10 years ago · e3b2ebeb06
--- a/salt/files/master
+++ b/salt/files/master
 {{ get_config('pidfile', '/var/run/salt-master.pid') }}
 # The root directory prepended to these options: pki_dir, cachedir,
 # sock_dir, log_file, autosign_file, extension_modules, key_logfile, pidfile.
 # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
 # key_logfile, pidfile.
 {{ get_config('root_dir', '/') }}
 # Directory used to store public key data
 # seconds
 {{ get_config('timeout', '5') }}
 # The loop_interval option controls the seconds for the master's maintinance
 # The loop_interval option controls the seconds for the master's maintenance
 # process check cycle. This process updates file server backends, cleans the
 # job cache and executes the scheduler.
 {{ get_config('loop_interval', '60') }}
 # public keys from the minions. Note that this is insecure.
 {{ get_config('auto_accept', 'False') }}
 # If the autosign_file is specified only incoming keys specified in
 # the autosign_file will be automatically accepted. This is insecure.
 # Regular expressions as well as globing lines are supported.
 # If the autosign_file is specified, incoming keys specified in the
 # autosign_file will be automatically accepted. This is insecure.  Regular
 # expressions as well as globing lines are supported.
 {{ get_config('autosign_file', '/etc/salt/autosign.conf') }}
 # Works like autosign_file, but instead allows you to specify minion IDs for
 # which keys will automatically be rejected. Will override both membership in
 # the autosign_file and the auto_accept setting.
 {{ get_config('autorejecte_file', '/etc/salt/autosign.conf') }}
 # Enable permissive access to the salt keys.  This allows you to run the
 # master or minion as root, but have a non-root group be given access to
 # your pki_dir.  To make the access explicit, root must belong to the group
 # security purposes.
 {{ get_config('file_recv', 'False') }}
 # Set a hard-limit on the size of the files that can be pushed to the master.
 # It will be interpreted as megabytes.
 # Default: 100
 {{ get_config('file_recv_max_size', '100') }}
 # Signature verification on messages published from the master.
 # This causes the master to cryptographically sign all messages published to its event
 # bus, and minions then verify that signature before acting on the message.
 #
 # This is False by default.
 #
 # Note that to facilitate interoperability with masters and minions that are different
 # versions, if sign_pub_messages is True but a message is received by a minion with
 # no signature, it will still be accepted, and a warning message will be logged.
 # Conversely, if sign_pub_messages is False, but a minion receives a signed
 # message it will be accepted, the signature will not be checked, and a warning message
 # will be logged.  This behavior will go away in Salt 0.17.6 (or Hydrogen RC1, whichever
 # comes first) and these two situations will cause minion to throw an exception and
 # drop the message.
 #
 {{ get_config('sign_pub_message', 'False') }}
 #####    Master Module Management    #####
 ##########################################
 # Manage how master side modules are loaded
 # The renderer to use on the minions to render the state data
 {{ get_config('renderer', 'yaml_jinja') }}
 # The Jinja renderer can strip extra carriage returns and whitespace
 # See http://jinja.pocoo.org/docs/api/#high-level-api
 #
 # If this is set to True the first newline after a Jinja block is removed
 # (block, not variable tag!). Defaults to False, corresponds to the Jinja
 # environment init variable "trim_blocks".
 {{ get_config('jinja_trim_blocks', 'False') }}
 #
 # If this is set to True leading spaces and tabs are stripped from the start
 # of a line to a block. Defaults to False, corresponds to the Jinja
 # environment init variable "lstrip_blocks".
 {{ get_config('jinja_lstrip_blocks', 'False') }}
 # The failhard option tells the minions to stop immediately after the first
 # failure detected in the state execution, defaults to False
 {{ get_config('failhard', 'False') }}
  - {{ backend }}
 {% endfor -%}
 {% endif %}
 #
 # Uncomment the line below if you do not want the file_server to follow
 # symlinks when walking the filesystem tree. This is set to True
 # by default. Currently this only applies to the default roots
 # fileserver_backend.
 #
 {{ get_config('fileserver_followsymlinks', 'False') }}
 #
 # Uncomment the line below if you do not want symlinks to be
 # treated as the files they are pointing to. By default this is set to
 # False. By uncommenting the line below, any detected symlink while listing
 # files on the Master will not be returned to the Minion.
 #
 {{ get_config('fileserver_ignoresymlinks', 'True') }}
 #
 # By default, the Salt fileserver recurses fully into all defined environments
 # to attempt to find files. To limit this behavior so that the fileserver only
 #
 {{ get_config('fileserver_limit_traversal', 'False') }}
 #
 # The fileserver can fire events off every time the fileserver is updated,
 # these are disabled by default, but can be easily turned on by setting this
 # flag to True
 {{ get_config('fileserver_events', 'False') }}
 #
 # Git fileserver backend configuration
 #
 # Gitfs can be provided by one of two python modules: GitPython or pygit2. If
 # using pygit2, both libgit2 and git must also be installed.
 {{ get_config('gitfs_provider', 'gitpython') }}
 #
 # When using the git fileserver backend at least one git remote needs to be
 # defined. The user running the salt master will need read access to the repo.
 #
 #gitfs_remotes:
 #  - git://github.com/saltstack/salt-states.git
 #  - file:///var/git/saltmaster
 #
 # The repos will be searched in order to find the file requested by a client
 # and the first repo to have the file will return it.
 # When using the git backend branches and tags are translated into salt
  - {{ remote }}{% endfor -%}
 {%- endif %}
 #
 #gitfs_remotes:
