Saltstack Official UFW Formula
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.

TOFS_pattern.rst 19KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518
  1. .. _tofs_pattern:
  2. TOFS: A pattern for using SaltStack
  3. ===================================
  4. .. list-table::
  5. :name: tofs-authors
  6. :header-rows: 1
  7. :stub-columns: 1
  8. :widths: 2,2,3,2
  9. * -
  10. - Person
  11. - Contact
  12. - Date
  13. * - Authored by
  14. - Roberto Moreda
  15. - moreda@allenta.com
  16. - 29/12/2014
  17. * - Modified by
  18. - Daniel Dehennin
  19. - daniel.dehennin@baby-gnu.org
  20. - 07/02/2019
  21. * - Modified by
  22. - Imran Iqbal
  23. - https://github.com/myii
  24. - 23/02/2019
  25. All that follows is a proposal based on my experience with `SaltStack <http://www.saltstack.com/>`_. The good thing of a piece of software like this is that you can "bend it" to suit your needs in many possible ways, and this is one of them. All the recommendations and thoughts are given "as it is" with no warranty of any type.
  26. .. contents:: **Table of Contents**
  27. Usage of values in pillar vs templates in ``file_roots``
  28. --------------------------------------------------------
  29. Among other functions, the *master* (or *salt-master*) serves files to the *minions* (or *salt-minions*). The `file_roots <http://docs.saltstack.com/en/latest/ref/file_server/file_roots.html>`_ is the list of directories used in sequence to find a file when a minion requires it: the first match is served to the minion. Those files could be `state files <http://docs.saltstack.com/en/latest/topics/tutorials/starting_states.html>`_ or configuration templates, among others.
  30. Using SaltStack is a simple and effective way to implement configuration management, but even in a `non-multitenant <http://en.wikipedia.org/wiki/Multitenancy>`_ scenario, it is not a good idea to generally access some data (e.g. the database password in our `Zabbix <http://www.zabbix.com/>`_ server configuration file or the private key of our `Nginx <http://nginx.org/en/>`_ TLS certificate).
  31. To avoid this situation we can use the `pillar mechanism <http://docs.saltstack.com/en/latest/topics/pillar/>`_, which is designed to provide controlled access to data from the minions based on some selection rules. As pillar data could be easily integrated in the `Jinja <http://docs.saltstack.com/en/latest/topics/tutorials/pillar.html>`_ templates, it is a good mechanism to store values to be used in the final rendering of state files and templates.
  32. There are a variety of approaches on the usage of pillar and templates as seen in the `saltstack-formulas <https://github.com/saltstack-formulas>`_' repositories. `Some <https://github.com/saltstack-formulas/nginx-formula/pull/18>`_ `developments <https://github.com/saltstack-formulas/php-formula/pull/14>`_ stress the initial purpose of pillar data into a storage for most of the possible variables for a determined system configuration. This, in my opinion, is shifting too much load from the original template files approach. Adding up some `non-trivial Jinja <https://github.com/saltstack-formulas/nginx-formula/blob/f74254c07e188bd448eaf1c5f9c802d78c4c005e/nginx/files/default/nginx.conf>`_ code as essential part of composing the state file definitely makes SaltStack state files (hence formulas) more difficult to read. The extreme of this approach is that we could end up with a new render mechanism, implemented in Jinja, storing everything needed in pillar data to compose configurations. Additionally, we are establishing a strong dependency with the Jinja renderer.
  33. In opposition to the *put the code in file_roots and the data in pillars* approach, there is the *pillar as a store for a set of key-values* approach. A full-blown configuration file abstracted in pillar and jinja is complicated to develop, understand and maintain. I think a better and simpler approach is to keep a configuration file templated using just a basic (non-extensive but extensible) set of pillar values.
  34. On the reusability of SaltStack state files
  35. -------------------------------------------
  36. There is a brilliant initiative of the SaltStack community called `salt-formulas <https://github.com/saltstack-formulas>`_. Their goal is to provide state files, pillar examples and configuration templates ready to be used for provisioning. I am a contributor for two small ones: `zabbix-formula <https://github.com/saltstack-formulas/zabbix-formula>`_ and `varnish-formula <https://github.com/saltstack-formulas/varnish-formula>`_.
