Salt is a new approach to infrastructure management. Easy enough to get running in minutes, scalable enough to manage tens of thousands of servers, and fast enough to communicate with them in seconds.
Salt delivers a dynamic communication bus for infrastructures that can be used for orchestration, remote execution, configuration management and much more.
Salt master with base formulas and pillar metadata backend
.. literalinclude:: tests/pillar/master_single_pillar.sls :language: yaml
Salt master with reclass ENC metadata backend
.. literalinclude:: tests/pillar/master_single_reclass.sls :language: yaml
Salt master with multiple ext_pillars
.. literalinclude:: tests/pillar/master_single_extpillars.sls :language: yaml
Salt master with API
.. literalinclude:: tests/pillar/master_api.sls :language: yaml
Salt master with defined user ACLs
.. literalinclude:: tests/pillar/master_acl.sls :language: yaml
Salt master with preset minions
salt:
master:
enabled: true
minions:
- name: 'node1.system.location.domain.com'
Salt master with pip based installation (optional)
salt:
master:
enabled: true
...
source:
engine: pip
version: 2016.3.0rc2
Install formula through system package management
salt:
master:
enabled: true
...
environment:
prd:
keystone:
source: pkg
name: salt-formula-keystone
nova:
source: pkg
name: salt-formula-keystone
version: 0.1+0~20160818133412.24~1.gbp6e1ebb
postresql:
source: pkg
name: salt-formula-postgresql
version: purged
Formula keystone is installed latest version and the formulas without version are installed in one call to aptpkg module.
If the version attribute is present sls iterates over formulas and take action to install specific version or remove it.
The version attribute may have these values [latest|purged|removed|<VERSION>]
.
Clone master branch of keystone formula as local feature branch
salt:
master:
enabled: true
...
environment:
dev:
formula:
keystone:
source: git
address: git@github.com:openstack/salt-formula-keystone.git
revision: master
branch: feature
Salt master with specified formula refs (for example for Gerrit review)
salt:
master:
enabled: true
...
environment:
dev:
formula:
keystone:
source: git
address: https://git.openstack.org/openstack/salt-formula-keystone
revision: refs/changes/56/123456/1
Salt master with logging handlers
salt:
master:
enabled: true
handler:
handler01:
engine: udp
bind:
host: 127.0.0.1
port: 9999
minion:
handler:
handler01:
engine: udp
bind:
host: 127.0.0.1
port: 9999
handler02:
engine: zmq
bind:
host: 127.0.0.1
port: 9999
Salt engine definition for saltgraph metadata collector
salt:
master:
engine:
graph_metadata:
engine: saltgraph
host: 127.0.0.1
port: 5432
user: salt
password: salt
database: salt
Salt engine definition for sending events from docker events
salt:
master:
engine:
docker_events:
docker_url: unix://var/run/docker.sock
Salt master peer setup for remote certificate signing
salt:
master:
peer:
".*":
- x509.sign_remote_certificate
Configure verbosity of state output (used for salt command)
salt:
master:
state_output: changes
Salt synchronise node pillar and modules after start
salt:
master:
reactor:
salt/minion/*/start:
- salt://salt/reactor/node_start.sls
Trigger basic node install
salt:
master:
reactor:
salt/minion/install:
- salt://salt/reactor/node_install.sls
Sample event to trigger the node installation
salt-call event.send 'salt/minion/install'
Run any defined orchestration pipeline
salt:
master:
reactor:
salt/orchestrate/start:
- salt://salt/reactor/orchestrate_start.sls
Event to trigger the orchestration pipeline
salt-call event.send 'salt/orchestrate/start' "{'orchestrate': 'salt/orchestrate/infra_install.sls'}"
Synchronise modules and pillars on minion start.
