New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

README.rst 15KB

9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
8 jaren geleden
8 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
8 jaren geleden
9 jaren geleden
8 jaren geleden
8 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
8 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
9 jaren geleden
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684
  1. ============
  2. Salt Formula
  3. ============
  4. Salt is a new approach to infrastructure management. Easy enough to get
  5. running in minutes, scalable enough to manage tens of thousands of servers,
  6. and fast enough to communicate with them in seconds.
  7. Salt delivers a dynamic communication bus for infrastructures that can be used
  8. for orchestration, remote execution, configuration management and much more.
  9. Sample Metadata
  10. ===============
  11. Salt Master
  12. -----------
  13. Salt master with base formulas and pillar metadata backend
  14. .. literalinclude:: tests/pillar/master_single_pillar.sls
  15. :language: yaml
  16. Salt master with reclass ENC metadata backend
  17. .. literalinclude:: tests/pillar/master_single_reclass.sls
  18. :language: yaml
  19. Salt master with Architect ENC metadata backend
  20. .. code-block:: yaml
  21. salt:
  22. master:
  23. enabled: true
  24. pillar:
  25. engine: architect
  26. project: project-name
  27. host: architect-api
  28. port: 8181
  29. username: salt
  30. password: password
  31. Salt master with multiple ext_pillars
  32. .. literalinclude:: tests/pillar/master_single_extpillars.sls
  33. :language: yaml
  34. Salt master with API
  35. .. literalinclude:: tests/pillar/master_api.sls
  36. :language: yaml
  37. Salt master with defined user ACLs
  38. .. literalinclude:: tests/pillar/master_acl.sls
  39. :language: yaml
  40. Salt master with preset minions
  41. .. code-block:: yaml
  42. salt:
  43. master:
  44. enabled: true
  45. minions:
  46. - name: 'node1.system.location.domain.com'
  47. Salt master with pip based installation (optional)
  48. .. code-block:: yaml
  49. salt:
  50. master:
  51. enabled: true
  52. ...
  53. source:
  54. engine: pip
  55. version: 2016.3.0rc2
  56. Install formula through system package management
  57. .. code-block:: yaml
  58. salt:
  59. master:
  60. enabled: true
  61. ...
  62. environment:
  63. prd:
  64. keystone:
  65. source: pkg
  66. name: salt-formula-keystone
  67. nova:
  68. source: pkg
  69. name: salt-formula-keystone
  70. version: 0.1+0~20160818133412.24~1.gbp6e1ebb
  71. postresql:
  72. source: pkg
  73. name: salt-formula-postgresql
  74. version: purged
  75. Formula keystone is installed latest version and the formulas without version are installed in one call to aptpkg module.
  76. If the version attribute is present sls iterates over formulas and take action to install specific version or remove it.
  77. The version attribute may have these values ``[latest|purged|removed|<VERSION>]``.
  78. Clone master branch of keystone formula as local feature branch
  79. .. code-block:: yaml
  80. salt:
  81. master:
  82. enabled: true
  83. ...
  84. environment:
  85. dev:
  86. formula:
  87. keystone:
  88. source: git
  89. address: git@github.com:openstack/salt-formula-keystone.git
  90. revision: master
  91. branch: feature
  92. Salt master with specified formula refs (for example for Gerrit review)
  93. .. code-block:: yaml
  94. salt:
  95. master:
  96. enabled: true
  97. ...