  37. The `design guidelines <http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_ for formulas are clear in many aspects and it is a recommended reading for anyone willing to write state files, even non-formulaic ones.
  38. In the next section, I am going to describe my proposal to extend further the reusability of formulas, suggesting some patterns of usage.
  39. The Template Override and Files Switch (TOFS) pattern
  40. -----------------------------------------------------
  41. I understand a formula as a **complete, independent set of SaltStack state and configuration template files sufficient to configure a system**. A system could be something as simple as an NTP server or some other much more complex service that requires many state and configuration template files.
  42. The customization of a formula should be done mainly by providing pillar data used later to render either the state or the configuration template files.
  43. Example: NTP before applying TOFS
  44. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  45. Let's work with the NTP example. A basic formula that follows the `design guidelines <http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html>`_ has the following files and directories tree:
  46. .. code-block::
  47. /srv/saltstack/salt-formulas/ntp-saltstack-formula/
  48. ntp/
  49. map.jinja
  50. init.sls
  51. conf.sls
  52. files/
  53. default/
  54. etc/
  55. ntp.conf.jinja
  56. In order to use it, let's assume a `masterless configuration <http://docs.saltstack.com/en/latest/topics/tutorials/quickstart.html>`_ and this relevant section of ``/etc/salt/minion``:
  57. .. code-block:: yaml
  58. pillar_roots:
  59. base:
  60. - /srv/saltstack/pillar
  61. file_client: local
  62. file_roots:
  63. base:
  64. - /srv/saltstack/salt
  65. - /srv/saltstack/salt-formulas/ntp-saltstack-formula
  66. .. code-block:: jinja
  67. {#- /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/map.jinja #}
  68. {%- set ntp = salt['grains.filter_by']({
  69. 'default': {
  70. 'pkg': 'ntp',
  71. 'service': 'ntp',
  72. 'config': '/etc/ntp.conf',
  73. },
  74. }, merge=salt['pillar.get']('ntp:lookup')) %}
  75. In ``init.sls`` we have the minimal states required to have NTP configured. In many cases ``init.sls`` is almost equivalent to an ``apt-get install`` or a ``yum install`` of the package.
  76. .. code-block:: sls
  77. ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/init.sls
  78. {%- from 'ntp/map.jinja' import ntp with context %}
  79. Install NTP:
  80. pkg.installed:
  81. - name: {{ ntp.pkg }}
  82. Enable and start NTP:
  83. service.running:
  84. - name: {{ ntp.service }}
  85. - enabled: True
  86. - require:
  87. - pkg: Install NTP package
  88. In ``conf.sls`` we have the configuration states. In most cases, that is just managing configuration file templates and making them to be watched by the service.
  89. .. code-block:: sls
  90. ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls
  91. include:
  92. - ntp
  93. {%- from 'ntp/map.jinja' import ntp with context %}
  94. Configure NTP:
  95. file.managed:
  96. - name: {{ ntp.config }}
  97. - template: jinja
  98. - source: salt://ntp/files/default/etc/ntp.conf.jinja
  99. - watch_in:
  100. - service: Enable and start NTP service
  101. - require:
  102. - pkg: Install NTP package
  103. Under ``files/default``, there is a structure that mimics the one in the minion in order to avoid clashes and confusion on where to put the needed templates. There you can find a mostly standard template for the configuration file.
