # environment init variable "trim_blocks".
 {{ get_config('jinja_trim_blocks', 'False') }}
 #
 # If this is set to True leading spaces and tabs are stripped from the start
 # of a line to a block. Defaults to False, corresponds to the Jinja
 # environment init variable "lstrip_blocks".
 {{ get_config('state_output', 'full') }}
 # Automatically aggregate all states that have support for mod_aggregate by
 # setting to True. Or pass a list of state module names to automatically
 # setting to 'True'. Or pass a list of state module names to automatically
 # aggregate just those types.
 #
 # state_aggregate:
 #   - pkg
 #
 #state_aggregate: False
 {{ get_config('state_aggregate', '{}') }}
 # Send progress events as each function in a state run completes execution
 # by setting to 'True'. Progress events are in the format
 # 'salt/job/<JID>/prog/<MID>/<RUN NUM>'.
 {{ get_config('state_events', 'False') }}
 #####      File Server settings      #####
 ##########################################
 #   prod:
 #     - /srv/salt/prod/services
 #     - /srv/salt/prod/states
 #
 {% if 'file_roots' in cfg_master -%}
 {{ file_roots(cfg_master['file_roots']) }}
 {%- elif 'file_roots' in cfg_salt -%}
 #    - /srv/salt
 {%- endif %}
 # When using multiple environments, each with their own top file, the
 # default behaviour is an unordered merge. To prevent top files from
 # being merged together and instead to only use the top file from the
 # requested environment, set this value to 'same'. 
 {{ get_config('top_file_merging_stragety', 'merge') }}
 # To specify the order in which environments are merged, set the ordering
 # in the env_order option. Given a conflict, the last matching value will
 # win.
 {{ get_config('env_order', '["base", "dev", "prod"]') }}
 # If top_file_merging_strategy is set to 'same' and an environment does not
 # contain a top file, the top file in the environment specified by default_top
 # will be used instead.
 {{ get_config('default_top', 'base') }}
 # The hash_type is the hash to use when discovering the hash of a file on
 # the master server. The default is md5, but sha1, sha224, sha256, sha384
 # and sha512 are also supported.
 #
 # Prior to changing this value, the master should be stopped and all Salt
 # Prior to changing this value, the master should be stopped and all Salt 
 # caches should be cleared.
 {{ get_config('hash_type', 'md5') }}
  - {{ backend }}
 {%- endfor -%}
 {%- endif %}
 #
 # Uncomment the line below if you do not want the file_server to follow
 # symlinks when walking the filesystem tree. This is set to True
 # by default. Currently this only applies to the default roots
 # fileserver_backend.
 {{ get_config('fileserver_followsymlinks', 'False') }}
 #
 # Uncomment the line below if you do not want symlinks to be
 # treated as the files they are pointing to. By default this is set to
 # False. By uncommenting the line below, any detected symlink while listing
 # files on the Master will not be returned to the Minion.
 {{ get_config('fileserver_ignoresymlinks', 'True') }}
 #
 # By default, the Salt fileserver recurses fully into all defined environments
 # to attempt to find files. To limit this behavior so that the fileserver only
 # traverses directories with SLS files and special Salt directories like _modules,
 # enable the option below. This might be useful for installations where a file root
 # has a very large number of files and performance is impacted. Default is False.
 {{ get_config('fileserver_limit_traversal', 'False') }}
 #
 # The fileserver can fire events off every time the fileserver is updated,
 # these are disabled by default, but can be easily turned on by setting this
 # flag to True
 # Gitfs can be provided by one of two python modules: GitPython or pygit2. If
 # using pygit2, both libgit2 and git must also be installed.
 {{ get_config('gitfs_provider', 'gitpython') }}
 #
 # When using the git fileserver backend at least one git remote needs to be
 # defined. The user running the salt master will need read access to the repo.
 #
 # keep in mind that setting this flag to anything other than the default of True
 # is a security concern, you may want to try using the ssh transport.
 {{ get_config('gitfs_ssl_verify', 'True') }}
 #
 # The gitfs_root option gives the ability to serve files from a subdirectory
 # within the repository. The path is defined relative to the root of the
 # repository and defaults to the repository root.
 #   - feature/*
 {% endif %}
 #####         Pillar settings        #####
 ##########################################
 # Salt Pillars allow for the building of global data that can be made selectively
 #  base:
 #    - /srv/pillar
 {%- endif %}
 #
 {% if 'ext_pillar' in cfg_master %}
 ext_pillar:
 {%- for pillar in cfg_master['ext_pillar'] -%}
    - {{ parameter }}
      {%- endfor -%}
    {%- elif pillar[key] is mapping and pillar[key] is not string %}
  - {{ key }}: 
  - {{ key }}:
