New version of salt-formula from Saltstack
============
Salt Formula
============

Salt is a new approach to infrastructure management. Easy enough to get
running in minutes, scalable enough to manage tens of thousands of servers,
and fast enough to communicate with them in seconds.

Salt delivers a dynamic communication bus for infrastructures that can be used
for orchestration, remote execution, configuration management and much more.

Sample Metadata
===============

Salt Master
-----------

Salt master with base formulas and pillar metadata backend

.. literalinclude:: tests/pillar/master_single_pillar.sls
   :language: yaml

Salt master with reclass ENC metadata backend

.. literalinclude:: tests/pillar/master_single_reclass.sls
   :language: yaml

Salt master with Architect ENC metadata backend

.. code-block:: yaml

    salt:
      master:
        enabled: true
        pillar:
          engine: architect
          project: project-name
          host: architect-api
          port: 8181
          username: salt
          password: password

Salt master with multiple ext_pillars

.. literalinclude:: tests/pillar/master_single_extpillars.sls
   :language: yaml

Salt master with API

.. literalinclude:: tests/pillar/master_api.sls
   :language: yaml

Salt master with defined user ACLs

.. literalinclude:: tests/pillar/master_acl.sls
   :language: yaml

Salt master with preset minions

.. code-block:: yaml

    salt:
      master:
        enabled: true
        minions:
        - name: 'node1.system.location.domain.com'

Salt master with pip based installation (optional)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        source:
          engine: pip
          version: 2016.3.0rc2

Install formula through system package management

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          prd:
            formula:
              keystone:
                source: pkg
                name: salt-formula-keystone
              nova:
                source: pkg
                name: salt-formula-nova
                version: 0.1+0~20160818133412.24~1.gbp6e1ebb
              postgresql:
                source: pkg
                name: salt-formula-postgresql
                version: purged

The keystone formula, which carries no ``version`` attribute, is installed at
the latest available version; all formulas without a version are installed
together in a single call to the aptpkg module. For formulas that do carry a
``version`` attribute, the sls iterates over them one by one and either installs
the requested version or removes the package. The ``version`` attribute accepts
the values ``[latest|purged|removed|<VERSION>]``.
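The install logic just described, as an added example that is not part of the salt-formula-salt project: the pillar fragment is constructed (the ``cinder`` git entry is added to show non-package sources are skipped), and the function only plans the actions rather than calling aptpkg.

```python
# Added example (not from the salt-formula-salt project): reproduces the
# install logic for the ``environment:<env>:formula`` pillar. Formulas with no
# ``version`` are collected into one batch for a single aptpkg call; formulas
# with a ``version`` are handled one by one.
LATEST, PURGED, REMOVED = "latest", "purged", "removed"

# Constructed pillar fragment (same shape as the ``prd`` environment above);
# the cinder entry is a git-sourced formula, added to show it is skipped.
SAMPLE_FORMULAS = {
    "keystone": {"source": "pkg", "name": "salt-formula-keystone"},
    "nova": {
        "source": "pkg",
        "name": "salt-formula-nova",
        "version": "0.1+0~20160818133412.24~1.gbp6e1ebb",
    },
    "postgresql": {
        "source": "pkg",
        "name": "salt-formula-postgresql",
        "version": "purged",
    },
    "cinder": {"source": "git", "address": "git@example.com:formulas/cinder.git"},
}


def plan_pkg_actions(formulas):
    """Return (batch, actions) for the package-sourced formulas.

    batch   -- package names with no ``version``: installed together in one
               aptpkg call at whatever version the repository currently ships
    actions -- (package, action, version) tuples for formulas that carry a
               ``version``: ``latest`` or ``<VERSION>`` become an install,
               ``purged`` or ``removed`` become a removal of that kind
    """
    batch, actions = [], []
    for fname, spec in sorted(formulas.items()):
        if spec.get("source") != "pkg":
            continue  # git/pip sources are not package actions
        pkg = spec.get("name", "salt-formula-" + fname)
        version = spec.get("version")
        if version is None:
            batch.append(pkg)
        elif version in (PURGED, REMOVED):
            actions.append((pkg, version, None))
        elif version == LATEST:
            actions.append((pkg, "install", LATEST))
        else:
            # Pinned version: keep the exact string (e.g. a Debian revision)
            actions.append((pkg, "install", version))
    return batch, actions


if __name__ == "__main__":
    batch, actions = plan_pkg_actions(SAMPLE_FORMULAS)
    print("batch install:", batch)
    for pkg, action, version in actions:
        print("%s: %s %s" % (pkg, action, version or ""))
```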
Clone master branch of keystone formula as local feature branch

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: git@github.com:openstack/salt-formula-keystone.git
                revision: master
                branch: feature

Salt master with specified formula refs (for example for Gerrit review)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: https://git.openstack.org/openstack/salt-formula-keystone
                revision: refs/changes/56/123456/1

Salt master logging configuration

.. code-block:: yaml

    salt:
      master:
        enabled: true
        log:
          level: warning
          file: '/var/log/salt/master'
          level_logfile: warning

Salt minion logging configuration

.. code-block:: yaml

    salt:
      minion:
        enabled: true
        log:
          level: info
          file: '/var/log/salt/minion'
          level_logfile: warning

Salt master with logging handlers

.. code-block:: yaml

    salt:
      master:
        enabled: true
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
      minion:
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
          handler02:
            engine: zmq
            bind:
              host: 127.0.0.1
              port: 9999

Salt engine definition for saltgraph metadata collector

.. code-block:: yaml

    salt:
      master:
        engine:
          graph_metadata:
            engine: saltgraph
            host: 127.0.0.1
            port: 5432
            user: salt
            password: salt
            database: salt

Salt engine definition for Architect service

.. code-block:: yaml

    salt:
      master:
        engine:
          architect:
            engine: architect
            project: project-name
            host: architect-api
            port: 8181
            username: salt
            password: password

Salt engine definition for sending events from docker events

.. code-block:: yaml

    salt:
      master:
        engine:
          docker_events:
            docker_url: unix://var/run/docker.sock

Salt master peer setup for remote certificate signing

.. code-block:: yaml

    salt:
      master:
        peer:
          ".*":
          - x509.sign_remote_certificate

Salt master backup configuration

.. code-block:: yaml

    salt:
      master:
        backup: true
        initial_data:
          engine: backupninja
          home_dir: remote-backup-home-dir
          source: backup-node-host
          host: original-salt-master-id

Configure verbosity of state output (used for the ``salt`` command)

.. code-block:: yaml

    salt:
      master:
        state_output: changes

Pass pillar render error to minion log

.. note:: When set to ``False`` this option is useful for debugging.
   However, it is not recommended for any production environment, as the
   rendered error may contain templating data such as passwords that the
   minion should not expose.

.. code-block:: yaml

    salt:
      master:
        pillar_safe_render_error: False

Enable Windows repo support

.. code-block:: yaml

    salt:
      master:
        win_repo:
          source: git
          address: https://github.com/saltstack/salt-winrepo-ng
          revision: master

Event/Reactor Systems
~~~~~~~~~~~~~~~~~~~~~

Salt synchronise node pillar and modules after start

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/*/start:
          - salt://salt/reactor/node_start.sls

Trigger basic node install

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/install:
          - salt://salt/reactor/node_install.sls

Sample event to trigger the node installation

.. code-block:: bash

    salt-call event.send 'salt/minion/install'

Run any defined orchestration pipeline

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/orchestrate/start:
          - salt://salt/reactor/orchestrate_start.sls

Event to trigger the orchestration pipeline

.. code-block:: bash

    salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"

Synchronise modules and pillars on minion start.

.. code-block:: yaml

    salt:
      master:
        reactor:
          'salt/minion/*/start':
          - salt://salt/reactor/minion_start.sls

Add and/or remove the minion key

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/key/create:
          - salt://salt/reactor/key_create.sls
          salt/key/remove:
          - salt://salt/reactor/key_remove.sls

Event to trigger the key creation

.. code-block:: bash

    salt-call event.send 'salt/key/create' \
    > "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"

.. note::

   You can pass additional ``orch_pre_create``, ``orch_post_create``,
   ``orch_pre_remove`` or ``orch_post_remove`` parameters to the event to call
   extra orchestrate files. This can be useful, for example, for
   registering/unregistering nodes with monitoring alarms or dashboards.
   The key creation event needs to be run from a machine other than the one
   being registered.

Event to trigger the key removal

.. code-block:: bash

    salt-call event.send 'salt/key/remove'

Control VM provisioning

.. code-block:: yaml

    virt:
      disk:
        three_disks:
        - system:
            size: 4096
            image: ubuntu.qcow
        - repository_snapshot:
            size: 8192
            image: snapshot.qcow
        - cinder-volume:
            size: 2048
      nic:
        control:
        - name: nic01
          bridge: br-pxe
          model: virtio
        - name: nic02
          bridge: br-cp
          model: virtio
        - name: nic03
          bridge: br-store-front
          model: virtio
        - name: nic04
          bridge: br-public
          model: virtio
        - name: nic05
          bridge: br-prv
          model: virtio
          virtualport:
            type: openvswitch

    salt:
      control:
        enabled: true
        virt_enabled: true
        size:
          medium_three_disks:
            cpu: 2
            ram: 4
            disk_profile: three_disks
        cluster:
          mycluster:
            domain: neco.virt.domain.com
            engine: virt
            # Option to set rng globally
            rng: false
            node:
              ubuntu1:
                provider: node01.domain.com
                image: ubuntu.qcow
                size: medium
                img_dest: /var/lib/libvirt/ssdimages
                # An rng defined on the node has higher priority than the global one
                rng:
                  backend: /dev/urandom
                  model: random
                  rate:
                    period: '1800'
                    bytes: '1500'
                mac:
                  nic01: AC:DE:48:AA:AA:AA
                  nic02: AC:DE:48:AA:AA:BB

To enable the Redis plugin for the Salt caching subsystem, use the pillar
structure below.

.. code-block:: yaml

    salt:
      master:
        cache:
          plugin: redis
          host: localhost
          port: 6379
          db: '0'
          password: pass_word
          bank_prefix: 'MCP'
          bank_keys_prefix: 'MCPKEY'
          key_prefix: 'KEY'
          separator: '@'
Jinja options
-------------

Use the following options to update the default Jinja renderer options. Salt
recognises separate Jinja options for templates and for sls files.
For the full list of options check the Jinja documentation:
http://jinja.pocoo.org/docs/api/#high-level-api.

.. code-block:: yaml

    salt:
      renderer:
        # for templates
        jinja: &jinja_env
          # Default Jinja environment options
          block_start_string: '{%'
          block_end_string: '%}'
          variable_start_string: '{{'
          variable_end_string: '}}'
          comment_start_string: '{#'
          comment_end_string: '#}'
          keep_trailing_newline: False
          newline_sequence: '\n'
          # Next two are enabled by default in Salt
          trim_blocks: True
          lstrip_blocks: True
          # Next two are not enabled by default in Salt
          # but are worth considering for salt-formulas in future
          line_statement_prefix: '%'
          line_comment_prefix: '##'
        # for .sls state files
        jinja_sls: *jinja_env

With the ``line_statement_prefix`` and ``line_comment_prefix`` options enabled,
the following statements are valid:

.. code-block:: jinja

    %- set myvar = 'one'
    ## You can mix even with '{%'
    {%- set myvar = 'two' %} ## comment
    %- set mylist = ['one', 'two', 'three'] ## comment
    ## comment
    %- for item in mylist: ## comment
    {{- item }}
    %- endfor
Encrypted pillars
~~~~~~~~~~~~~~~~~

Note: NACL and the configuration below will be available in Salt > 2017.7.

External resources:

- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html

Configure the salt NACL module:

.. code-block:: shell

    pip install --upgrade libnacl===1.5.2
    salt-call --local nacl.keygen /etc/salt/pki/master/nacl

    local:
      saved sk_file:/etc/salt/pki/master/nacl pk_file: /etc/salt/pki/master/nacl.pub

.. code-block:: yaml

    salt:
      master:
        pillar:
          reclass: *reclass
          nacl:
            index: 99
        nacl:
          box_type: sealedbox
          sk_file: /etc/salt/pki/master/nacl
          pk_file: /etc/salt/pki/master/nacl.pub
          #sk: None
          #pk: None

NACL encrypt secrets:

.. code-block:: shell

    salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
    hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q
    # or
    salt-run nacl.enc 'myotherpass'
    ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=

NACL encrypted values on pillar:

Use the boxed syntax ``NACL[CryptedValue=]`` to encode a value on pillar:

.. code-block:: yaml

    my_pillar:
      my_nacl:
        key0: unencrypted_value
        key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]

NACL large files:

.. code-block:: shell

    salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
    # or more advanced
    cert=$(cat /tmp/cert.crt)
    salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl

NACL within template/native pillars:

.. code-block:: jinja

    pillarexample:
      user: root
      password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
      cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
      cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
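A walker for the ``NACL[...]`` boxed syntax above, added here as an example that is not part of the salt-formula-salt project or of Salt's nacl module: it decrypts boxed leaves through a pluggable decryptor and, from a reviewer's point of view, reports boxes whose payload is not valid base64 and unboxed values under secret-looking keys. The pillar tree is constructed, and ``fake_dec`` is a stand-in for ``salt.nacl.dec`` so the block runs without libnacl or a key pair.

```python
# Added example (not from salt-formula-salt or Salt's nacl module): walks a
# pillar tree, decrypts every NACL[<base64>] boxed value through ``dec`` and
# reports malformed boxes and plaintext values under secret-looking keys.
import base64
import binascii
import re

NACL_BOXED = re.compile(r"^NACL\[(?P<payload>[A-Za-z0-9+/=]+)\]$")
SECRET_KEY_HINT = re.compile(r"pass(word|wd)?|secret|token|key", re.IGNORECASE)

# Constructed pillar: key1 reuses the ciphertext shown above, db:password is a
# deliberately malformed box and key0 is plaintext under a secret-like key.
SAMPLE_PILLAR = {
    "my_pillar": {
        "my_nacl": {
            "key0": "unencrypted_value",
            "key1": "NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDl"
                    "MJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]",
        },
        "db": {"user": "root", "password": "NACL[abc]"},
    }
}


def fake_dec(payload):
    """Stand-in for salt.nacl.dec: only proves the payload was handed over."""
    return "<%d ciphertext bytes>" % len(base64.b64decode(payload))


def render_nacl(tree, dec, path=()):
    """Return (rendered_tree, findings).

    Findings are (kind, pillar_path) tuples: ``malformed`` for a box whose
    payload is not valid base64 (left untouched) and ``plaintext-secret`` for
    an unboxed string under a key that looks like it holds a secret.
    """
    findings = []
    if isinstance(tree, dict):
        out = {}
        for key, value in tree.items():
            out[key], sub = render_nacl(value, dec, path + (str(key),))
            findings.extend(sub)
        return out, findings
    if isinstance(tree, list):
        out = []
        for idx, value in enumerate(tree):
            item, sub = render_nacl(value, dec, path + (str(idx),))
            out.append(item)
            findings.extend(sub)
        return out, findings
    if isinstance(tree, str):
        where = ":".join(path)
        match = NACL_BOXED.match(tree)
        if match:
            try:
                base64.b64decode(match.group("payload"), validate=True)
            except (binascii.Error, ValueError):
                findings.append(("malformed", where))
                return tree, findings
            return dec(match.group("payload")), findings
        if path and SECRET_KEY_HINT.search(path[-1]):
            findings.append(("plaintext-secret", where))
    return tree, findings


def scan_sample():
    """Render the constructed pillar with the stand-in decryptor."""
    return render_nacl(SAMPLE_PILLAR, fake_dec)
```

Replacing ``fake_dec`` with the real decryptor gives the same tree a renderer would see, while the findings list is what to check before such a pillar leaves review.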
Salt Syndic
-----------

The master of masters

.. code-block:: yaml

    salt:
      master:
        enabled: true
        order_masters: True

Lower syndicated master

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        master:
          host: master-of-master-host
        timeout: 5

Syndicated master with multiple masters of masters

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        masters:
        - host: master-of-master-host1
        - host: master-of-master-host2
        timeout: 5

Salt Minion
-----------

By default the minion ID introduces a dependency on the linux formula, because it
uses the FQDN built from the ``linux.system.name`` and ``linux.system.domain``
pillars. To override this, provide the exact minion ID you require. The same
applies to the master ID rendered into ``master.conf``.

.. code-block:: yaml

    salt:
      minion:
        id: minion1.production
      master:
        id: master.production

Simplest Salt minion setup with central configuration node

.. literalinclude:: tests/pillar/minion_master.sls
   :language: yaml

Multi-master Salt minion setup

.. literalinclude:: tests/pillar/minion_multi_master.sls
   :language: yaml

Salt minion with salt mine options

.. literalinclude:: tests/pillar/minion_mine.sls
   :language: yaml

Salt minion with graphing dependencies

.. literalinclude:: tests/pillar/minion_graph.sls
   :language: yaml

Salt minion behind HTTP proxy

.. code-block:: yaml

    salt:
      minion:
        proxy:
          host: 127.0.0.1
          port: 3128

Salt minion with a non-default HTTP backend. The default tornado backend
does not respect HTTP proxy settings set as environment variables, so this is
useful where you need to set no_proxy lists.

.. code-block:: yaml

    salt:
      minion:
        backend: urllib2

Salt minion with PKI certificate authority (CA)

.. literalinclude:: tests/pillar/minion_pki_ca.sls
   :language: yaml

Salt minion using PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
   :language: yaml

Salt minion trusting CA certificates issued by the salt CA on a specific host (i.e. the salt-master node)

.. code-block:: yaml

    salt:
      minion:
        trusted_ca_minions:
        - cfg01

Salt Minion Proxy
~~~~~~~~~~~~~~~~~

Salt proxy pillar

.. code-block:: yaml

    salt:
      minion:
        proxy_minion:
          master: localhost
          device:
            vsrx01.mydomain.local:
              enabled: true
              engine: napalm
            csr1000v.mydomain.local:
              enabled: true
              engine: napalm

.. note:: This is the pillar of the real salt-minion.

Proxy pillar for IOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: ios
      host: csr1000v.mydomain.local
      username: root
      passwd: r00tme

.. note:: This is the pillar of the node that is not able to run salt-minion itself.

Proxy pillar for JunOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: junos
      host: vsrx01.mydomain.local
      username: root
      passwd: r00tme
      optional_args:
        config_format: set

.. note:: This is the pillar of the node that is not able to run salt-minion itself.

Salt SSH
~~~~~~~~

Salt SSH with sudoer using key

.. literalinclude:: tests/pillar/master_ssh_minion_key.sls
   :language: yaml

Salt SSH with sudoer using password

.. literalinclude:: tests/pillar/master_ssh_minion_password.sls
   :language: yaml

Salt SSH with root using password

.. literalinclude:: tests/pillar/master_ssh_minion_root.sls
   :language: yaml

Salt control (cloud/kvm/docker)
-------------------------------

Salt cloud with local OpenStack provider

.. literalinclude:: tests/pillar/control_cloud_openstack.sls
   :language: yaml

Salt cloud with Digital Ocean provider

.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
   :language: yaml

Salt virt with KVM cluster

.. literalinclude:: tests/pillar/control_virt.sls
   :language: yaml

Salt virt with custom destination for image file

.. literalinclude:: tests/pillar/control_virt_custom.sls
   :language: yaml

Usage
=====

Working with salt-cloud

.. code-block:: bash

    salt-cloud -m /path/to/map --assume-yes

Debug LIBCLOUD for salt-cloud connection

.. code-block:: bash

    export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all

References
==========

* http://salt.readthedocs.org/en/latest/
* https://github.com/DanielBryan/salt-state-graph
* http://karlgrz.com/testing-salt-states-rapidly-with-docker/
* https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
* http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
* https://github.com/saltstack-formulas/salt-formula
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

salt-cloud
----------

* http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
* http://cloudinit.readthedocs.org/en/latest/topics/examples.html
* http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
* http://docs.saltstack.com/topics/cloud/digitalocean.html
* http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
* http://salt-cloud.readthedocs.org/en/latest/topics/map.html

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-salt/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-salt

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net