New Saltstack Salt formula
============
Salt Formula
============

Salt is a new approach to infrastructure management. Easy enough to get
running in minutes, scalable enough to manage tens of thousands of servers,
and fast enough to communicate with them in seconds.

Salt delivers a dynamic communication bus for infrastructures that can be used
for orchestration, remote execution, configuration management and much more.

Sample Metadata
===============
Salt Master
-----------

Salt master with base formulas and pillar metadata backend

.. literalinclude:: tests/pillar/master_single_pillar.sls
   :language: yaml

Salt master with reclass ENC metadata backend

.. literalinclude:: tests/pillar/master_single_reclass.sls
   :language: yaml

Salt master with Architect ENC metadata backend

.. code-block:: yaml

    salt:
      master:
        enabled: true
        pillar:
          engine: architect
          project: project-name
          host: architect-api
          port: 8181
          username: salt
          password: password

Salt master with multiple ext_pillars

.. literalinclude:: tests/pillar/master_single_extpillars.sls
   :language: yaml

Salt master with API

.. literalinclude:: tests/pillar/master_api.sls
   :language: yaml

Salt master with defined user ACLs

.. literalinclude:: tests/pillar/master_acl.sls
   :language: yaml

Salt master with preset minions

.. code-block:: yaml

    salt:
      master:
        enabled: true
        minions:
        - name: 'node1.system.location.domain.com'

Salt master with pip based installation (optional)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        source:
          engine: pip
          version: 2016.3.0rc2

Install formula through system package management

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          prd:
            keystone:
              source: pkg
              name: salt-formula-keystone
            nova:
              source: pkg
              name: salt-formula-nova
              version: 0.1+0~20160818133412.24~1.gbp6e1ebb
            postgresql:
              source: pkg
              name: salt-formula-postgresql
              version: purged
Formula keystone is installed at its latest version, and all formulas without a
version attribute are installed in one call to the aptpkg module. If the version
attribute is present, the sls iterates over those formulas one by one and either
installs the specific version or removes the package. The version attribute may
have these values: ``[latest|purged|removed|<VERSION>]``.
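The batch-versus-per-formula rule above, as an added Python example that is not part of this formula's code: it turns one environment's formula map into the package actions the sls would take. The function name ``plan_formula_packages`` and the fallback name ``salt-formula-<key>`` for a formula without ``name`` are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Keywords the README allows for the 'version' attribute of a pkg-sourced
# formula; any other string is treated as a concrete package version to pin.
VERSION_KEYWORDS = {"latest", "purged", "removed"}


def plan_formula_packages(formulas: Dict[str, dict]) -> List[Tuple[str, List[str]]]:
    """Translate an environment's formula map into ordered package actions.

    Formulas without a version attribute are collected into a single batch
    install (one aptpkg call); every formula that carries a version attribute
    gets its own install/purge/remove action. Formulas whose source is not
    'pkg' are ignored here. A missing 'name' falls back to 'salt-formula-<key>'
    (an assumption of this example, not documented formula behaviour).
    """
    batch: List[str] = []
    actions: List[Tuple[str, List[str]]] = []
    for key, spec in formulas.items():
        if spec.get("source") != "pkg":
            continue
        name = spec.get("name", f"salt-formula-{key}")
        version = spec.get("version")
        if version is None:
            batch.append(name)
        elif version == "latest":
            actions.append(("install_latest", [name]))
        elif version == "purged":
            actions.append(("purge", [name]))
        elif version == "removed":
            actions.append(("remove", [name]))
        else:
            # Anything outside VERSION_KEYWORDS is a pinned package version
            actions.append(("install_pinned", [f"{name}={version}"]))
    plan = [("install", batch)] if batch else []
    return plan + actions


# Constructed sample mirroring the prd environment shown above
PRD_FORMULAS = {
    "keystone": {"source": "pkg", "name": "salt-formula-keystone"},
    "nova": {"source": "pkg", "name": "salt-formula-nova",
             "version": "0.1+0~20160818133412.24~1.gbp6e1ebb"},
    "postgresql": {"source": "pkg", "name": "salt-formula-postgresql",
                   "version": "purged"},
}

if __name__ == "__main__":
    for action, packages in plan_formula_packages(PRD_FORMULAS):
        print(action, packages)
```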
Clone master branch of keystone formula as local feature branch

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: git@github.com:openstack/salt-formula-keystone.git
                revision: master
                branch: feature

Salt master with specified formula refs (for example for Gerrit review)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: https://git.openstack.org/openstack/salt-formula-keystone
                revision: refs/changes/56/123456/1

Salt master with logging handlers

.. code-block:: yaml

    salt:
      master:
        enabled: true
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
      minion:
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
          handler02:
            engine: zmq
            bind:
              host: 127.0.0.1
              port: 9999

Salt engine definition for saltgraph metadata collector

.. code-block:: yaml

    salt:
      master:
        engine:
          graph_metadata:
            engine: saltgraph
            host: 127.0.0.1
            port: 5432
            user: salt
            password: salt
            database: salt

Salt engine definition for Architect service

.. code-block:: yaml

    salt:
      master:
        engine:
          architect:
            engine: architect
            project: project-name
            host: architect-api
            port: 8181
            username: salt
            password: password

Salt engine definition for sending events from docker events

.. code-block:: yaml

    salt:
      master:
        engine:
          docker_events:
            docker_url: unix://var/run/docker.sock

Salt master peer setup for remote certificate signing

.. code-block:: yaml

    salt:
      master:
        peer:
          ".*":
          - x509.sign_remote_certificate

Salt master backup configuration

.. code-block:: yaml

    salt:
      master:
        backup: true
        initial_data:
          engine: backupninja
          home_dir: remote-backup-home-dir
          source: backup-node-host
          host: original-salt-master-id

Configure verbosity of state output (used for `salt` command)

.. code-block:: yaml

    salt:
      master:
        state_output: changes
Pass pillar render error to minion log

.. note:: When set to `False` this option is great for debugging.
   However, it is not recommended for any production environment, as the
   error may contain templating data such as passwords that the minion
   should not expose.

.. code-block:: yaml

    salt:
      master:
        pillar_safe_render_error: False
Event/Reactor Systems
~~~~~~~~~~~~~~~~~~~~~

Salt synchronise node pillar and modules after start

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/*/start:
          - salt://salt/reactor/node_start.sls

Trigger basic node install

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/install:
          - salt://salt/reactor/node_install.sls

Sample event to trigger the node installation

.. code-block:: bash

    salt-call event.send 'salt/minion/install'

Run any defined orchestration pipeline

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/orchestrate/start:
          - salt://salt/reactor/orchestrate_start.sls

Event to trigger the orchestration pipeline

.. code-block:: bash

    salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"

Synchronise modules and pillars on minion start.

.. code-block:: yaml

    salt:
      master:
        reactor:
          'salt/minion/*/start':
          - salt://salt/reactor/minion_start.sls

Add and/or remove the minion key

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/key/create:
          - salt://salt/reactor/key_create.sls
          salt/key/remove:
          - salt://salt/reactor/key_remove.sls

Event to trigger the key creation

.. code-block:: bash

    salt-call event.send 'salt/key/create' \
    > "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"
.. note::

    You can pass additional `orch_pre_create`, `orch_post_create`,
    `orch_pre_remove` or `orch_post_remove` parameters to the event to call
    extra orchestrate files. This can be useful, for example, for
    registering/unregistering nodes from the monitoring alarms or dashboards.

    The key creation event needs to be run from a machine other than the one
    being registered.
Event to trigger the key removal

.. code-block:: bash

    salt-call event.send 'salt/key/remove'

Control VM provisioning

.. code-block:: yaml

    virt:
      disk:
        three_disks:
          - system:
              size: 4096
              image: ubuntu.qcow
          - repository_snapshot:
              size: 8192
              image: snapshot.qcow
          - cinder-volume:
              size: 2048
      nic:
        control:
          - name: nic01
            bridge: br-pxe
            model: virtio
          - name: nic02
            bridge: br-cp
            model: virtio
          - name: nic03
            bridge: br-store-front
            model: virtio
          - name: nic04
            bridge: br-public
            model: virtio

    salt:
      control:
        enabled: true
        virt_enabled: true
        size:
          medium_three_disks:
            cpu: 2
            ram: 4
            disk_profile: three_disks
        cluster:
          mycluster:
            domain: neco.virt.domain.com
            engine: virt
            node:
              ubuntu1:
                provider: node01.domain.com
                image: ubuntu.qcow
                size: medium
                img_dest: /var/lib/libvirt/ssdimages
                rng:
                  backend: /dev/urandom
                  model: random
                  rate:
                    period: '1800'
                    bytes: '1500'
                mac:
                  nic01: AC:DE:48:AA:AA:AA
                  nic02: AC:DE:48:AA:AA:BB
Jinja options
-------------

Use the following options to update the default Jinja renderer options. Salt
recognizes separate Jinja options for templates and for sls files.
For the full list of options check the Jinja documentation:
http://jinja.pocoo.org/docs/api/#high-level-api.

.. code-block:: yaml

    salt:
      renderer:
        # for templates
        jinja: &jinja_env
          # Default Jinja environment options
          block_start_string: '{%'
          block_end_string: '%}'
          variable_start_string: '{{'
          variable_end_string: '}}'
          comment_start_string: '{#'
          comment_end_string: '#}'
          keep_trailing_newline: False
          newline_sequence: '\n'

          # Next two are enabled by default in Salt
          trim_blocks: True
          lstrip_blocks: True

          # Next two are not enabled by default in Salt
          # but worth considering to enable in future for salt-formulas
          line_statement_prefix: '%'
          line_comment_prefix: '##'

        # for .sls state files
        jinja_sls: *jinja_env

With the line_statement_prefix and line_comment_prefix options enabled, the
following statements are valid:

.. code-block:: yaml

    %- set myvar = 'one'
    ## You can mix even with '{%'
    {%- set myvar = 'two' %} ## comment
    %- set mylist = ['one', 'two', 'three'] ## comment
    ## comment
    %- for item in mylist: ## comment
    {{- item }}
    %- endfor
Encrypted pillars
~~~~~~~~~~~~~~~~~

Note: NACL and the configuration below will be available in Salt > 2017.7.

External resources:

- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html

Configure salt NACL module:

.. code-block:: shell

    pip install --upgrade libnacl===1.5.2
    salt-call --local nacl.keygen /etc/salt/pki/master/nacl

    local:
      saved sk_file:/etc/salt/pki/master/nacl  pk_file: /etc/salt/pki/master/nacl.pub

.. code-block:: yaml

    salt:
      master:
        pillar:
          reclass: *reclass
          nacl:
            index: 99
        nacl:
          box_type: sealedbox
          sk_file: /etc/salt/pki/master/nacl
          pk_file: /etc/salt/pki/master/nacl.pub
          #sk: None
          #pk: None

NACL encrypt secrets:

.. code-block:: shell

    salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
    hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q

    # or
    salt-run nacl.enc 'myotherpass'
    ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=

NACL encrypted values on pillar:

Use the boxed syntax `NACL[CryptedValue=]` to encode a value on the pillar:

.. code-block:: yaml

    my_pillar:
      my_nacl:
        key0: unencrypted_value
        key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]

NACL large files:

.. code-block:: shell

    salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
    # or more advanced
    cert=$(cat /tmp/cert.crt)
    salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl

NACL within template/native pillars:

.. code-block:: yaml

    pillarexample:
      user: root
      password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
      cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
      cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
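The boxed ``NACL[...]`` pillar syntax described above, as an added Python example that is not code from this formula or from Salt's nacl module: it walks a pillar tree, lists the paths that hold boxed values (a pre-commit audit that every secret is actually boxed) and replaces each boxed value through a supplied decrypt callable, failing loudly on malformed ciphertext. ``decrypt_boxed_pillar``, ``boxed_paths`` and ``fake_dec`` are names assumed here; ``fake_dec`` only base64-decodes a constructed sample so the block runs without libnacl.

```python
import base64
import binascii
import re
from typing import Any, Callable, List

# Boxed syntax from the README: NACL[<base64 ciphertext>]
NACL_BOX = re.compile(r"^NACL\[(?P<body>[A-Za-z0-9+/]+={0,2})\]$")


def decrypt_boxed_pillar(data: Any, dec: Callable[[str], str], path: str = "pillar") -> Any:
    """Return a copy of a pillar tree with every NACL[...] value replaced by dec(body).

    Plain scalars pass through unchanged. A boxed value whose body is not valid
    base64 raises ValueError naming the pillar path, so a corrupted ciphertext
    fails the render instead of silently shipping a broken value to the minion.
    """
    if isinstance(data, dict):
        return {k: decrypt_boxed_pillar(v, dec, f"{path}:{k}") for k, v in data.items()}
    if isinstance(data, list):
        return [decrypt_boxed_pillar(v, dec, f"{path}[{i}]") for i, v in enumerate(data)]
    if not isinstance(data, str):
        return data
    match = NACL_BOX.match(data)
    if match is None:
        return data
    body = match.group("body")
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{path}: malformed NACL ciphertext") from exc
    return dec(body)


def boxed_paths(data: Any, path: str = "pillar") -> List[str]:
    """List the pillar paths that hold NACL[...] values."""
    if isinstance(data, dict):
        return [p for k, v in data.items() for p in boxed_paths(v, f"{path}:{k}")]
    if isinstance(data, list):
        return [p for i, v in enumerate(data) for p in boxed_paths(v, f"{path}[{i}]")]
    return [path] if isinstance(data, str) and NACL_BOX.match(data) else []


# Constructed sample: the README's my_pillar layout with constructed ciphertexts.
# fake_dec stands in for salt.nacl.dec and only base64-decodes; the real module
# would open a libnacl sealed box with the master's sk_file.
SAMPLE_PILLAR = {
    "my_pillar": {
        "my_nacl": {
            "key0": "unencrypted_value",
            "key1": "NACL[czNjcmV0]",
            "hosts": ["db01", "NACL[aHVudGVyMg==]"],
        }
    }
}


def fake_dec(body: str) -> str:
    return base64.b64decode(body).decode()


if __name__ == "__main__":
    print(boxed_paths(SAMPLE_PILLAR))
    print(decrypt_boxed_pillar(SAMPLE_PILLAR, fake_dec))
```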
Salt Syndic
-----------

The master of masters

.. code-block:: yaml

    salt:
      master:
        enabled: true
        order_masters: True

Lower syndicated master

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        master:
          host: master-of-master-host
        timeout: 5

Syndicated master with multiple master of masters

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        masters:
        - host: master-of-master-host1
        - host: master-of-master-host2
        timeout: 5

Salt Minion
-----------

Simplest Salt minion setup with central configuration node

.. literalinclude:: tests/pillar/minion_master.sls
   :language: yaml

Multi-master Salt minion setup

.. literalinclude:: tests/pillar/minion_multi_master.sls
   :language: yaml

Salt minion with salt mine options

.. literalinclude:: tests/pillar/minion_mine.sls
   :language: yaml

Salt minion with graphing dependencies

.. literalinclude:: tests/pillar/minion_graph.sls
   :language: yaml

Salt minion behind HTTP proxy

.. code-block:: yaml

    salt:
      minion:
        proxy:
          host: 127.0.0.1
          port: 3128

Salt minion with a non-default HTTP backend. The default tornado backend
does not respect HTTP proxy settings set as environment variables, so this
is useful for cases where you need to set no_proxy lists.

.. code-block:: yaml

    salt:
      minion:
        backend: urllib2

Salt minion with PKI certificate authority (CA)

.. literalinclude:: tests/pillar/minion_pki_ca.sls
   :language: yaml

Salt minion using PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
   :language: yaml

Salt minion trusting CA certificates issued by the salt CA on a specific host (i.e. the salt-master node)

.. code-block:: yaml

    salt:
      minion:
        trusted_ca_minions:
        - cfg01
Salt Minion Proxy
~~~~~~~~~~~~~~~~~

Salt proxy pillar

.. code-block:: yaml

    salt:
      minion:
        proxy_minion:
          master: localhost
          device:
            vsrx01.mydomain.local:
              enabled: true
              engine: napalm
            csr1000v.mydomain.local:
              enabled: true
              engine: napalm

.. note:: This is the pillar of the real salt-minion.

Proxy pillar for IOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: ios
      host: csr1000v.mydomain.local
      username: root
      passwd: r00tme

.. note:: This is the pillar of the node that is not able to run salt-minion itself.

Proxy pillar for JunOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: junos
      host: vsrx01.mydomain.local
      username: root
      passwd: r00tme
      optional_args:
        config_format: set

.. note:: This is the pillar of the node that is not able to run salt-minion itself.
Salt SSH
~~~~~~~~

Salt SSH with sudoer using key

.. literalinclude:: tests/pillar/master_ssh_minion_key.sls
   :language: yaml

Salt SSH with sudoer using password

.. literalinclude:: tests/pillar/master_ssh_minion_password.sls
   :language: yaml

Salt SSH with root using password

.. literalinclude:: tests/pillar/master_ssh_minion_root.sls
   :language: yaml

Salt control (cloud/kvm/docker)
-------------------------------

Salt cloud with local OpenStack provider

.. literalinclude:: tests/pillar/control_cloud_openstack.sls
   :language: yaml

Salt cloud with Digital Ocean provider

.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
   :language: yaml

Salt virt with KVM cluster

.. literalinclude:: tests/pillar/control_virt.sls
   :language: yaml

Salt virt with custom destination for image file

.. literalinclude:: tests/pillar/control_virt_custom.sls
   :language: yaml

Usage
=====

Working with salt-cloud

.. code-block:: bash

    salt-cloud -m /path/to/map --assume-yes

Debug LIBCLOUD for salt-cloud connection

.. code-block:: bash

    export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all
References
==========

* http://salt.readthedocs.org/en/latest/
* https://github.com/DanielBryan/salt-state-graph
* http://karlgrz.com/testing-salt-states-rapidly-with-docker/
* https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
* http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
* https://github.com/saltstack-formulas/salt-formula
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

salt-cloud
----------

* http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
* http://cloudinit.readthedocs.org/en/latest/topics/examples.html
* http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
* http://docs.saltstack.com/topics/cloud/digitalocean.html
* http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
* http://salt-cloud.readthedocs.org/en/latest/topics/map.html
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html
Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-salt/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-salt

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net