  98. environment:
  99. dev:
  100. formula:
  101. keystone:
  102. source: git
  103. address: https://git.openstack.org/openstack/salt-formula-keystone
  104. revision: refs/changes/56/123456/1
  105. Salt master with logging handlers
  106. .. code-block:: yaml
  107. salt:
  108. master:
  109. enabled: true
  110. handler:
  111. handler01:
  112. engine: udp
  113. bind:
  114. host: 127.0.0.1
  115. port: 9999
  116. minion:
  117. handler:
  118. handler01:
  119. engine: udp
  120. bind:
  121. host: 127.0.0.1
  122. port: 9999
  123. handler02:
  124. engine: zmq
  125. bind:
  126. host: 127.0.0.1
  127. port: 9999
  128. Salt engine definition for saltgraph metadata collector
  129. .. code-block:: yaml
  130. salt:
  131. master:
  132. engine:
  133. graph_metadata:
  134. engine: saltgraph
  135. host: 127.0.0.1
  136. port: 5432
  137. user: salt
  138. password: salt
  139. database: salt
  140. Salt engine definition for Architect service
  141. .. code-block:: yaml
  142. salt:
  143. master:
  144. engine:
  145. architect:
  146. engine: architect
  147. project: project-name
  148. host: architect-api
  149. port: 8181
  150. username: salt
  151. password: password
  152. Salt engine definition for sending events from docker events
  153. .. code-block:: yaml
  154. salt:
  155. master:
  156. engine:
  157. docker_events:
  158. docker_url: unix://var/run/docker.sock
  159. Salt master peer setup for remote certificate signing
  160. .. code-block:: yaml
  161. salt:
  162. master:
  163. peer:
  164. ".*":
  165. - x509.sign_remote_certificate
  166. Salt master backup configuration
  167. .. code-block:: yaml
  168. salt:
  169. master:
  170. backup: true
  171. initial_data:
  172. engine: backupninja
  173. source: backup-node-host
  174. host: original-salt-master-id
  175. Configure verbosity of state output (used for `salt` command)
  176. .. code-block:: yaml
  177. salt:
  178. master:
  179. state_output: changes
  180. Pass pillar render error to minion log
  181. .. note:: When set to `False` this option is great for debuging.
  182. However it is not recomended for any production environment as it may contain
  183. templating data as passwords, etc... , that minion should not expose.
  184. .. code-block:: yaml
  185. salt:
  186. master:
  187. pillar_safe_render_error: False
  188. Event/Reactor Systems
  189. ~~~~~~~~~~~~~~~~~~~~~
  190. Salt synchronise node pillar and modules after start
  191. .. code-block:: yaml
  192. salt:
  193. master:
  194. reactor:
  195. salt/minion/*/start:
  196. - salt://salt/reactor/node_start.sls
  197. Trigger basic node install
  198. .. code-block:: yaml
  199. salt:
  200. master:
  201. reactor:
  202. salt/minion/install:
  203. - salt://salt/reactor/node_install.sls
  204. Sample event to trigger the node installation
  205. .. code-block:: bash
  206. salt-call event.send 'salt/minion/install'
  207. Run any defined orchestration pipeline
  208. .. code-block:: yaml
  209. salt:
  210. master:
  211. reactor:
  212. salt/orchestrate/start:
  213. - salt://salt/reactor/orchestrate_start.sls
  214. Event to trigger the orchestration pipeline
  215. .. code-block:: bash
  216. salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"
  217. Synchronise modules and pillars on minion start.
  218. .. code-block:: yaml
  219. salt:
  220. master:
  221. reactor:
  222. 'salt/minion/*/start':
  223. - salt://salt/reactor/minion_start.sls
  224. Add and/or remove the minion key
  225. .. code-block:: yaml
  226. salt:
  227. master:
  228. reactor:
  229. salt/key/create:
  230. - salt://salt/reactor/key_create.sls
  231. salt/key/remove:
  232. - salt://salt/reactor/key_remove.sls
  233. Event to trigger the key creation
  234. .. code-block:: bash
  235. salt-call event.send 'salt/key/create' \
  236. > "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"
  237. .. note::
  238. You can add pass additional `orch_pre_create`, `orch_post_create`,
  239. `orch_pre_remove` or `orch_post_remove` parameters to the event to call
  240. extra orchestrate files. This can be useful for example for
  241. registering/unregistering nodes from the monitoring alarms or dashboards.
  242. The key creation event needs to be run from other machine than the one
  243. being registered.
