From 4db993a79d3e9fb21c2d6c49172b0c3559d0dcc1 Mon Sep 17 00:00:00 2001 From: Grant Ridder Date: Mon, 9 Jan 2017 15:57:59 -0800 Subject: [PATCH 1/2] Fix inspec salt_spec.rb --- test/integration/default/inspec/salt_spec.rb | 2 +- test/integration/salt-api/inspec/salt_spec.rb | 2 +- test/integration/version-pin/inspec/salt_spec.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/test/integration/default/inspec/salt_spec.rb b/test/integration/default/inspec/salt_spec.rb index e2af42f..3aa146a 100644 --- a/test/integration/default/inspec/salt_spec.rb +++ b/test/integration/default/inspec/salt_spec.rb @@ -4,7 +4,7 @@ its(:stdout) { should match(/default-/) } end -base_dir = os_env('CI') ? 'opt' : 'tmp' +base_dir = ENV['CI'] ? 'opt' : 'tmp' describe file("/#{base_dir}/kitchen/ohai/plugins/salt.rb") do it { should be_file } its(:content) { should match(/^Ohai.plugin\(:Salt\) do\n/) } diff --git a/test/integration/salt-api/inspec/salt_spec.rb b/test/integration/salt-api/inspec/salt_spec.rb index 3060d6f..b449283 100644 --- a/test/integration/salt-api/inspec/salt_spec.rb +++ b/test/integration/salt-api/inspec/salt_spec.rb @@ -4,7 +4,7 @@ its(:stdout) { should match(/salt-api-/) } end -base_dir = os_env('CI') ? 'opt' : 'tmp' +base_dir = ENV['CI'] ? 'opt' : 'tmp' describe file("/#{base_dir}/kitchen/ohai/plugins/salt.rb") do it { should be_file } its(:content) { should match(/^Ohai.plugin\(:Salt\) do\n/) } diff --git a/test/integration/version-pin/inspec/salt_spec.rb b/test/integration/version-pin/inspec/salt_spec.rb index d4ed432..2efdab5 100644 --- a/test/integration/version-pin/inspec/salt_spec.rb +++ b/test/integration/version-pin/inspec/salt_spec.rb @@ -4,7 +4,7 @@ its(:stdout) { should match(/version-pin-/) } end -base_dir = os_env('CI') ? 'opt' : 'tmp' +base_dir = ENV['CI'] ? 'opt' : 'tmp' describe file("/#{base_dir}/kitchen/ohai/plugins/salt.rb") do it { should be_file } its(:content) { should match(/^Ohai.plugin\(:Salt\) do\n/) } 
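Review bot: `ENV['CI']` in the rewritten `base_dir` line reads the environment of the process running InSpec, not of the node under test, so the path choice now depends on where kitchen is invoked; if the target's environment was what the original author meant, `os_env('CI').content` would be the InSpec-resource equivalent, and a one-line comment stating which side is intended would make the switch deliberate, e.g. `# CI is set on the workstation running kitchen, not on the target node`. The same replacement is repeated in the salt-api and version-pin spec hunks, so the comment belongs in all three. Note also that `ENV['CI']` is truthy for any set value, including `CI=false`, so the check is "is the variable present" rather than "is it true".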
From 94076630efa3b82bff18124823e8edb28aeff8cf Mon Sep 17 00:00:00 2001 From: Grant Ridder Date: Mon, 9 Jan 2017 17:38:02 -0800 Subject: [PATCH 2/2] Update templates to v2016.11.1 salt release --- CHANGELOG.md | 2 + recipes/master.rb | 6 +- spec/recipes/master_spec.rb | 110 ++++-- templates/default/master.erb | 646 +++++++++++++++++++++++++++++++---- templates/default/minion.erb | 298 ++++++++++++++-- 5 files changed, 940 insertions(+), 122 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ce7e96..e1d79a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ This file is used to list changes made in each version of the Salt Cookbook - **[PR #29](https://github.com/shortdudey123/chef-salt/pull/29)** - split package repository setup to its own recipe - **[PR #30](https://github.com/shortdudey123/chef-salt/pull/30)** - Set default chefspec platform and version - **[PR #35](https://github.com/shortdudey123/chef-salt/pull/35)** - Switch to using ChefDK +- **[PR #36](https://github.com/shortdudey123/chef-salt/pull/36)** - Add kitchen CI testing +- **[PR #37](https://github.com/shortdudey123/chef-salt/pull/37)** - Update templates to v2016.11.1 salt release ## 2.0.0 (2016-09-13) - Remove CircleCI since TravisCI is already here diff --git a/recipes/master.rb b/recipes/master.rb index f804976..087acbe 100644 --- a/recipes/master.rb +++ b/recipes/master.rb @@ -20,6 +20,9 @@ action :enable end +master_config = node['salt']['master']['config'].to_h +master_config['rest_cherrypy'] = node['salt']['master']['api']['config'].to_h if node['salt']['master']['api']['enable'] + template '/etc/salt/master' do source node['salt']['master']['config_template'] || 'master.erb' cookbook node['salt']['master']['config_cookbook'] || 'salt' 
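Review bot: The new `master_config['rest_cherrypy'] = ...` assignment depends on `node['salt']['master']['config'].to_h` returning a fresh, mutable Hash rather than a view onto the node attribute tree; Chef's Mash#to_hash is a shallow copy as far as I know, so the top-level write is safe, but that intent deserves a comment such as `# to_h yields a plain Hash so the salt-api section can be merged in without touching node attributes`. The trailing-`if` line is also long enough that the condition is easy to miss, and `node['salt']['master']['api']['enable']` is evaluated again in the template's `notifies ... if`; assigning `api_enabled = node['salt']['master']['api']['enable']` once and reusing it in both places would read more clearly. The enclosing recipe continues outside the hunk.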
@@ -27,8 +30,7 @@ group 'root' mode '0644' variables( - api: node['salt']['master']['api'], - config: node['salt']['master']['config'] + config: master_config ) notifies :restart, 'service[salt-master]', :delayed notifies :restart, 'service[salt-api]', :delayed if node['salt']['master']['api']['enable'] diff --git a/spec/recipes/master_spec.rb b/spec/recipes/master_spec.rb index 922714a..fb3eda3 100644 --- a/spec/recipes/master_spec.rb +++ b/spec/recipes/master_spec.rb @@ -32,26 +32,6 @@ group: 'root', mode: '0644', variables: { - api: { - 'enable' => false, - 'install_opts' => nil, - 'package' => 'salt-api', - 'config' => { - 'collect_stats' => false, - 'debug' => false, - 'disable_ssl' => true, - 'expire_responses' => true, - 'host' => '0.0.0.0', - 'max_request_body_size' => 1048576, - 'port' => 8000, - 'socket_queue_size' => 30, - 'ssl_crt' => nil, - 'ssl_key' => nil, - 'thread_pool' => 100, - 'webhook_disable_auth' => false, - 'webhook_url' => '/hook', - }, - }, config: { 'interface' => '0.0.0.0', 'ipv6' => false, 
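Review bot: Dropping `api:` from `variables(...)` is a breaking change for anyone supplying their own template through `node['salt']['master']['config_template']` (visible in the preceding hunk), since a custom template that references `@api` now fails to render; the CHANGELOG entry in this commit only says the templates were updated. A sentence in the changelog or README stating that `@api` is gone and the salt-api settings now arrive as `@config['rest_cherrypy']` would tell those users what to migrate. The template block starts before this hunk.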
@@ -143,6 +123,96 @@ end.converge(described_recipe) end + it 'create /etc/salt/master template' do + expect(chef_run).to create_template('/etc/salt/master').with( + source: 'master.erb', + cookbook: 'salt', + owner: 'root', + group: 'root', + mode: '0644', + variables: { + config: { + 'interface' => '0.0.0.0', + 'ipv6' => false, + 'publish_port' => '4505', + 'user' => 'root', + 'max_open_files' => 100000, + 'worker_threads' => 5, + 'ret_port' => 4506, + 'pidfile' => '/var/run/salt-master.pid', + 'root_dir' => '/', + 'pki_dir' => '/etc/salt/pki/master', + 'cachedir' => '/var/cache/salt/master', + 'verify_env' => true, + 'keep_jobs' => 24, + 'timeout' => 5, + 'loop_interval' => 60, + 'output' => 'nested', + 'show_timeout' => true, + 'color' => true, + 'strip_colors' => false, + 'sock_dir' => '/var/run/salt/master', + 'enable_gpu_grains' => false, + 'job_cache' => true, + 'minion_data_cache' => true, + 'event_return' => nil, + 'event_return_queue' => 0, + 'max_event_size' => 1048576, + 'ping_on_rotate' => false, + 'preserve_minion_cache' => false, + 'con_cache' => false, + 'open_mode' => false, + 'auto_accept' => false, + 'autosign_timeout' => 120, + 'autosign_file' => '/etc/salt/autosign.conf', + 'autoreject_file' => '/etc/salt/autoreject.conf', + 'permissive_pki_access' => false, + 'sudo_acl' => false, + 'token_expire' => 43200, + 'file_recv' => false, + 'file_recv_max_size' => 100, + 'sign_pub_messages' => false, + 'cython_enable' => false, + 'state_top' => 'top.sls', + 'renderer' => 'yaml_jinja', + 'jinja_lstrip_blocks' => false, + 'failhard' => false, + 'state_verbose' => true, + 'state_output' => 'full', + 'state_aggregate' => false, + 'state_events' => false, + 'hash_type' => 'md5', + 'file_buffer_size' => '1048576', + 'fileserver_events' => false, + 'log_file' => '/var/log/salt/master', + 'key_logfile' => '/var/log/salt/key', + 'log_level' => 'warning', + 'log_level_logfile' => 'warning', + 'log_datefmt' => "'%H:%M:%S'", + 'log_datefmt_logfile' => "'%Y-%m-%d 
%H:%M:%S'", + 'log_fmt_console' => "'[%(levelname)-8s] %(message)s'", + 'log_fmt_logfile' => "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'", + 'return' => 'mysql', + 'rest_cherrypy' => { + 'collect_stats' => false, + 'debug' => false, + 'disable_ssl' => true, + 'expire_responses' => true, + 'host' => '0.0.0.0', + 'max_request_body_size' => 1048576, + 'port' => 8000, + 'socket_queue_size' => 30, + 'ssl_crt' => nil, + 'ssl_key' => nil, + 'thread_pool' => 100, + 'webhook_disable_auth' => false, + 'webhook_url' => '/hook', + }, + }, + } + ) + end + it 'install salt-api' do expect(chef_run).to install_package('salt-api').with( version: nil, diff --git a/templates/default/master.erb b/templates/default/master.erb index c1d5598..d9a5201 100644 --- a/templates/default/master.erb +++ b/templates/default/master.erb 
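Review bot: The new 'create /etc/salt/master template' example repeats the full default config hash verbatim and appears to differ from the earlier example's expectation (whose tail is visible in the -32 hunk) only by the added `'rest_cherrypy'` entry, so the two long literals will drift apart the first time a default attribute changes. A `let(:default_master_config)` holding the shared hash, with this presumably api-enabled example asserting `default_master_config.merge('rest_cherrypy' => { ... })`, keeps one source of truth. Note that `'hash_type' => 'md5'` pinned here is the value the template's updated hash_type comment now warns against. The enclosing `context` block starts outside the hunk.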
@@ -12,73 +12,83 @@ #default_include: master.d/*.conf # The address of the interface to bind to: +#interface: 0.0.0.0 +<% unless @config['interface'].nil? -%> interface: <%= @config['interface'] %> +<% end %> # Whether the master should listen for IPv6 connections. If this is set to True, # the interface option must be adjusted, too. (For example: "interface: '::'") #ipv6: False +<% unless @config['ipv6'].nil? -%> ipv6: <%= @config['ipv6'] %> +<% end %> # The tcp port used by the publisher: #publish_port: 4505 +<% unless @config['publish_port'].nil? -%> publish_port: <%= @config['publish_port'] %> +<% end %> # The user under which the salt master will run. Salt will update all # permissions to allow the specified user to run the master. The exception is # the job cache, which must be deleted if this user is changed. If the # modified files cause conflicts, set verify_env to False. #user: root +<% unless @config['user'].nil? -%> user: <%= @config['user'] %> - -# Max open files -# -# Each minion connecting to the master uses AT LEAST one file descriptor, the -# master subscription connection. If enough minions connect you might start -# seeing on the console (and then salt-master crashes): -# Too many open files (tcp_listener.cpp:335) -# Aborted (core dumped) -# -# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for -# max open files. -# -# If you wish to set a different value than the default one, uncomment and -# configure this setting. Remember that this value CANNOT be higher than the -# hard limit. Raising the hard limit depends on your OS and/or distribution, -# a good way to find the limit is to search the internet. For example: -# raise max open files hard limit debian -# -#max_open_files: 100000 -max_open_files: <%= @config['max_open_files'] %> - -# The number of worker threads to start. These threads are used to manage -# return calls made from minions to the master. 
If the master seems to be -# running slowly, increase the number of threads. This setting can not be -# set lower than 3. -#worker_threads: 5 -worker_threads: <%= @config['worker_threads'] %> +<% end %> # The port used by the communication interface. The ret (return) port is the # interface used for the file server, authentication, job returns, etc. #ret_port: 4506 +<% unless @config['ret_port'].nil? -%> ret_port: <%= @config['ret_port'] %> +<% end %> # Specify the location of the daemon process ID file: #pidfile: /var/run/salt-master.pid +<% unless @config['pidfile'].nil? -%> pidfile: <%= @config['pidfile'] %> +<% end %> # The root directory prepended to these options: pki_dir, cachedir, # sock_dir, log_file, autosign_file, autoreject_file, extension_modules, # key_logfile, pidfile: #root_dir: / +<% unless @config['root_dir'].nil? -%> root_dir: <%= @config['root_dir'] %> +<% end %> + +# The path to the master's configuration file. +#conf_file: /etc/salt/master +<% unless @config['conf_file'].nil? -%> +conf_file: <%= @config['conf_file'] %> +<% end %> # Directory used to store public key data: #pki_dir: /etc/salt/pki/master +<% unless @config['pki_dir'].nil? -%> pki_dir: <%= @config['pki_dir'] %> +<% end %> + +# Key cache. Increases master speed for large numbers of accepted +# keys. Available options: 'sched'. (Updates on a fixed schedule.) +# Note that enabling this feature means that minions will not be +# available to target for up to the length of the maintanence loop +# which by default is 60s. +#key_cache: '' +<% unless @config['key_cache'].nil? -%> +key_cache: <%= @config['key_cache'] %> +<% end %> # Directory to store job and cache data: +# This directory may contain sensitive data and should be protected accordingly. +# #cachedir: /var/cache/salt/master +<% unless @config['cachedir'].nil? -%> cachedir: <%= @config['cachedir'] %> +<% end %> # Directory for custom modules. 
This directory can contain subdirectories for # each of Salt's module types such as "runners", "output", "wheel", "modules", 
@@ -87,68 +97,116 @@ cachedir: <%= @config['cachedir'] %> # Directory for custom modules. This directory can contain subdirectories for # each of Salt's module types such as "runners", "output", "wheel", "modules", -# "states", "returners", etc. +# "states", "returners", "engines", etc. # Like 'extension_modules' but can take an array of paths #module_dirs: # - /var/cache/salt/minion/extmods # Verify and set permissions on configuration directories at startup: #verify_env: True +<% unless @config['verify_env'].nil? -%> verify_env: <%= @config['verify_env'] %> +<% end %> # Set the number of hours to keep old job information in the job cache: #keep_jobs: 24 +<% unless @config['keep_jobs'].nil? -%> keep_jobs: <%= @config['keep_jobs'] %> +<% end %> + +# The number of seconds to wait when the client is requesting information +# about running jobs. +#gather_job_timeout: 10 +<% unless @config['gather_job_timeout'].nil? -%> +gather_job_timeout: <%= @config['gather_job_timeout'] %> +<% end %> # Set the default timeout for the salt command and api. The default is 5 # seconds. #timeout: 5 +<% unless @config['timeout'].nil? -%> timeout: <%= @config['timeout'] %> +<% end %> # The loop_interval option controls the seconds for the master's maintenance # process check cycle. This process updates file server backends, cleans the # job cache and executes the scheduler. #loop_interval: 60 +<% unless @config['loop_interval'].nil? -%> loop_interval: <%= @config['loop_interval'] %> +<% end %> # Set the default outputter used by the salt command. The default is "nested". #output: nested +<% unless @config['output'].nil? -%> output: <%= @config['output'] %> +<% end %> + +# Set the default output file used by the salt command. Default is to output +# to the CLI and not to a file. Functions the same way as the "--out-file" +# CLI option, only sets this to a single file for all salt commands. +#output_file: None +<% unless @config['output_file'].nil? 
-%> +output_file: <%= @config['output_file'] %> +<% end %> # Return minions that timeout when running commands like test.ping #show_timeout: True +<% unless @config['show_timeout'].nil? -%> show_timeout: <%= @config['show_timeout'] %> +<% end %> # By default, output is colored. To disable colored output, set the color value # to False. #color: True +<% unless @config['color'].nil? -%> color: <%= @config['color'] %> +<% end %> # Do not strip off the colored output from nested results and state outputs # (true by default). # strip_colors: False +<% unless @config['strip_colors'].nil? -%> strip_colors: <%= @config['strip_colors'] %> +<% end %> + +# To display a summary of the number of minions targeted, the number of +# minions returned, and the number of minions that did not return, set the +# cli_summary value to True. (False by default.) +# +#cli_summary: False +<% unless @config['cli_summary'].nil? -%> +cli_summary: <%= @config['cli_summary'] %> +<% end %> # Set the directory used to hold unix sockets: #sock_dir: /var/run/salt/master +<% unless @config['sock_dir'].nil? -%> sock_dir: <%= @config['sock_dir'] %> +<% end %> # The master can take a while to start up when lspci and/or dmidecode is used # to populate the grains for the master. Enable if you want to see GPU hardware # data for your master. # enable_gpu_grains: False +<% unless @config['enable_gpu_grains'].nil? -%> enable_gpu_grains: <%= @config['enable_gpu_grains'] %> +<% end %> # The master maintains a job cache. While this is a great addition, it can be # a burden on the master for larger deployments (over 5000 minions). # Disabling the job cache will make previously executed jobs unavailable to # the jobs system and is not generally recommended. #job_cache: True +<% unless @config['job_cache'].nil? -%> job_cache: <%= @config['job_cache'] %> +<% end %> # Cache minion grains and pillar data in the cachedir. #minion_data_cache: True +<% unless @config['minion_data_cache'].nil? 
-%> minion_data_cache: <%= @config['minion_data_cache'] %> +<% end %> # Store all returns in the given returner. # Setting this option requires that any returner-specific configuration also 
@@ -156,31 +214,36 @@ minion_data_cache: <%= @config['minion_data_cache'] %> # configuration values. (See also, event_return_queue below.) # #event_return: mysql -<% if @config['event_return'] -%>event_return: <%= @config['event_return'] %> -<% end -%> +<% unless @config['event_return'].nil? -%> +event_return: <%= @config['event_return'] %> +<% end %> # On busy systems, enabling event_returns can cause a considerable load on # the storage system for returners. Events can be queued on the master and # stored in a batched fashion using a single transaction for multiple events. # By default, events are not queued. #event_return_queue: 0 +<% unless @config['event_return_queue'].nil? -%> event_return_queue: <%= @config['event_return_queue'] %> +<% end %> -# Only events returns matching tags in a whitelist -# event_return_whitelist: -# - salt/master/a_tag -# - salt/master/another_tag +# Only return events matching tags in a whitelist, supports glob matches. +#event_return_whitelist: +# - salt/master/a_tag +# - salt/run/*/ret -# Store all event returns _except_ the tags in a blacklist -# event_return_blacklist: -# - salt/master/not_this_tag -# - salt/master/or_this_one +# Store all event returns **except** the tags in a blacklist, supports globs. +#event_return_blacklist: +# - salt/master/not_this_tag +# - salt/wheel/*/ret # Passing very large events can cause the minion to consume large amounts of # memory. This value tunes the maximum size of a message allowed onto the # master event bus. The value is expressed in bytes. #max_event_size: 1048576 +<% unless @config['max_event_size'].nil? -%> max_event_size: <%= @config['max_event_size'] %> +<% end %> # By default, the master AES key rotates every 24 hours. The next command # following a key rotation will trigger a key refresh from the minion which may 
@@ -197,7 +260,9 @@ max_event_size: <%= @config['max_event_size'] %> # If disabled, it is recommended to handle this event by listening for the # 'aes_key_rotate' event with the 'key' tag and acting appropriately. # ping_on_rotate: False +<% unless @config['ping_on_rotate'].nil? -%> ping_on_rotate: <%= @config['ping_on_rotate'] %> +<% end %> # By default, the master deletes its cache of minion data when the key for that # minion is removed. To preserve the cache after key deletion, set @@ -206,7 +271,9 @@ ping_on_rotate: <%= @config['ping_on_rotate'] %> # WARNING: This may have security implications if compromised minions auth with # a previous deleted minion ID. #preserve_minion_cache: False +<% unless @config['preserve_minion_cache'].nil? -%> preserve_minion_cache: <%= @config['preserve_minion_cache'] %> +<% end %> # If max_minions is used in large installations, the master might experience # high-load situations because of having to check the number of connected @@ -214,7 +281,9 @@ preserve_minion_cache: <%= @config['preserve_minion_cache'] %> # all connected minions to all MWorker-processes and greatly improves the # performance of max_minions. # con_cache: False +<% unless @config['con_cache'].nil? -%> con_cache: <%= @config['con_cache'] %> +<% end %> # The master can include configuration from other files. To enable this, # pass a list of paths to this option. The paths can be either relative or 
@@ -231,6 +300,85 @@ con_cache: <%= @config['con_cache'] %> # - /etc/salt/extra_config +##### Large-scale tuning settings ##### +########################################## +# Max open files +# +# Each minion connecting to the master uses AT LEAST one file descriptor, the +# master subscription connection. If enough minions connect you might start +# seeing on the console (and then salt-master crashes): +# Too many open files (tcp_listener.cpp:335) +# Aborted (core dumped) +# +# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for +# max open files. +# +# If you wish to set a different value than the default one, uncomment and +# configure this setting. Remember that this value CANNOT be higher than the +# hard limit. Raising the hard limit depends on your OS and/or distribution, +# a good way to find the limit is to search the internet. For example: +# raise max open files hard limit debian +# +#max_open_files: 100000 +<% unless @config['max_open_files'].nil? -%> +max_open_files: <%= @config['max_open_files'] %> +<% end %> + +# The number of worker threads to start. These threads are used to manage +# return calls made from minions to the master. If the master seems to be +# running slowly, increase the number of threads. This setting can not be +# set lower than 3. +#worker_threads: 5 +<% unless @config['worker_threads'].nil? -%> +worker_threads: <%= @config['worker_threads'] %> +<% end %> + +# Set the ZeroMQ high water marks +# http://api.zeromq.org/3-2:zmq-setsockopt + +# The publisher interface ZeroMQPubServerChannel +#pub_hwm: 1000 +<% unless @config['pub_hwm'].nil? -%> +pub_hwm: <%= @config['pub_hwm'] %> +<% end %> + +# These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm +# are significant for masters with thousands of minions. When these are +# insufficiently high it will manifest in random responses missing in the CLI +# and even missing from the job cache. 
Masters that have fast CPUs and many +# cores with appropriate worker_threads will not need these set as high. + +# On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has +# these settings: +# +# salt_event_pub_hwm: 128000 +# event_publisher_pub_hwm: 64000 + +# ZMQ high-water-mark for SaltEvent pub socket +#salt_event_pub_hwm: 20000 +<% unless @config['salt_event_pub_hwm'].nil? -%> +salt_event_pub_hwm: <%= @config['salt_event_pub_hwm'] %> +<% end %> + +# ZMQ high-water-mark for EventPublisher pub socket +#event_publisher_pub_hwm: 10000 +<% unless @config['event_publisher_pub_hwm'].nil? -%> +event_publisher_pub_hwm: <%= @config['event_publisher_pub_hwm'] %> +<% end %> + +# The master may allocate memory per-event and not +# reclaim it. +# To set a high-water mark for memory allocation, use +# ipc_write_buffer to set a high-water mark for message +# buffering. +# Value: In bytes. Set to 'dynamic' to have Salt select +# a value for you. Default is disabled. +# ipc_write_buffer: 'dynamic' +<% unless @config['ipc_write_buffer'].nil? -%> +ipc_write_buffer: <%= @config['ipc_write_buffer'] %> +<% end %> + + ##### Security settings ##### ########################################## # Enable "open mode", this mode still maintains encryption, but turns off 
@@ -238,31 +386,41 @@ con_cache: <%= @config['con_cache'] %> # the situation where your keys end up in a bad state. If you run in open mode # you do so at your own risk! #open_mode: False +<% unless @config['open_mode'].nil? -%> open_mode: <%= @config['open_mode'] %> +<% end %> # Enable auto_accept, this setting will automatically accept all incoming # public keys from the minions. Note that this is insecure. #auto_accept: False +<% unless @config['auto_accept'].nil? -%> auto_accept: <%= @config['auto_accept'] %> +<% end %> -# Time in minutes that a incoming public key with a matching name found in +# Time in minutes that an incoming public key with a matching name found in # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys # are removed when the master checks the minion_autosign directory. # 0 equals no timeout # autosign_timeout: 120 +<% unless @config['autosign_timeout'].nil? -%> autosign_timeout: <%= @config['autosign_timeout'] %> +<% end %> # If the autosign_file is specified, incoming keys specified in the # autosign_file will be automatically accepted. This is insecure. Regular # expressions as well as globing lines are supported. #autosign_file: /etc/salt/autosign.conf +<% unless @config['autosign_file'].nil? -%> autosign_file: <%= @config['autosign_file'] %> +<% end %> # Works like autosign_file, but instead allows you to specify minion IDs for # which keys will automatically be rejected. Will override both membership in # the autosign_file and the auto_accept setting. #autoreject_file: /etc/salt/autoreject.conf +<% unless @config['autoreject_file'].nil? -%> autoreject_file: <%= @config['autoreject_file'] %> +<% end %> # Enable permissive access to the salt keys. This allows you to run the # master or minion as root, but have a non-root group be given access to 
@@ -271,13 +429,15 @@ autoreject_file: <%= @config['autoreject_file'] %> # is specified, enabling permissive_pki_access will allow group access to that # specific file. #permissive_pki_access: False +<% unless @config['permissive_pki_access'].nil? -%> permissive_pki_access: <%= @config['permissive_pki_access'] %> +<% end %> # Allow users on the master access to execute specific commands on minions. # This setting should be treated with care since it opens up execution # capabilities to non root users. By default this capability is completely # disabled. -#client_acl: +#publisher_acl: # larry: # - test.ping # - network.* @@ -288,18 +448,29 @@ permissive_pki_access: <%= @config['permissive_pki_access'] %> # running any commands. It would also blacklist any use of the "cmd" # module. This is completely disabled by default. # -#client_acl_blacklist: +# +# Check the list of configured users in client ACL against users on the +# system and throw errors if they do not exist. +#client_acl_verify: True +# +#publisher_acl_blacklist: # users: # - root # - '^(?!sudo_).*$' # all non sudo users # modules: # - cmd +# +# WARNING: client_acl and client_acl_blacklist options are deprecated and will +# be removed in the future releases. Use publisher_acl and +# publisher_acl_blacklist instead. -# Enforce client_acl & client_acl_blacklist when users have sudo +# Enforce publisher_acl & publisher_acl_blacklist when users have sudo # access to the salt command. # #sudo_acl: False +<% unless @config['sudo_acl'].nil? -%> sudo_acl: <%= @config['sudo_acl'] %> +<% end %> # The external auth system uses the Salt auth modules to authenticate and # validate users to access areas of the Salt system. 
@@ -310,17 +481,35 @@ sudo_acl: <%= @config['sudo_acl'] %> # # Time (in seconds) for a newly generated token to live. Default: 12 hours #token_expire: 43200 +<% unless @config['token_expire'].nil? -%> token_expire: <%= @config['token_expire'] %> +<% end %> +# +# Allow eauth users to specify the expiry time of the tokens they generate. +# A boolean applies to all users or a dictionary of whitelisted eauth backends +# and usernames may be given. +# token_expire_user_override: +# pam: +# - fred +# - tom +# ldap: +# - gary +# +#token_expire_user_override: False # Allow minions to push files to the master. This is disabled by default, for # security purposes. #file_recv: False +<% unless @config['file_recv'].nil? -%> file_recv: <%= @config['file_recv'] %> +<% end %> # Set a hard-limit on the size of the files that can be pushed to the master. # It will be interpreted as megabytes. Default: 100 #file_recv_max_size: 100 +<% unless @config['file_recv_max_size'].nil? -%> file_recv_max_size: <%= @config['file_recv_max_size'] %> +<% end %> # Signature verification on messages published from the master. # This causes the master to cryptographically sign all messages published to its event 
@@ -336,13 +525,33 @@ file_recv_max_size: <%= @config['file_recv_max_size'] %> # will be logged. This behavior went away in Salt 2014.1.0 and these two situations # will cause minion to throw an exception and drop the message. # sign_pub_messages: False +<% unless @config['sign_pub_messages'].nil? -%> sign_pub_messages: <%= @config['sign_pub_messages'] %> +<% end %> + +# Use TLS/SSL encrypted connection between master and minion. +# Can be set to a dictionary containing keyword arguments corresponding to Python's +# 'ssl.wrap_socket' method. +# Default is None. +#ssl: +# keyfile: +# certfile: +# ssl_version: PROTOCOL_TLSv1_2 ##### Salt-SSH Configuration ##### ########################################## # Pass in an alternative location for the salt-ssh roster file #roster_file: /etc/salt/roster +<% unless @config['roster_file'].nil? -%> +roster_file: <%= @config['roster_file'] %> +<% end %> + +# The log file of the salt-ssh command: +#ssh_log_file: /var/log/salt/ssh +<% unless @config['ssh_log_file'].nil? -%> +ssh_log_file: <%= @config['ssh_log_file'] %> +<% end %> # Pass in minion option overrides that will be inserted into the SHIM for # salt-ssh calls. The local minion config is not used for salt-ssh. Can be @@ -350,6 +559,13 @@ sign_pub_messages: <%= @config['sign_pub_messages'] %> #ssh_minion_opts: # gpg_keydir: /root/gpg +# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh +# authentication with minions +#ssh_use_home_key: False +<% unless @config['ssh_use_home_key'].nil? -%> +ssh_use_home_key: <%= @config['ssh_use_home_key'] %> +<% end %> + ##### Master Module Management ##### ########################################## # Manage how master side modules are loaded. @@ -359,7 +575,9 @@ sign_pub_messages: <%= @config['sign_pub_messages'] %> # Enable Cython for master side modules: #cython_enable: False +<% unless @config['cython_enable'].nil? -%> cython_enable: <%= @config['cython_enable'] %> +<% end %> ##### State System settings ##### 
@@ -368,7 +586,9 @@ cython_enable: <%= @config['cython_enable'] %> # use and what modules to use. The state_top file is defined relative to the # root of the base environment as defined in "File Server settings" below. #state_top: top.sls +<% unless @config['state_top'].nil? -%> state_top: <%= @config['state_top'] %> +<% end %> # The master_tops option replaces the external_nodes option by creating # a plugable system for the generation of external top data. The external_nodes @@ -389,7 +609,9 @@ state_top: <%= @config['state_top'] %> # The renderer to use on the minions to render the state data #renderer: yaml_jinja +<% unless @config['renderer'].nil? -%> renderer: <%= @config['renderer'] %> +<% end %> # The Jinja renderer can strip extra carriage returns and whitespace # See http://jinja.pocoo.org/docs/api/#high-level-api @@ -403,19 +625,25 @@ renderer: <%= @config['renderer'] %> # of a line to a block. Defaults to False, corresponds to the Jinja # environment init variable "lstrip_blocks". #jinja_lstrip_blocks: False +<% unless @config['jinja_lstrip_blocks'].nil? -%> jinja_lstrip_blocks: <%= @config['jinja_lstrip_blocks'] %> +<% end %> # The failhard option tells the minions to stop immediately after the first # failure detected in the state execution, defaults to False #failhard: False +<% unless @config['failhard'].nil? -%> failhard: <%= @config['failhard'] %> +<% end %> # The state_verbose and state_output settings can be used to change the way # state system data is printed to the display. By default all data is printed. # The state_verbose setting can be set to True or False, when set to False # all data that has a result of True and no changes will be suppressed. #state_verbose: True +<% unless @config['state_verbose'].nil? -%> state_verbose: <%= @config['state_verbose'] %> +<% end %> # The state_output setting changes if the output is the full multi line # output for each changed state if set to 'full', but if set to 'terse' 
@@ -423,7 +651,9 @@ state_verbose: <%= @config['state_verbose'] %> # will be terse unless a state failed, in which case that output will be full. # If set to 'changes', the output will be full unless the state didn't change. #state_output: full +<% unless @config['state_output'].nil? -%> state_output: <%= @config['state_output'] %> +<% end %> # Automatically aggregate all states that have support for mod_aggregate by # setting to 'True'. Or pass a list of state module names to automatically @@ -433,13 +663,17 @@ state_output: <%= @config['state_output'] %> # - pkg # #state_aggregate: False +<% unless @config['state_aggregate'].nil? -%> state_aggregate: <%= @config['state_aggregate'] %> +<% end %> # Send progress events as each function in a state run completes execution # by setting to 'True'. Progress events are in the format # 'salt/job//prog//'. #state_events: False +<% unless @config['state_events'].nil? -%> state_events: <%= @config['state_events'] %> +<% end %> ##### File Server settings ##### ########################################## 
@@ -465,19 +699,43 @@ state_events: <%= @config['state_events'] %> #file_roots: # base: # - /srv/salt +# + +# When using multiple environments, each with their own top file, the +# default behaviour is an unordered merge. To prevent top files from +# being merged together and instead to only use the top file from the +# requested environment, set this value to 'same'. +#top_file_merging_strategy: merge + +# To specify the order in which environments are merged, set the ordering +# in the env_order option. Given a conflict, the last matching value will +# win. +#env_order: ['base', 'dev', 'prod'] + +# If top_file_merging_strategy is set to 'same' and an environment does not +# contain a top file, the top file in the environment specified by default_top +# will be used instead. +#default_top: base # The hash_type is the hash to use when discovering the hash of a file on -# the master server. The default is md5, but sha1, sha224, sha256, sha384 +# the master server. The default is md5 but sha1, sha224, sha256, sha384 # and sha512 are also supported. # +# WARNING: While md5 is also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# # Prior to changing this value, the master should be stopped and all Salt # caches should be cleared. -#hash_type: md5 +#hash_type: sha256 +<% unless @config['hash_type'].nil? -%> hash_type: <%= @config['hash_type'] %> +<% end %> # The buffer size in the file server can be adjusted here: #file_buffer_size: 1048576 +<% unless @config['file_buffer_size'].nil? -%> file_buffer_size: <%= @config['file_buffer_size'] %> +<% end %> # A regular expression (or a list of expressions) that will be matched # against the file path before syncing the modules and states to the minions. 
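Review bot: The updated comment block now documents `#hash_type: sha256` and warns against md5, but the rendered value still comes from `@config['hash_type']`, and the spec added in this same commit (spec/recipes/master_spec.rb, -143 hunk) pins the cookbook default at `'hash_type' => 'md5'`, so nodes converged with default attributes keep writing `hash_type: md5` and override upstream's new default. Changing the cookbook's default attribute to `sha256` would follow the template's own guidance; as the comment says, that should be paired with stopping the master and clearing caches, so it may warrant its own change and CHANGELOG line rather than being folded into a template refresh. Until then, a comment in the attributes file recording that the md5 default is kept for cache compatibility would at least document the decision.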
@@ -537,14 +795,64 @@ file_buffer_size: <%= @config['file_buffer_size'] %> # these are disabled by default, but can be easily turned on by setting this # flag to True #fileserver_events: False +<% unless @config['fileserver_events'].nil? -%> fileserver_events: <%= @config['fileserver_events'] %> +<% end %> # Git File Server Backend Configuration # -# Gitfs can be provided by one of two python modules: GitPython or pygit2. If -# using pygit2, both libgit2 and git must also be installed. -#gitfs_provider: gitpython -# +# Optional parameter used to specify the provider to be used for gitfs. Must +# be one of the following: pygit2, gitpython, or dulwich. If unset, then each +# will be tried in that same order, and the first one with a compatible +# version installed will be the provider that is used. +#gitfs_provider: pygit2 +<% unless @config['gitfs_provider'].nil? -%> +gitfs_provider: <%= @config['gitfs_provider'] %> +<% end %> + +# Along with gitfs_password, is used to authenticate to HTTPS remotes. +# gitfs_user: '' +<% unless @config['gitfs_user'].nil? -%> +gitfs_user: <%= @config['gitfs_user'] %> +<% end %> + +# Along with gitfs_user, is used to authenticate to HTTPS remotes. +# This parameter is not required if the repository does not use authentication. +#gitfs_password: '' +<% unless @config['gitfs_password'].nil? -%> +gitfs_password: <%= @config['gitfs_password'] %> +<% end %> + +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. +# This parameter enables authentication over HTTP. Enable this at your own risk. +#gitfs_insecure_auth: False +<% unless @config['gitfs_insecure_auth'].nil? -%> +gitfs_insecure_auth: <%= @config['gitfs_insecure_auth'] %> +<% end %> + +# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to +# authenticate to SSH remotes. This parameter (or its per-remote counterpart) +# is required for SSH remotes. +#gitfs_pubkey: '' +<% unless @config['gitfs_pubkey'].nil? 
-%> +gitfs_pubkey: <%= @config['gitfs_pubkey'] %> +<% end %> + +# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to +# authenticate to SSH remotes. This parameter (or its per-remote counterpart) +# is required for SSH remotes. +#gitfs_privkey: '' +<% unless @config['gitfs_privkey'].nil? -%> +gitfs_privkey: <%= @config['gitfs_privkey'] %> +<% end %> + +# This parameter is optional, required only when the SSH key being used to +# authenticate is protected by a passphrase. +#gitfs_passphrase: '' +<% unless @config['gitfs_passphrase'].nil? -%> +gitfs_passphrase: <%= @config['gitfs_passphrase'] %> +<% end %> + # When using the git fileserver backend at least one git remote needs to be # defined. The user running the salt master will need read access to the repo. # @@ -552,7 +860,7 @@ fileserver_events: <%= @config['fileserver_events'] %> # and the first repo to have the file will return it. # When using the git backend branches and tags are translated into salt # environments. -# Note: file:// repos will be treated as a remote, so refs you want used must +# Note: file:// repos will be treated as a remote, so refs you want used must # exist in that repo as *local* refs. #gitfs_remotes: # - git://github.com/saltstack/salt-states.git @@ -603,7 +911,7 @@ fileserver_events: <%= @config['fileserver_events'] %> # master config file that can then be used on minions. #pillar_opts: False -# The pillar_safe_render_error option prevents the master from passing piller +# The pillar_safe_render_error option prevents the master from passing pillar # render errors to the minion. This is set on by default because the error could # contain templating data which would give that minion information it shouldn't # have, like a password! When set true the error message will only show: 
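Review bot: `gitfs_password` and `gitfs_passphrase` are now interpolated straight from node attributes into /etc/salt/master, which makes them secrets that pass through the node object, the converge log and the rendered file (`gitfs_privkey`/`gitfs_pubkey` are only paths). The `template '/etc/salt/master'` resource in recipes/master.rb is only partly visible in this patch; it should carry `sensitive true` so Chef does not print the rendered diff, and an explicit owner and `mode '0640'` so only the master's user can read the file. Plain node attributes are persisted to the Chef server, so the README should recommend sourcing these values from an encrypted data bag or vault rather than attributes. The values are also emitted unquoted, so a password containing `#` or `: ` would corrupt the YAML; `gitfs_password: <%= @config['gitfs_password'].to_s.to_json %>` yields a safely quoted scalar.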
@@ -611,22 +919,127 @@ fileserver_events: <%= @config['fileserver_events'] %> #pillar_safe_render_error: True # The pillar_source_merging_strategy option allows you to configure merging strategy -# between different sources. It accepts four values: recurse, aggregate, overwrite, -# or smart. Recurse will merge recursively mapping of data. Aggregate instructs -# aggregation of elements between sources that use the #!yamlex renderer. Overwrite -# will verwrite elements according the order in which they are processed. This is +# between different sources. It accepts five values: none, recurse, aggregate, overwrite, +# or smart. None will not do any merging at all. Recurse will merge recursively mapping of data. +# Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite +# will overwrite elements according the order in which they are processed. This is # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based # on the "renderer" setting and is the default value. #pillar_source_merging_strategy: smart +# Recursively merge lists by aggregating them instead of replacing them. +#pillar_merge_lists: False + +# Set this option to 'True' to force a 'KeyError' to be raised whenever an +# attempt to retrieve a named value from pillar fails. When this option is set +# to 'False', the failed attempt returns an empty string. Default is 'False'. +#pillar_raise_on_missing: False + +# Git External Pillar (git_pillar) Configuration Options +# +# Specify the provider to be used for git_pillar. Must be either pygit2 or +# gitpython. If unset, then both will be tried in that same order, and the +# first one with a compatible version installed will be the provider that +# is used. +#git_pillar_provider: pygit2 + +# If the desired branch matches this value, and the environment is omitted +# from the git_pillar configuration, then the environment for that git_pillar +# remote will be base. 
+#git_pillar_base: master + +# If the branch is omitted from a git_pillar remote, then this branch will +# be used instead +#git_pillar_branch: master + +# Environment to use for git_pillar remotes. This is normally derived from +# the branch/tag (or from a per-remote env parameter), but if set this will +# override the process of deriving the env from the branch/tag name. +#git_pillar_env: '' + +# Path relative to the root of the repository where the git_pillar top file +# and SLS files are located. +#git_pillar_root: '' + +# Specifies whether or not to ignore SSL certificate errors when contacting +# the remote repository. +#git_pillar_ssl_verify: False + +# When set to False, if there is an update/checkout lock for a git_pillar +# remote and the pid written to it is not running on the master, the lock +# file will be automatically cleared and a new lock will be obtained. +#git_pillar_global_lock: True + +# Git External Pillar Authentication Options +# +# Along with git_pillar_password, is used to authenticate to HTTPS remotes. +#git_pillar_user: '' + +# Along with git_pillar_user, is used to authenticate to HTTPS remotes. +# This parameter is not required if the repository does not use authentication. +#git_pillar_password: '' + +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. +# This parameter enables authentication over HTTP. +#git_pillar_insecure_auth: False + +# Along with git_pillar_privkey (and optionally git_pillar_passphrase), +# is used to authenticate to SSH remotes. +#git_pillar_pubkey: '' + +# Along with git_pillar_pubkey (and optionally git_pillar_passphrase), +# is used to authenticate to SSH remotes. +#git_pillar_privkey: '' + +# This parameter is optional, required only when the SSH key being used +# to authenticate is protected by a passphrase. +#git_pillar_passphrase: '' + +# A master can cache pillars locally to bypass the expense of having to render them +# for each minion on every request. 
This feature should only be enabled in cases +# where pillar rendering time is known to be unsatisfactory and any attendant security +# concerns about storing pillars in a master cache have been addressed. +# +# When enabling this feature, be certain to read through the additional ``pillar_cache_*`` +# configuration options to fully understand the tunable parameters and their implications. +# +# Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars. +# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html +#pillar_cache: False + +# If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount +# of time, in seconds, before the cache is considered invalid by a master and a fresh +# pillar is recompiled and stored. +#pillar_cache_ttl: 3600 + +# If and only if a master has set `pillar_cache: True`, one of several storage providers +# can be utililzed. +# +# `disk`: The default storage backend. This caches rendered pillars to the master cache. +# Rendered pillars are serialized and deserialized as msgpack structures for speed. +# Note that pillars are stored UNENCRYPTED. Ensure that the master cache +# has permissions set appropriately. (Same defaults are provided.) +# +# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python +# in-memory data structure for maximal performance. There are several caveats, +# however. First, because each master worker contains its own in-memory cache, +# there is no guarantee of cache consistency between minion requests. This +# works best in situations where the pillar rarely if ever changes. Secondly, +# and perhaps more importantly, this means that unencrypted pillars will +# be accessible to any process which can examine the memory of the ``salt-master``! +# This may represent a substantial security risk. 
+# +#pillar_cache_backend: disk + ##### Syndic settings ##### ########################################## # The Salt syndic is used to pass commands through a master from a higher -# master. Using the syndic is simple, if this is a master that will have -# syndic servers(s) below it set the "order_masters" setting to True, if this -# is a master that will be running a syndic daemon for passthrough the -# "syndic_master" setting needs to be set to the location of the master server +# master. Using the syndic is simple. If this is a master that will have +# syndic servers(s) below it, then set the "order_masters" setting to True. +# +# If this is a master that will be running a syndic daemon for passthrough, then +# the "syndic_master" setting needs to be set to the location of the master server # to receive commands from. # Set the order_masters setting to True if this master will command lower @@ -635,7 +1048,7 @@ fileserver_events: <%= @config['fileserver_events'] %> # If this master will be running a salt syndic daemon, syndic_master tells # this master where to receive commands from. -#syndic_master: masterofmaster +#syndic_master: masterofmasters # This is the 'ret_port' of the MasterOfMaster: #syndic_master_port: 4506 @@ -643,8 +1056,14 @@ fileserver_events: <%= @config['fileserver_events'] %> # PID file of the syndic daemon: #syndic_pidfile: /var/run/salt-syndic.pid -# LOG file of the syndic daemon: -#syndic_log_file: syndic.log +# The log file of the salt-syndic daemon: +#syndic_log_file: /var/log/salt/syndic + +# The behaviour of the multi-syndic when connection to a master of masters failed. +# Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters +# will be iterated in random order. If ``ordered`` is specified, the configured +# order will be used. +#syndic_failover: random ##### Peer Publish settings ##### 
@@ -689,7 +1108,7 @@ fileserver_events: <%= @config['fileserver_events'] %>
 #
 #
 ##### Mine settings #####
-##########################################
+#####################################
 # Restrict mine.get access from minions. By default any minion has a full access
 # to get all mine data from master cache. In acl definion below, only pcre matches
 # are allowed.
@@ -718,36 +1137,70 @@ fileserver_events: <%= @config['fileserver_events'] %> #log_file: /var/log/salt/master #log_file: file:///dev/log #log_file: udp://loghost:10514 +<% unless @config['log_file'].nil? -%> log_file: <%= @config['log_file'] %> +<% end %> #log_file: /var/log/salt/master #key_logfile: /var/log/salt/key +<% unless @config['key_logfile'].nil? -%> key_logfile: <%= @config['key_logfile'] %> +<% end %> # The level of messages to send to the console. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# #log_level: warning +<% unless @config['log_level'].nil? -%> log_level: <%= @config['log_level'] %> +<% end %> # The level of messages to send to the log file. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. # If using 'log_granular_levels' this must be set to the highest desired level. #log_level_logfile: warning +<% unless @config['log_level_logfile'].nil? -%> log_level_logfile: <%= @config['log_level_logfile'] %> +<% end %> -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' +<% unless @config['log_datefmt'].nil? -%> log_datefmt: <%= @config['log_datefmt'] %> +<% end %> +<% unless @config['log_datefmt_logfile'].nil? -%> log_datefmt_logfile: <%= @config['log_datefmt_logfile'] %> +<% end %> # The format of the console logging messages. 
Allowed formatting options can # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes +# +# Console log colors are specified by these additional formatters: +# +# %(colorlevel)s +# %(colorname)s +# %(colorprocess)s +# %(colormsg)s +# +# Since it is desirable to include the surrounding brackets, '[' and ']', in +# the coloring of the messages, these color formatters also include padding as +# well. Color LogRecord attributes are only available for console logging. +# +#log_fmt_console: '%(colorlevel)s %(colormsg)s' #log_fmt_console: '[%(levelname)-8s] %(message)s' -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' +# +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s' +<% unless @config['log_fmt_console'].nil? -%> log_fmt_console: <%= @config['log_fmt_console'] %> +<% end %> +<% unless @config['log_fmt_logfile'].nil? -%> log_fmt_logfile: <%= @config['log_fmt_logfile'] %> +<% end %> # This can be used to control logging levels more specificically. This # example sets the main salt library at the 'warning' level, but sets 
@@ -759,13 +1212,20 @@ log_fmt_logfile: <%= @config['log_fmt_logfile'] %> #log_granular_levels: {} -##### Node Groups ##### +##### Node Groups ###### ########################################## -# Node groups allow for logical groupings of minion nodes. A group consists of a group -# name and a compound target. +# Node groups allow for logical groupings of minion nodes. A group consists of +# a group name and a compound target. Nodgroups can reference other nodegroups +# with 'N@' classifier. Ensure that you do not have circular references. +# #nodegroups: -# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' +# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' # group2: 'G@os:Debian and foo.domain.com' +# group3: 'G@os:Debian and N@group1' +# group4: +# - 'G@foo:bar' +# - 'or' +# - 'G@foo:baz' ##### Range Cluster settings ##### 
@@ -776,27 +1236,63 @@ log_fmt_logfile: <%= @config['log_fmt_logfile'] %> #range_server: range:80 -##### Windows Software Repo settings ##### -############################################## +##### Windows Software Repo settings ##### +########################################### # Location of the repo on the master: -#win_repo: '/srv/salt/win/repo' +#winrepo_dir_ng: '/srv/salt/win/repo-ng' +# +# List of git repositories to include with the local repo: +#winrepo_remotes_ng: +# - 'https://github.com/saltstack/salt-winrepo-ng.git' + + +##### Windows Software Repo settings - Pre 2015.8 ##### +######################################################## +# Legacy repo settings for pre-2015.8 Windows minions. +# +# Location of the repo on the master: +#winrepo_dir: '/srv/salt/win/repo' # # Location of the master's repo cache file: -#win_repo_mastercachefile: '/srv/salt/win/repo/winrepo.p' +#winrepo_mastercachefile: '/srv/salt/win/repo/winrepo.p' # # List of git repositories to include with the local repo: -#win_gitrepos: +#winrepo_remotes: # - 'https://github.com/saltstack/salt-winrepo.git' + ##### Returner settings ###### ############################################ # Which returner(s) will be used for minion's result: #return: mysql +<% unless @config['return'].nil? -%> return: <%= @config['return'] %> -<% if @api[:enable] -%> +<% end %> + + +###### Miscellaneous settings ###### +############################################ +# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch +#event_match_type: startswith +<% unless @config['event_match_type'].nil? -%> +event_match_type: <%= @config['event_match_type'] %> +<% end %> + +# Save runner returns to the job cache +#runner_returns: True +<% unless @config['runner_returns'].nil? -%> +runner_returns: <%= @config['runner_returns'] %> +<% end %> + +# Permanently include any available Python 3rd party modules into Salt Thin +# when they are generated for Salt-SSH or other purposes. 
+# The modules should be named by the names they are actually imported inside the Python. +# The value of the parameters can be either one module or a comma separated list of them. +#thin_extra_mods: foo,bar +<% unless @config['rest_cherrypy'].nil? -%> rest_cherrypy: - <% @api[:config].sort.each do |key, value| -%> + <% @config['rest_cherrypy'].sort.each do |key, value| -%> <%= key %>: <%= value %> <% end %> <% end %> diff --git a/templates/default/minion.erb b/templates/default/minion.erb index c648ec3..e117abd 100644 --- a/templates/default/minion.erb +++ b/templates/default/minion.erb @@ -13,6 +13,7 @@ # Set the location of the salt master server. If the master server cannot be # resolved, then the minion will fail to start. +#master: salt <%- if @master.length == 1 %> master: <%= @master.first %> <%- elsif @master.length > 1 %> 
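Review bot: `<%= value %>` inside the rest_cherrypy loop emits Ruby's `to_s` of the attribute value, so a nested Hash or Array (Ruby prints `{"a"=>1}`) would not be valid YAML for a nested mapping; only scalar values render correctly, and it is not determinable from this patch whether nested api config is expected. Either document that above the loop, e.g. `# rest_cherrypy values must be scalars; nested mappings are not rendered`, or render every value as `<%= key %>: <%= value.to_json %>`, since JSON flow syntax is valid YAML and also quotes strings that contain `#` or `: `. Replacing the old `@api[:enable]` guard with a nil check on `@config['rest_cherrypy']` is consistent with recipes/master.rb, which only sets that key when the api is enabled.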
@@ -22,28 +23,54 @@ master: <%- end %> <%- end %> +# Set http proxy information for the minion when doing requests +#proxy_host: +#proxy_port: +#proxy_username: +#proxy_password: + # If multiple masters are specified in the 'master' setting, the default behavior # is to always try to connect to them in the order they are listed. If random_master is # set to True, the order will be randomized instead. This can be helpful in distributing # the load of many minions executing salt-call requests, for example, from a cron job. # If only one master is listed, this setting is ignored and a warning will be logged. +# NOTE: If master_type is set to failover, use master_shuffle instead. #random_master: False +# Use if master_type is set to failover. +#master_shuffle: False + # Minions can connect to multiple masters simultaneously (all masters # are "hot"), or can be configured to failover if a master becomes # unavailable. Multiple hot masters are configured by setting this # value to "str". Failover masters can be requested by setting # to "failover". MAKE SURE TO SET master_alive_interval if you are # using failover. +# Setting master_type to 'disable' let's you have a running minion (with engines and +# beacons) without a master connection # master_type: str # Poll interval in seconds for checking if the master is still there. Only -# respected if master_type above is "failover". +# respected if master_type above is "failover". To disable the interval entirely, +# set the value to -1. (This may be necessary on machines which have high numbers +# of TCP connections, such as load balancers.) # master_alive_interval: 30 +# If the minion is in multi-master mode and the master_type configuration option +# is set to "failover", this setting can be set to "True" to force the minion +# to fail back to the first master in the list if the first master is back online. 
+#master_failback: False + +# If the minion is in multi-master mode, the "master_type" configuration is set to +# "failover", and the "master_failback" option is enabled, the master failback +# interval can be set to ping the top master with this interval, in seconds. +#master_failback_interval: 0 + # Set whether the minion should connect to the master via IPv6: #ipv6: False +<% unless @config['ipv6'].nil? -%> ipv6: <%= @config['ipv6'] %> +<% end %> # Set the number of seconds to wait before attempting to resolve # the master hostname if name resolution fails. Defaults to 30 seconds. 
@@ -52,37 +79,73 @@ ipv6: <%= @config['ipv6'] %> # Set the port used by the master reply and authentication server. #master_port: 4506 +<% unless @config['master_port'].nil? -%> master_port: <%= @config['master_port'] %> +<% end %> # The user to run salt. #user: root +<% unless @config['user'].nil? -%> user: <%= @config['user'] %> - -# Setting sudo_user will cause salt to run all execution modules under an sudo -# to the user given in sudo_user. The user under which the salt minion process -# itself runs will still be that provided in the user config above, but all -# execution modules run by the minion will be rerouted through sudo. -#sudo_user: saltdev +<% end %> + +# The user to run salt remote execution commands as via sudo. If this option is +# enabled then sudo will be used to change the active user executing the remote +# command. If enabled the user will need to be allowed access via the sudoers +# file for the user that the salt minion is configured to run as. The most +# common option would be to use the root user. If this option is set the user +# option should also be set to a non-root user. If migrating from a root minion +# to a non root minion the minion cache should be cleared and the minion pki +# directory will need to be changed to the ownership of the new user. +#sudo_user: root +<% unless @config['sudo_user'].nil? -%> +sudo_user: <%= @config['sudo_user'] %> +<% end %> # Specify the location of the daemon process ID file. #pidfile: /var/run/salt-minion.pid +<% unless @config['pidfile'].nil? -%> pidfile: <%= @config['pidfile'] %> +<% end %> # The root directory prepended to these options: pki_dir, cachedir, log_file, # sock_dir, pidfile. #root_dir: / +<% unless @config['root_dir'].nil? -%> root_dir: <%= @config['root_dir'] %> +<% end %> + +# The path to the minion's configuration file. +#conf_file: /etc/salt/minion +<% unless @config['conf_file'].nil? 
-%> +conf_file: <%= @config['conf_file'] %> +<% end %> # The directory to store the pki information in #pki_dir: /etc/salt/pki/minion +<% unless @config['pki_dir'].nil? -%> pki_dir: <%= @config['pki_dir'] %> +<% end %> # Explicitly declare the id for this minion to use, if left commented the id # will be the hostname as returned by the python call: socket.getfqdn() # Since salt uses detached ids it is possible to run multiple minions on the # same machine but with different ids, this can be useful for salt compute # clusters. +#id: +<% unless @config['id'].nil? -%> id: <%= @config['id'] %> +<% end %> + +# Cache the minion id to a file when the minion's id is not statically defined +# in the minion config. Defaults to "True". This setting prevents potential +# problems when automatic minion id resolution changes, which can cause the +# minion to lose connection with the master. To turn off minion id caching, +# set this config to ``False``. +#minion_id_caching: True +<% unless @config['minion_id_caching'].nil? -%> +minion_id_caching: <%= @config['minion_id_caching'] %> +<% end %> # Append a domain to a hostname in the event that it does not exist. This is # useful for systems where socket.getfqdn() does not actually result in a 
@@ -119,12 +182,24 @@ grains: # # Where cache data goes. +# This data may contain sensitive data and should be protected accordingly. #cachedir: /var/cache/salt/minion +<% unless @config['cachedir'].nil? -%> cachedir: <%= @config['cachedir'] %> +<% end %> + +# Append minion_id to these directories. Helps with +# multiple proxies and minions running on the same machine. +# Allowed elements in the list: pki_dir, cachedir, extension_modules +# Normally not needed unless running several proxies and/or minions on the same machine +# Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions +#append_minionid_config_dirs: # Verify and set permissions on configuration directories at startup. #verify_env: True +<% unless @config['verify_env'].nil? -%> verify_env: <%= @config['verify_env'] %> +<% end %> # The minion can locally cache the return data from jobs sent to it, this # can be a good way to keep track of jobs the minion has executed @@ -134,7 +209,9 @@ verify_env: <%= @config['verify_env'] %> # Set the directory used to hold unix sockets. #sock_dir: /var/run/salt/minion +<% unless @config['sock_dir'].nil? -%> sock_dir: <%= @config['sock_dir'] %> +<% end %> # Set the default outputter used by the salt-call command. The default is # "nested". @@ -143,12 +220,16 @@ sock_dir: <%= @config['sock_dir'] %> # By default output is colored. To disable colored output, set the color value # to False. #color: True +<% unless @config['color'].nil? -%> color: <%= @config['color'] %> +<% end %> # Do not strip off the colored output from nested results and state outputs # (true by default). # strip_colors: False +<% unless @config['strip_colors'].nil? -%> strip_colors: <%= @config['strip_colors'] %> +<% end %> # Backup files that are replaced by file.managed and file.recurse under # 'cachedir'/file_backups relative to their original location and appended 
@@ -189,12 +270,28 @@ strip_colors: <%= @config['strip_colors'] %> # will wait for acceptance_wait_time seconds before trying again. Unless your master # is under unusually heavy load, this should be left at the default. #auth_timeout: 60 +<% unless @config['auth_timeout'].nil? -%> auth_timeout: <%= @config['auth_timeout'] %> +<% end %> # Number of consecutive SaltReqTimeoutError that are acceptable when trying to # authenticate. #auth_tries: 7 +# The number of attempts to connect to a master before giving up. +# Set this to -1 for unlimited attempts. This allows for a master to have +# downtime and the minion to reconnect to it later when it comes back up. +# In 'failover' mode, it is the number of attempts for each set of masters. +# In this mode, it will cycle through the list of masters for each attempt. +# +# This is different than auth_tries because auth_tries attempts to +# retry auth attempts with a single master. auth_tries is under the +# assumption that you can connect to the master but not gain +# authorization from it. master_tries will still cycle through all +# the masters in a given try, so it is appropriate if you expect +# occasional downtime from the master(s). +#master_tries: 1 + # If authentication fails due to SaltReqTimeoutError during a ping_interval, # cause sub minion process to restart. #auth_safemode: False 
@@ -273,11 +370,26 @@ auth_timeout: <%= @config['auth_timeout'] %> # # # The loop_interval sets how long in seconds the minion will wait between -# evaluating the scheduler and running cleanup tasks. This defaults to a -# sane 60 seconds, but if the minion scheduler needs to be evaluated more -# often lower this value -#loop_interval: 60 +# evaluating the scheduler and running cleanup tasks. This defaults to 1 +# second on the minion scheduler. +#loop_interval: 1 +<% unless @config['loop_interval'].nil? -%> loop_interval: <%= @config['loop_interval'] %> +<% end %> + +# Some installations choose to start all job returns in a cache or a returner +# and forgo sending the results back to a master. In this workflow, jobs +# are most often executed with --async from the Salt CLI and then results +# are evaluated by examining job caches on the minions or any configured returners. +# WARNING: Setting this to False will **disable** returns back to the master. +#pub_ret: True + + +# The grains can be merged, instead of overridden, using this option. +# This allows custom grains to defined different subvalues of a dictionary +# grain. By default this feature is disabled, to enable set grains_deep_merge +# to ``True``. +#grains_deep_merge: False # The grains_refresh_every setting allows for a minion to periodically check # its grains to see if they have changed and, if so, to inform the master 
@@ -294,12 +406,37 @@ loop_interval: <%= @config['loop_interval'] %> # Cache grains on the minion. Default is False. #grains_cache: False +# Cache rendered pillar data on the minion. Default is False. +# This may cause 'cachedir'/pillar to contain sensitive data that should be +# protected accordingly. +#minion_pillar_cache: False + # Grains cache expiration, in seconds. If the cache file is older than this # number of seconds then the grains cache will be dumped and fully re-populated # with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache' # is not enabled. # grains_cache_expiration: 300 +# Determines whether or not the salt minion should run scheduled mine updates. +# Defaults to "True". Set to "False" to disable the scheduled mine updates +# (this essentially just does not add the mine update function to the minion's +# scheduler). +#mine_enabled: True + +# Determines whether or not scheduled mine updates should be accompanied by a job +# return for the job cache. Defaults to "False". Set to "True" to include job +# returns in the job cache for mine updates. +#mine_return_job: False + +# Example functions that can be run via the mine facility +# NO mine functions are established by default. +# Note these can be defined in the minion's pillar as well. +#mine_functions: +# test.ping: [] +# network.ip_addrs: +# interface: eth0 +# cidr: '10.0.0.0/8' + # Windows platforms lack posix IPC and must rely on slower TCP based inter- # process communications. Set ipc_mode to 'tcp' on such systems #ipc_mode: ipc 
@@ -333,16 +470,33 @@ loop_interval: <%= @config['loop_interval'] %> #include: # - /etc/salt/extra_config # - /etc/roles/webserver + +# The syndic minion can verify that it is talking to the correct master via the +# key fingerprint of the higher-level master with the "syndic_finger" config. +#syndic_finger: '' # # # ##### Minion module management ##### ########################################## # Disable specific modules. This allows the admin to limit the level of -# access the master has to the minion. -#disable_modules: [cmd,test] +# access the master has to the minion. The default here is the empty list, +# below is an example of how this needs to be formatted in the config file +#disable_modules: +# - cmdmod +# - test #disable_returners: [] -# + +# This is the reverse of disable_modules. The default, like disable_modules, is the empty list, +# but if this option is set to *anything* then *only* those modules will load. +# Note that this is a very large hammer and it can be quite difficult to keep the minion working +# the way you think it should since Salt uses many modules internally itself. At a bare minimum +# you need the following enabled or else the minion won't start. +#whitelist_modules: +# - cmdmod +# - test +# - config + # Modules can be loaded from arbitrary paths. This enables the easy deployment # of third party modules. Modules for returners and minions can be loaded. # Specify a list of extra directories to search for minion modules and 
@@ -388,9 +542,7 @@ loop_interval: <%= @config['loop_interval'] %> # failure detected in the state execution. Defaults to False. #failhard: False # -# autoload_dynamic_modules turns on automatic loading of modules found in the -# environments on the master. This is turned on by default. To turn of -# autoloading modules when states run, set this value to False. +# Reload the modules prior to a highstate run. #autoload_dynamic_modules: True # # clean_dynamic_modules keeps the dynamic modules on the minion in sync with @@ -405,6 +557,15 @@ loop_interval: <%= @config['loop_interval'] %> # environments is to isolate via the top file. #environment: None # +# Isolates the pillar environment on the minion side. This functions the same +# as the environment setting, but for pillar instead of states. +#pillarenv: None +# +# Set this option to 'True' to force a 'KeyError' to be raised whenever an +# attempt to retrieve a named value from pillar fails. When this option is set +# to 'False', the failed attempt returns an empty string. Default is 'False'. +#pillar_raise_on_missing: False +# # If using the local file directory, then the state top file name needs to be # defined, by default this is top.sls. #state_top: top.sls @@ -441,7 +602,8 @@ loop_interval: <%= @config['loop_interval'] %> # Set the file client. The client defaults to looking on the master server for # files, but can be directed to look at the local file directory setting -# defined below by setting it to local. +# defined below by setting it to "local". Setting a local file_client runs the +# minion in masterless mode. #file_client: remote # The file directory works on environments passed to the minion, each environment 
@@ -463,6 +625,18 @@ loop_interval: <%= @config['loop_interval'] %> # base: # - /srv/salt +# Uncomment the line below if you do not want the file_server to follow +# symlinks when walking the filesystem tree. This is set to True +# by default. Currently this only applies to the default roots +# fileserver_backend. +#fileserver_followsymlinks: False +# +# Uncomment the line below if you do not want symlinks to be +# treated as the files they are pointing to. By default this is set to +# False. By uncommenting the line below, any detected symlink while listing +# files on the Master will not be returned to the Minion. +#fileserver_ignoresymlinks: True +# # By default, the Salt fileserver recurses fully into all defined environments # to attempt to find files. To limit this behavior so that the fileserver only # traverses directories with SLS files and special Salt directories like _modules, @@ -471,14 +645,22 @@ loop_interval: <%= @config['loop_interval'] %> # is False. #fileserver_limit_traversal: False -# The hash_type is the hash to use when discovering the hash of a file in +# The hash_type is the hash to use when discovering the hash of a file on # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 # and sha512 are also supported. # +# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# +# WARNING: While md5 is also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# # Warning: Prior to changing this value, the minion should be stopped and all # Salt caches should be cleared. -#hash_type: md5 +#hash_type: sha256 +<% unless @config['hash_type'].nil? -%> hash_type: <%= @config['hash_type'] %> +<% end %> # The Salt pillar is searched for locally if file_client is set to local. If # this is the case, and pillar data is defined, then the pillar_roots need to 
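Review bot: Wrapping `hash_type` in `<% unless @config['hash_type'].nil? -%>` changes what a nil attribute produces: the old template always emitted the key (an empty `hash_type:` for nil), whereas now the key is omitted and the minion falls back to whatever the installed Salt build compiles in, which is not necessarily the `sha256` shown in the updated example comment. Because the text right above the key warns that the minion must be stopped and all caches cleared before `hash_type` changes, the cookbook's attribute default for this key should be explicit (e.g. `sha256`) rather than nil, so a salt package upgrade cannot silently flip the effective hash; the attribute file is outside this diff, so I could not confirm its current value. The two consecutive `WARNING:` paragraphs say the same thing — keeping only the first (`md5 and sha1`) would read better, though this text looks copied from upstream.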
@@ -486,6 +668,10 @@ hash_type: <%= @config['hash_type'] %> #pillar_roots: # base: # - /srv/pillar + +# Set a hard-limit on the size of the files that can be pushed to the master. +# It will be interpreted as megabytes. Default: 100 +#file_recv_max_size: 100 # # ###### Security settings ##### @@ -495,27 +681,35 @@ hash_type: <%= @config['hash_type'] %> # the situation where your keys end up in a bad state. If you run in open mode # you do so at your own risk! #open_mode: False +<% unless @config['open_mode'].nil? -%> open_mode: <%= @config['open_mode'] %> +<% end %> # Enable permissive access to the salt keys. This allows you to run the # master or minion as root, but have a non-root group be given access to # your pki_dir. To make the access explicit, root must belong to the group # you've given access to. This is potentially quite insecure. #permissive_pki_access: False +<% unless @config['permissive_pki_access'].nil? -%> permissive_pki_access: <%= @config['permissive_pki_access'] %> +<% end %> # The state_verbose and state_output settings can be used to change the way # state system data is printed to the display. By default all data is printed. # The state_verbose setting can be set to True or False, when set to False # all data that has a result of True and no changes will be suppressed. #state_verbose: True +<% unless @config['state_verbose'].nil? -%> state_verbose: <%= @config['state_verbose'] %> +<% end %> # The state_output setting changes if the output is the full multi line # output for each changed state if set to 'full', but if set to 'terse' # the output will be shortened to a single line. #state_output: full +<% unless @config['state_output'].nil? -%> state_output: <%= @config['state_output'] %> +<% end %> # The state_output_diff setting changes whether or not the output from # successful states is returned. Useful when even the terse output of these 
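Review bot: The `.nil?` guards around `open_mode` and `permissive_pki_access` are the right test here — an attribute set to `false` still renders an explicit deny and only an unset attribute falls back to the minion's default — but that distinction is easy to lose if someone later "simplifies" them to `<% if @config['open_mode'] -%>`, which would silently drop explicit `false` values for two keys that, when true, bypass the minion's key-authentication controls. Suggest a short template comment above the first guard: `<%# .nil? rather than truthiness: an explicit false must still be rendered %>`. The same rationale applies to every guard introduced in this patch, so one comment at this first occurrence is enough.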
@@ -528,9 +722,18 @@ state_output: <%= @config['state_output'] %> # Fingerprint of the master public key to validate the identity of your Salt master # before the initial key exchange. The master fingerprint can be found by running -# "salt-key -F master" on the Salt master. +# "salt-key -f master.pub" on the Salt master. #master_finger: '' +# Use TLS/SSL encrypted connection between master and minion. +# Can be set to a dictionary containing keyword arguments corresponding to Python's +# 'ssl.wrap_socket' method. +# Default is None. +#ssl: +# keyfile: +# certfile: +# ssl_version: PROTOCOL_TLSv1_2 + ###### Thread settings ##### ########################################### 
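Review bot: `master_finger` stays a commented example while the other security keys in this patch gained `<% unless @config[...].nil? -%>` guards, so a cookbook user cannot pin the master's key fingerprint through `@config` from this part of the template — unless it is rendered elsewhere in the file, which this hunk does not show. Since `master_finger` is what lets the minion refuse an impostor master before the initial key exchange, it deserves the same treatment: `<% unless @config['master_finger'].nil? -%>` / `master_finger: <%= @config['master_finger'] %>` / `<% end %>`. The new `ssl:` block is likewise documentation only; if the cookbook intends to support it, the nested mapping needs its own rendering rather than a scalar interpolation.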
@@ -552,35 +755,72 @@ state_output: <%= @config['state_output'] %> # #log_file: /var/log/salt/minion #key_logfile: /var/log/salt/key +<% unless @config['log_file'].nil? -%> log_file: <%= @config['log_file'] %> +<% end %> +<% unless @config['key_logfile'].nil? -%> key_logfile: <%= @config['key_logfile'] %> +<% end %> # The level of messages to send to the console. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# # Default: 'warning' #log_level: warning +<% unless @config['log_level'].nil? -%> log_level: <%= @config['log_level'] %> +<% end %> + # The level of messages to send to the log file. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. # If using 'log_granular_levels' this must be set to the highest desired level. # Default: 'warning' #log_level_logfile: +<% unless @config['log_level_logfile'].nil? -%> log_level_logfile: <%= @config['log_level_logfile'] %> +<% end %> + -# The date and time format used in log messages. Allowed date/time formating +# The date and time format used in log messages. Allowed date/time formatting # can be seen here: http://docs.python.org/library/time.html#time.strftime #log_datefmt: '%H:%M:%S' #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' +<% unless @config['log_datefmt'].nil? -%> log_datefmt: <%= @config['log_datefmt'] %> +<% end %> +<% unless @config['log_datefmt_logfile'].nil? -%> log_datefmt_logfile: <%= @config['log_datefmt_logfile'] %> +<% end %> + # The format of the console logging messages. 
Allowed formatting options can # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes +# +# Console log colors are specified by these additional formatters: +# +# %(colorlevel)s +# %(colorname)s +# %(colorprocess)s +# %(colormsg)s +# +# Since it is desirable to include the surrounding brackets, '[' and ']', in +# the coloring of the messages, these color formatters also include padding as +# well. Color LogRecord attributes are only available for console logging. +# +#log_fmt_console: '%(colorlevel)s %(colormsg)s' #log_fmt_console: '[%(levelname)-8s] %(message)s' -#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' +# +#log_fmt_logfile: '%(asctime)s,%(msecs)03d [%(name)-17s][%(levelname)-8s] %(message)s' +<% unless @config['log_fmt_console'].nil? -%> log_fmt_console: <%= @config['log_fmt_console'] %> +<% end %> +<% unless @config['log_fmt_logfile'].nil? -%> log_fmt_logfile: <%= @config['log_fmt_logfile'] %> +<% end %> # This can be used to control logging levels more specificically. This # example sets the main salt library at the 'warning' level, but sets @@ -592,7 +832,7 @@ log_fmt_logfile: <%= @config['log_fmt_logfile'] %> #log_granular_levels: {} # To diagnose issues with minions disconnecting or missing returns, ZeroMQ -# supports the use of monitor sockets # to log connection events. This +# supports the use of monitor sockets to log connection events. This # feature requires ZeroMQ 4.0 or higher. # # To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a 
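Review bot: The doubled blank `+` lines after the `<% end %>` for `log_level_logfile` and `log_datefmt_logfile` (and the extra one after `log_level`) give the rendered file double spacing that the rest of this section does not have; one blank line between settings, as used elsewhere in the hunk, keeps the output consistent. Separately, the upstream text added here flags `garbage`, `trace` and `debug` as levels that may log sensitive data, while `log_level` and `log_level_logfile` are rendered verbatim from attributes with nothing in the template calling that out; a one-line reminder in the cookbook's attribute documentation that those levels are for troubleshooting only would help operators.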
@@ -604,7 +844,7 @@ log_fmt_logfile: <%= @config['log_fmt_logfile'] %>
 # 'value': 27, 'description': 'EVENT_DISCONNECTED'}
 #
 # All events logged will include the string 'ZeroMQ event'. A connection event
-# should be logged on the as the minion starts up and initially connects to the
+# should be logged as the minion starts up and initially connects to the
 # master. If not, check for debug log level and that the necessary version of
 # ZeroMQ is installed.
 #
@@ -682,4 +922,12 @@ log_fmt_logfile: <%= @config['log_fmt_logfile'] %>
 ############################################
 # Which returner(s) will be used for minion's result:
 #return: mysql
+<% unless @config['return'].nil? -%>
 return: <%= @config['return'] %>
+<% end %>
+
+
+###### Miscellaneous settings ######
+############################################
+# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
+#event_match_type: startswith