Salt plugin description
This is a plugin that adds a salt layer to a Cloudify agent.
Salt is a software infrastucture used for computer orchestration, remote execution, configuration management, etc.
The plugin is currently under development.
What it does
- Installs a salt minion on specified host.
- Configures the minion with provided parameters; most importantly - to work with a specific master.
- Ensures the minion's key is accepted by the master.
- Starts the minion service.
- Configures minion's grains.
- Executes highstate on the minion.
This is a one-time operation. Further management of minion state is left to the master.
Import the plugin in blueprint.
Add a node of
minion_configsection add address to the salt-master as
- add URL to salt API, as
- add authorisation data, as
properties: minion_config: master: 127.0.0.1 salt_api_url: http(s)://url/to/api/here salt_api_auth_data: eauth: configuration here
Minimum working example
The following is a basic working example:
tosca_definitions_version: cloudify_dsl_1_0 imports: - http://www.getcloudify.org/spec/cloudify/3.1rc1/types.yaml - http://127.0.0.1:8001/plugin.yaml node_templates: my_host: type: cloudify.nodes.Compute properties: ip: 127.0.0.1 cloudify_agent: user: cloudify_user key: /home/cloudify_user/.ssh/id_rsa my_salted_host: type: saltification properties: minion_config: master: 127.0.0.1 salt_api_url: http://127.0.0.1:8000 salt_api_auth_data: eauth: pam username: cloudify_user password: my secret password relationships: - type: cloudify.relationships.contained_in target: my host
Assumptions for the above example
plugin.zipare served on
- Salt master is up and running on
- Salt API is available on
- Salt API is configured to work without SSL.
cloudify_userexists and can be accessed with
my secret password.
cloudify_userhas access to wheel module and is allowed to execute commands on appropriate minions (check salt-auth for more information on eauth topic).
Example Salt master configuration fulfilling the above assumptions:
rest_cherrypy: port: 8000 disable_ssl: True webhook_disable_auth: True external_auth: pam: cloudify_user: - 'my salted host*' - '@wheel'
Plugin easily can be served with Python's SimpleHTTPServer. Run:
python -m SimpleHTTPServer 8001
in a directory containing
plugin.zip. Also edit
plugin.yaml so that it points to localhost.
minion_config- optional - a dictionary of configuration parameters.
Minion's configuration file will be updated with parameters supplied in this dictionary.
salt_api_url- required - URL to master's REST API.
salt_api_auth_data- required - a dictionary containing authorisation data.
grains- optional - a list of grains for current minion.
Format is: a list of pairs (
grain name: grain value), for example:
properties: grains: - my grain: my grain's value 1 - my grain: my grain's value 2 - my other grain: my grain's value
Other optional but useful properties:
minion_id- optional - current minion's identifier.
If not supplied, a generated identifier will be used.
minion_installation_script- optional - path to the installation script.
If not supplied a default script will be used.
session_options- optional - a dictionary of parameters to be injected into
See the documentation of Requestslibrary for details.
logger_injection- optional - a dictionary of logger parameters to be injected into Cloudify logger.
If not specified, no injection will take place.
If specified, a logger will be injected, inheriting Cloudify logger's properties. Log level can be overridden with
By default all authorisation data will be covered in logs. To disable this functionality use
Under the hood
What happens inside during the plugin's lifecycle.
If provided in properties,
minion_installation_script will be called
to do the actual installation. Otherwise there is a default (and recommended)
installation procedure that works on both Debian- and RedHat-derived systems
(it has been tested on RHEL6 and Ubuntu 14.04).
Minion installation takes place **only if** minion package has not already been installed. The actual check is whether `salt-minion` executable is visible in *PATH*.
Remember that the default installation procedure utilises `apt-get` or `yum` which in turn require **Internet access**.
When deciding to provide a custom installation script, bear in mind that:
- the script must return 0 on success, nonzero values are treated as errors,
- it is assumed that minion process will not be running after the installation script exits,
- minion will be installed as a system service, that means - there will be a SYSV init script.
Minion's configuration file will be updated with parameters provided in
minion_config property. This is the right place to put Salt master's IP
or a DNS-resolvable host.
Unless provided explicitly (in
minion_id property) a default ID will
be generated. The plugin will use node's instance ID as minion's identifier
(for example my_salted_host_a4fe3).
It is assumed that minion configuration files reside in default locations, that is:
- main configuration file:
- minion ID file:
- PKI directory:
- public/private key file names:
After successful configuration the minion will be authorised. The process is performed the following way:
- A HTTP session with Salt REST API is initiated. All operations regarding authorisation process are performed over this channel.
- The plugin checks whether the minion has already been authorised.
- The plugin generates a keypair that is already accepted by the master.
- The plugin writes the keypair to PKI directory.
Starting the minion service
After successful configuration and authorisation the minion service is started.
Setting up grains
The first set of operations after starting the minion is setting up
grains property has been defined. This process
is performed over a HTTP session with Salt REST API.
After setting up grains highstate is always executed.