      {%- for parameter in pillar[key] %}
      {{ parameter }}: {{pillar[key][parameter]}}
      {%- endfor %}
 # master config file that can then be used on minions.
 {{ get_config('pillar_opts', 'True') }}
 # The pillar_safe_render_error option prevents the master from passing pillar
 # render errors to the minion. This is set on by default because the error could
 # contain templating data which would give that minion information it shouldn't
 # have, like a password! When set true the error message will only show:
 #   Rendering SLS 'my.sls' failed. Please see master log for details.
 {{ get_config('pillar_safe_render_error', 'True') }}
 # The pillar_source_merging_strategy option allows you to configure merging strategy
 # between different sources. It accepts four values: recurse, aggregate, overwrite,
 # or smart. Recurse will merge recursively mapping of data. Aggregate instructs
 # on the "renderer" setting and is the default value.
 {{ get_config('pillar_source_merging_strategy', 'smart') }}
 # Recursively merge lists by aggregating them instead of replacing them.
 {{ get_config('pillar_merge_lists', 'False') }}
 #####          Syndic settings       #####
 ##########################################
 # The Salt syndic is used to pass commands through a master from a higher
 # master. Using the syndic is simple, if this is a master that will have
 # syndic servers(s) below it set the "order_masters" setting to True, if this
 # is a master that will be running a syndic daemon for passthrough the
 # "syndic_master" setting needs to be set to the location of the master server
 # master. Using the syndic is simple. If this is a master that will have
 # syndic servers(s) below it, then set the "order_masters" setting to True.
 #
 # If this is a master that will be running a syndic daemon for passthrough, then
 # the "syndic_master" setting needs to be set to the location of the master server
 # to receive commands from.
 # Set the order_masters setting to True if this master will command lower
 # LOG file of the syndic daemon:
 {{ get_config('syndic_log_file', 'syndic.log') }}
 #####      Peer Publish settings     #####
 ##########################################
 # Salt minions can send commands to other minions, but only if the minion is
  {% endfor %}
 {% endif %}
 #####         Mine settings     #####
 ##########################################
 #####################################
 # Restrict mine.get access from minions. By default any minion has a full access
 # to get all mine data from master cache. In acl definion below, only pcre matches
 # are allowed.
 #     - disk.*
 {%- endif %}
 #####         Logging settings       #####
 ##########################################
 # The location of the master log file
 # The level of messages to send to the console.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
 #
 # The following log levels are considered INSECURE and may log sensitive data:
 # ['garbage', 'trace', 'debug']
 #
 {{ get_config('log_level', 'warning') }}
 # The level of messages to send to the log file.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
 # If using 'log_granular_levels' this must be set to the highest desired level.
 {{ get_config('log_level_logfile', 'warning') }}
 # The date and time format used in log messages. Allowed date/time formating
 # The format of the console logging messages. Allowed formatting options can
 # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
 #
 # Console log colors are specified by these additional formatters:
 #
 # %(colorlevel)s
 # %(colorname)s
 # %(colorprocess)s
 # %(colormsg)s
 #
 # Since it is desirable to include the surrounding brackets, '[' and ']', in
 # the coloring of the messages, these color formatters also include padding as
 # well.  Color LogRecord attributes are only available for console logging.
 #
 {{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }}
 {{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
 {{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}
 # This can be used to control logging levels more specificically.  This
 #log_granular_levels: {}
 {% endif %}
 #####         Node Groups           #####
 #####         Node Groups           ######
 ##########################################
 # Node groups allow for logical groupings of minion nodes. A group consists of a group
 # name and a compound target.
  {% endfor %}
 {% endif %}
 #####     Range Cluster settings     #####
 ##########################################
 # The range server (and optional port) that serves your cluster information
 #
 {{ get_config('range_server', 'range:80') }}
 #####     Windows Software Repo settings #####
 ##############################################
 #####  Windows Software Repo settings #####
 ###########################################
 # Location of the repo on the master:
 {{ get_config('win_repo_dir_ng', '/srv/salt/win/repo-ng') }}
 # List of git repositories to include with the local repo:
 {% if 'win_gitrepos_ng' in cfg_master %}
 win_gitrepos_ng:
  {% for repo in cfg_master['win_gitrepos_ng'] %}
  - {{ repo }}
  {% endfor %}
 {% elif 'win_gitrepos_ng' in cfg_salt %}
 win_gitrepos_ng:
  {% for repo in cfg_salt['win_gitrepos_ng'] %}
  - {{ repo }}
  {% endfor %}
 {% else %}
 #winrepo_remotes_ng:
 #  - 'https://github.com/saltstack/salt-winrepo-ng.git'
 {% endif %}
 #####  Windows Software Repo settings - Pre 2015.8 #####
 ########################################################
 # Legacy repo settings for pre-2015.8 Windows minions.
 #
 # Location of the repo on the master:
 {{ get_config('win_repo', '/srv/salt/win/repo') }}
  - {{ repo }}
  {% endfor %}
 {% else %}
 #win_gitrepos:
 #winrepo_remotes:
 #  - 'https://github.com/saltstack/salt-winrepo.git'
 {% endif %}
 ############################################
 # Which returner(s) will be used for minion's result:
 #return: mysql
 {{ get_config('return', '')}}
 ######    Miscellaneous  settings     ######
 ############################################
 # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
 {{ get_config('event_match_type', 'startswith') }}
 {% if 'halite' in cfg_master %}
 #####             Halite             #####