salt:
master:
reactor:
'salt/minion/*/start':
- salt://salt/reactor/minion_start.sls
Add and/or remove the minion key
salt:
master:
reactor:
salt/key/create:
- salt://salt/reactor/key_create.sls
salt/key/remove:
- salt://salt/reactor/key_remove.sls
Event to trigger the key creation
salt-call event.send 'salt/key/create' \
> "{'node_id': 'id-of-minion', 'node_host': '172.16.10.100', 'orch_post_create': 'kubernetes.orchestrate.compute_install', 'post_create_pillar': {'node_name': 'id-of-minion'}}"
Note
You can add pass additional orch_pre_create, orch_post_create, orch_pre_remove or orch_post_remove parameters to the event to call extra orchestrate files. This can be useful for example for registering/unregistering nodes from the monitoring alarms or dashboards.
The key creation event needs to be run from other machine than the one being registered.
Event to trigger the key removal
salt-call event.send 'salt/key/remove'
Note: NACL + below configuration will be available in Salt > 2017.7.
External resources:
- Tutorial to configure salt + reclass ext_pillar and nacl: http://apealive.net/post/2017-09-salt-nacl-ext-pillar/
- Saltstack documentation: https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.nacl.html
Configure salt NACL module:
pip install --upgrade libnacl===1.5.2
salt-call --local nacl.keygen /etc/salt/pki/master/nacl
local:
saved sk_file:/etc/salt/pki/master/nacl pk_file: /etc/salt/pki/master/nacl.pub
salt:
master:
pillar:
reclass: *reclass
nacl:
index: 99
nacl:
box_type: sealedbox
sk_file: /etc/salt/pki/master/nacl
pk_file: /etc/salt/pki/master/nacl.pub
#sk: None
#pk: None
NACL encrypt secrets:
- salt-call --local nacl.enc 'my_secret_value' pk_file=/etc/salt/pki/master/nacl.pub
- hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q
# or salt-run nacl.enc 'myotherpass'
ADDFD0Rav6p6+63sojl7Htfrncp5rrDVyeE4BSPO7ipq8fZuLDIVAzQLf4PCbDqi+Fau5KD3/J/E+Pw=
NACL encrypted values on pillar:
Use Boxed syntax NACL[CryptedValue=] to encode value on pillar:
my_pillar:
my_nacl:
key0: unencrypted_value
key1: NACL[hXTkJpC1hcKMS7yZVGESutWrkvzusXfETXkacSklIxYjfWDlMJmR37MlmthdIgjXpg4f2AlBKb8tc9Woma7q]
NACL large files:
NACL within template/native pillars:
- pillarexample:
- user: root password1: {{salt.nacl.dec('DRB7Q6/X5gGSRCTpZyxS6hlbWj0llUA+uaVyvou3vJ4=')|json}} cert_key: {{salt.nacl.dec_file('/srv/salt/env/dev/certs/example.com/cert.nacl')|json}} cert_key2: {{salt.nacl.dec_file('salt:///certs/example.com/cert2.nacl')|json}}
The master of masters
salt:
master:
enabled: true
order_masters: True
Lower syndicated master
salt:
syndic:
enabled: true
master:
host: master-of-master-host
timeout: 5
Syndicated master with multiple master of masters
salt:
syndic:
enabled: true
masters:
- host: master-of-master-host1
- host: master-of-master-host2
timeout: 5
Salt proxy pillar
salt:
minion:
proxy_minion:
master: localhost
device:
vsrx01.mydomain.local:
enabled: true
engine: napalm
csr1000v.mydomain.local:
enabled: true
engine: napalm
Note
This is pillar of the the real salt-minion
Proxy pillar for IOS device
proxy:
proxytype: napalm
driver: ios
host: csr1000v.mydomain.local
username: root
passwd: r00tme
Note
This is pillar of the node thats not able to run salt-minion itself
Proxy pillar for JunOS device
proxy:
proxytype: napalm
driver: junos
host: vsrx01.mydomain.local
username: root
passwd: r00tme
optional_args:
config_format: set
Note
This is pillar of the node thats not able to run salt-minion itself
Salt SSH with sudoer using key
.. literalinclude:: tests/pillar/master_ssh_minion_key.sls :language: yaml
Salt SSH with sudoer using password
.. literalinclude:: tests/pillar/master_ssh_minion_password.sls :language: yaml
Salt SSH with root using password
.. literalinclude:: tests/pillar/master_ssh_minion_root.sls :language: yaml
Simplest Salt minion setup with central configuration node
.. literalinclude:: tests/pillar/minion_master.sls :language: yaml
Multi-master Salt minion setup
.. literalinclude:: tests/pillar/minion_multi_master.sls :language: yaml
Salt minion with salt mine options
.. literalinclude:: tests/pillar/minion_mine.sls :language: yaml
Salt minion with graphing dependencies
.. literalinclude:: tests/pillar/minion_graph.sls :language: yaml
Salt minion behind HTTP proxy
salt:
minion:
proxy:
host: 127.0.0.1
port: 3128
Salt minion to specify non-default HTTP backend. The default tornado backend does not respect HTTP proxy settings set as environment variables. This is useful for cases where you need to set no_proxy lists.
