New Saltstack Salt formula
============
Salt Formula
============

Salt is a new approach to infrastructure management. Easy enough to get
running in minutes, scalable enough to manage tens of thousands of servers,
and fast enough to communicate with them in seconds.

Salt delivers a dynamic communication bus for infrastructures that can be used
for orchestration, remote execution, configuration management and much more.
Sample Metadata
===============

Salt Master
-----------

Salt master with base formulas and pillar metadata backend

.. literalinclude:: tests/pillar/master_single_pillar.sls
   :language: yaml

Salt master with reclass ENC metadata backend

.. literalinclude:: tests/pillar/master_single_reclass.sls
   :language: yaml

Salt master with Architect ENC metadata backend

.. code-block:: yaml

    salt:
      master:
        enabled: true
        pillar:
          engine: architect
          project: project-name
          host: architect-api
          port: 8181
          username: salt
          password: password

Salt master with multiple ext_pillars

.. literalinclude:: tests/pillar/master_single_extpillars.sls
   :language: yaml

Salt master with API

.. literalinclude:: tests/pillar/master_api.sls
   :language: yaml

Salt master with defined user ACLs

.. literalinclude:: tests/pillar/master_acl.sls
   :language: yaml

Salt master with preset minions

.. code-block:: yaml

    salt:
      master:
        enabled: true
        minions:
        - name: 'node1.system.location.domain.com'

Salt master with pip based installation (optional)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        source:
          engine: pip
          version: 2016.3.0rc2

Install formula through system package management

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          prd:
            keystone:
              source: pkg
              name: salt-formula-keystone
            nova:
              source: pkg
              name: salt-formula-nova
              version: 0.1+0~20160818133412.24~1.gbp6e1ebb
            postgresql:
              source: pkg
              name: salt-formula-postgresql
              version: purged

Formula keystone is installed at the latest version, and all formulas without a
version attribute are installed in one call to the aptpkg module.
If the version attribute is present, the sls iterates over those formulas and
takes action to install the specific version or to remove the formula.
The version attribute may have these values: ``[latest|purged|removed|<VERSION>]``.
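As an added illustration (not code from the formula itself), the following Python reproduces the install plan the paragraph above describes for pkg-sourced formulas, so the effect of a given ``version`` value can be checked before the state runs. The pillar dictionary is constructed from the example above; ``plan_pkg_formulas`` and ``REMOVE_ACTIONS`` are names assumed by this example.

```python
# Added example, not part of the salt-formula-salt project. It mirrors the
# text above: formulas without a version go into one batch install, every
# formula with a version gets its own (package, action, version) step.
from typing import Dict, List, Tuple

# Constructed sample, mirroring the environment pillar shown above.
ENVIRONMENT_PILLAR = {
    "keystone": {"source": "pkg", "name": "salt-formula-keystone"},
    "nova": {"source": "pkg", "name": "salt-formula-nova",
             "version": "0.1+0~20160818133412.24~1.gbp6e1ebb"},
    "postgresql": {"source": "pkg", "name": "salt-formula-postgresql",
                   "version": "purged"},
}

# Version values that mean "take the package away" rather than install it.
REMOVE_ACTIONS = {"purged", "removed"}


def plan_pkg_formulas(formulas: Dict[str, dict]) -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Return (batch, steps): ``batch`` is the list of package names installed
    together in a single aptpkg call, ``steps`` the per-formula actions for
    formulas that carry a version attribute."""
    batch: List[str] = []
    steps: List[Tuple[str, str, str]] = []
    for formula_name in sorted(formulas):
        formula = formulas[formula_name]
        if formula.get("source", "pkg") != "pkg":
            continue  # git-sourced formulas are handled by a different state
        # Assumed fallback naming convention when ``name`` is omitted.
        pkg = formula.get("name", "salt-formula-%s" % formula_name)
        version = formula.get("version")
        if version is None:
            batch.append(pkg)
        elif version == "latest":
            steps.append((pkg, "latest", ""))
        elif version in REMOVE_ACTIONS:
            steps.append((pkg, version, ""))
        elif isinstance(version, str) and version.strip():
            steps.append((pkg, "installed", version))  # pinned version
        else:
            raise ValueError("invalid version for formula %s: %r" % (formula_name, version))
    return batch, steps
```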
Clone master branch of keystone formula as local feature branch

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: git@github.com:openstack/salt-formula-keystone.git
                revision: master
                branch: feature

Salt master with specified formula refs (for example for Gerrit review)

.. code-block:: yaml

    salt:
      master:
        enabled: true
        ...
        environment:
          dev:
            formula:
              keystone:
                source: git
                address: https://git.openstack.org/openstack/salt-formula-keystone
                revision: refs/changes/56/123456/1

Salt master logging configuration

.. code-block:: yaml

    salt:
      master:
        enabled: true
        log:
          level: warning
          file: '/var/log/salt/master'
          level_logfile: warning

Salt minion logging configuration

.. code-block:: yaml

    salt:
      minion:
        enabled: true
        log:
          level: info
          file: '/var/log/salt/minion'
          level_logfile: warning

Salt master with logging handlers

.. code-block:: yaml

    salt:
      master:
        enabled: true
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
      minion:
        handler:
          handler01:
            engine: udp
            bind:
              host: 127.0.0.1
              port: 9999
          handler02:
            engine: zmq
            bind:
              host: 127.0.0.1
              port: 9999

Salt engine definition for saltgraph metadata collector

.. code-block:: yaml

    salt:
      master:
        engine:
          graph_metadata:
            engine: saltgraph
            host: 127.0.0.1
            port: 5432
            user: salt
            password: salt
            database: salt

Salt engine definition for Architect service

.. code-block:: yaml

    salt:
      master:
        engine:
          architect:
            engine: architect
            project: project-name
            host: architect-api
            port: 8181
            username: salt
            password: password

Salt engine definition for sending events from docker events

.. code-block:: yaml

    salt:
      master:
        engine:
          docker_events:
            docker_url: unix://var/run/docker.sock

Salt master peer setup for remote certificate signing

.. code-block:: yaml

    salt:
      master:
        peer:
          ".*":
          - x509.sign_remote_certificate

Salt master backup configuration

.. code-block:: yaml

    salt:
      master:
        backup: true
        initial_data:
          engine: backupninja
          home_dir: remote-backup-home-dir
          source: backup-node-host
          host: original-salt-master-id

Configure verbosity of state output (used for `salt` command)

.. code-block:: yaml

    salt:
      master:
        state_output: changes

Pass pillar render error to minion log

.. note:: When set to `False` this option is great for debugging.
   However, it is not recommended for any production environment, as the
   error may contain templating data, such as passwords, that the minion
   should not expose.

.. code-block:: yaml

    salt:
      master:
        pillar_safe_render_error: False

Enable Windows repo support

.. code-block:: yaml

    salt:
      master:
        win_repo:
          source: git
          address: https://github.com/saltstack/salt-winrepo-ng
          revision: master
Event/Reactor Systems
~~~~~~~~~~~~~~~~~~~~~

Salt synchronise node pillar and modules after start

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/*/start:
          - salt://salt/reactor/node_start.sls

Trigger basic node install

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/minion/install:
          - salt://salt/reactor/node_install.sls

Sample event to trigger the node installation

.. code-block:: bash

    salt-call event.send 'salt/minion/install'

Run any defined orchestration pipeline

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/orchestrate/start:
          - salt://salt/reactor/orchestrate_start.sls

Event to trigger the orchestration pipeline

.. code-block:: bash

    salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"

Synchronise modules and pillars on minion start.

.. code-block:: yaml

    salt:
      master:
        reactor:
          'salt/minion/*/start':
          - salt://salt/reactor/minion_start.sls

Add and/or remove the minion key

.. code-block:: yaml

    salt:
      master:
        reactor:
          salt/key/create:
          - salt://salt/reactor/key_create.sls
          salt/key/remove:
          - salt://salt/reactor/key_remove.sls

Event to trigger the key creation

.. code-block:: bash

    salt-call event.send 'salt/key/create' \
    > "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"

.. note::

   You can pass additional `orch_pre_create`, `orch_post_create`,
   `orch_pre_remove` or `orch_post_remove` parameters to the event to call
   extra orchestrate files. This can be useful, for example, for
   registering/unregistering nodes from the monitoring alarms or dashboards.
   The key creation event needs to be run from a machine other than the one
   being registered.

Event to trigger the key removal

.. code-block:: bash

    salt-call event.send 'salt/key/remove'
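Because the ``orch_*`` parameters carried by the ``salt/key/create`` event select which orchestration the master runs, a reactor that consumes them should validate the payload first. The Python below is an added example (not part of the formula's reactor files) of such a check; the allowlist, the ``validate_key_event`` and ``rejects`` names, and the sample payload are assumptions constructed from the ``salt-call`` invocation above.

```python
# Added example, not part of the salt-formula-salt project: validate the
# data dictionary sent with the salt/key/create event before a reactor
# hands any of it to an orchestration.
import ipaddress
import re

NODE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")
SLS_REF_RE = re.compile(r"^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*$")
ORCH_PARAMS = ("orch_pre_create", "orch_post_create",
               "orch_pre_remove", "orch_post_remove")

# Constructed allowlist: orchestrations this master is willing to run on
# request. Anything not listed is refused even if the sls file exists.
ALLOWED_ORCH = {"kubernetes.orchestrate.compute_install"}


def _valid_host(value):
    """Accept an IP address or a DNS name, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return NODE_ID_RE.match(value) is not None


def validate_key_event(data):
    """Return a cleaned copy of the event data or raise ValueError."""
    if not isinstance(data, dict):
        raise ValueError("event data must be a mapping")
    node_id = data.get("node_id")
    node_host = data.get("node_host")
    if not isinstance(node_id, str) or not NODE_ID_RE.match(node_id):
        raise ValueError("node_id missing or malformed")
    if not isinstance(node_host, str) or not _valid_host(node_host):
        raise ValueError("node_host missing or malformed")
    cleaned = {"node_id": node_id, "node_host": node_host}
    for param in ORCH_PARAMS:
        if param not in data:
            continue
        ref = data[param]
        # The orchestration name decides what runs on the master, so it must
        # be a plain dotted sls reference and one the operator allowlisted.
        if not isinstance(ref, str) or not SLS_REF_RE.match(ref):
            raise ValueError("%s is not a valid sls reference" % param)
        if ref not in ALLOWED_ORCH:
            raise ValueError("%s not allowed: %s" % (param, ref))
        cleaned[param] = ref
    extra = data.get("post_create_pillar", {})
    if not isinstance(extra, dict) or not all(isinstance(k, str) for k in extra):
        raise ValueError("post_create_pillar must be a mapping with string keys")
    cleaned["post_create_pillar"] = extra
    return cleaned


def rejects(data):
    """True when validate_key_event refuses the payload."""
    try:
        validate_key_event(data)
    except ValueError:
        return True
    return False


# Constructed event payload, matching the salt-call example above.
SAMPLE_EVENT = {
    "node_id": "id-of-minion",
    "node_host": "172.16.10.100",
    "orch_post_create": "kubernetes.orchestrate.compute_install",
    "post_create_pillar": {"node_name": "id-of-minion"},
}
```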
Control VM provisioning

.. code-block:: yaml

    virt:
      disk:
        three_disks:
          - system:
              size: 4096
              image: ubuntu.qcow
          - repository_snapshot:
              size: 8192
              image: snapshot.qcow
          - cinder-volume:
              size: 2048
      nic:
        control:
          - name: nic01
            bridge: br-pxe
            model: virtio
          - name: nic02
            bridge: br-cp
            model: virtio
          - name: nic03
            bridge: br-store-front
            model: virtio
          - name: nic04
            bridge: br-public
            model: virtio
          - name: nic05
            bridge: br-prv
            model: virtio
            virtualport:
              type: openvswitch

    salt:
      control:
        enabled: true
        virt_enabled: true
        size:
          medium_three_disks:
            cpu: 2
            ram: 4
            disk_profile: three_disks
        cluster:
          mycluster:
            domain: neco.virt.domain.com
            engine: virt
            # Option to set rng globally
            rng: false
            node:
              ubuntu1:
                provider: node01.domain.com
                image: ubuntu.qcow
                size: medium
                img_dest: /var/lib/libvirt/ssdimages
                # Rng defined on the node has higher priority than the global one
                rng:
                  backend: /dev/urandom
                  model: random
                  rate:
                    period: '1800'
                    bytes: '1500'
                mac:
                  nic01: AC:DE:48:AA:AA:AA
                  nic02: AC:DE:48:AA:AA:BB

To enable the Redis plugin for the Salt caching subsystem, use the pillar
structure below.

.. code-block:: yaml

    salt:
      master:
        cache:
          plugin: redis
          host: localhost
          port: 6379
          db: '0'
          password: pass_word
          bank_prefix: 'MCP'
          bank_keys_prefix: 'MCPKEY'
          key_prefix: 'KEY'
          separator: '@'
Jinja options
-------------

Use the following options to update the default Jinja renderer options. Salt
recognises separate Jinja options for templates and for sls files.
For the full list of options check the Jinja documentation:
http://jinja.pocoo.org/docs/api/#high-level-api.

.. code-block:: yaml

    salt:
      renderer:
        # for templates
        jinja: &jinja_env
          # Default Jinja environment options
          block_start_string: '{%'
          block_end_string: '%}'
          variable_start_string: '{{'
          variable_end_string: '}}'
          comment_start_string: '{#'
          comment_end_string: '#}'
          keep_trailing_newline: False
          newline_sequence: '\n'

          # Next two are enabled by default in Salt
          trim_blocks: True
          lstrip_blocks: True

          # Next two are not enabled by default in Salt
          # but worth considering to enable in future for salt-formulas
          line_statement_prefix: '%'
          line_comment_prefix: '##'

        # for .sls state files
        jinja_sls: *jinja_env

With the line_statement_prefix and line_comment_prefix options enabled, the
following code statements are valid:

.. code-block:: yaml

    %- set myvar = 'one'
    ## You can mix even with '{%'
    {%- set myvar = 'two' %} ## comment
    %- set mylist = ['one', 'two', 'three'] ## comment
    ## comment
    %- for item in mylist: ## comment
    {{- item }}
    %- endfor
Encrypted pillars
~~~~~~~~~~~~~~~~~

Note: NACL and the configuration below will be available in Salt > 2017.7.

External resources:

- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html

Configure salt NACL module:

.. code-block:: shell

    pip install --upgrade libnacl===1.5.2
    salt-call --local nacl.keygen /etc/salt/pki/master/nacl

    local:
      saved sk_file:/etc/salt/pki/master/nacl pk_file: /etc/salt/pki/master/nacl.pub

.. code-block:: yaml

    salt:
      master:
        pillar:
          reclass: *reclass
          nacl:
            index: 99
        nacl:
          box_type: sealedbox
          sk_file: /etc/salt/pki/master/nacl
          pk_file: /etc/salt/pki/master/nacl.pub
          #sk: None
          #pk: None

NACL encrypt secrets:

.. code-block:: shell

    salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
    hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q

    # or
    salt-run nacl.enc 'myotherpass'
    ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=

NACL encrypted values on pillar:

Use the boxed syntax `NACL[CryptedValue=]` to encode a value on the pillar:

.. code-block:: yaml

    my_pillar:
      my_nacl:
        key0: unencrypted_value
        key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]

NACL large files:

.. code-block:: shell

    salt-call nacl.enc_file /tmp/cert.crt out=/srv/salt/env/dev/cert.nacl
    # or more advanced
    cert=$(cat /tmp/cert.crt)
    salt-call --out=newline_values_only nacl.enc_pub data="$cert" > /srv/salt/env/dev/cert.nacl

NACL within template/native pillars:

.. code-block:: yaml

    pillarexample:
      user: root
      password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}}
      cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}}
      cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
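A practical check once the boxed ``NACL[...]`` syntax above is in use is to walk the rendered pillar and report secret-looking keys that are still plain text. The Python below is an added example, not code from the formula or from Salt's ``nacl`` module; the key-name heuristic, the ``audit_pillar`` name, and the sample pillar (assembled from the examples on this page) are assumptions of the example, and decryption itself is left to ``salt.nacl`` on the master.

```python
# Added example, not part of the salt-formula-salt project: audit a pillar
# tree for secret-looking keys whose values are not wrapped in NACL[...].
import re
from typing import Any, List, Tuple

# A boxed value is NACL[<base64 ciphertext>] and nothing else.
NACL_BOX_RE = re.compile(r"^NACL\[([A-Za-z0-9+/=]+)\]$")
# Constructed heuristic for key names that usually hold secrets.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|private_key)", re.I)


def is_nacl_boxed(value: Any) -> bool:
    """True when the value uses the NACL[...] box syntax."""
    return isinstance(value, str) and NACL_BOX_RE.match(value) is not None


def unbox(value: str) -> str:
    """Return the base64 ciphertext inside a NACL[...] box, i.e. the string
    that nacl.dec would be given. Raises ValueError for anything else."""
    m = NACL_BOX_RE.match(value)
    if m is None:
        raise ValueError("not a NACL box")
    return m.group(1)


def audit_pillar(tree: Any, path: Tuple[str, ...] = ()) -> List[str]:
    """Walk nested dicts/lists and return 'a:b:c' paths of secret-looking
    keys whose value is a plain string rather than a NACL box."""
    findings: List[str] = []
    if isinstance(tree, dict):
        for key, value in tree.items():
            key_path = path + (str(key),)
            if isinstance(value, (dict, list)):
                findings.extend(audit_pillar(value, key_path))
            elif (SECRET_KEY_RE.search(str(key))
                  and isinstance(value, str)
                  and not is_nacl_boxed(value)):
                findings.append(":".join(key_path))
    elif isinstance(tree, list):
        for idx, item in enumerate(tree):
            findings.extend(audit_pillar(item, path + (str(idx),)))
    return findings


# Constructed pillar mixing examples from this page: one boxed secret, one
# plain-text device password, and the boxed NACL sample values.
SAMPLE_PILLAR = {
    "my_pillar": {"my_nacl": {
        "key0": "unencrypted_value",
        "key1": "NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]",
    }},
    "proxy": {"driver": "junos", "username": "root", "passwd": "r00tme"},
    "salt": {"master": {"cache": {
        "plugin": "redis",
        "password": "NACL[ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=]",
    }}},
}
```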
Salt Syndic
-----------

The master of masters

.. code-block:: yaml

    salt:
      master:
        enabled: true
        order_masters: True

Lower syndicated master

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        master:
          host: master-of-master-host
        timeout: 5

Syndicated master with multiple master of masters

.. code-block:: yaml

    salt:
      syndic:
        enabled: true
        masters:
        - host: master-of-master-host1
        - host: master-of-master-host2
        timeout: 5
Salt Minion
-----------

Simplest Salt minion setup with central configuration node

.. literalinclude:: tests/pillar/minion_master.sls
   :language: yaml

Multi-master Salt minion setup

.. literalinclude:: tests/pillar/minion_multi_master.sls
   :language: yaml

Salt minion with salt mine options

.. literalinclude:: tests/pillar/minion_mine.sls
   :language: yaml

Salt minion with graphing dependencies

.. literalinclude:: tests/pillar/minion_graph.sls
   :language: yaml

Salt minion behind HTTP proxy

.. code-block:: yaml

    salt:
      minion:
        proxy:
          host: 127.0.0.1
          port: 3128

Salt minion with a non-default HTTP backend. The default tornado backend
does not respect HTTP proxy settings set as environment variables. This is
useful for cases where you need to set no_proxy lists.

.. code-block:: yaml

    salt:
      minion:
        backend: urllib2

Salt minion with PKI certificate authority (CA)

.. literalinclude:: tests/pillar/minion_pki_ca.sls
   :language: yaml

Salt minion using PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
   :language: yaml

Salt minion trusting CA certificates issued by the salt CA on a specific host (i.e. the salt-master node)

.. code-block:: yaml

    salt:
      minion:
        trusted_ca_minions:
        - cfg01
Salt Minion Proxy
~~~~~~~~~~~~~~~~~

Salt proxy pillar

.. code-block:: yaml

    salt:
      minion:
        proxy_minion:
          master: localhost
          device:
            vsrx01.mydomain.local:
              enabled: true
              engine: napalm
            csr1000v.mydomain.local:
              enabled: true
              engine: napalm

.. note:: This is the pillar of the real salt-minion

Proxy pillar for IOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: ios
      host: csr1000v.mydomain.local
      username: root
      passwd: r00tme

.. note:: This is the pillar of the node that is not able to run salt-minion itself

Proxy pillar for JunOS device

.. code-block:: yaml

    proxy:
      proxytype: napalm
      driver: junos
      host: vsrx01.mydomain.local
      username: root
      passwd: r00tme
      optional_args:
        config_format: set

.. note:: This is the pillar of the node that is not able to run salt-minion itself
Salt SSH
~~~~~~~~

Salt SSH with sudoer using key

.. literalinclude:: tests/pillar/master_ssh_minion_key.sls
   :language: yaml

Salt SSH with sudoer using password

.. literalinclude:: tests/pillar/master_ssh_minion_password.sls
   :language: yaml

Salt SSH with root using password

.. literalinclude:: tests/pillar/master_ssh_minion_root.sls
   :language: yaml

Salt control (cloud/kvm/docker)
-------------------------------

Salt cloud with local OpenStack provider

.. literalinclude:: tests/pillar/control_cloud_openstack.sls
   :language: yaml

Salt cloud with Digital Ocean provider

.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls
   :language: yaml

Salt virt with KVM cluster

.. literalinclude:: tests/pillar/control_virt.sls
   :language: yaml

Salt virt with custom destination for image file

.. literalinclude:: tests/pillar/control_virt_custom.sls
   :language: yaml
Usage
=====

Working with salt-cloud

.. code-block:: bash

    salt-cloud -m /path/to/map --assume-yes

Debug LIBCLOUD for salt-cloud connection

.. code-block:: bash

    export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all
References
==========

* http://salt.readthedocs.org/en/latest/
* https://github.com/DanielBryan/salt-state-graph
* http://karlgrz.com/testing-salt-states-rapidly-with-docker/
* https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
* http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
* https://github.com/saltstack-formulas/salt-formula
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html

salt-cloud
----------

* http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
* http://cloudinit.readthedocs.org/en/latest/topics/examples.html
* http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
* http://docs.saltstack.com/topics/cloud/digitalocean.html
* http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
* http://salt-cloud.readthedocs.org/en/latest/topics/map.html
* http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html
Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-salt/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-salt

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net