New version of salt-formula from Saltstack

============
Salt Formula
============

Salt is a new approach to infrastructure management. Easy enough to get
running in minutes, scalable enough to manage tens of thousands of servers,
and fast enough to communicate with them in seconds.

Salt delivers a dynamic communication bus for infrastructures that can be used
for orchestration, remote execution, configuration management and much more.

Sample Metadata
===============

Salt Master
-----------

Salt master with base formulas and pillar metadata backend

.. literalinclude:: tests/pillar/master_single_pillar.sls
    :language: yaml

Salt master with reclass ENC metadata backend

.. literalinclude:: tests/pillar/master_single_reclass.sls
    :language: yaml

Salt master with Architect ENC metadata backend

.. code-block:: yaml

    salt:
      master:
        enabled: true
        pillar:
          engine: architect
          project: project-name
          host: architect-api
          port: 8181
          username: salt
          password: password

Salt master with multiple ext_pillars

.. literalinclude:: tests/pillar/master_single_extpillars.sls
    :language: yaml

Salt master with API

.. literalinclude:: tests/pillar/master_api.sls
    :language: yaml

Salt master with defined user ACLs

.. literalinclude:: tests/pillar/master_acl.sls
    :language: yaml

Salt master with preset minions

.. code-block:: yaml

    salt:
      master:
        enabled: true
        minions:
        - name: 'node1.system.location.domain.com'

Salt master with pip based installation (optional)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        source:
          engine: pip
          version: 2016.3.0rc2

Install formulas through system package management

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          prd:
            formula:
              keystone:
                source: pkg
                name: salt-formula-keystone
              nova:
                source: pkg
                name: salt-formula-nova
                version: 0.1+0~20160818133412.24~1.gbp6e1ebb
              postgresql:
                source: pkg
                name: salt-formula-postgresql
                version: purged

Formulas without a ``version`` attribute (keystone above) are installed at the
latest available version, all of them in a single call to the ``aptpkg``
module. If the ``version`` attribute is present, the state iterates over those
formulas one by one and installs the requested version or removes the package.
The ``version`` attribute accepts ``latest``, ``purged``, ``removed`` or an
explicit ``<VERSION>`` string.
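The following is an added example, written for this README and not the formula's own state logic, of the package plan that rule produces from the ``environment`` metadata: unversioned ``pkg`` formulas are collected for one batched install, versioned ones are dispatched to the matching ``pkg`` state, ``git`` entries are skipped, and a version string that is neither a keyword nor a plausible Debian version is rejected instead of silently doing something else. The Debian version pattern and the sample environment (which mirrors the ``prd`` block above) are assumptions made for the example.

```python
import re

# Package actions for salt:master:environment entries with ``source: pkg``,
# following the rule the README states. Example code, not the formula's own
# state logic.

VERSION_KEYWORDS = ("latest", "purged", "removed")
# Debian package version: a digit first, then the characters dpkg allows
# (epoch ':' included). Assumption made for this example.
DEB_VERSION = re.compile(r"^[0-9][A-Za-z0-9.+~:-]*$")


def plan_formula_packages(environment):
    """Return {'batch': [...], 'actions': [(pkg, state, version), ...]}.

    ``batch`` lists packages to install together in one pkg.installed call;
    ``actions`` lists the per-package states for entries with ``version``.
    Raises ValueError for a version that is neither a keyword nor a valid
    package version, so a typo such as ``lastest`` cannot slip through.
    """
    batch = []
    actions = []
    for env_name, env in sorted(environment.items()):
        for formula_name, spec in sorted(env.get("formula", {}).items()):
            if spec.get("source") != "pkg":
                continue  # git-sourced formulas are cloned, not installed as packages
            pkg = spec["name"]
            version = spec.get("version")
            if version is None:
                batch.append(pkg)
            elif version == "latest":
                actions.append((pkg, "pkg.latest", None))
            elif version in ("purged", "removed"):
                actions.append((pkg, "pkg." + version, None))
            elif DEB_VERSION.match(str(version)):
                actions.append((pkg, "pkg.installed", str(version)))
            else:
                raise ValueError(
                    f"{env_name}/{formula_name}: unsupported version {version!r}; "
                    f"use one of {VERSION_KEYWORDS} or a package version"
                )
    # the same package listed in several environments is installed once
    return {"batch": sorted(set(batch)), "actions": actions}


# Constructed input mirroring the README's ``prd`` environment, plus a git entry.
SAMPLE_ENVIRONMENT = {
    "prd": {
        "formula": {
            "keystone": {"source": "pkg", "name": "salt-formula-keystone"},
            "nova": {"source": "pkg", "name": "salt-formula-nova",
                     "version": "0.1+0~20160818133412.24~1.gbp6e1ebb"},
            "postgresql": {"source": "pkg", "name": "salt-formula-postgresql",
                           "version": "purged"},
        }
    },
    "dev": {
        "formula": {
            "keystone": {"source": "git",
                         "address": "https://git.openstack.org/openstack/salt-formula-keystone",
                         "revision": "refs/changes/56/123456/1"},
        }
    },
}

if __name__ == "__main__":
    print(plan_formula_packages(SAMPLE_ENVIRONMENT))
```

Pinning an explicit ``version`` for production formulas, as ``nova`` does above, is what makes the set of formula code on the master reproducible; an unversioned entry picks up whatever the package repository serves at run time.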
Clone master branch of keystone formula as local feature branch

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: git@github.com:openstack/salt-formula-keystone.git
                revision: master
                branch: feature

Salt master with specified formula refs (for example for Gerrit review)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: https://git.openstack.org/openstack/salt-formula-keystone
                revision: refs/changes/56/123456/1

Salt master with logging handlers

.. code-block:: yaml

    salt:
      master:
        enabled: true
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
      minion:
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
          handler02:
            engine: zmq
            bind:
              host: 127.0.0.1
              port: 9999

Salt engine definition for saltgraph metadata collector

.. code-block:: yaml

    salt:
      master:
        engine:
          graph_metadata:
            engine: saltgraph
            host: 127.0.0.1
            port: 5432
            user: salt
            password: salt
            database: salt

Salt engine definition for Architect service

.. code-block:: yaml

    salt:
      master:
        engine:
          architect:
            engine: architect
            project: project-name
            host: architect-api
            port: 8181
            username: salt
            password: password

Salt engine definition for sending events from docker events

.. code-block:: yaml

    salt:
      master:
        engine:
          docker_events:
            docker_url: unix://var/run/docker.sock

Salt master peer setup for remote certificate signing

.. code-block:: yaml

    salt:
      master:
        peer:
          ".*":
          - x509.sign_remote_certificate

Salt matches the keys of ``peer`` as regular expressions against the id of the
minion making the publish call, and the listed values against the function
name, so ``".*"`` lets every minion request a certificate signature from every
other minion. Once the setup works, restrict the key to the minions that
legitimately request certificates.
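As an added example (written for this README, not Salt's or the formula's own code), the check below evaluates a ``peer`` configuration with the rules the master applies: keys and values are regular expressions tried with ``re.match``, which anchors only at the start of the string. It compares the open ``".*"`` configuration above with a tightened one; the ``nodeNN.example.com`` naming pattern, the sample requests and the function name ``x509.sign_remote_certificate_extra`` are assumptions made to show the difference.

```python
import re

# Evaluates a salt ``peer`` configuration with the matching rules the master
# applies: each key is a regular expression tried with re.match (anchored at
# the start only) against the id of the minion that calls publish.publish,
# and each value is a regular expression tried the same way against the
# function the caller asks other minions to run. Example code written for
# this README, not Salt's or the formula's own implementation.


def peer_allowed(peer_cfg, caller_id, fun):
    """True if ``caller_id`` may publish ``fun`` to other minions."""
    for id_pattern, fun_patterns in peer_cfg.items():
        if not re.match(id_pattern, caller_id):
            continue
        if any(re.match(p, fun) for p in fun_patterns):
            return True
    return False


def audit_peer(peer_cfg, requests):
    """Return the (caller_id, fun) pairs from ``requests`` that ``peer_cfg`` admits."""
    return [(c, f) for c, f in requests if peer_allowed(peer_cfg, c, f)]


# The README's configuration: ".*" matches every minion id.
PEER_OPEN = {".*": ["x509.sign_remote_certificate"]}

# Tightened variant (naming pattern is an assumption for the example): only
# minions named nodeNN.example.com, and only exactly that function. Both
# regexes are anchored with ^ and $ because re.match alone does not anchor
# the end, and dots are escaped so they do not act as wildcards.
PEER_TIGHT = {r"^node\d+\.example\.com$": [r"^x509\.sign_remote_certificate$"]}

# Constructed sample of publish requests a master might see; the
# "_extra" function does not exist and only shows the prefix-match pitfall.
SAMPLE_REQUESTS = [
    ("node1.example.com", "x509.sign_remote_certificate"),
    ("node1.example.com.attacker.net", "x509.sign_remote_certificate"),
    ("cfg01", "x509.sign_remote_certificate"),
    ("node1.example.com", "x509.sign_remote_certificate_extra"),
    ("node1.example.com", "cmd.run"),
]

if __name__ == "__main__":
    for name, cfg in (("open", PEER_OPEN), ("tight", PEER_TIGHT)):
        print(name, audit_peer(cfg, SAMPLE_REQUESTS))
```

Run against the sample requests, the open configuration admits the first four (including the caller whose id merely starts with an allowed name, and the function that merely starts with the allowed name), while the tightened one admits only the first.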
Salt master backup configuration

.. code-block:: yaml

    salt:
      master:
        backup: true
        initial_data:
          engine: backupninja
          home_dir: remote-backup-home-dir
          source: backup-node-host
          host: original-salt-master-id

Configure verbosity of state output (used for the ``salt`` command)

.. code-block:: yaml

    salt:
      master:
        state_output: changes

Pass pillar render errors to the minion log

.. note:: When set to ``False`` this option is great for debugging.
   However, it is not recommended for any production environment, as the
   error output may contain templating data such as passwords that the minion
   should not expose.

.. code-block:: yaml

    salt:
      master:
        pillar_safe_render_error: False

Event/Reactor Systems
~~~~~~~~~~~~~~~~~~~~~

Salt synchronises node pillar and modules after start

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/*/start:
          - salt://salt/reactor/node_start.sls

Trigger basic node install

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/install:
          - salt://salt/reactor/node_install.sls

Sample event to trigger the node installation

.. code-block:: bash

    salt-call event.send 'salt/minion/install'

Run any defined orchestration pipeline

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/orchestrate/start:
          - salt://salt/reactor/orchestrate_start.sls

Event to trigger the orchestration pipeline

.. code-block:: bash

    salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"

Synchronise modules and pillars on minion start

.. code-block:: yaml

    salt:
      master:
        reactor:
          'salt/minion/*/start':
          - salt://salt/reactor/minion_start.sls

Add and/or remove the minion key

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/key/create:
          - salt://salt/reactor/key_create.sls
          salt/key/remove:
          - salt://salt/reactor/key_remove.sls

Event to trigger the key creation

.. code-block:: bash

    salt-call event.send 'salt/key/create' \
      "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"

.. note::
   You can pass additional ``orch_pre_create``, ``orch_post_create``,
   ``orch_pre_remove`` or ``orch_post_remove`` parameters with the event to
   call extra orchestrate files. This is useful, for example, for registering
   or unregistering nodes with monitoring alarms or dashboards.
   The key creation event must be sent from a machine other than the one
   being registered.

Event to trigger the key removal

.. code-block:: bash

    salt-call event.send 'salt/key/remove'
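The reactor entries above pair an event tag pattern with the SLS files to run, and the ``salt/key/create`` payload carries the minion id and address that ``key_create.sls`` will act on. The added example below (written for this README; it is not the formula's reactor code) reproduces the tag matching Salt's reactor performs with ``fnmatch`` globbing and adds the payload validation a practitioner would want in front of an event that creates keys: the ``node_id`` must be a plain file name, since the accepted key is stored as a file named after the minion id, ``node_host`` must parse as an IP address, and the optional orchestrate names must be dotted module paths. The key directory path is Salt's default location and the validation rules are this example's own assumptions.

```python
import fnmatch
import ipaddress
import os.path
import re

# Reactor tag matching and payload checks for the salt/key/create flow.
# Salt's reactor matches an event tag against each configured key with
# fnmatch-style globbing; the payload checks are this example's own, and the
# key directory is Salt's default location, assumed here. Not the formula's
# own reactor code.

# Reactor mapping as configured in the README above (tag glob -> SLS files).
REACTOR = {
    "salt/minion/*/start": ["salt://salt/reactor/node_start.sls"],
    "salt/minion/install": ["salt://salt/reactor/node_install.sls"],
    "salt/orchestrate/start": ["salt://salt/reactor/orchestrate_start.sls"],
    "salt/key/create": ["salt://salt/reactor/key_create.sls"],
    "salt/key/remove": ["salt://salt/reactor/key_remove.sls"],
}

PKI_MINIONS_DIR = "/etc/salt/pki/master/minions"  # accepted keys: one file per minion id
ORCH_NAME = re.compile(r"^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*$")  # e.g. kubernetes.orchestrate.compute_install


def reactions_for(reactor_cfg, tag):
    """SLS files the reactor would run for ``tag`` (glob match, as Salt does)."""
    sls = []
    for pattern, files in reactor_cfg.items():
        if fnmatch.fnmatch(tag, pattern):
            sls.extend(files)
    return sls


def valid_minion_id(node_id, pki_dir=PKI_MINIONS_DIR):
    """Reject ids that are not a plain file name inside the key directory.

    The accepted key is written to <pki_dir>/<id>, so an id containing a path
    separator or '..' would place a key file outside that directory.
    """
    if not isinstance(node_id, str) or node_id in ("", ".", ".."):
        return False
    if "/" in node_id or "\\" in node_id or any(ch.isspace() for ch in node_id):
        return False
    target = os.path.normpath(os.path.join(pki_dir, node_id))
    return os.path.dirname(target) == os.path.normpath(pki_dir)


def validate_key_create(data):
    """Check a salt/key/create payload before key_create.sls acts on it.

    Returns (ok, reason).
    """
    if not valid_minion_id(data.get("node_id")):
        return False, "node_id is not a safe minion id"
    try:
        ipaddress.ip_address(str(data.get("node_host", "")))
    except ValueError:
        return False, "node_host is not an IP address"
    for key in ("orch_pre_create", "orch_post_create"):
        if key in data and not ORCH_NAME.match(str(data[key])):
            return False, f"{key} is not a dotted orchestrate name"
    return True, "ok"


# Constructed payload: the one the README's salt-call example sends.
SAMPLE_EVENT = {
    "node_id": "id-of-minion",
    "node_host": "172.16.10.100",
    "orch_post_create": "kubernetes.orchestrate.compute_install",
    "post_create_pillar": {"node_name": "id-of-minion"},
}

if __name__ == "__main__":
    print(reactions_for(REACTOR, "salt/key/create"), validate_key_create(SAMPLE_EVENT))
```

Note that ``fnmatch`` does not treat ``/`` specially, so ``salt/minion/*/start`` also matches a tag with several path components between ``minion`` and ``start``; keep that in mind when choosing tag names for custom events.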
Jinja options
-------------

Use the following options to update the default Jinja renderer options. Salt
recognizes Jinja options for templates and for sls files separately.
For the full list of options check the Jinja documentation:
http://jinja.pocoo.org/docs/api/#high-level-api.

.. code-block:: yaml

    salt:
      renderer:
        # for templates
        jinja: &jinja_env
          # Default Jinja environment options
          block_start_string: '{%'
          block_end_string: '%}'
          variable_start_string: '{{'
          variable_end_string: '}}'
          comment_start_string: '{#'
          comment_end_string: '#}'
          keep_trailing_newline: False
          newline_sequence: '\n'
          # Next two are enabled by default in Salt
          trim_blocks: True
          lstrip_blocks: True
          # Next two are not enabled by default in Salt
          # but worth considering for salt-formulas in future
          line_statement_prefix: '%'
          line_comment_prefix: '##'
        # for .sls state files
        jinja_sls: *jinja_env

With the ``line_statement_prefix`` and ``line_comment_prefix`` options enabled, the following statements are valid:

.. code-block:: jinja

    %- set myvar = 'one'
    ## You can mix even with '{%'
    {%- set myvar = 'two' %} ## comment
    %- set mylist = ['one', 'two', 'three'] ## comment
    ## comment
    %- for item in mylist: ## comment
    {{- item }}
    %- endfor
Encrypted pillars
~~~~~~~~~~~~~~~~~

.. note:: NACL and the configuration below are available in Salt > 2017.7.

External resources:

- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html

Configure the salt NACL module:

.. code-block:: shell

    pip install --upgrade libnacl===1.5.2
    salt-call --local nacl.keygen /etc/salt/pki/master/nacl

    local:
        saved sk_file:/etc/salt/pki/master/nacl pk_file: /etc/salt/pki/master/nacl.pub

.. code-block:: yaml

    salt:
      master:
        pillar:
          reclass: *reclass  # alias to the reclass ext_pillar definition (see the reclass example above)
          nacl:
            index: 99
        nacl:
          box_type: sealedbox
          sk_file: /etc/salt/pki/master/nacl
          pk_file: /etc/salt/pki/master/nacl.pub
          #sk: None
          #pk: None

Keep ``sk_file`` readable only by the user the master runs as: anyone who can
read it can decrypt every ``NACL[...]`` value in pillar.

Encrypt secrets with NACL:

.. code-block:: shell

    salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
    hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q

    # or
    salt-run nacl.enc 'myotherpass'
    ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=

NACL encrypted values in pillar:

Use the boxed syntax ``NACL[CryptedValue=]`` to mark an encrypted value in pillar:

.. code-block:: yaml

    my_pillar:
      my_nacl:
        key0: unencrypted_value
        key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]

NACL for large files:

.. code-block:: shell

    salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
    # or more advanced
    cert=$(cat /tmp/cert.crt)
    salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl

NACL within template/native pillars:

.. code-block:: jinja

    pillarexample:
      user: root
      password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
      cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
      cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
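The boxed ``NACL[...]`` syntax makes it possible to tell, from the pillar data alone, which values are protected. The added example below (written for this README; it is not part of the formula or of salt's ``nacl`` module) parses the boxed form, checking that the payload is valid base64, and walks a rendered pillar tree to report secret-looking keys that still hold clear text, which is the check to run before pillar data is committed. The list of key names treated as secrets is a heuristic assumed for the example, and the sample pillar is constructed from the README's own snippets.

```python
import base64
import re

# Checks for the boxed ``NACL[...]`` syntax in rendered pillar data: whether a
# value is a well-formed NACL box, and which secret-looking keys still hold
# clear text. Example code written for this README, not part of the formula
# or of salt's nacl module; the key-name heuristic is an assumption.

NACL_BOXED = re.compile(r"^NACL\[([A-Za-z0-9+/=]+)\]$")
# Key names that should only ever carry encrypted values (heuristic).
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|token|private_key|api_key)", re.IGNORECASE)


def is_nacl_boxed(value):
    """True if ``value`` is NACL[<base64 ciphertext>] with valid base64 inside."""
    if not isinstance(value, str):
        return False
    match = NACL_BOXED.match(value)
    if not match:
        return False
    try:
        base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad characters or padding
        return False
    return True


def find_plaintext_secrets(pillar, path=()):
    """Dotted paths of secret-looking keys whose value is not a NACL box."""
    findings = []
    if isinstance(pillar, dict):
        for key, value in pillar.items():
            sub = path + (str(key),)
            if isinstance(value, (dict, list)):
                findings.extend(find_plaintext_secrets(value, sub))
            elif SECRET_KEY.search(str(key)) and not is_nacl_boxed(value):
                findings.append(".".join(sub))
    elif isinstance(pillar, list):
        for index, item in enumerate(pillar):
            findings.extend(find_plaintext_secrets(item, path + (str(index),)))
    return findings


# Constructed pillar built from the README's snippets: the boxed example
# value, the Architect backend password (boxed here with the second sample
# ciphertext) and the proxy device credentials in clear text.
SAMPLE_PILLAR = {
    "my_pillar": {
        "my_nacl": {
            "key0": "unencrypted_value",
            "key1": "NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]",
        }
    },
    "salt": {"master": {"pillar": {
        "engine": "architect", "username": "salt",
        "password": "NACL[ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=]",
    }}},
    "proxy": {"proxytype": "napalm", "driver": "ios", "host": "csr1000v.mydomain.local",
              "username": "root", "passwd": "r00tme"},
}

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_PILLAR))
```

On the sample pillar the walker reports ``proxy.passwd`` only; the ``key0`` value is not flagged because its key name does not look like a secret, which is the limit of a name-based heuristic.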
Salt Syndic
-----------

The master of masters

.. code-block:: yaml

    salt:
      master:
        enabled: true
        order_masters: True

Lower syndicated master

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        master:
          host: master-of-master-host
        timeout: 5

Syndicated master with multiple masters of masters

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        masters:
        - host: master-of-master-host1
        - host: master-of-master-host2
        timeout: 5

Salt Minion
-----------

Simplest Salt minion setup with central configuration node

.. literalinclude:: tests/pillar/minion_master.sls
    :language: yaml

Multi-master Salt minion setup

.. literalinclude:: tests/pillar/minion_multi_master.sls
    :language: yaml

Salt minion with salt mine options

.. literalinclude:: tests/pillar/minion_mine.sls
    :language: yaml

Salt minion with graphing dependencies

.. literalinclude:: tests/pillar/minion_graph.sls
    :language: yaml

Salt minion behind HTTP proxy

.. code-block:: yaml

    salt:
      minion:
        proxy:
          host: 127.0.0.1
          port: 3128

Salt minion with a non-default HTTP backend. The default ``tornado`` backend
does not respect HTTP proxy settings set as environment variables, so this is
useful when you need to set ``no_proxy`` lists.

.. code-block:: yaml

    salt:
      minion:
        backend: urllib2

Salt minion with PKI certificate authority (CA)

.. literalinclude:: tests/pillar/minion_pki_ca.sls
    :language: yaml

Salt minion using PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
    :language: yaml

Salt minion trusting CA certificates issued by the salt CA on a specific host (i.e. the salt-master node)

.. code-block:: yaml

    salt:
      minion:
        trusted_ca_minions:
        - cfg01

Salt Minion Proxy
~~~~~~~~~~~~~~~~~

Salt proxy pillar

.. code-block:: yaml

    salt:
      minion:
        proxy_minion:
          master: localhost
          device:
            vsrx01.mydomain.local:
              enabled: true
              engine: napalm
            csr1000v.mydomain.local:
              enabled: true
              engine: napalm

.. note:: This is the pillar of the real salt-minion that runs the proxy processes.

Proxy pillar for IOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: ios
      host: csr1000v.mydomain.local
      username: root
      passwd: r00tme

.. note:: This is the pillar of the device that cannot run salt-minion itself.

Proxy pillar for JunOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: junos
      host: vsrx01.mydomain.local
      username: root
      passwd: r00tme
      optional_args:
        config_format: set

.. note:: This is the pillar of the device that cannot run salt-minion itself.
   The device credentials (``username``, ``passwd``) are ordinary pillar data;
   store ``passwd`` as a ``NACL[...]`` value as described under Encrypted
   pillars rather than in clear text.

Salt SSH
~~~~~~~~

Salt SSH with sudoer using key

.. literalinclude:: tests/pillar/master_ssh_minion_key.sls
    :language: yaml

Salt SSH with sudoer using password

.. literalinclude:: tests/pillar/master_ssh_minion_password.sls
    :language: yaml

Salt SSH with root using password

.. literalinclude:: tests/pillar/master_ssh_minion_root.sls
    :language: yaml
Salt control (cloud/kvm/docker)
-------------------------------

Salt cloud with local OpenStack provider

.. literalinclude:: tests/pillar/control_cloud_openstack.sls
    :language: yaml

Salt cloud with Digital Ocean provider

.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
    :language: yaml

Salt virt with KVM cluster

.. literalinclude:: tests/pillar/control_virt.sls
    :language: yaml

Salt virt with custom destination for image file

.. literalinclude:: tests/pillar/control_virt_custom.sls
    :language: yaml

Usage
=====

Working with salt-cloud

.. code-block:: bash

    salt-cloud -m /path/to/map --assume-yes

Debug LIBCLOUD for the salt-cloud connection

.. code-block:: bash

    export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all

References
==========

* http://salt.readthedocs.org/en/latest/
* https://github.com/DanielBryan/salt-state-graph
* http://karlgrz.com/testing-salt-states-rapidly-with-docker/
* https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
* http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
* https://github.com/saltstack-formulas/salt-formula
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

salt-cloud
----------

* http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
* http://cloudinit.readthedocs.org/en/latest/topics/examples.html
* http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
* http://docs.saltstack.com/topics/cloud/digitalocean.html
* http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
* http://salt-cloud.readthedocs.org/en/latest/topics/map.html
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for a specific salt
formula:

    https://github.com/salt-formulas/salt-formula-salt/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-salt

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net