  244. Event to trigger the key removal
  245. .. code-block:: bash
  246. salt-call event.send 'salt/key/remove'
  247. Encrypted Pillars
  248. ~~~~~~~~~~~~~~~~~
  249. Note: NACL + below configuration will be available in Salt > 2017.7.
  250. External resources:
  251. - Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
  252. - Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html
  253. Configure salt NACL module:
  254. .. code-block:: shell
  255. pip install --upgrade libnacl===1.5.2
  256. salt-call --local nacl.keygen /etc/salt/pki/master/nacl
  257. local:
  258. saved sk_file:/etc/salt/pki/master/nacl pk_file: /etc/salt/pki/master/nacl.pub
  259. .. code-block:: yaml
  260. salt:
  261. master:
  262. pillar:
  263. reclass: *reclass
  264. nacl:
  265. index: 99
  266. nacl:
  267. box_type: sealedbox
  268. sk_file: /etc/salt/pki/master/nacl
  269. pk_file: /etc/salt/pki/master/nacl.pub
  270. #sk: None
  271. #pk: None
  272. NACL encrypt secrets:
  273. salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
  274. hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q
  275. # or
  276. salt-run nacl.enc 'myotherpass'
  277. ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=
  278. NACL encrypted values on pillar:
  279. Use Boxed syntax `NACL[CryptedValue=]` to encode value on pillar:
  280. .. code-block:: yaml
  281. my_pillar:
  282. my_nacl:
  283. key0: unencrypted_value
  284. key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]
  285. NACL large files:
  286. .. code-block:: shell
  287. salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
  288. # or more advanced
  289. cert=$(cat /tmp/cert.crt)
  290. salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl
  291. NACL within template/native pillars:
  292. pillarexample:
  293. user: root
  294. password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
  295. cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
  296. cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
  297. Salt Syndic
  298. -----------
  299. The master of masters
  300. .. code-block:: yaml
  301. salt:
  302. master:
  303. enabled: true
  304. order_masters: True
  305. Lower syndicated master
  306. .. code-block:: yaml
  307. salt:
  308. syndic:
  309. enabled: true
  310. master:
  311. host: master-of-master-host
  312. timeout: 5
  313. Syndicated master with multiple master of masters
  314. .. code-block:: yaml
  315. salt:
  316. syndic:
  317. enabled: true
  318. masters:
  319. - host: master-of-master-host1
  320. - host: master-of-master-host2
  321. timeout: 5
  322. Salt Minion
  323. -----------
  324. Simplest Salt minion setup with central configuration node
  325. .. code-block:: yaml
  326. .. literalinclude:: tests/pillar/minion_master.sls
  327. :language: yaml
  328. Multi-master Salt minion setup
  329. .. literalinclude:: tests/pillar/minion_multi_master.sls
  330. :language: yaml
  331. Salt minion with salt mine options
  332. .. literalinclude:: tests/pillar/minion_mine.sls
  333. :language: yaml
  334. Salt minion with graphing dependencies
  335. .. literalinclude:: tests/pillar/minion_graph.sls
  336. :language: yaml
  337. Salt minion behind HTTP proxy
  338. .. code-block:: yaml
  339. salt:
  340. minion:
  341. proxy:
  342. host: 127.0.0.1
  343. port: 3128
  344. Salt minion to specify non-default HTTP backend. The default tornado backend
  345. does not respect HTTP proxy settings set as environment variables. This is
  346. useful for cases where you need to set no_proxy lists.