 #  - git://github.com/saltstack/salt-states.git
 #  - file:///var/git/saltmaster
 #
 # The gitfs_ssl_verify option specifies whether to ignore ssl certificate
 # errors when contacting the gitfs backend. You might want to set this to
 # false if you're using a git backend that uses a self-signed certificate but
 # keep in mind that setting this flag to anything other than the default of True
 # is a security concern, you may want to try using the ssh transport.
 {{ get_config('gitfs_ssl_verify', 'True') }}
 #
 #
 # The gitfs_root option gives the ability to serve files from a subdirectory
 # within the repository. The path is defined relative to the root of the
 # repository and defaults to the repository root.
 #  - cmd_yaml: cat /etc/salt/yaml
 {%- endif %}
 # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
 # errors when contacting the pillar gitfs backend. You might want to set this to
 # false if you're using a git backend that uses a self-signed certificate but
 # keep in mind that setting this flag to anything other than the default of True
 # is a security concern, you may want to try using the ssh transport.
 {{ get_config('pillar_gitfs_ssl_verify', 'True') }}
 # The pillar_opts option adds the master configuration file data to a dict in
 # the pillar called "master". This is used to set simple configurations in the
 # master config file that can then be used on minions.
  {% endfor -%}
 {% endif -%}
 #####         Mine settings     #####
 ##########################################
 # Restrict mine.get access from minions. By default any minion has a full access
 # to get all mine data from master cache. In acl definion below, only pcre matches
 # are allowed.
 #
 # mine_get:
 #   .*:
 #     - .*
 #
 # Example below enables minion foo.example.com to get  'network.interfaces' mine data only
 # , minions web* to get all network.* and disk.* mine data and all other minions won't get
 # any mine data.
 #
 # mine_get:
 #   foo.example.com:
 #     - network.inetrfaces
 #   web.*:
 #     - network.*
 #     - disk.*
 #####         Logging settings       #####
 ##########################################
  {{ name }}: {{ value }}
  {%- endfor %}
 {%- endif %}
--- a/salt/files/minion
+++ b/salt/files/minion
 # resolved, then the minion will fail to start.
 {{ get_config('master', 'salt') }}
 # If multiple masters are specified in the 'master' setting, the default behavior
 # is to always try to connect to them in the order they are listed. If random_master is
 # set to True, the order will be randomized instead. This can be helpful in distributing
 # the load of many minions executing salt-call requests, for example from a cron job.
 # If only one master is listed, this setting is ignored and a warning will be logged.
 {{ get_config('random_master', 'False') }}
 # Set whether the minion should connect to the master via IPv6
 {{ get_config('ipv6', 'False') }}
 # 0 and the defined value.
 {{ get_config('random_reauth_delay', '60') }}
 # When waiting for a master to accept the minion's public key, salt will
 # continuously attempt to reconnect until successful. This is the timeout value,
 # in seconds, for each individual attempt. After this timeout expires, the minion
 # will wait for acceptance_wait_time seconds before trying again.
 # Unless your master is under unusually heavy load, this should be left at the default.
 {{ get_config('auth_timeout', '3') }}
 # If you don't have any problems with syn-floods, dont bother with the
 # three recon_* settings described below, just leave the defaults!
 # to reconnect immediately, if the socket is disconnected (for example if
 # the master processes are restarted). In large setups this will have all
 # minions reconnect immediately which might flood the master (the ZeroMQ-default
 # is usually a 100ms delay). To prevent this, these three recon_* settings 
 # is usually a 100ms delay). To prevent this, these three recon_* settings
 # can be used.
 #
 # recon_default: the interval in milliseconds that the socket should wait before 
 # recon_default: the interval in milliseconds that the socket should wait before
 #                trying to reconnect to the master (100ms = 1 second)
 #
 # recon_max: the maximum time a socket should wait. each interval the time to wait
 #            reconnect 5: value from previous interval * 2
 #            reconnect x: if value >= recon_max, it starts again with recon_default
 #
 # recon_randomize: generate a random wait time on minion start. The wait time will 
 #                  be a random value between recon_default and recon_default + 
 #                  recon_max. Having all minions reconnect with the same recon_default 
 #                  and recon_max value kind of defeats the purpose of being able to 
 #                  change these settings. If all minions have the same values and your 
 #                  setup is quite large (several thousand minions), they will still 
 # recon_randomize: generate a random wait time on minion start. The wait time will
 #                  be a random value between recon_default and recon_default +
 #                  recon_max. Having all minions reconnect with the same recon_default
 #                  and recon_max value kind of defeats the purpose of being able to
 #                  change these settings. If all minions have the same values and your
 #                  setup is quite large (several thousand minions), they will still
 #                  flood the master. The desired behaviour is to have timeframe within
 #                  all minions try to reconnect. 
 #                  all minions try to reconnect.
 # Example on how to use these settings:
 # The goal: have all minions reconnect within a 60 second timeframe on a disconnect
 #
 # Each minion will have a randomized reconnect value between 'recon_default'
 # and 'recon_default + recon_max', which in this example means between 1000ms
 # 60000ms (or between 1 and 60 seconds). The generated random-value will be 
 # doubled after each attempt to reconnect. Lets say the generated random 
 # value is 11 seconds (or 11000ms). 
 # 60000ms (or between 1 and 60 seconds). The generated random-value will be
 # doubled after each attempt to reconnect. Lets say the generated random
 # value is 11 seconds (or 11000ms).
 #
 # reconnect 1: wait 11 seconds
 # reconnect 2: wait 22 seconds
 # often lower this value
 {{ get_config('loop_interval', '60') }}
 # The grains_refresh_every setting allows for a minion to periodically check
 # its grains to see if they have changed and, if so, to inform the master
 # of the new grains. This operation is moderately expensive, therefore
 # care should be taken not to set this value too low.
 #
 # Note: This value is expressed in __minutes__!
 #
 # A value of 10 minutes is a reasonable default.
 #
 # If the value is set to zero, this check is disabled.
 {{ get_config('grains_refresh_every', '1') }}
 # Cache grains on the minion. Default is False.
 {{ get_config('grains_cache', 'False') }}
 # Grains cache expiration, in seconds. If the cache file is older than this
 # number of seconds then the grains cache will be dumped and fully re-populated
 # with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache'
 # is not enabled.
 {{ get_config('grains_cache_expiration', '300') }}
 # When healing, a dns_check is run. This is to make sure that the originally
 # resolved dns has not changed. If this is something that does not happen in
 # your environment, set this value to False.
 # Enable Cython modules searching and loading. (Default: False)
 {{ get_config('cython_enable', 'False') }}
 #
 #
 #
 # Specify a max size (in bytes) for modules on import
 # this feature is currently only supported on *nix OSs and requires psutil
 {{ get_config('modules_max_memory', '-1') }}
 #####    State Management Settings    #####
 ###########################################
 #     - /srv/salt/prod/services
 #     - /srv/salt/prod/states
 #
 # Default:
 {% if 'file_roots' in minion -%}
 file_roots:
  {% for name, roots in minion['file_roots'].items() -%}