============
Salt Formula
============

Salt is a new approach to infrastructure management. Easy enough to get
running in minutes, scalable enough to manage tens of thousands of servers,
and fast enough to communicate with them in seconds.

Salt delivers a dynamic communication bus for infrastructures that can be used
for orchestration, remote execution, configuration management and much more.

Sample Metadata
===============

Salt Master
-----------

Salt master with base formulas and pillar metadata backend

.. literalinclude:: tests/pillar/master_single_pillar.sls
   :language: yaml

Salt master with reclass ENC metadata backend

.. literalinclude:: tests/pillar/master_single_reclass.sls
   :language: yaml

Salt master with Architect ENC metadata backend

.. code-block:: yaml

    salt:
      master:
        enabled: true
        pillar:
          engine: architect
          project: project-name
          host: architect-api
          port: 8181
          username: salt
          password: password

Salt master with multiple ext_pillars

.. literalinclude:: tests/pillar/master_single_extpillars.sls
   :language: yaml

Salt master with API

.. literalinclude:: tests/pillar/master_api.sls
   :language: yaml

Salt master with defined user ACLs

.. literalinclude:: tests/pillar/master_acl.sls
   :language: yaml

Salt master with preset minions

.. code-block:: yaml

    salt:
      master:
        enabled: true
        minions:
          - name: 'node1.system.location.domain.com'

Salt master with pip based installation (optional)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        source:
          engine: pip
          version: 2016.3.0rc2
Install formula through system package management

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          prd:
            formula:
              keystone:
                source: pkg
                name: salt-formula-keystone
              nova:
                source: pkg
                name: salt-formula-nova
                version: 0.1+0~20160818133412.24~1.gbp6e1ebb
              postgresql:
                source: pkg
                name: salt-formula-postgresql
                version: purged

Formulas without a ``version`` attribute (``keystone`` above) are installed at
the latest available version, all of them in one call to the ``aptpkg``
module. If the ``version`` attribute is present, the state iterates over those
formulas one by one and either installs the requested version or removes the
package. The ``version`` attribute accepts ``[latest|purged|removed|<VERSION>]``.
Pin an explicit ``<VERSION>`` in production environments so that a new
upstream package cannot change the states applied to your nodes without review.
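To make the version rules above concrete, here is an added example (not code from salt-formula-salt) that models the planning step in plain Python: it splits a constructed ``environment.<env>.formula`` pillar fragment into the one-shot batch install and the per-formula actions, and renders them into the Salt state structure (``pkg.installed``, ``pkg.latest``, ``pkg.purged``, ``pkg.removed``) such a plan produces. The pillar data, the git address and the state-ID naming are assumptions made for the example.

```python
"""Model of the formula package planning described above.

Added example, not code from salt-formula-salt. The pillar fragment is
constructed for the example; the state IDs are an assumption.
"""
from typing import Dict, List, Tuple

# Constructed fragment of salt:master:environment:<env>:formula
FORMULAS: Dict[str, dict] = {
    "keystone": {"source": "pkg", "name": "salt-formula-keystone"},
    "nova": {
        "source": "pkg",
        "name": "salt-formula-nova",
        "version": "0.1+0~20160818133412.24~1.gbp6e1ebb",
    },
    "postgresql": {"source": "pkg", "name": "salt-formula-postgresql",
                   "version": "purged"},
    "horizon": {"source": "pkg", "name": "salt-formula-horizon",
                "version": "latest"},
    # git-sourced formulas are cloned, not handled by the package manager
    "neutron": {"source": "git", "address": "https://example.invalid/neutron.git",
                "revision": "master"},
}

SPECIAL_VERSIONS = ("latest", "purged", "removed")

Action = Tuple[str, str, str]  # (package name, action, pinned version or "")


def plan_pkg_actions(formulas: Dict[str, dict]) -> Tuple[List[str], List[Action]]:
    """Split pkg-sourced formulas into a batch install and per-formula actions.

    Formulas without ``version`` go into one batch (a single aptpkg call).
    Formulas with ``version`` are handled one by one: ``latest``, ``purged``
    and ``removed`` map to the matching action, anything else is a pin.
    """
    batch: List[str] = []
    actions: List[Action] = []
    for formula_name in sorted(formulas):
        spec = formulas[formula_name]
        if spec.get("source") != "pkg":
            continue
        package = spec.get("name")
        if not package:
            raise ValueError(f"formula {formula_name!r}: pkg source needs a 'name'")
        version = spec.get("version")
        if version is None:
            batch.append(package)
        elif version in SPECIAL_VERSIONS:
            actions.append((package, version, ""))
        else:
            actions.append((package, "install", str(version)))
    return batch, actions


def render_states(batch: List[str], actions: List[Action]) -> Dict[str, dict]:
    """Render the plan as a Salt state structure (state IDs are an assumption)."""
    states: Dict[str, dict] = {}
    if batch:
        states["salt_formula_pkgs"] = {"pkg.installed": [{"pkgs": batch}]}
    for package, action, version in actions:
        state_id = f"salt_formula_{package}"
        if action == "install":
            states[state_id] = {"pkg.installed": [{"name": package},
                                                  {"version": version}]}
        else:  # latest / purged / removed are pkg state functions of the same name
            states[state_id] = {f"pkg.{action}": [{"name": package}]}
    return states


if __name__ == "__main__":
    import json
    planned_batch, planned_actions = plan_pkg_actions(FORMULAS)
    print(json.dumps(render_states(planned_batch, planned_actions), indent=2))
```

A formula that declares ``source: pkg`` without a ``name`` is rejected instead of silently skipped, so a typo in the pillar surfaces at plan time rather than as a missing formula on the master.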
Clone master branch of keystone formula as local feature branch

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: git@github.com:openstack/salt-formula-keystone.git
                revision: master
                branch: feature

Salt master with specified formula refs (for example for Gerrit review)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: https://git.openstack.org/openstack/salt-formula-keystone
                revision: refs/changes/56/123456/1
Salt master logging configuration

.. code-block:: yaml

    salt:
      master:
        enabled: true
        log:
          level: warning
          file: '/var/log/salt/master'
          level_logfile: warning

Salt minion logging configuration

.. code-block:: yaml

    salt:
      minion:
        enabled: true
        log:
          level: info
          file: '/var/log/salt/minion'
          level_logfile: warning

Salt master with logging handlers

.. code-block:: yaml

    salt:
      master:
        enabled: true
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
      minion:
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
          handler02:
            engine: zmq
            bind:
              host: 127.0.0.1
              port: 9999
Salt engine definition for saltgraph metadata collector

.. code-block:: yaml

    salt:
      master:
        engine:
          graph_metadata:
            engine: saltgraph
            host: 127.0.0.1
            port: 5432
            user: salt
            password: salt
            database: salt

Salt engine definition for Architect service

.. code-block:: yaml

    salt:
      master:
        engine:
          architect:
            engine: architect
            project: project-name
            host: architect-api
            port: 8181
            username: salt
            password: password

Salt engine definition for sending events from docker events

.. code-block:: yaml

    salt:
      master:
        engine:
          docker_events:
            docker_url: unix://var/run/docker.sock
Salt master peer setup for remote certificate signing

.. code-block:: yaml

    salt:
      master:
        peer:
          ".*":
            - x509.sign_remote_certificate

The keys of the ``peer`` mapping are regular expressions matched against the
ID of the minion that publishes the call, so ``".*"`` lets every accepted
minion send an ``x509.sign_remote_certificate`` request to every other minion.
Narrow the expression to the minions that actually need certificates, and
restrict the ``minions`` glob of the signing policy on the CA minion as well,
so that neither side alone decides who gets a certificate.
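The following added example (not code from Salt or from this formula) shows why the ``".*"`` pattern matters. Salt documents the ``peer`` setting as a regular expression on the publishing minion's ID mapped to a list of regular expressions on function names; ``peer_allows`` is a simplified model of that check (assumption: ``re.match``, i.e. anchored at the start of the string, for both the ID and the function). It audits three constructed configurations, the wide-open one from the page, a loosely written one and a properly anchored one, against a constructed fleet of minion IDs.

```python
"""Which minions may publish ``x509.sign_remote_certificate`` under a peer config?

Added example, not code from Salt or from salt-formula-salt. ``peer_allows``
is a simplified model of Salt's peer check (assumption: ``re.match`` on both
the minion id and the function name). Configurations and ids are constructed.
"""
import re
from typing import Dict, Iterable, List

PeerConf = Dict[str, List[str]]

# As on the page: every minion may ask any other minion to sign a certificate
WIDE_OPEN: PeerConf = {".*": ["x509.sign_remote_certificate"]}

# Unanchored and with an unescaped '.', so it also matches unintended ids
LOOSE: PeerConf = {"web[0-9]+.example.com": ["x509.sign_remote_certificate"]}

# Anchored, escaped, limited to the hosts that actually need certificates
RESTRICTED: PeerConf = {
    r"^(web|db)[0-9]+\.example\.com$": [r"^x509\.sign_remote_certificate$"],
}

# Constructed minion ids, including one chosen to abuse the loose pattern
FLEET = ["web01.example.com", "db01.example.com", "laptop.example.com",
         "web01.example.com.attacker"]


def peer_allows(peer_conf: PeerConf, publisher_id: str, function: str) -> bool:
    """Return True if `publisher_id` may publish `function` to other minions."""
    for minion_re, function_res in peer_conf.items():
        if re.match(minion_re, publisher_id) is None:
            continue
        if any(re.match(fun_re, function) for fun_re in function_res):
            return True
    return False


def audit_peer(peer_conf: PeerConf, minion_ids: Iterable[str], function: str) -> List[str]:
    """List the minion ids allowed to publish `function` under `peer_conf`."""
    return sorted(m for m in minion_ids if peer_allows(peer_conf, m, function))


if __name__ == "__main__":
    fun = "x509.sign_remote_certificate"
    for label, conf in (("wide open", WIDE_OPEN), ("loose", LOOSE), ("restricted", RESTRICTED)):
        print(f"{label:>10}: {audit_peer(conf, FLEET, fun)}")
```

The loose pattern is the common mistake: without ``^``/``$`` and with an unescaped dot, ``web[0-9]+.example.com`` also accepts ``web01.example.com.attacker``, an ID a minion chooses for itself before its key is accepted.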
Salt master backup configuration

.. code-block:: yaml

    salt:
      master:
        backup: true
        initial_data:
          engine: backupninja
          home_dir: remote-backup-home-dir
          source: backup-node-host
          host: original-salt-master-id

Configure verbosity of state output (used for the ``salt`` command)

.. code-block:: yaml

    salt:
      master:
        state_output: changes

Pass pillar render errors to the minion log

.. note:: When set to ``False`` this option is great for debugging.
   However it is not recommended for any production environment, as the
   error output may contain templating data such as passwords that the
   minion should not expose.

.. code-block:: yaml

    salt:
      master:
        pillar_safe_render_error: False
Event/Reactor Systems
~~~~~~~~~~~~~~~~~~~~~

Salt synchronises node pillar and modules after start

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/*/start:
            - salt://salt/reactor/node_start.sls

Trigger basic node install

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/install:
            - salt://salt/reactor/node_install.sls

Sample event to trigger the node installation

.. code-block:: bash

    salt-call event.send 'salt/minion/install'

Run any defined orchestration pipeline

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/orchestrate/start:
            - salt://salt/reactor/orchestrate_start.sls

Event to trigger the orchestration pipeline

.. code-block:: bash

    salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"

Synchronise modules and pillars on minion start.

.. code-block:: yaml

    salt:
      master:
        reactor:
          'salt/minion/*/start':
            - salt://salt/reactor/minion_start.sls

Add and/or remove the minion key

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/key/create:
            - salt://salt/reactor/key_create.sls
          salt/key/remove:
            - salt://salt/reactor/key_remove.sls

Event to trigger the key creation

.. code-block:: bash

    salt-call event.send 'salt/key/create' \
      "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"

.. note::
   You can pass additional ``orch_pre_create``, ``orch_post_create``,
   ``orch_pre_remove`` or ``orch_post_remove`` parameters to the event to call
   extra orchestrate files. This can be useful for example for
   registering/unregistering nodes from the monitoring alarms or dashboards.
   The key creation event needs to be run from a machine other than the one
   being registered. Any accepted minion can emit these events with
   ``salt-call event.send``, so the reactor SLS files must treat the event
   data as untrusted input before accepting or deleting a key.

Event to trigger the key removal

.. code-block:: bash

    salt-call event.send 'salt/key/remove'
Control VM provisioning

.. code-block:: yaml

    virt:
      disk:
        three_disks:
          - system:
              size: 4096
              image: ubuntu.qcow
          - repository_snapshot:
              size: 8192
              image: snapshot.qcow
          - cinder-volume:
              size: 2048
      nic:
        control:
          - name: nic01
            bridge: br-pxe
            model: virtio
          - name: nic02
            bridge: br-cp
            model: virtio
          - name: nic03
            bridge: br-store-front
            model: virtio
          - name: nic04
            bridge: br-public
            model: virtio

    salt:
      control:
        enabled: true
        virt_enabled: true
        size:
          medium_three_disks:
            cpu: 2
            ram: 4
            disk_profile: three_disks
        cluster:
          mycluster:
            domain: neco.virt.domain.com
            engine: virt
            node:
              ubuntu1:
                provider: node01.domain.com
                image: ubuntu.qcow
                size: medium_three_disks
                img_dest: /var/lib/libvirt/ssdimages
                rng:
                  backend: /dev/urandom
                  model: random
                  rate:
                    period: '1800'
                    bytes: '1500'
                mac:
                  nic01: AC:DE:48:AA:AA:AA
                  nic02: AC:DE:48:AA:AA:BB
Jinja options
-------------

Use the following options to update the default Jinja renderer options. Salt
recognizes Jinja options for templates and for sls files separately. For the
full list of options check the Jinja documentation:
http://jinja.pocoo.org/docs/api/#high-level-api.

.. code-block:: yaml

    salt:
      renderer:
        # for templates
        jinja: &jinja_env
          # Default Jinja environment options
          block_start_string: '{%'
          block_end_string: '%}'
          variable_start_string: '{{'
          variable_end_string: '}}'
          comment_start_string: '{#'
          comment_end_string: '#}'
          keep_trailing_newline: False
          newline_sequence: '\n'
          # Next two are enabled by default in Salt
          trim_blocks: True
          lstrip_blocks: True
          # Next two are not enabled by default in Salt
          # but worth considering for salt-formulas in the future
          line_statement_prefix: '%'
          line_comment_prefix: '##'
        # for .sls state files
        jinja_sls: *jinja_env

With the ``line_statement_prefix`` and ``line_comment_prefix`` options
enabled, the following statements are valid:

.. code-block:: jinja

    %- set myvar = 'one'
    ## You can mix even with '{%'
    {%- set myvar = 'two' %} ## comment
    %- set mylist = ['one', 'two', 'three'] ## comment
    ## comment
    %- for item in mylist: ## comment
    {{- item }}
    %- endfor
Encrypted pillars
~~~~~~~~~~~~~~~~~

.. note:: NACL and the configuration below are available in Salt > 2017.7.

External resources:

- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html

Configure the salt NACL module:

.. code-block:: shell

    pip install --upgrade libnacl===1.5.2

    salt-call --local nacl.keygen /etc/salt/pki/master/nacl
    local:
      saved sk_file:/etc/salt/pki/master/nacl  pk_file: /etc/salt/pki/master/nacl.pub

.. code-block:: yaml

    salt:
      master:
        pillar:
          reclass: *reclass
          nacl:
            index: 99
        nacl:
          box_type: sealedbox
          sk_file: /etc/salt/pki/master/nacl
          pk_file: /etc/salt/pki/master/nacl.pub
          #sk: None
          #pk: None

The secret key in ``sk_file`` decrypts every boxed value in the pillar, so it
must stay on the master with owner-only permissions; the public key in
``pk_file`` can be handed to everyone who needs to encrypt values. A
``sealedbox`` gives confidentiality only: anyone holding the public key can
produce a value the master will accept, so the integrity of encrypted pillar
data still rests on the access controls of the metadata repository.

NACL encrypt secrets:

.. code-block:: shell

    salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
    hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q

    # or
    salt-run nacl.enc 'myotherpass'
    ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=

NACL encrypted values in pillar:

Use the boxed syntax ``NACL[CryptedValue=]`` to mark an encrypted value in pillar:

.. code-block:: yaml

    my_pillar:
      my_nacl:
        key0: unencrypted_value
        key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]

NACL large files:

.. code-block:: shell

    salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
    # or more advanced
    cert=$(cat /tmp/cert.crt)
    salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl

NACL within template/native pillars:

.. code-block:: jinja

    pillarexample:
      user: root
      password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
      cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
      cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
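As an added example (not code from this formula or from Salt's ``nacl`` module), the following Python walks a pillar tree and audits the ``NACL[...]`` box syntax described above: it checks that each box decodes as base64 and is long enough to be a libnacl sealed box (48 bytes of overhead, a 32-byte ephemeral public key plus a 16-byte MAC), and it flags keys whose names look like secrets but still hold clear text. The ciphertext shown earlier on this page decodes to 63 bytes, which is 48 plus the 15 characters of ``my_secret_value``. The sample pillar is constructed, the key-name heuristic is an assumption, and nothing is decrypted because that needs the master's secret key.

```python
"""Audit a pillar tree for ``NACL[...]`` boxed values.

Added example, not code from salt-formula-salt or from Salt's nacl module.
The sample pillar is constructed; the secret-key-name heuristic is an
assumption. Nothing is decrypted here.
"""
import base64
import binascii
import re
from typing import Any, Dict, List, Optional, Tuple

NACL_BOX = re.compile(r"^NACL\[(?P<payload>.*)\]$", re.S)
SEALEDBOX_OVERHEAD = 48  # crypto_box_SEALBYTES in libsodium: 32-byte pk + 16-byte MAC
SECRET_KEY_HINT = re.compile(r"pass(word|wd)?|secret|token|private|api_?key", re.I)

# Constructed pillar; key1 holds the ciphertext shown earlier on this page
SAMPLE_PILLAR: Dict[str, Any] = {
    "my_pillar": {"my_nacl": {
        "key0": "unencrypted_value",
        "key1": "NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]",
    }},
    "architect": {"username": "salt", "password": "password"},
    "broken": {"token": "NACL[not*base64]", "short": "NACL[c2hvcnQ=]"},
}


def parse_nacl_box(value: Any) -> Optional[bytes]:
    """Return the ciphertext bytes if `value` is a NACL[...] box, else None.

    Raises ValueError for a box whose payload is not base64 or is too short
    to be a sealed box carrying a non-empty plaintext.
    """
    if not isinstance(value, str):
        return None
    match = NACL_BOX.match(value.strip())
    if match is None:
        return None
    try:
        raw = base64.b64decode(match.group("payload"), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"payload is not valid base64: {exc}") from None
    if len(raw) <= SEALEDBOX_OVERHEAD:
        raise ValueError(f"payload of {len(raw)} bytes is too short for a sealed box")
    return raw


def audit_pillar(pillar: Any) -> Tuple[List[str], List[str], List[Tuple[str, str]]]:
    """Walk `pillar`; return (encrypted paths, clear-text secret paths, malformed boxes)."""
    encrypted: List[str] = []
    clear_secrets: List[str] = []
    malformed: List[Tuple[str, str]] = []

    def walk(node: Any, path: Tuple[str, ...]) -> None:
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, path + (str(key),))
        elif isinstance(node, list):
            for index, child in enumerate(node):
                walk(child, path + (str(index),))
        else:
            dotted = ":".join(path)
            try:
                box = parse_nacl_box(node)
            except ValueError as exc:
                malformed.append((dotted, str(exc)))
                return
            if box is not None:
                encrypted.append(dotted)
            elif path and isinstance(node, str) and node and SECRET_KEY_HINT.search(path[-1]):
                clear_secrets.append(dotted)

    walk(pillar, ())
    return encrypted, clear_secrets, malformed


if __name__ == "__main__":
    enc, clear, bad = audit_pillar(SAMPLE_PILLAR)
    print("encrypted:", enc)
    print("clear-text secrets:", clear)
    print("malformed boxes:", bad)
```

Run it against a rendered pillar (for example the output of ``salt-call pillar.items --out=json``) to catch credentials such as the ``password: password`` and ``passwd: r00tme`` placeholders in the examples on this page before they reach a production metadata repository.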
Salt Syndic
-----------

The master of masters

.. code-block:: yaml

    salt:
      master:
        enabled: true
        order_masters: True

Lower syndicated master

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        master:
          host: master-of-master-host
        timeout: 5

Syndicated master with multiple master of masters

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        masters:
          - host: master-of-master-host1
          - host: master-of-master-host2
        timeout: 5
Salt Minion
-----------

Simplest Salt minion setup with central configuration node

.. literalinclude:: tests/pillar/minion_master.sls
   :language: yaml

Multi-master Salt minion setup

.. literalinclude:: tests/pillar/minion_multi_master.sls
   :language: yaml

Salt minion with salt mine options

.. literalinclude:: tests/pillar/minion_mine.sls
   :language: yaml

Salt minion with graphing dependencies

.. literalinclude:: tests/pillar/minion_graph.sls
   :language: yaml

Salt minion behind HTTP proxy

.. code-block:: yaml

    salt:
      minion:
        proxy:
          host: 127.0.0.1
          port: 3128

Salt minion with a non-default HTTP backend. The default tornado backend does
not respect HTTP proxy settings set as environment variables, so this is
useful for cases where you need to set ``no_proxy`` lists.

.. code-block:: yaml

    salt:
      minion:
        backend: urllib2

Salt minion with PKI certificate authority (CA)

.. literalinclude:: tests/pillar/minion_pki_ca.sls
   :language: yaml

Salt minion using PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
   :language: yaml

Salt minion trusting CA certificates issued by the salt CA on a specific host (i.e. the salt-master node)

.. code-block:: yaml

    salt:
      minion:
        trusted_ca_minions:
          - cfg01
Salt Minion Proxy
~~~~~~~~~~~~~~~~~

Salt proxy pillar

.. code-block:: yaml

    salt:
      minion:
        proxy_minion:
          master: localhost
          device:
            vsrx01.mydomain.local:
              enabled: true
              engine: napalm
            csr1000v.mydomain.local:
              enabled: true
              engine: napalm

.. note:: This is the pillar of the real salt-minion that runs the proxy processes.

Proxy pillar for IOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: ios
      host: csr1000v.mydomain.local
      username: root
      passwd: r00tme

.. note:: This is the pillar of the node that is not able to run salt-minion itself.

Proxy pillar for JunOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: junos
      host: vsrx01.mydomain.local
      username: root
      passwd: r00tme
      optional_args:
        config_format: set

.. note:: This is the pillar of the node that is not able to run salt-minion itself.
   The ``passwd`` value is a device credential; store it as an encrypted
   pillar value (see Encrypted pillars above) rather than in clear text.
Salt SSH
~~~~~~~~

Salt SSH with sudoer using key

.. literalinclude:: tests/pillar/master_ssh_minion_key.sls
   :language: yaml

Salt SSH with sudoer using password

.. literalinclude:: tests/pillar/master_ssh_minion_password.sls
   :language: yaml

Salt SSH with root using password

.. literalinclude:: tests/pillar/master_ssh_minion_root.sls
   :language: yaml

Salt control (cloud/kvm/docker)
-------------------------------

Salt cloud with local OpenStack provider

.. literalinclude:: tests/pillar/control_cloud_openstack.sls
   :language: yaml

Salt cloud with Digital Ocean provider

.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
   :language: yaml

Salt virt with KVM cluster

.. literalinclude:: tests/pillar/control_virt.sls
   :language: yaml

Salt virt with custom destination for image file

.. literalinclude:: tests/pillar/control_virt_custom.sls
   :language: yaml
Usage
=====

Working with salt-cloud

.. code-block:: bash

    salt-cloud -m /path/to/map --assume-yes

Debug LIBCLOUD for salt-cloud connection

.. code-block:: bash

    export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all

The debug stream contains the raw API requests and responses, including
authentication headers, so do not leave it enabled or redirect it to a shared
or world-readable file.
References
==========

* http://salt.readthedocs.org/en/latest/
* https://github.com/DanielBryan/salt-state-graph
* http://karlgrz.com/testing-salt-states-rapidly-with-docker/
* https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
* http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
* https://github.com/saltstack-formulas/salt-formula
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

salt-cloud
----------

* http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
* http://cloudinit.readthedocs.org/en/latest/topics/examples.html
* http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
* http://docs.saltstack.com/topics/cloud/digitalocean.html
* http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
* http://salt-cloud.readthedocs.org/en/latest/topics/map.html
Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-salt/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-salt

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net