  347. .. code-block:: yaml
  348. salt:
  349. minion:
  350. backend: urllib2
  351. Salt minion with PKI certificate authority (CA)
  352. .. literalinclude:: tests/pillar/minion_pki_ca.sls
  353. :language: yaml
  354. Salt minion using PKI certificate
  355. .. literalinclude:: tests/pillar/minion_pki_cert.sls
  356. :language: yaml
  357. Salt minion trust CA certificates issued by salt CA on a specific host (ie: salt-master node)
  358. .. code-block:: yaml
  359. salt:
  360. minion:
  361. trusted_ca_minions:
  362. - cfg01
  363. Salt Minion Proxy
  364. ~~~~~~~~~~~~~~~~~
  365. Salt proxy pillar
  366. .. code-block:: yaml
  367. salt:
  368. minion:
  369. proxy_minion:
  370. master: localhost
  371. device:
  372. vsrx01.mydomain.local:
  373. enabled: true
  374. engine: napalm
  375. csr1000v.mydomain.local:
  376. enabled: true
  377. engine: napalm
  378. .. note:: This is pillar of the the real salt-minion
  379. Proxy pillar for IOS device
  380. .. code-block:: yaml
  381. proxy:
  382. proxytype: napalm
  383. driver: ios
  384. host: csr1000v.mydomain.local
  385. username: root
  386. passwd: r00tme
  387. .. note:: This is pillar of the node thats not able to run salt-minion itself
  388. Proxy pillar for JunOS device
  389. .. code-block:: yaml
  390. proxy:
  391. proxytype: napalm
  392. driver: junos
  393. host: vsrx01.mydomain.local
  394. username: root
  395. passwd: r00tme
  396. optional_args:
  397. config_format: set
  398. .. note:: This is pillar of the node thats not able to run salt-minion itself
  399. Salt SSH
  400. ~~~~~~~~
  401. Salt SSH with sudoer using key
  402. .. literalinclude:: tests/pillar/master_ssh_minion_key.sls
  403. :language: yaml
  404. Salt SSH with sudoer using password
  405. .. literalinclude:: tests/pillar/master_ssh_minion_password.sls
  406. :language: yaml
  407. Salt SSH with root using password
  408. .. literalinclude:: tests/pillar/master_ssh_minion_root.sls
  409. :language: yaml
  410. Salt control (cloud/kvm/docker)
  411. -------------------------------
  412. Salt cloud with local OpenStack provider
  413. .. literalinclude:: tests/pillar/control_cloud_openstack.sls
  414. :language: yaml
  415. Salt cloud with Digital Ocean provider
  416. .. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
  417. :language: yaml
  418. Salt virt with KVM cluster
  419. .. literalinclude:: tests/pillar/control_virt.sls
  420. :language: yaml
  421. salt virt with custom destination for image file
  422. .. literalinclude:: tests/pillar/control_virt_custom.sls
  423. :language: yaml
  424. Usage
  425. =====
  426. Working with salt-cloud
  427. .. code-block:: bash
  428. salt-cloud -m /path/to/map --assume-yes
  429. Debug LIBCLOUD for salt-cloud connection
  430. .. code-block:: bash
  431. export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all
  432. References
  433. ==========
  434. * http://salt.readthedocs.org/en/latest/
  435. * https://github.com/DanielBryan/salt-state-graph
  436. * http://karlgrz.com/testing-salt-states-rapidly-with-docker/
  437. * https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
  438. * http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
  439. * https://github.com/saltstack-formulas/salt-formula
  440. * http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html
  441. salt-cloud
  442. ----------
  443. * http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
  444. * http://cloudinit.readthedocs.org/en/latest/topics/examples.html
  445. * http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
  446. * http://docs.saltstack.com/topics/cloud/digitalocean.html
  447. * http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
  448. * http://salt-cloud.readthedocs.org/en/latest/topics/map.html
  449. * http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html
  450. Documentation and Bugs
  451. ======================
  452. To learn how to install and update salt-formulas, consult the documentation
  453. available online at:
  454. http://salt-formulas.readthedocs.io/
  455. In the unfortunate event that bugs are discovered, they should be reported to
  456. the appropriate issue tracker. Use Github issue tracker for specific salt
  457. formula:
  458. https://github.com/salt-formulas/salt-formula-salt/issues
  459. For feature requests, bug reports or blueprints affecting entire ecosystem,
  460. use Launchpad salt-formulas project:
  461. https://launchpad.net/salt-formulas
  462. You can also join salt-formulas-users team and subscribe to mailing list:
  463. https://launchpad.net/~salt-formulas-users
  464. Developers wishing to work on the salt-formulas projects should always base
  465. their work on master branch and submit pull request against specific formula.
  466. https://github.com/salt-formulas/salt-formula-salt
  467. Any questions or feedback is always welcome so feel free to join our IRC
  468. channel:
  469. #salt-formulas @ irc.freenode.net