New Saltstack Salt formula
============
Salt Formula
============

Salt is a new approach to infrastructure management. Easy enough to get
running in minutes, scalable enough to manage tens of thousands of servers,
and fast enough to communicate with them in seconds.

Salt delivers a dynamic communication bus for infrastructures that can be used
for orchestration, remote execution, configuration management and much more.
Sample Metadata
===============

Salt Master
-----------

Salt master with base formulas and pillar metadata backend

.. literalinclude:: tests/pillar/master_single_pillar.sls
   :language: yaml

Salt master with reclass ENC metadata backend

.. literalinclude:: tests/pillar/master_single_reclass.sls
   :language: yaml

Salt master with Architect ENC metadata backend

.. code-block:: yaml

    salt:
      master:
        enabled: true
        pillar:
          engine: architect
          project: project-name
          host: architect-api
          port: 8181
          username: salt
          password: password

Salt master with multiple ext_pillars

.. literalinclude:: tests/pillar/master_single_extpillars.sls
   :language: yaml

Salt master with API

.. literalinclude:: tests/pillar/master_api.sls
   :language: yaml

Salt master with defined user ACLs

.. literalinclude:: tests/pillar/master_acl.sls
   :language: yaml
Salt master with preset minions

.. code-block:: yaml

    salt:
      master:
        enabled: true
        minions:
        - name: 'node1.system.location.domain.com'

Salt master with pip based installation (optional)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        source:
          engine: pip
          version: 2016.3.0rc2
Install formulas through system package management

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          prd:
            formula:
              keystone:
                source: pkg
                name: salt-formula-keystone
              nova:
                source: pkg
                name: salt-formula-nova
                version: 0.1+0~20160818133412.24~1.gbp6e1ebb
              postgresql:
                source: pkg
                name: salt-formula-postgresql
                version: purged

Formulas without a ``version`` attribute (keystone above) are installed at
their latest available version in a single call to the ``aptpkg`` module. If
the ``version`` attribute is present, the state iterates over those formulas
individually and installs the given version or removes the package. The
``version`` attribute may have these values: ``[latest|purged|removed|<VERSION>]``.
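The version handling just described, as an added example (this is not the formula's own state code): it turns the ``environment.<env>.formula`` pillar tree into the one-shot batch install plus the per-formula actions, and refuses any ``version`` value outside ``latest|purged|removed|<VERSION>`` before it can reach the package manager. ``plan_formula_packages``, ``PkgAction``, the ``salt-formula-<name>`` default for a missing ``name`` and the sample input in ``main()`` are all chosen here for illustration.

```python
"""Plan package actions for formulas installed through system packages.

Added example; not the salt formula's own state code. Formulas without a
version go into one batch (a single pkg.installed call), formulas with a
version get an individual install or removal action, and any other version
value is rejected. Names and sample data are chosen for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Conservative Debian version syntax: optional epoch, then a version that
# starts with a digit and uses only characters policy allows. The point is
# to refuse junk (shell metacharacters, spaces) arriving via pillar.
_DEB_VERSION = re.compile(r"^(?:\d+:)?[0-9][A-Za-z0-9.+~-]*$")

KEYWORDS = ("latest", "purged", "removed")


@dataclass(frozen=True)
class PkgAction:
    formula: str
    package: str
    action: str        # "installed", "latest", "purged" or "removed"
    version: str = ""  # pinned version when action == "installed"


def version_is_acceptable(version: object) -> bool:
    """True for latest/purged/removed or a well-formed Debian version string."""
    text = str(version)
    return text in KEYWORDS or bool(_DEB_VERSION.match(text))


def plan_formula_packages(formulas: Dict[str, dict]) -> Tuple[List[str], List[PkgAction]]:
    """Split an environment's formula dict into (batch_packages, actions).

    batch_packages is the list handed to one pkg.installed call; actions is
    what the state iterates over when a version attribute is present.
    Formulas whose source is not "pkg" belong to another state and are skipped.
    """
    batch: List[str] = []
    actions: List[PkgAction] = []
    for formula, spec in sorted(formulas.items()):
        if spec.get("source", "pkg") != "pkg":
            continue
        # Assumed default when the pillar omits "name" (not from the README).
        package = spec.get("name") or f"salt-formula-{formula}"
        version = spec.get("version")
        if version is None:
            batch.append(package)
        elif not version_is_acceptable(version):
            raise ValueError(f"{formula}: unsupported version value {version!r}")
        elif str(version) in KEYWORDS:
            actions.append(PkgAction(formula, package, str(version)))
        else:
            actions.append(PkgAction(formula, package, "installed", str(version)))
    return batch, actions


if __name__ == "__main__":
    # Constructed input matching the prd environment above.
    sample = {
        "keystone": {"source": "pkg", "name": "salt-formula-keystone"},
        "nova": {"source": "pkg", "name": "salt-formula-nova",
                 "version": "0.1+0~20160818133412.24~1.gbp6e1ebb"},
        "postgresql": {"source": "pkg", "name": "salt-formula-postgresql",
                       "version": "purged"},
    }
    batch, actions = plan_formula_packages(sample)
    print("pkg.installed batch:", batch)
    for act in actions:
        print(f"{act.package}: {act.action} {act.version}".rstrip())
```

Running the module prints the batch list (only keystone) and one line per versioned formula; a version such as ``1.0; rm -rf /`` raises ``ValueError`` instead of being passed on.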
Clone master branch of keystone formula as local feature branch

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: git@github.com:openstack/salt-formula-keystone.git
                revision: master
                branch: feature

Salt master with specified formula refs (for example for Gerrit review)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: https://git.openstack.org/openstack/salt-formula-keystone
                revision: refs/changes/56/123456/1
Salt master logging configuration

.. code-block:: yaml

    salt:
      master:
        enabled: true
        log:
          level: warning
          file: '/var/log/salt/master'
          level_logfile: warning

Salt minion logging configuration

.. code-block:: yaml

    salt:
      minion:
        enabled: true
        log:
          level: info
          file: '/var/log/salt/minion'
          level_logfile: warning

Salt master with logging handlers

.. code-block:: yaml

    salt:
      master:
        enabled: true
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
      minion:
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
          handler02:
            engine: zmq
            bind:
              host: 127.0.0.1
              port: 9999
Salt engine definition for saltgraph metadata collector

.. code-block:: yaml

    salt:
      master:
        engine:
          graph_metadata:
            engine: saltgraph
            host: 127.0.0.1
            port: 5432
            user: salt
            password: salt
            database: salt

Salt engine definition for Architect service

.. code-block:: yaml

    salt:
      master:
        engine:
          architect:
            engine: architect
            project: project-name
            host: architect-api
            port: 8181
            username: salt
            password: password

Salt engine definition for sending events from docker events

.. code-block:: yaml

    salt:
      master:
        engine:
          docker_events:
            docker_url: unix://var/run/docker.sock

Salt master peer setup for remote certificate signing

.. code-block:: yaml

    salt:
      master:
        peer:
          ".*":
            - x509.sign_remote_certificate

.. note:: The ``".*"`` pattern lets every minion publish
   ``x509.sign_remote_certificate`` to other minions, so the signing policy on
   the CA minion becomes the only control over what gets signed. Narrow the
   pattern to the minions that actually need to request certificates where
   the deployment allows it.
Salt master backup configuration

.. code-block:: yaml

    salt:
      master:
        backup: true
        initial_data:
          engine: backupninja
          home_dir: remote-backup-home-dir
          source: backup-node-host
          host: original-salt-master-id

Configure verbosity of state output (used for the ``salt`` command)

.. code-block:: yaml

    salt:
      master:
        state_output: changes

Pass pillar render errors to the minion log

.. note:: When set to ``False`` this option is useful for debugging.
   However, it is not recommended for any production environment, because the
   error message may contain templating data such as passwords that the minion
   should not expose.

.. code-block:: yaml

    salt:
      master:
        pillar_safe_render_error: False
Event/Reactor Systems
~~~~~~~~~~~~~~~~~~~~~

Salt synchronises node pillar and modules after start

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/*/start:
          - salt://salt/reactor/node_start.sls

Trigger basic node install

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/install:
          - salt://salt/reactor/node_install.sls

Sample event to trigger the node installation

.. code-block:: bash

    salt-call event.send 'salt/minion/install'

Run any defined orchestration pipeline

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/orchestrate/start:
          - salt://salt/reactor/orchestrate_start.sls

Event to trigger the orchestration pipeline

.. code-block:: bash

    salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"

Synchronise modules and pillars on minion start

.. code-block:: yaml

    salt:
      master:
        reactor:
          'salt/minion/*/start':
          - salt://salt/reactor/minion_start.sls

Add and/or remove the minion key

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/key/create:
          - salt://salt/reactor/key_create.sls
          salt/key/remove:
          - salt://salt/reactor/key_remove.sls

Event to trigger the key creation

.. code-block:: bash

    salt-call event.send 'salt/key/create' \
    > "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"

.. note::
   You can pass additional ``orch_pre_create``, ``orch_post_create``,
   ``orch_pre_remove`` or ``orch_post_remove`` parameters in the event to call
   extra orchestrate files. This can be useful, for example, for
   registering/unregistering nodes in monitoring alarms or dashboards.
   The key creation event needs to be sent from a machine other than the one
   being registered. Any connected minion can send this event and the payload
   is whatever the sender put in it, so the reactor SLS should check the
   sending minion id and validate the event data before accepting or deleting
   a key.

Event to trigger the key removal

.. code-block:: bash

    salt-call event.send 'salt/key/remove'
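The sender and payload checks a reactor for ``salt/key/create`` and ``salt/key/remove`` should apply, as an added example that is not part of the formula's reactor files. It assumes the reactor sees the sending minion id in ``event['id']`` and the caller's payload in ``event['data']``; the admin allow-list, the permitted orchestration names (reusing the one shown above), the lowercase-hostname policy for node ids and the sample event are all constructed for this example.

```python
"""Validate salt/key/create and salt/key/remove events before acting on them.

Added example; not part of the salt formula's reactor files. The reactor runs
for an event from any connected minion and the payload is sender-supplied,
so a reactor SLS (or the orchestration it calls) should check who sent the
event and what it asks for before accepting or deleting a key. Allow-lists,
node id policy and sample events are constructed for this example.
"""
import ipaddress
import re
from typing import Any, Dict, Set

# Minion ids permitted to register or remove other nodes (constructed).
KEY_ADMIN_MINIONS: Set[str] = {"cfg01", "cfg02"}

# Orchestrations an event may name. Anything else is refused, so a sender
# cannot run an arbitrary orchestrate file on the master.
ALLOWED_ORCHESTRATIONS: Set[str] = {
    "kubernetes.orchestrate.compute_install",
    "kubernetes.orchestrate.compute_remove",
}

# Minion ids are hostnames in this deployment: lowercase labels, dots, dashes.
_NODE_ID = re.compile(r"^[a-z0-9]([a-z0-9.-]{0,252}[a-z0-9])?$")
_ORCH_KEYS = ("orch_pre_create", "orch_post_create",
              "orch_pre_remove", "orch_post_remove")


class RejectedEvent(Exception):
    """Raised when an event must not be acted upon."""


def validate_key_event(tag: str, event: Dict[str, Any]) -> Dict[str, Any]:
    """Return an allow-listed copy of the event data, or raise RejectedEvent.

    event['id'] is the sending minion as the master recorded it;
    event['data'] is the sender-supplied payload. Fields not validated here
    (for example post_create_pillar) are deliberately dropped.
    """
    if tag not in ("salt/key/create", "salt/key/remove"):
        raise RejectedEvent(f"unexpected tag {tag!r}")
    sender = event.get("id")
    if sender not in KEY_ADMIN_MINIONS:
        raise RejectedEvent(f"minion {sender!r} may not manage keys")
    data = event.get("data") or {}
    node_id = data.get("node_id")
    if not isinstance(node_id, str) or not _NODE_ID.match(node_id):
        raise RejectedEvent(f"invalid node_id {node_id!r}")
    if node_id == sender:
        # The README requires the event to come from a different machine.
        raise RejectedEvent("a node may not register or remove itself")
    out: Dict[str, Any] = {"tag": tag, "sender": sender, "node_id": node_id}
    for key in _ORCH_KEYS:
        if key in data:
            if data[key] not in ALLOWED_ORCHESTRATIONS:
                raise RejectedEvent(f"{key}={data[key]!r} is not an allowed orchestration")
            out[key] = data[key]
    if tag == "salt/key/create":
        host = data.get("node_host")
        try:
            out["node_host"] = str(ipaddress.ip_address(host))
        except ValueError:
            raise RejectedEvent(f"invalid node_host {host!r}") from None
    return out


def is_rejected(tag: str, event: Dict[str, Any]) -> bool:
    """True when validate_key_event refuses the event."""
    try:
        validate_key_event(tag, event)
    except RejectedEvent:
        return True
    return False


if __name__ == "__main__":
    # Constructed event, shaped like the salt-call event.send example above.
    event = {"id": "cfg01", "data": {
        "node_id": "cmp001.domain.com", "node_host": "172.16.10.100",
        "orch_post_create": "kubernetes.orchestrate.compute_install",
        "post_create_pillar": {"node_name": "cmp001.domain.com"}}}
    print(validate_key_event("salt/key/create", event))
    print(is_rejected("salt/key/create", dict(event, id="cmp002")))  # True
```

The returned dict is built from an allow-list rather than copied from the payload, so a reactor that passes it to ``salt.key`` or to an orchestration only ever forwards fields that were checked.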
Control VM provisioning

.. code-block:: yaml

    virt:
      disk:
        three_disks:
          - system:
              size: 4096
              image: ubuntu.qcow
          - repository_snapshot:
              size: 8192
              image: snapshot.qcow
          - cinder-volume:
              size: 2048
      nic:
        control:
          - name: nic01
            bridge: br-pxe
            model: virtio
          - name: nic02
            bridge: br-cp
            model: virtio
          - name: nic03
            bridge: br-store-front
            model: virtio
          - name: nic04
            bridge: br-public
            model: virtio

    salt:
      control:
        enabled: true
        virt_enabled: true
        size:
          medium_three_disks:
            cpu: 2
            ram: 4
            disk_profile: three_disks
        cluster:
          mycluster:
            domain: neco.virt.domain.com
            engine: virt
            # Option to set rng globally
            rng: false
            node:
              ubuntu1:
                provider: node01.domain.com
                image: ubuntu.qcow
                size: medium_three_disks
                img_dest: /var/lib/libvirt/ssdimages
                # An rng defined on the node has higher priority than the global one
                rng:
                  backend: /dev/urandom
                  model: random
                  rate:
                    period: '1800'
                    bytes: '1500'
                mac:
                  nic01: AC:DE:48:AA:AA:AA
                  nic02: AC:DE:48:AA:AA:BB
Jinja options
-------------

Use the following options to change the default Jinja renderer options. Salt
recognises separate Jinja options for templates and for sls files.
For the full list of options check the Jinja documentation: http://jinja.pocoo.org/docs/api/#high-level-api.

.. code-block:: yaml

    salt:
      renderer:
        # for templates
        jinja: &jinja_env
          # Default Jinja environment options
          block_start_string: '{%'
          block_end_string: '%}'
          variable_start_string: '{{'
          variable_end_string: '}}'
          comment_start_string: '{#'
          comment_end_string: '#}'
          keep_trailing_newline: False
          newline_sequence: '\n'

          # Next two are enabled by default in Salt
          trim_blocks: True
          lstrip_blocks: True

          # Next two are not enabled by default in Salt
          # but worth considering for salt-formulas in future
          line_statement_prefix: '%'
          line_comment_prefix: '##'

        # for .sls state files
        jinja_sls: *jinja_env

With the ``line_statement_prefix``/``line_comment_prefix`` options enabled the following statements are valid:

.. code-block:: jinja

    %- set myvar = 'one'
    ## You can mix even with '{%'
    {%- set myvar = 'two' %} ## comment
    %- set mylist = ['one', 'two', 'three'] ## comment
    ## comment
    %- for item in mylist: ## comment
    {{- item }}
    %- endfor
Encrypted pillars
~~~~~~~~~~~~~~~~~

Note: NACL + the configuration below are available in Salt > 2017.7.

External resources:

- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html

Configure the salt NACL module:

.. code-block:: shell

    pip install --upgrade libnacl==1.5.2
    salt-call --local nacl.keygen /etc/salt/pki/master/nacl

    local:
        saved sk_file:/etc/salt/pki/master/nacl  pk_file: /etc/salt/pki/master/nacl.pub

.. code-block:: yaml

    salt:
      master:
        pillar:
          reclass: *reclass
          nacl:
            index: 99
        nacl:
          box_type: sealedbox
          sk_file: /etc/salt/pki/master/nacl
          pk_file: /etc/salt/pki/master/nacl.pub
          #sk: None
          #pk: None

The secret key in ``sk_file`` decrypts every NACL value in the pillar, so it
must stay on the master and be readable only by the master process. Only the
public key is needed to encrypt new values, so that is the file to hand out.

NACL encrypt secrets:

.. code-block:: shell

    salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
    hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q

    # or
    salt-run nacl.enc 'myotherpass'
    ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=

NACL encrypted values in pillar:

Use the boxed syntax ``NACL[CryptedValue=]`` to encode a value in pillar:

.. code-block:: yaml

    my_pillar:
      my_nacl:
        key0: unencrypted_value
        key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]

NACL large files:

.. code-block:: shell

    salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
    # or more advanced
    cert=$(cat /tmp/cert.crt)
    salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl

NACL within template/native pillars:

.. code-block:: jinja

    pillarexample:
      user: root
      password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
      cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
      cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
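A pre-commit check for the pillar conventions above, as an added example that is neither part of the salt formula nor of Salt's ``nacl`` module. It flags secret-looking keys whose value is neither wrapped in ``NACL[...]`` nor decrypted at render time with ``nacl.dec``, and checks that each ``NACL[...]`` payload is valid base64 of at least the sealedbox overhead (32-byte ephemeral public key plus 16-byte Poly1305 tag, 48 bytes), which is the ``box_type`` configured above. The key-name patterns and the sample pillar are constructed here; the first encrypted value in the sample is the one ``nacl.enc`` produced above.

```python
"""Lint pillar files for clear-text secrets and malformed NACL[...] values.

Added example; not part of the salt formula or of Salt's nacl module. It
needs no key material, so it can run in CI on the pillar repository. The
key-name patterns and the sample pillar are constructed for this example.
"""
import base64
import binascii
import re
from typing import List, Tuple

# crypto_box_seal: 32-byte ephemeral public key + 16-byte MAC precede the data.
SEALEDBOX_OVERHEAD = 32 + 16
_SECRET_KEY = re.compile(r"pass(word)?|passwd|secret|token|private_key|api_key", re.I)
_NACL_VALUE = re.compile(r"^NACL\[(.*)\]$")
_YAML_KV = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*:\s*(.*?)\s*$")


def check_nacl_value(payload: str) -> str:
    """Return '' if payload looks like a sealedbox ciphertext, else the problem."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    if len(raw) < SEALEDBOX_OVERHEAD:
        return (f"only {len(raw)} bytes, shorter than the "
                f"{SEALEDBOX_OVERHEAD}-byte sealedbox overhead")
    return ""


def lint_pillar(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, message) findings for one pillar file."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = _YAML_KV.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip("'\"")
        if not value:
            continue  # start of a nested mapping, nothing to check
        if value.startswith("{{") and "nacl.dec" in value:
            continue  # decrypted at render time, not clear text on disk
        wrapped = _NACL_VALUE.match(value)
        if wrapped:
            problem = check_nacl_value(wrapped.group(1))
            if problem:
                findings.append((lineno, f"{key}: NACL value {problem}"))
        elif _SECRET_KEY.search(key):
            findings.append((lineno, f"{key}: secret-looking key stored in clear text"))
    return findings


# Constructed sample; the first NACL value is the one produced by nacl.enc above.
SAMPLE_PILLAR = """\
my_pillar:
  my_nacl:
    key0: unencrypted_value
    password: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]
    api_key: supersecret
    token: NACL[notbase64!!]
    short_secret: NACL[AAAA]
    password1: {{ salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=') | json }}
"""

if __name__ == "__main__":
    for lineno, message in lint_pillar(SAMPLE_PILLAR):
        print(f"line {lineno}: {message}")
```

The length check is deliberately loose: it catches truncated or hand-edited values, not a wrong key, which only the master's ``sk_file`` can detect. Run the script over every ``*.sls`` in the pillar tree and fail the commit on any finding.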
Salt Syndic
-----------

The master of masters

.. code-block:: yaml

    salt:
      master:
        enabled: true
        order_masters: True

Lower syndicated master

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        master:
          host: master-of-master-host
        timeout: 5

Syndicated master with multiple master of masters

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        masters:
        - host: master-of-master-host1
        - host: master-of-master-host2
        timeout: 5
Salt Minion
-----------

Simplest Salt minion setup with central configuration node

.. literalinclude:: tests/pillar/minion_master.sls
   :language: yaml

Multi-master Salt minion setup

.. literalinclude:: tests/pillar/minion_multi_master.sls
   :language: yaml

Salt minion with salt mine options

.. literalinclude:: tests/pillar/minion_mine.sls
   :language: yaml

Salt minion with graphing dependencies

.. literalinclude:: tests/pillar/minion_graph.sls
   :language: yaml

Salt minion behind HTTP proxy

.. code-block:: yaml

    salt:
      minion:
        proxy:
          host: 127.0.0.1
          port: 3128

Salt minion with a non-default HTTP backend. The default tornado backend
does not respect HTTP proxy settings set as environment variables. This is
useful for cases where you need to set no_proxy lists.

.. code-block:: yaml

    salt:
      minion:
        backend: urllib2

Salt minion with PKI certificate authority (CA)

.. literalinclude:: tests/pillar/minion_pki_ca.sls
   :language: yaml

Salt minion using PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
   :language: yaml

Salt minion trusting CA certificates issued by the salt CA on a specific host (i.e. the salt-master node)

.. code-block:: yaml

    salt:
      minion:
        trusted_ca_minions:
        - cfg01
Salt Minion Proxy
~~~~~~~~~~~~~~~~~

Salt proxy pillar

.. code-block:: yaml

    salt:
      minion:
        proxy_minion:
          master: localhost
          device:
            vsrx01.mydomain.local:
              enabled: true
              engine: napalm
            csr1000v.mydomain.local:
              enabled: true
              engine: napalm

.. note:: This is the pillar of the real salt-minion.

Proxy pillar for IOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: ios
      host: csr1000v.mydomain.local
      username: root
      passwd: r00tme

.. note:: This is the pillar of the node that is not able to run salt-minion itself.

Proxy pillar for JunOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: junos
      host: vsrx01.mydomain.local
      username: root
      passwd: r00tme
      optional_args:
        config_format: set

.. note:: This is the pillar of the node that is not able to run salt-minion itself.
   The device credentials live in pillar, so keep them out of clear text with
   the NACL encrypted pillars described above rather than committing ``passwd``
   values like the placeholders here.
Salt SSH
~~~~~~~~

Salt SSH with sudoer using key

.. literalinclude:: tests/pillar/master_ssh_minion_key.sls
   :language: yaml

Salt SSH with sudoer using password

.. literalinclude:: tests/pillar/master_ssh_minion_password.sls
   :language: yaml

Salt SSH with root using password

.. literalinclude:: tests/pillar/master_ssh_minion_root.sls
   :language: yaml

Salt control (cloud/kvm/docker)
-------------------------------

Salt cloud with local OpenStack provider

.. literalinclude:: tests/pillar/control_cloud_openstack.sls
   :language: yaml

Salt cloud with Digital Ocean provider

.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
   :language: yaml

Salt virt with KVM cluster

.. literalinclude:: tests/pillar/control_virt.sls
   :language: yaml

Salt virt with custom destination for image file

.. literalinclude:: tests/pillar/control_virt_custom.sls
   :language: yaml
Usage
=====

Working with salt-cloud

.. code-block:: bash

    salt-cloud -m /path/to/map --assume-yes

Debug LIBCLOUD for salt-cloud connection

.. code-block:: bash

    export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all
References
==========

* http://salt.readthedocs.org/en/latest/
* https://github.com/DanielBryan/salt-state-graph
* http://karlgrz.com/testing-salt-states-rapidly-with-docker/
* https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
* http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
* https://github.com/saltstack-formulas/salt-formula
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

salt-cloud
----------

* http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
* http://cloudinit.readthedocs.org/en/latest/topics/examples.html
* http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
* http://docs.saltstack.com/topics/cloud/digitalocean.html
* http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
* http://salt-cloud.readthedocs.org/en/latest/topics/map.html
Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-salt/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific
formula:

    https://github.com/salt-formulas/salt-formula-salt

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net