  104. .. code-block:: jinja
  105. {#- /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/files/default/etc/ntp.conf.jinja #}
  106. {#- Managed by saltstack #}
  107. {#- Edit pillars or override this template in saltstack if you need customization #}
  108. {%- set settings = salt['pillar.get']('ntp', {}) %}
  109. {%- set default_servers = ['0.ubuntu.pool.ntp.org',
  110. '1.ubuntu.pool.ntp.org',
  111. '2.ubuntu.pool.ntp.org',
  112. '3.ubuntu.pool.ntp.org'] %}
  113. driftfile /var/lib/ntp/ntp.drift
  114. statistics loopstats peerstats clockstats
  115. filegen loopstats file loopstats type day enable
  116. filegen peerstats file peerstats type day enable
  117. filegen clockstats file clockstats type day enable
  118. {%- for server in settings.get('servers', default_servers) %}
  119. server {{ server }}
  120. {%- endfor %}
  121. restrict -4 default kod notrap nomodify nopeer noquery
  122. restrict -6 default kod notrap nomodify nopeer noquery
  123. restrict 127.0.0.1
  124. restrict ::1
  125. With all this, it is easy to install and configure a simple NTP server by just running ``salt-call state.sls ntp.conf``: the package will be installed, the service will be running and the configuration should be correct for most of cases, even without pillar data.
  126. Alternatively, you can define a highstate in ``/srv/saltstack/salt/top.sls`` and run ``salt-call state.highstate``.
  127. .. code-block:: sls
  128. ## /srv/saltstack/salt/top.sls
  129. base:
  130. '*':
  131. - ntp.conf
  132. **Customizing the formula just with pillar data**, we have the option to define the NTP servers.
  133. .. code-block:: sls
  134. ## /srv/saltstack/pillar/top.sls
  135. base:
  136. '*':
  137. - ntp
  138. .. code-block:: sls
  139. ## /srv/saltstack/pillar/ntp.sls
  140. ntp:
  141. servers:
  142. - 0.ch.pool.ntp.org
  143. - 1.ch.pool.ntp.org
  144. - 2.ch.pool.ntp.org
  145. - 3.ch.pool.ntp.org
  146. Template Override
  147. ^^^^^^^^^^^^^^^^^
  148. If the customization based on pillar data is not enough, we can override the template by creating a new one in ``/srv/saltstack/salt/ntp/files/default/etc/ntp.conf.jinja``
  149. .. code-block:: jinja
  150. {#- /srv/saltstack/salt/ntp/files/default/etc/ntp.conf.jinja #}
  151. {#- Managed by saltstack #}
  152. {#- Edit pillars or override this template in saltstack if you need customization #}
  153. {#- Some bizarre configurations here #}
  154. {#- ... #}
  155. {%- for server in settings.get('servers', default_servers) %}
  156. server {{ server }}
  157. {%- endfor %}
  158. This way we are locally **overriding the template files** offered by the formula in order to make a more complex adaptation. Of course, this could be applied as well to any of the files, including the state files.
  159. Files Switch
  160. ^^^^^^^^^^^^
  161. To bring some order into the set of template files included in a formula, as we commented, we suggest having a similar structure to a normal final file system under ``files/default``.
  162. We can make different templates coexist for different minions, classified by any `grain <http://docs.saltstack.com/en/latest/topics/targeting/grains.html>`_ value, by simply creating new directories under ``files``. This mechanism is based on **using values of some grains as a switch for the directories under** ``files/``.
  163. If we decide that we want ``os_family`` as switch, then we could provide the formula template variants for both the ``RedHat`` and ``Debian`` families.
  164. .. code-block::
  165. /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/files/
  166. default/
  167. etc/
  168. ntp.conf.jinja
  169. RedHat/
  170. etc/
  171. ntp.conf.jinja
  172. Debian/
  173. etc/
  174. ntp.conf.jinja
  175. To make this work we need a ``conf.sls`` state file that takes a list of possible files as the configuration template.
  176. .. code-block:: sls
  177. ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls
  178. include:
  179. - ntp
  180. {%- from 'ntp/map.jinja' import ntp with context %}
  181. Configure NTP:
  182. file.managed:
  183. - name: {{ ntp.config }}
  184. - template: jinja
  185. - source:
  186. - salt://ntp/files/{{ grains.get('os_family', 'default') }}/etc/ntp.conf.jinja
  187. - salt://ntp/files/default/etc/ntp.conf.jinja
  188. - watch_in:
  189. - service: Enable and start NTP service
  190. - require:
  191. - pkg: Install NTP package
  192. If we want to cover the possibility of a special template for a minion identified by ``node01`` then we could have a specific template in ``/srv/saltstack/salt/ntp/files/node01/etc/ntp.conf.jinja``.