salt:
minion:
backend: urllib2
Salt minion with PKI certificate authority (CA)
.. literalinclude:: tests/pillar/minion_pki_ca.sls :language: yaml
Salt minion using PKI certificate
.. literalinclude:: tests/pillar/minion_pki_cert.sls :language: yaml
Salt minion trust CA certificates issued by salt CA on a specific host (ie: salt-master node)
salt:
minion:
trusted_ca_minions:
- cfg01
Salt cloud with local OpenStack provider
.. literalinclude:: tests/pillar/control_cloud_openstack.sls :language: yaml
Salt cloud with Digital Ocean provider
.. literalinclude:: tests/pillar/control_cloud_digitalocean.sls :language: yaml
Salt virt with KVM cluster
.. literalinclude:: tests/pillar/control_virt.sls :language: yaml
Working with salt-cloud
salt-cloud -m /path/to/map --assume-yes
Debug LIBCLOUD for salt-cloud connection
export LIBCLOUD_DEBUG=/dev/stderr; salt-cloud --list-sizes provider_name --log-level all
- http://salt.readthedocs.org/en/latest/
- https://github.com/DanielBryan/salt-state-graph
- http://karlgrz.com/testing-salt-states-rapidly-with-docker/
- https://mywushublog.com/2013/03/configuration-management-with-salt-stack/
- http://russell.ballestrini.net/replace-the-nagios-scheduler-and-nrpe-with-salt-stack/
- https://github.com/saltstack-formulas/salt-formula
- http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html
- http://www.blog.sandro-mathys.ch/2013/07/setting-user-password-when-launching.html
- http://cloudinit.readthedocs.org/en/latest/topics/examples.html
- http://salt-cloud.readthedocs.org/en/latest/topics/install/index.html
- http://docs.saltstack.com/topics/cloud/digitalocean.html
- http://salt-cloud.readthedocs.org/en/latest/topics/rackspace.html
- http://salt-cloud.readthedocs.org/en/latest/topics/map.html
- http://docs.saltstack.com/en/latest/topics/tutorials/multimaster.html
To learn how to install and update salt-formulas, consult the documentation available online at:
http://salt-formulas.readthedocs.io/
In the unfortunate event that bugs are discovered, they should be reported to the appropriate issue tracker. Use Github issue tracker for specific salt formula:
https://github.com/salt-formulas/salt-formula-salt/issues
For feature requests, bug reports or blueprints affecting entire ecosystem, use Launchpad salt-formulas project:
https://launchpad.net/salt-formulas
You can also join salt-formulas-users team and subscribe to mailing list:
https://launchpad.net/~salt-formulas-users
Developers wishing to work on the salt-formulas projects should always base their work on master branch and submit pull request against specific formula.
https://github.com/salt-formulas/salt-formula-salt
Any questions or feedback is always welcome so feel free to join our IRC channel:
#salt-formulas @ irc.freenode.net