============
Salt Formula
============

Salt is a new approach to infrastructure management. Easy enough to get
running in minutes, scalable enough to manage tens of thousands of servers,
and fast enough to communicate with them in seconds.

Salt delivers a dynamic communication bus for infrastructures that can be used
for orchestration, remote execution, configuration management and much more.
Sample Metadata
===============

Salt master
-----------

Salt master with base formulas and pillar metadata backend

.. literalinclude:: tests/pillar/master_single_pillar.sls
   :language: yaml

Salt master with reclass ENC metadata backend

.. literalinclude:: tests/pillar/master_single_reclass.sls
   :language: yaml

Salt master with Architect ENC metadata backend

.. code-block:: yaml

    salt:
      master:
        enabled: true
        pillar:
          engine: architect
          project: project-name
          host: architect-api
          port: 8181
          username: salt
          password: password

Salt master with multiple ext_pillars

.. literalinclude:: tests/pillar/master_single_extpillars.sls
   :language: yaml

Salt master with API

.. literalinclude:: tests/pillar/master_api.sls
   :language: yaml

Salt master with defined user ACLs

.. literalinclude:: tests/pillar/master_acl.sls
   :language: yaml

Salt master with preset minions

.. code-block:: yaml

    salt:
      master:
        enabled: true
        minions:
        - name: 'node1.system.location.domain.com'

Salt master with pip based installation (optional)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        source:
          engine: pip
          version: 2016.3.0rc2

Install formula through system package management

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          prd:
            keystone:
              source: pkg
              name: salt-formula-keystone
            nova:
              source: pkg
              name: salt-formula-nova
              version: 0.1+0~20160818133412.24~1.gbp6e1ebb
            postgresql:
              source: pkg
              name: salt-formula-postgresql
              version: purged

The keystone formula (no ``version`` given) is installed at its latest version;
all formulas without a ``version`` attribute are installed together in a single
call to the ``aptpkg`` module. Where the ``version`` attribute is present, the
state iterates over those formulas one by one and either installs the specific
version or removes the package. The ``version`` attribute may take the values
``[latest|purged|removed|<VERSION>]``.
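As an added illustration (not the formula's own state code), the following Python mirrors the dispatch described above: it takes an ``environment`` mapping laid out like the pkg example, batches the version-less formulas into one install call and plans one action per versioned entry. The action tuples are a constructed representation, not real Salt state calls.

```python
# Added example: plans the package actions described above for an
# ``environment`` mapping laid out like the pkg example (env -> formula -> spec).
# The action tuples are a constructed representation, not Salt state calls.
REMOVAL_VERSIONS = ("purged", "removed")


def plan_formula_actions(environment):
    """Return (state, env, package(s), version) tuples in execution order.

    Formulas without a ``version`` are batched into one ``pkg.installed`` call
    per environment (the single aptpkg call); formulas carrying a ``version``
    are handled one at a time: ``latest``, ``purged``, ``removed`` or a pinned
    package version string.
    """
    actions = []
    for env_name, formulas in sorted(environment.items()):
        batch = []
        versioned = []
        for formula, spec in sorted(formulas.items()):
            if spec.get("source") != "pkg":
                continue  # git-sourced formulas are cloned, not packaged
            pkg = spec.get("name", "salt-formula-%s" % formula)
            version = spec.get("version")
            if version is None:
                batch.append(pkg)
            elif version == "latest":
                versioned.append(("pkg.latest", env_name, pkg, None))
            elif version in REMOVAL_VERSIONS:
                versioned.append(("pkg." + version, env_name, pkg, None))
            else:
                versioned.append(("pkg.installed", env_name, pkg, version))
        if batch:
            actions.append(("pkg.installed", env_name, tuple(batch), None))
        actions.extend(versioned)
    return actions


# Constructed input modelled on the pkg example above.
PRD_ENVIRONMENT = {
    "prd": {
        "keystone": {"source": "pkg", "name": "salt-formula-keystone"},
        "nova": {"source": "pkg", "name": "salt-formula-nova",
                 "version": "0.1+0~20160818133412.24~1.gbp6e1ebb"},
        "postgresql": {"source": "pkg", "name": "salt-formula-postgresql",
                       "version": "purged"},
    }
}

if __name__ == "__main__":
    for action in plan_formula_actions(PRD_ENVIRONMENT):
        print(action)
```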
Clone master branch of keystone formula as local feature branch

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: git@github.com:openstack/salt-formula-keystone.git
                revision: master
                branch: feature

Salt master with specified formula refs (for example for Gerrit review)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: https://git.openstack.org/openstack/salt-formula-keystone
                revision: refs/changes/56/123456/1

Salt master with logging handlers

.. code-block:: yaml

    salt:
      master:
        enabled: true
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
      minion:
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
          handler02:
            engine: zmq
            bind:
              host: 127.0.0.1
              port: 9999

Salt engine definition for saltgraph metadata collector

.. code-block:: yaml

    salt:
      master:
        engine:
          graph_metadata:
            engine: saltgraph
            host: 127.0.0.1
            port: 5432
            user: salt
            password: salt
            database: salt

Salt engine definition for Architect service

.. code-block:: yaml

    salt:
      master:
        engine:
          architect:
            engine: architect
            project: project-name
            host: architect-api
            port: 8181
            username: salt
            password: password

Salt engine definition for sending events from docker events

.. code-block:: yaml

    salt:
      master:
        engine:
          docker_events:
            docker_url: unix://var/run/docker.sock

Salt master peer setup for remote certificate signing

.. code-block:: yaml

    salt:
      master:
        peer:
          ".*":
          - x509.sign_remote_certificate

Salt master backup configuration

.. code-block:: yaml

    salt:
      master:
        backup: true
        initial_data:
          engine: backupninja
          source: backup-node-host
          host: original-salt-master-id

Configure verbosity of state output (used for the ``salt`` command)

.. code-block:: yaml

    salt:
      master:
        state_output: changes

Salt synchronise node pillar and modules after start

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/*/start:
          - salt://salt/reactor/node_start.sls

Trigger basic node install

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/install:
          - salt://salt/reactor/node_install.sls

Sample event to trigger the node installation

.. code-block:: bash

    salt-call event.send 'salt/minion/install'

Run any defined orchestration pipeline

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/orchestrate/start:
          - salt://salt/reactor/orchestrate_start.sls

Event to trigger the orchestration pipeline

.. code-block:: bash

    salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"

Synchronise modules and pillars on minion start.

.. code-block:: yaml

    salt:
      master:
        reactor:
          'salt/minion/*/start':
          - salt://salt/reactor/minion_start.sls

Add and/or remove the minion key

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/key/create:
          - salt://salt/reactor/key_create.sls
          salt/key/remove:
          - salt://salt/reactor/key_remove.sls

Event to trigger the key creation

.. code-block:: bash

    salt-call event.send 'salt/key/create' \
      "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"
.. note::

    You can pass additional ``orch_pre_create``, ``orch_post_create``,
    ``orch_pre_remove`` or ``orch_post_remove`` parameters in the event to call
    extra orchestrate files. This is useful, for example, for
    registering/unregistering nodes with monitoring alarms or dashboards.
    The key creation event needs to be sent from a machine other than the one
    being registered.

Event to trigger the key removal

.. code-block:: bash

    salt-call event.send 'salt/key/remove'
Encrypted pillars
-----------------

Note: NACL and the configuration below will be available in Salt > 2017.7.

External resources:

- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html

Configure salt NACL module:

.. code-block:: shell

    pip install --upgrade libnacl===1.5.2
    salt-call --local nacl.keygen /etc/salt/pki/master/nacl
    local:
        saved sk_file:/etc/salt/pki/master/nacl  pk_file: /etc/salt/pki/master/nacl.pub

.. code-block:: yaml

    salt:
      master:
        pillar:
          reclass: *reclass
          nacl:
            index: 99
        nacl:
          box_type: sealedbox
          sk_file: /etc/salt/pki/master/nacl
          pk_file: /etc/salt/pki/master/nacl.pub
          #sk: None
          #pk: None

NACL encrypt secrets:

.. code-block:: shell

    salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
    hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q
    # or
    salt-run nacl.enc 'myotherpass'
    ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=

NACL encrypted values on pillar:

Use the boxed syntax ``NACL[CryptedValue=]`` to encode a value in the pillar:

.. code-block:: yaml

    my_pillar:
      my_nacl:
        key0: unencrypted_value
        key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]

NACL large files:

.. code-block:: shell

    salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
    # or more advanced
    cert=$(cat /tmp/cert.crt)
    salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl

NACL within template/native pillars:

.. code-block:: yaml

    pillarexample:
      user: root
      password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
      cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
      cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
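The following is an added example (not part of this formula) that checks a parsed pillar for secrets left in the clear: it walks the tree, treats values under secret-looking keys (an assumed key list) as expected ciphertext, and verifies that anything using the ``NACL[...]`` boxed syntax above carries a well-formed base64 payload. The pillar is a constructed dict standing in for the parsed YAML.

```python
import base64
import binascii
import re

# Keys whose values are expected to be NACL ciphertext (assumed list).
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|private_key|api_key", re.I)
# The boxed syntax from the README: NACL[<base64 ciphertext>]
NACL_BOX_RE = re.compile(r"^NACL\[(?P<payload>[A-Za-z0-9+/=]+)\]$")


def is_nacl_box(value):
    """True if value uses the boxed syntax and its payload is valid base64."""
    if not isinstance(value, str):
        return False
    match = NACL_BOX_RE.match(value.strip())
    if not match:
        return False
    try:
        base64.b64decode(match.group("payload"), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def audit_pillar(tree, path=()):
    """Walk a parsed pillar; return (dotted.path, finding) for each problem."""
    findings = []
    if isinstance(tree, dict):
        for key, value in tree.items():
            findings.extend(audit_pillar(value, path + (str(key),)))
    elif isinstance(tree, list):
        for index, value in enumerate(tree):
            findings.extend(audit_pillar(value, path + (str(index),)))
    elif isinstance(tree, str):
        dotted = ".".join(path)
        leaf = path[-1] if path else ""
        if tree.startswith("NACL[") and not is_nacl_box(tree):
            findings.append((dotted, "malformed NACL box"))
        elif SECRET_KEY_RE.search(leaf) and not is_nacl_box(tree):
            findings.append((dotted, "secret stored in clear text"))
    return findings


# Constructed pillar: the README's boxed value, a clear-text master password
# and a deliberately broken box, standing in for the parsed YAML.
SAMPLE_PILLAR = {
    "my_pillar": {"my_nacl": {
        "key0": "unencrypted_value",
        "key1": "NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]",
    }},
    "salt": {"master": {"pillar": {"engine": "architect", "password": "password"}}},
    "proxy": {"passwd": "NACL[not-base64!]"},
}

if __name__ == "__main__":
    for dotted, finding in audit_pillar(SAMPLE_PILLAR):
        print("%-28s %s" % (finding, dotted))
```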
Salt syndic
-----------

The master of masters

.. code-block:: yaml

    salt:
      master:
        enabled: true
        order_masters: True

Lower syndicated master

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        master:
          host: master-of-master-host
        timeout: 5

Syndicated master with multiple master of masters

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        masters:
        - host: master-of-master-host1
        - host: master-of-master-host2
        timeout: 5

Salt-minion proxy
-----------------

Salt proxy pillar

.. code-block:: yaml

    salt:
      minion:
        proxy_minion:
          master: localhost
          device:
            vsrx01.mydomain.local:
              enabled: true
              engine: napalm
            csr1000v.mydomain.local:
              enabled: true
              engine: napalm
.. note:: This is the pillar of the real salt-minion
Proxy pillar for IOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: ios
      host: csr1000v.mydomain.local
      username: root
      passwd: r00tme
.. note:: This is the pillar of the node that is not able to run salt-minion itself
Proxy pillar for JunOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: junos
      host: vsrx01.mydomain.local
      username: root
      passwd: r00tme
      optional_args:
        config_format: set
.. note:: This is the pillar of the node that is not able to run salt-minion itself
Salt SSH
--------

Salt SSH with sudoer using key

.. literalinclude:: tests/pillar/master_ssh_minion_key.sls
   :language: yaml

Salt SSH with sudoer using password

.. literalinclude:: tests/pillar/master_ssh_minion_password.sls
   :language: yaml

Salt SSH with root using password

.. literalinclude:: tests/pillar/master_ssh_minion_root.sls
   :language: yaml

Common salt config options
--------------------------
Pass pillar render errors to the minion log.

.. note::

    When set to ``False`` this option is great for debugging. However, it is not
    recommended for any production environment, as the error may contain
    templating data such as passwords that the minion should not have.

.. code-block:: yaml

    salt:
      master:
        pillar_safe_render_error: False
Salt minion
-----------

Simplest Salt minion setup with central configuration node

.. literalinclude:: tests/pillar/minion_master.sls
   :language: yaml

Multi-master Salt minion setup

.. literalinclude:: tests/pillar/minion_multi_master.sls
   :language: yaml

Salt minion with salt mine options

.. literalinclude:: tests/pillar/minion_mine.sls
   :language: yaml

Salt minion with graphing dependencies

.. literalinclude:: tests/pillar/minion_graph.sls
   :language: yaml

Salt minion behind HTTP proxy

.. code-block:: yaml

    salt:
      minion:
        proxy:
          host: 127.0.0.1
          port: 3128

Salt minion with a non-default HTTP backend. The default tornado backend
does not respect HTTP proxy settings set as environment variables. This is
useful for cases where you need to set no_proxy lists.

.. code-block:: yaml

    salt:
      minion:
        backend: urllib2

Salt minion using environment variables defined in /etc/default/salt-minion for
upstart based Ubuntu and in /etc/environment for Ubuntu with systemd.

.. code-block:: yaml

    salt:
      minion:
        env_vars:
          engine: file

Salt minion with PKI certificate authority (CA)

.. literalinclude:: tests/pillar/minion_pki_ca.sls
   :language: yaml

Salt minion using PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
   :language: yaml

Salt minion trusting CA certificates issued by the salt CA on a specific host (i.e. the salt-master node)

.. code-block:: yaml

    salt:
      minion:
        trusted_ca_minions:
        - cfg01

Salt control (cloud/kvm/docker)
-------------------------------

Salt cloud with local OpenStack provider

.. literalinclude:: tests/pillar/control_cloud_openstack.sls
   :language: yaml

Salt cloud with Digital Ocean provider

.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
   :language: yaml

Salt virt with KVM cluster

.. literalinclude:: tests/pillar/control_virt.sls
   :language: yaml

Salt virt with custom destination for image file

.. literalinclude:: tests/pillar/control_virt_custom.sls
   :language: yaml
Usage
=====

Working with salt-cloud

.. code-block:: bash

    salt-cloud -m /path/to/map --assume-yes

Debug LIBCLOUD for salt-cloud connection

.. code-block:: bash

    export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all
More Information
================

* http://salt.readthedocs.org/en/latest/
* https://github.com/DanielBryan/salt-state-graph
* http://karlgrz.com/testing-salt-states-rapidly-with-docker/
* https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
* http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
* https://github.com/saltstack-formulas/salt-formula
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

salt-cloud
----------

* http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
* http://cloudinit.readthedocs.org/en/latest/topics/examples.html
* http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
* http://docs.saltstack.com/topics/cloud/digitalocean.html
* http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
* http://salt-cloud.readthedocs.org/en/latest/topics/map.html
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html
Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-salt/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-salt

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net