  193. .. code-block:: jinja
  194. {#- /srv/saltstack/salt/ntp/files/node01/etc/ntp.conf.jinja #}
  195. {#- Managed by saltstack #}
  196. {#- Edit pillars or override this template in saltstack if you need customization #}
  197. {#- Some crazy configurations here for node01 #}
  198. {#- ... #}
  199. To make this work we could write a specially crafted ``conf.sls``.
  200. .. code-block:: sls
  201. ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls
  202. include:
  203. - ntp
  204. {%- from 'ntp/map.jinja' import ntp with context %}
  205. Configure NTP:
  206. file.managed:
  207. - name: {{ ntp.config }}
  208. - template: jinja
  209. - source:
  210. - salt://ntp/files/{{ grains.get('id') }}/etc/ntp.conf.jinja
  211. - salt://ntp/files/{{ grains.get('os_family') }}/etc/ntp.conf.jinja
  212. - salt://ntp/files/default/etc/ntp.conf.jinja
  213. - watch_in:
  214. - service: Enable and start NTP service
  215. - require:
  216. - pkg: Install NTP package
  217. Using the ``files_switch`` macro
  218. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  219. We can simplify the ``conf.sls`` with the new ``files_switch`` macro to use in the ``source`` parameter for the ``file.managed`` state.
  220. .. code-block:: sls
  221. ## /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/conf.sls
  222. include:
  223. - ntp
  224. {%- set tplroot = tpldir.split('/')[0] %}
  225. {%- from 'ntp/map.jinja' import ntp with context %}
  226. {%- from 'ntp/libtofs.jinja' import files_switch %}
  227. Configure NTP:
  228. file.managed:
  229. - name: {{ ntp.config }}
  230. - template: jinja
  231. - source: {{ files_switch(['/etc/ntp.conf.jinja'],
  232. lookup='Configure NTP'
  233. )
  234. }}
  235. - watch_in:
  236. - service: Enable and start NTP service
  237. - require:
  238. - pkg: Install NTP package
  239. * This uses ``config.get``, searching for ``ntp:tofs:source_files:Configure NTP`` to determine the list of template files to use.
  240. * If this returns a result, the default of ``['/etc/ntp.conf.jinja']`` will be appended to it.
  241. * If this does not yield any results, the default of ``['/etc/ntp.conf.jinja']`` will be used.
  242. In ``libtofs.jinja``, we define this new macro ``files_switch``.
  243. .. literalinclude:: ../template/libtofs.jinja
  244. :caption: /srv/saltstack/salt-formulas/ntp-saltstack-formula/ntp/libtofs.jinja
  245. :language: jinja
  246. How to customise the ``source`` further
  247. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  248. The examples below are based on an ``Ubuntu`` minion called ``theminion`` being configured via. pillar.
  249. Using the default settings of the ``files_switch`` macro above,
  250. the ``source`` will be:
  251. .. code-block:: sls
  252. - source:
  253. - salt://ntp/files/theminion/etc/ntp.conf.jinja
  254. - salt://ntp/files/Debian/etc/ntp.conf.jinja
  255. - salt://ntp/files/default/etc/ntp.conf.jinja
  256. Customise ``files``
  257. ~~~~~~~~~~~~~~~~~~~
  258. The ``files`` portion can be customised:
  259. .. code-block:: sls
  260. ntp:
  261. tofs:
  262. dirs:
  263. files: files_alt
  264. Resulting in:
  265. .. code-block:: sls
  266. - source:
  267. - salt://ntp/files_alt/theminion/etc/ntp.conf.jinja
  268. - salt://ntp/files_alt/Debian/etc/ntp.conf.jinja
  269. - salt://ntp/files_alt/default/etc/ntp.conf.jinja
  270. Customise the use of grains
  271. ~~~~~~~~~~~~~~~~~~~~~~~~~~~
  272. Grains can be customised and even arbitrary paths can be supplied:
  273. .. code-block:: sls
  274. ntp:
  275. tofs:
  276. files_switch:
  277. - any/path/can/be/used/here
  278. - id
  279. - os
  280. - os_family
  281. Resulting in:
  282. .. code-block:: sls
  283. - source:
  284. - salt://ntp/files/any/path/can/be/used/here/etc/ntp.conf.jinja
  285. - salt://ntp/files/theminion/etc/ntp.conf.jinja
  286. - salt://ntp/files/Ubuntu/etc/ntp.conf.jinja
  287. - salt://ntp/files/Debian/etc/ntp.conf.jinja
  288. - salt://ntp/files/default/etc/ntp.conf.jinja
  289. Customise the ``default`` path
  290. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  291. The ``default`` portion of the path can be customised:
  292. .. code-block:: sls
  293. ntp:
  294. tofs:
  295. dirs:
  296. default: default_alt
  297. Resulting in:
  298. .. code-block:: sls
  299. - source:
  300. ...
