|
|
|
|
|
|
|
|
# This file managed by Salt, do not edit by hand!! |
|
|
# This file managed by Salt, do not edit by hand!! |
|
|
# Based on salt version 2015.8.7 default config |
|
|
|
|
|
|
|
|
# Based on salt version 2016.11 default config |
|
|
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'lxc.network_profile', 'lxc.container_profile'] -%} |
|
|
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'lxc.network_profile', 'lxc.container_profile'] -%} |
|
|
{% set cfg_salt = pillar.get('salt', {}) -%} |
|
|
{% set cfg_salt = pillar.get('salt', {}) -%} |
|
|
{% set cfg_master = cfg_salt.get('master', {}) -%} |
|
|
{% set cfg_master = cfg_salt.get('master', {}) -%} |
|
|
|
|
|
|
|
|
# key_logfile, pidfile: |
|
|
# key_logfile, pidfile: |
|
|
{{ get_config('root_dir', '/') }} |
|
|
{{ get_config('root_dir', '/') }} |
|
|
|
|
|
|
|
|
|
|
|
# The path to the master's configuration file. |
|
|
|
|
|
{{ get_config('conf_file', '/etc/salt/master') }} |
|
|
|
|
|
|
|
|
# Directory used to store public key data: |
|
|
# Directory used to store public key data: |
|
|
{{ get_config('pki_dir', '/etc/salt/pki/master') }} |
|
|
{{ get_config('pki_dir', '/etc/salt/pki/master') }} |
|
|
|
|
|
|
|
|
|
|
|
# Key cache. Increases master speed for large numbers of accepted |
|
|
|
|
|
# keys. Available options: 'sched'. (Updates on a fixed schedule.) |
|
|
|
|
|
# Note that enabling this feature means that minions will not be |
|
|
|
|
|
# available to target for up to the length of the maintanence loop |
|
|
|
|
|
# which by default is 60s. |
|
|
|
|
|
{%- if cfg_minion['key_cache'] in cfg_master %} |
|
|
|
|
|
{{ get_config('key_cache', '') }} |
|
|
|
|
|
{% else %} |
|
|
|
|
|
#key_cache: '' |
|
|
|
|
|
{% endif %} |
|
|
|
|
|
|
|
|
# Directory to store job and cache data: |
|
|
# Directory to store job and cache data: |
|
|
# This directory may contain sensitive data and should be protected accordingly. |
|
|
# This directory may contain sensitive data and should be protected accordingly. |
|
|
# |
|
|
# |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Directory for custom modules. This directory can contain subdirectories for |
|
|
# Directory for custom modules. This directory can contain subdirectories for |
|
|
# each of Salt's module types such as "runners", "output", "wheel", "modules", |
|
|
# each of Salt's module types such as "runners", "output", "wheel", "modules", |
|
|
# "states", "returners", etc. |
|
|
|
|
|
|
|
|
# "states", "returners", "engines", etc. |
|
|
# Like 'extension_modules' but can take an array of paths |
|
|
# Like 'extension_modules' but can take an array of paths |
|
|
{% if 'module_dirs' in cfg_master -%} |
|
|
{% if 'module_dirs' in cfg_master -%} |
|
|
{%- do default_keys.append('module_dirs') %} |
|
|
{%- do default_keys.append('module_dirs') %} |
|
|
|
|
|
|
|
|
# Set the number of hours to keep old job information in the job cache: |
|
|
# Set the number of hours to keep old job information in the job cache: |
|
|
{{ get_config('keep_jobs', '24') }} |
|
|
{{ get_config('keep_jobs', '24') }} |
|
|
|
|
|
|
|
|
|
|
|
# The number of seconds to wait when the client is requesting information |
|
|
|
|
|
# about running jobs. |
|
|
|
|
|
{{ get_config('gather_job_timeout', '10') }} |
|
|
|
|
|
|
|
|
# Set the default timeout for the salt command and api. The default is 5 |
|
|
# Set the default timeout for the salt command and api. The default is 5 |
|
|
# seconds. |
|
|
# seconds. |
|
|
{{ get_config('timeout', '5') }} |
|
|
{{ get_config('timeout', '5') }} |
|
|
|
|
|
|
|
|
# Set the default outputter used by the salt command. The default is "nested". |
|
|
# Set the default outputter used by the salt command. The default is "nested". |
|
|
{{ get_config('output', 'nested') }} |
|
|
{{ get_config('output', 'nested') }} |
|
|
|
|
|
|
|
|
|
|
|
# Set the default output file used by the salt command. Default is to output |
|
|
|
|
|
# to the CLI and not to a file. Functions the same way as the "--out-file" |
|
|
|
|
|
# CLI option, only sets this to a single file for all salt commands. |
|
|
|
|
|
{{ get_config('output_file', 'None') }} |
|
|
|
|
|
|
|
|
# Return minions that timeout when running commands like test.ping |
|
|
# Return minions that timeout when running commands like test.ping |
|
|
{{ get_config('show_timeout', 'True') }} |
|
|
{{ get_config('show_timeout', 'True') }} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# (true by default). |
|
|
# (true by default). |
|
|
{{ get_config('strip_colors', 'False') }} |
|
|
{{ get_config('strip_colors', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# To display a summary of the number of minions targeted, the number of |
|
|
|
|
|
# minions returned, and the number of minions that did not return, set the |
|
|
|
|
|
# cli_summary value to True. (False by default.) |
|
|
|
|
|
# |
|
|
|
|
|
{{ get_config('cli_summary', 'False') }} |
|
|
|
|
|
|
|
|
# Set the directory used to hold unix sockets: |
|
|
# Set the directory used to hold unix sockets: |
|
|
{{ get_config('sock_dir', '/var/run/salt/master') }} |
|
|
{{ get_config('sock_dir', '/var/run/salt/master') }} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# the jobs system and is not generally recommended. |
|
|
# the jobs system and is not generally recommended. |
|
|
{{ get_config('job_cache', 'True') }} |
|
|
{{ get_config('job_cache', 'True') }} |
|
|
|
|
|
|
|
|
# Cache minion grains and pillar data in the cachedir. |
|
|
|
|
|
|
|
|
# Cache minion grains, pillar and mine data via the cache subsystem in the |
|
|
|
|
|
# cachedir or a database. |
|
|
{{ get_config('minion_data_cache', 'True') }} |
|
|
{{ get_config('minion_data_cache', 'True') }} |
|
|
|
|
|
|
|
|
|
|
|
# Cache subsystem module to use for minion data cache. |
|
|
|
|
|
{{ get_config('cache', 'localfs') }} |
|
|
|
|
|
# Enables a fast in-memory cache booster and sets the expiration time. |
|
|
|
|
|
{{ get_config('memcache_expire_seconds', '0') }} |
|
|
|
|
|
# Set a memcache limit in items (bank + key) per cache storage (driver + driver_opts). |
|
|
|
|
|
{{ get_config('memcache_max_items', '1024') }} |
|
|
|
|
|
# Each time a cache storage got full cleanup all the expired items not just the oldest one. |
|
|
|
|
|
{{ get_config('memcache_full_cleanup', 'False') }} |
|
|
|
|
|
# Enable collecting the memcache stats and log it on `debug` log level. |
|
|
|
|
|
{{ get_config('memcache_debug', 'False') }} |
|
|
|
|
|
|
|
|
# Store all returns in the given returner. |
|
|
# Store all returns in the given returner. |
|
|
# Setting this option requires that any returner-specific configuration also |
|
|
# Setting this option requires that any returner-specific configuration also |
|
|
# be set. See various returners in salt/returners for details on required |
|
|
# be set. See various returners in salt/returners for details on required |
|
|
|
|
|
|
|
|
# By default, events are not queued. |
|
|
# By default, events are not queued. |
|
|
{{ get_config('event_return_queue', '0') }} |
|
|
{{ get_config('event_return_queue', '0') }} |
|
|
|
|
|
|
|
|
# Only events returns matching tags in a whitelist |
|
|
|
|
|
|
|
|
# Only return events matching tags in a whitelist, supports glob matches. |
|
|
{% if 'event_return_whitelist' in cfg_master -%} |
|
|
{% if 'event_return_whitelist' in cfg_master -%} |
|
|
{%- do default_keys.append('event_return_whitelist') %} |
|
|
{%- do default_keys.append('event_return_whitelist') %} |
|
|
event_return_whitelist: |
|
|
event_return_whitelist: |
|
|
|
|
|
|
|
|
- {{ event_return }} |
|
|
- {{ event_return }} |
|
|
{%- endfor -%} |
|
|
{%- endfor -%} |
|
|
{% else -%} |
|
|
{% else -%} |
|
|
# event_return_whitelist: |
|
|
|
|
|
# - salt/master/a_tag |
|
|
|
|
|
# - salt/master/another_tag |
|
|
|
|
|
|
|
|
#event_return_whitelist: |
|
|
|
|
|
# - salt/master/a_tag |
|
|
|
|
|
# - salt/run/*/ret |
|
|
{% endif %} |
|
|
{% endif %} |
|
|
|
|
|
|
|
|
# Store all event returns _except_ the tags in a blacklist |
|
|
|
|
|
|
|
|
# Store all event returns **except** the tags in a blacklist supports globs. |
|
|
{% if 'event_return_blacklist' in cfg_master -%} |
|
|
{% if 'event_return_blacklist' in cfg_master -%} |
|
|
{%- do default_keys.append('event_return_blacklist') %} |
|
|
{%- do default_keys.append('event_return_blacklist') %} |
|
|
event_return_blacklist: |
|
|
event_return_blacklist: |
|
|
|
|
|
|
|
|
- {{ event_return }} |
|
|
- {{ event_return }} |
|
|
{%- endfor -%} |
|
|
{%- endfor -%} |
|
|
{% else -%} |
|
|
{% else -%} |
|
|
# event_return_blacklist: |
|
|
|
|
|
# - salt/master/not_this_tag |
|
|
|
|
|
# - salt/master/or_this_one |
|
|
|
|
|
|
|
|
#event_return_blacklist: |
|
|
|
|
|
# - salt/master/not_this_tag |
|
|
|
|
|
# - salt/wheel/*/ret |
|
|
{% endif %} |
|
|
{% endif %} |
|
|
|
|
|
|
|
|
# Passing very large events can cause the minion to consume large amounts of |
|
|
# Passing very large events can cause the minion to consume large amounts of |
|
|
|
|
|
|
|
|
# Set the ZeroMQ high water marks |
|
|
# Set the ZeroMQ high water marks |
|
|
# http://api.zeromq.org/3-2:zmq-setsockopt |
|
|
# http://api.zeromq.org/3-2:zmq-setsockopt |
|
|
|
|
|
|
|
|
|
|
|
# The listen queue size / backlog |
|
|
|
|
|
{{ get_config('zmq_backlog', '1000') }} |
|
|
|
|
|
|
|
|
# The publisher interface ZeroMQPubServerChannel |
|
|
# The publisher interface ZeroMQPubServerChannel |
|
|
{{ get_config('pub_hwm', '1000') }} |
|
|
{{ get_config('pub_hwm', '1000') }} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# ZMQ high-water-mark for EventPublisher pub socket |
|
|
# ZMQ high-water-mark for EventPublisher pub socket |
|
|
{{ get_config('event_publisher_pub_hwm', '10000') }} |
|
|
{{ get_config('event_publisher_pub_hwm', '10000') }} |
|
|
|
|
|
|
|
|
|
|
|
# The master may allocate memory per-event and not |
|
|
|
|
|
# reclaim it. |
|
|
|
|
|
# To set a high-water mark for memory allocation, use |
|
|
|
|
|
# ipc_write_buffer to set a high-water mark for message |
|
|
|
|
|
# buffering. |
|
|
|
|
|
# Value: In bytes. Set to 'dynamic' to have Salt select |
|
|
|
|
|
# a value for you. Default is disabled. |
|
|
|
|
|
{%- if 'ipc_write_buffer' in cfg_master %} |
|
|
|
|
|
{{ get_config('ipc_write_buffer', 'dynamic') }} |
|
|
|
|
|
{%- else %} |
|
|
|
|
|
# ipc_write_buffer: 'dynamic' |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##### Security settings ##### |
|
|
##### Security settings ##### |
|
|
########################################## |
|
|
########################################## |
|
|
|
|
|
|
|
|
# public keys from the minions. Note that this is insecure. |
|
|
# public keys from the minions. Note that this is insecure. |
|
|
{{ get_config('auto_accept', 'False') }} |
|
|
{{ get_config('auto_accept', 'False') }} |
|
|
|
|
|
|
|
|
# Time in minutes that a incoming public key with a matching name found in |
|
|
|
|
|
|
|
|
# Time in minutes that an incoming public key with a matching name found in |
|
|
# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys |
|
|
# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys |
|
|
# are removed when the master checks the minion_autosign directory. |
|
|
# are removed when the master checks the minion_autosign directory. |
|
|
# 0 equals no timeout |
|
|
# 0 equals no timeout |
|
|
|
|
|
|
|
|
# larry: |
|
|
# larry: |
|
|
# - test.ping |
|
|
# - test.ping |
|
|
# - network.* |
|
|
# - network.* |
|
|
|
|
|
# |
|
|
{%- endif %} |
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
# Blacklist any of the following users or modules |
|
|
# Blacklist any of the following users or modules |
|
|
|
|
|
|
|
|
# This example would blacklist all non sudo users, including root from |
|
|
# This example would blacklist all non sudo users, including root from |
|
|
# running any commands. It would also blacklist any use of the "cmd" |
|
|
# running any commands. It would also blacklist any use of the "cmd" |
|
|
# module. This is completely disabled by default. |
|
|
# module. This is completely disabled by default. |
|
|
|
|
|
# |
|
|
|
|
|
# |
|
|
|
|
|
# Check the list of configured users in client ACL against users on the |
|
|
|
|
|
# system and throw errors if they do not exist. |
|
|
|
|
|
{{ get_config('client_acl_verify', 'True') }} |
|
|
|
|
|
# |
|
|
{% if 'publisher_acl_blacklist' in cfg_master %} |
|
|
{% if 'publisher_acl_blacklist' in cfg_master %} |
|
|
{%- do default_keys.append('publisher_acl_blacklist') %} |
|
|
{%- do default_keys.append('publisher_acl_blacklist') %} |
|
|
publisher_acl_blacklist: |
|
|
publisher_acl_blacklist: |
|
|
|
|
|
|
|
|
# modules: |
|
|
# modules: |
|
|
# - cmd |
|
|
# - cmd |
|
|
{% endif %} |
|
|
{% endif %} |
|
|
|
|
|
# |
|
|
|
|
|
# WARNING: client_acl and client_acl_blacklist options are deprecated and will |
|
|
|
|
|
# be removed in the future releases. Use publisher_acl and |
|
|
|
|
|
# publisher_acl_blacklist instead. |
|
|
|
|
|
|
|
|
# Enforce publisher_acl & publisher_acl_blacklist when users have sudo |
|
|
# Enforce publisher_acl & publisher_acl_blacklist when users have sudo |
|
|
# access to the salt command. |
|
|
# access to the salt command. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Time (in seconds) for a newly generated token to live. Default: 12 hours |
|
|
# Time (in seconds) for a newly generated token to live. Default: 12 hours |
|
|
{{ get_config('token_expire', '43200') }} |
|
|
{{ get_config('token_expire', '43200') }} |
|
|
|
|
|
# |
|
|
|
|
|
# Allow eauth users to specify the expiry time of the tokens they generate. |
|
|
|
|
|
# A boolean applies to all users or a dictionary of whitelisted eauth backends |
|
|
|
|
|
# and usernames may be given. |
|
|
|
|
|
# token_expire_user_override: |
|
|
|
|
|
# pam: |
|
|
|
|
|
# - fred |
|
|
|
|
|
# - tom |
|
|
|
|
|
# ldap: |
|
|
|
|
|
# - gary |
|
|
|
|
|
# |
|
|
|
|
|
#token_expire_user_override: False |
|
|
|
|
|
|
|
|
# Allow minions to push files to the master. This is disabled by default, for |
|
|
# Allow minions to push files to the master. This is disabled by default, for |
|
|
# security purposes. |
|
|
# security purposes. |
|
|
|
|
|
|
|
|
# will cause minion to throw an exception and drop the message. |
|
|
# will cause minion to throw an exception and drop the message. |
|
|
{{ get_config('sign_pub_message', 'False') }} |
|
|
{{ get_config('sign_pub_message', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# Use TLS/SSL encrypted connection between master and minion. |
|
|
|
|
|
# Can be set to a dictionary containing keyword arguments corresponding to Python's |
|
|
|
|
|
# 'ssl.wrap_socket' method. |
|
|
|
|
|
# Default is None. |
|
|
|
|
|
#ssl: |
|
|
|
|
|
# keyfile: <path_to_keyfile> |
|
|
|
|
|
# certfile: <path_to_certfile> |
|
|
|
|
|
# ssl_version: PROTOCOL_TLSv1_2 |
|
|
|
|
|
|
|
|
# Sign the master auth-replies with a cryptographic signature of the masters public key. |
|
|
# Sign the master auth-replies with a cryptographic signature of the masters public key. |
|
|
# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial |
|
|
# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial |
|
|
{{ get_config('master_sign_pubkey', 'False') }} |
|
|
{{ get_config('master_sign_pubkey', 'False') }} |
|
|
|
|
|
|
|
|
# Pass in an alternative location for the salt-ssh roster file |
|
|
# Pass in an alternative location for the salt-ssh roster file |
|
|
{{ get_config('roster_file', '/etc/salt/roster') }} |
|
|
{{ get_config('roster_file', '/etc/salt/roster') }} |
|
|
|
|
|
|
|
|
|
|
|
# Define locations for roster files so they can be chosen when using Salt API. |
|
|
|
|
|
# An administrator can place roster files into these locations. Then when |
|
|
|
|
|
# calling Salt API, parameter 'roster_file' should contain a relative path to |
|
|
|
|
|
# these locations. That is, "roster_file=/foo/roster" will be resolved as |
|
|
|
|
|
# "/etc/salt/roster.d/foo/roster" etc. This feature prevents passing insecure |
|
|
|
|
|
# custom rosters through the Salt API. |
|
|
|
|
|
# |
|
|
|
|
|
{%- if 'rosters' in cfg_master %} |
|
|
|
|
|
rosters: |
|
|
|
|
|
{% for name in cfg_master['rosters'] -%} |
|
|
|
|
|
- {{ name }} |
|
|
|
|
|
{% endfor -%} |
|
|
|
|
|
{%- else %} |
|
|
|
|
|
#rosters: |
|
|
|
|
|
# - /etc/salt/roster.d |
|
|
|
|
|
# - /opt/salt/some/more/rosters |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
|
|
|
# The log file of the salt-ssh command: |
|
|
|
|
|
{{ get_config('ssh_log_file', '/var/log/salt/ssh') }} |
|
|
|
|
|
|
|
|
# Pass in minion option overrides that will be inserted into the SHIM for |
|
|
# Pass in minion option overrides that will be inserted into the SHIM for |
|
|
# salt-ssh calls. The local minion config is not used for salt-ssh. Can be |
|
|
# salt-ssh calls. The local minion config is not used for salt-ssh. Can be |
|
|
# overridden on a per-minion basis in the roster (`minion_opts`) |
|
|
# overridden on a per-minion basis in the roster (`minion_opts`) |
|
|
|
|
|
|
|
|
# gpg_keydir: /root/gpg |
|
|
# gpg_keydir: /root/gpg |
|
|
{{ get_config('ssh_minion_opts', '{}') }} |
|
|
{{ get_config('ssh_minion_opts', '{}') }} |
|
|
|
|
|
|
|
|
|
|
|
# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh |
|
|
|
|
|
# authentication with minions |
|
|
|
|
|
{{ get_config('ssh_use_home_key', 'False') }} |
|
|
|
|
|
|
|
|
##### Master Module Management ##### |
|
|
##### Master Module Management ##### |
|
|
########################################## |
|
|
########################################## |
|
|
# Manage how master side modules are loaded. |
|
|
# Manage how master side modules are loaded. |
|
|
|
|
|
|
|
|
# (block, not variable tag!). Defaults to False, corresponds to the Jinja |
|
|
# (block, not variable tag!). Defaults to False, corresponds to the Jinja |
|
|
# environment init variable "trim_blocks". |
|
|
# environment init variable "trim_blocks". |
|
|
{{ get_config('jinja_trim_blocks', 'False') }} |
|
|
{{ get_config('jinja_trim_blocks', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# |
|
|
# If this is set to True leading spaces and tabs are stripped from the start |
|
|
# If this is set to True leading spaces and tabs are stripped from the start |
|
|
# of a line to a block. Defaults to False, corresponds to the Jinja |
|
|
# of a line to a block. Defaults to False, corresponds to the Jinja |
|
|
# environment init variable "lstrip_blocks". |
|
|
# environment init variable "lstrip_blocks". |
|
|
|
|
|
|
|
|
#file_roots: |
|
|
#file_roots: |
|
|
# base: |
|
|
# base: |
|
|
# - /srv/salt |
|
|
# - /srv/salt |
|
|
|
|
|
# |
|
|
{%- endif %} |
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
# When using multiple environments, each with their own top file, the |
|
|
# When using multiple environments, each with their own top file, the |
|
|
|
|
|
|
|
|
{{ get_config('default_top', 'base') }} |
|
|
{{ get_config('default_top', 'base') }} |
|
|
|
|
|
|
|
|
# The hash_type is the hash to use when discovering the hash of a file on |
|
|
# The hash_type is the hash to use when discovering the hash of a file on |
|
|
# the master server. The default is md5, but sha1, sha224, sha256, sha384 |
|
|
|
|
|
|
|
|
# the master server. The default is md5 but sha1, sha224, sha256, sha384 |
|
|
# and sha512 are also supported. |
|
|
# and sha512 are also supported. |
|
|
# |
|
|
# |
|
|
|
|
|
# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance |
|
|
|
|
|
# of possible collisions and thus security breach. |
|
|
|
|
|
# |
|
|
# Prior to changing this value, the master should be stopped and all Salt |
|
|
# Prior to changing this value, the master should be stopped and all Salt |
|
|
# caches should be cleared. |
|
|
# caches should be cleared. |
|
|
{{ get_config('hash_type', 'md5') }} |
|
|
{{ get_config('hash_type', 'md5') }} |
|
|
|
|
|
|
|
|
# and the first repo to have the file will return it. |
|
|
# and the first repo to have the file will return it. |
|
|
# When using the git backend branches and tags are translated into salt |
|
|
# When using the git backend branches and tags are translated into salt |
|
|
# environments. |
|
|
# environments. |
|
|
# Note: file:// repos will be treated as a remote, so refs you want used must |
|
|
|
|
|
|
|
|
# Note: file:// repos will be treated as a remote, so refs you want used must |
|
|
# exist in that repo as *local* refs. |
|
|
# exist in that repo as *local* refs. |
|
|
{% if 'gitfs_remotes' in cfg_master -%} |
|
|
{% if 'gitfs_remotes' in cfg_master -%} |
|
|
{%- do default_keys.append('gitfs_remotes') %} |
|
|
{%- do default_keys.append('gitfs_remotes') %} |
|
|
|
|
|
|
|
|
#pillar_roots: |
|
|
#pillar_roots: |
|
|
# base: |
|
|
# base: |
|
|
# - /srv/pillar |
|
|
# - /srv/pillar |
|
|
|
|
|
# |
|
|
{%- endif %} |
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
{% if 'ext_pillar' in cfg_master %} |
|
|
{% if 'ext_pillar' in cfg_master %} |
|
|
|
|
|
|
|
|
# ext_pillar. |
|
|
# ext_pillar. |
|
|
{{ get_config('ext_pillar_first', 'False') }} |
|
|
{{ get_config('ext_pillar_first', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# The external pillars permitted to be used on-demand using pillar.ext |
|
|
|
|
|
{%- if 'on_demand_ext_pillar' in cfg_master %} |
|
|
|
|
|
on_demand_ext_pillar: |
|
|
|
|
|
{% for name in cfg_master['on_demand_ext_pillar'] -%} |
|
|
|
|
|
- {{ name }} |
|
|
|
|
|
{% endfor -%} |
|
|
|
|
|
{%- else %} |
|
|
|
|
|
#on_demand_ext_pillar: |
|
|
|
|
|
# - libvirt |
|
|
|
|
|
# - virtkey |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate |
|
|
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate |
|
|
# errors when contacting the pillar gitfs backend. You might want to set this to |
|
|
# errors when contacting the pillar gitfs backend. You might want to set this to |
|
|
# false if you're using a git backend that uses a self-signed certificate but |
|
|
# false if you're using a git backend that uses a self-signed certificate but |
|
|
|
|
|
|
|
|
{{ get_config('pillar_safe_render_error', 'True') }} |
|
|
{{ get_config('pillar_safe_render_error', 'True') }} |
|
|
|
|
|
|
|
|
# The pillar_source_merging_strategy option allows you to configure merging strategy |
|
|
# The pillar_source_merging_strategy option allows you to configure merging strategy |
|
|
# between different sources. It accepts four values: recurse, aggregate, overwrite, |
|
|
|
|
|
# or smart. Recurse will merge recursively mapping of data. Aggregate instructs |
|
|
|
|
|
# aggregation of elements between sources that use the #!yamlex renderer. Overwrite |
|
|
|
|
|
# will verwrite elements according the order in which they are processed. This is |
|
|
|
|
|
|
|
|
# between different sources. It accepts five values: none, recurse, aggregate, overwrite, |
|
|
|
|
|
# or smart. None will not do any merging at all. Recurse will merge recursively mapping of data. |
|
|
|
|
|
# Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite |
|
|
|
|
|
# will overwrite elements according the order in which they are processed. This is |
|
|
# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based |
|
|
# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based |
|
|
# on the "renderer" setting and is the default value. |
|
|
# on the "renderer" setting and is the default value. |
|
|
{{ get_config('pillar_source_merging_strategy', 'smart') }} |
|
|
{{ get_config('pillar_source_merging_strategy', 'smart') }} |
|
|
|
|
|
|
|
|
# Recursively merge lists by aggregating them instead of replacing them. |
|
|
# Recursively merge lists by aggregating them instead of replacing them. |
|
|
{{ get_config('pillar_merge_lists', False) }} |
|
|
|
|
|
|
|
|
{{ get_config('pillar_merge_lists', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# Set this option to 'True' to force a 'KeyError' to be raised whenever an |
|
|
|
|
|
# attempt to retrieve a named value from pillar fails. When this option is set |
|
|
|
|
|
# to 'False', the failed attempt returns an empty string. Default is 'False'. |
|
|
|
|
|
{{ get_config('pillar_raise_on_missing', 'False') }} |
|
|
|
|
|
|
|
|
# Git External Pillar (git_pillar) Configuration Options |
|
|
# Git External Pillar (git_pillar) Configuration Options |
|
|
# |
|
|
# |
|
|
|
|
|
|
|
|
# to authenticate is protected by a passphrase. |
|
|
# to authenticate is protected by a passphrase. |
|
|
{{ get_config('git_pillar_passphrase', '') }} |
|
|
{{ get_config('git_pillar_passphrase', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# A master can cache pillars locally to bypass the expense of having to render them |
|
|
|
|
|
# for each minion on every request. This feature should only be enabled in cases |
|
|
|
|
|
# where pillar rendering time is known to be unsatisfactory and any attendant security |
|
|
|
|
|
# concerns about storing pillars in a master cache have been addressed. |
|
|
|
|
|
# |
|
|
|
|
|
# When enabling this feature, be certain to read through the additional ``pillar_cache_*`` |
|
|
|
|
|
# configuration options to fully understand the tunable parameters and their implications. |
|
|
|
|
|
# |
|
|
|
|
|
# Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars. |
|
|
|
|
|
# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html |
|
|
|
|
|
{{ get_config('pillar_cache', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount |
|
|
|
|
|
# of time, in seconds, before the cache is considered invalid by a master and a fresh |
|
|
|
|
|
# pillar is recompiled and stored. |
|
|
|
|
|
{{ get_config('pillar_cache_ttl', '3600') }} |
|
|
|
|
|
|
|
|
|
|
|
# If and only if a master has set `pillar_cache: True`, one of several storage providers |
|
|
|
|
|
# can be utililzed. |
|
|
|
|
|
# |
|
|
|
|
|
# `disk`: The default storage backend. This caches rendered pillars to the master cache. |
|
|
|
|
|
# Rendered pillars are serialized and deserialized as msgpack structures for speed. |
|
|
|
|
|
# Note that pillars are stored UNENCRYPTED. Ensure that the master cache |
|
|
|
|
|
# has permissions set appropriately. (Same defaults are provided.) |
|
|
|
|
|
# |
|
|
|
|
|
# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python |
|
|
|
|
|
# in-memory data structure for maximal performance. There are several caveats, |
|
|
|
|
|
# however. First, because each master worker contains its own in-memory cache, |
|
|
|
|
|
# there is no guarantee of cache consistency between minion requests. This |
|
|
|
|
|
# works best in situations where the pillar rarely if ever changes. Secondly, |
|
|
|
|
|
# and perhaps more importantly, this means that unencrypted pillars will |
|
|
|
|
|
# be accessible to any process which can examine the memory of the ``salt-master``! |
|
|
|
|
|
# This may represent a substantial security risk. |
|
|
|
|
|
# |
|
|
|
|
|
{{ get_config('pillar_cache_backend', 'disk') }} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##### Syndic settings ##### |
|
|
##### Syndic settings ##### |
|
|
########################################## |
|
|
########################################## |
|
|
# The Salt syndic is used to pass commands through a master from a higher |
|
|
# The Salt syndic is used to pass commands through a master from a higher |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# If this master will be running a salt syndic daemon, syndic_master tells |
|
|
# If this master will be running a salt syndic daemon, syndic_master tells |
|
|
# this master where to receive commands from. |
|
|
# this master where to receive commands from. |
|
|
{{ get_config('syndic_master', 'masterofmaster') }} |
|
|
|
|
|
|
|
|
{{ get_config('syndic_master', 'masterofmasters') }} |
|
|
|
|
|
|
|
|
# This is the 'ret_port' of the MasterOfMaster: |
|
|
# This is the 'ret_port' of the MasterOfMaster: |
|
|
{{ get_config('syndic_master_port', '4506') }} |
|
|
{{ get_config('syndic_master_port', '4506') }} |
|
|
|
|
|
|
|
|
{{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }} |
|
|
{{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }} |
|
|
|
|
|
|
|
|
# LOG file of the syndic daemon: |
|
|
# LOG file of the syndic daemon: |
|
|
{{ get_config('syndic_log_file', 'syndic.log') }} |
|
|
|
|
|
|
|
|
{{ get_config('syndic_log_file', '/var/log/salt/syndic') }} |
|
|
|
|
|
|
|
|
# The user under which the salt syndic will run. |
|
|
# The user under which the salt syndic will run. |
|
|
{{ get_config('syndic_user', 'root') }} |
|
|
{{ get_config('syndic_user', 'root') }} |
|
|
|
|
|
|
|
|
|
|
|
# The behaviour of the multi-syndic when connection to a master of masters failed. |
|
|
|
|
|
# Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters |
|
|
|
|
|
# will be iterated in random order. If ``ordered`` is specified, the configured |
|
|
|
|
|
# order will be used. |
|
|
|
|
|
{{ get_config('syndic_failover', 'random') }} |
|
|
|
|
|
|
|
|
|
|
|
# The number of seconds for the salt client to wait for additional syndics to |
|
|
|
|
|
# check in with their lists of expected minions before giving up. |
|
|
|
|
|
{{ get_config('syndic_wait', '5') }} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##### Peer Publish settings ##### |
|
|
##### Peer Publish settings ##### |
|
|
########################################## |
|
|
########################################## |
|
|
# Salt minions can send commands to other minions, but only if the minion is |
|
|
# Salt minions can send commands to other minions, but only if the minion is |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##### Node Groups ###### |
|
|
##### Node Groups ###### |
|
|
########################################## |
|
|
########################################## |
|
|
# Node groups allow for logical groupings of minion nodes. A group consists of a group |
|
|
|
|
|
# name and a compound target. |
|
|
|
|
|
|
|
|
# Node groups allow for logical groupings of minion nodes. A group consists of |
|
|
|
|
|
# a group name and a compound target. Nodgroups can reference other nodegroups |
|
|
|
|
|
# with 'N@' classifier. Ensure that you do not have circular references. |
|
|
|
|
|
# |
|
|
#nodegroups: |
|
|
#nodegroups: |
|
|
# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' |
|
|
|
|
|
|
|
|
# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' |
|
|
# group2: 'G@os:Debian and foo.domain.com' |
|
|
# group2: 'G@os:Debian and foo.domain.com' |
|
|
|
|
|
# group3: 'G@os:Debian and N@group1' |
|
|
|
|
|
# group4: |
|
|
|
|
|
# - 'G@foo:bar' |
|
|
|
|
|
# - 'or' |
|
|
|
|
|
# - 'G@foo:baz' |
|
|
{%- if 'nodegroups' in cfg_master %} |
|
|
{%- if 'nodegroups' in cfg_master %} |
|
|
{%- do default_keys.append('nodegroups') %} |
|
|
{%- do default_keys.append('nodegroups') %} |
|
|
nodegroups: |
|
|
nodegroups: |
|
|
|
|
|
|
|
|
{{ get_config('return', '')}} |
|
|
{{ get_config('return', '')}} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
###### Miscellaneous settings ###### |
|
|
|
|
|
|
|
|
###### Miscellaneous settings ###### |
|
|
############################################ |
|
|
############################################ |
|
|
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch |
|
|
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch |
|
|
{{ get_config('event_match_type', 'startswith') }} |
|
|
{{ get_config('event_match_type', 'startswith') }} |
|
|
|
|
|
|
|
|
|
|
|
# Save runner returns to the job cache |
|
|
|
|
|
{{ get_config('runner_returns', 'True') }} |
|
|
|
|
|
|
|
|
|
|
|
# Permanently include any available Python 3rd party modules into Salt Thin |
|
|
|
|
|
# when they are generated for Salt-SSH or other purposes. |
|
|
|
|
|
# The modules should be named by the names they are actually imported inside the Python. |
|
|
|
|
|
# The value of the parameters can be either one module or a comma separated list of them. |
|
|
|
|
|
{%- if 'thin_extra_mods' in cfg_master %} |
|
|
|
|
|
{{ get_config('thin_extra_mods', '') }} |
|
|
|
|
|
{%- else %} |
|
|
|
|
|
#thin_extra_mods: foo,bar |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
{%- if 'halite' in cfg_master %} |
|
|
{%- if 'halite' in cfg_master %} |
|
|
{%- do default_keys.append('halite') %} |
|
|
{%- do default_keys.append('halite') %} |
|
|
##### Halite ##### |
|
|
##### Halite ##### |
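Review bot: The `hash_type` hunk keeps `{{ get_config('hash_type', 'md5') }}` as the fallback even though the comment that appears to be added just above it warns against md5 and sha1, so a master with no explicit pillar value still gets the hash the template itself advises against. Consider `{{ get_config('hash_type', 'sha256') }}` (sha256 is in the supported list quoted in the same comment), bearing in mind the comment's own caveat that the master should be stopped and its caches cleared before this value changes. Separately, the `key_cache` guard reads `{%- if cfg_minion['key_cache'] in cfg_master %}`, but only `cfg_salt` and `cfg_master` are set in the lines visible here and every other guard uses the `'name' in cfg_master` form; it looks like it should be `{%- if 'key_cache' in cfg_master %}`. The page has lost its +/- markers, so which side each line belongs to is inferred from lines that are printed only once.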