  301. - salt://ntp/files/default_alt/etc/ntp.conf.jinja
  302. Customise the list of ``source_files``
  303. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  304. The list of ``source_files`` can be given:
  305. .. code-block:: sls
  306. ntp:
  307. tofs:
  308. source_files:
  309. Configure NTP:
  310. - '/etc/ntp.conf_alt.jinja'
  311. Resulting in:
  312. .. code-block:: sls
  313. - source:
  314. - salt://ntp/files/theminion/etc/ntp.conf_alt.jinja
  315. - salt://ntp/files/theminion/etc/ntp.conf.jinja
  316. - salt://ntp/files/Debian/etc/ntp.conf_alt.jinja
  317. - salt://ntp/files/Debian/etc/ntp.conf.jinja
  318. - salt://ntp/files/default/etc/ntp.conf_alt.jinja
  319. - salt://ntp/files/default/etc/ntp.conf.jinja
  320. Note: This does *not* override the default value.
  321. Rather, the value from the pillar/config is prepended to the default.
  322. Using sub-directories for ``components``
  323. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  324. If your formula is composed of several components, you may prefer to provides files under sub-directories, like in the `systemd-formula <https://github.com/saltstack-formulas/systemd-formula>`_.
  325. .. code-block::
  326. /srv/saltstack/systemd-formula/
  327. systemd/
  328. init.sls
  329. libtofs.jinja
  330. map.jinja
  331. networkd/
  332. init.sls
  333. files/
  334. default/
  335. network/
  336. 99-default.link
  337. resolved/
  338. init.sls
  339. files/
  340. default/
  341. resolved.conf
  342. timesyncd/
  343. init.sls
  344. files/
  345. Arch/
  346. resolved.conf
  347. Debian/
  348. resolved.conf
  349. default/
  350. resolved.conf
  351. Ubuntu/
  352. resolved.conf
  353. For example, the following ``formula.component.config`` SLS:
  354. .. code-block:: sls
  355. {%- from "formula/libtofs.jinja" import files_switch with context %}
  356. formula configuration file:
  357. file.managed:
  358. - name: /etc/formula.conf
  359. - user: root
  360. - group: root
  361. - mode: 644
  362. - template: jinja
  363. - source: {{ files_switch(['formula.conf'],
  364. lookup='formula',
  365. use_subpath=True
  366. )
  367. }}
  368. will be rendered on a ``Debian`` minion named ``salt-formula.ci.local`` as:
  369. .. code-block:: sls
  370. formula configuration file:
  371. file.managed:
  372. - name: /etc/formula.conf
  373. - user: root
  374. - group: root
  375. - mode: 644
  376. - template: jinja
  377. - source:
  378. - salt://formula/component/files/salt-formula.ci.local/formula.conf
  379. - salt://formula/component/files/Debian/formula.conf
  380. - salt://formula/component/files/default/formula.conf
  381. - salt://formula/files/salt-formula.ci.local/formula.conf
  382. - salt://formula/files/Debian/formula.conf
  383. - salt://formula/files/default/formula.conf