merge options from 2015.8.7 version in f_defaults.conf

2016-02-20 21:07:17 +01:00 · 2016-02-20 21:07:17 +01:00 · bfcaca38a6
commit bfcaca38a6
parent 8573ba96e2
1 changed files with 224 additions and 71 deletions
--- a/salt/files/master.d/f_defaults.conf
+++ b/salt/files/master.d/f_defaults.conf
@ -1,5 +1,5 @@
 # This file managed by Salt, do not edit by hand!!
-#  Based on salt version 2014.7 default config
+# Based on salt version 2015.8.7 default config
 {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs'] -%}
 {% set cfg_salt = pillar.get('salt', {}) -%}
 {% set cfg_master = cfg_salt.get('master', {}) -%}
@ -15,10 +15,11 @@
 {%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
 ##### Primary configuration settings #####
 ##########################################
-# This configuration file is used to manage the behavior of the Salt Master
-# Values that are commented out but have no space after the comment are
-# defaults that need not be set in the config. If there is a space after the
-# comment that the value is presented as an example and is not the default.
+# This configuration file is used to manage the behavior of the Salt Master.
+# Values that are commented out but have an empty line after the comment are
+# defaults that do not need to be set in the config. If there is no blank line
+# after the comment then the value is presented as an example and is not the
+# default.

 # Per default, the master will automatically include all config files
 # from master.d/*.conf (master.d is a directory in the same directory
@ -41,30 +42,6 @@
 # modified files cause conflicts, set verify_env to False.
 {{ get_config('user', 'root') }}

-# Max open files
-#
-# Each minion connecting to the master uses AT LEAST one file descriptor, the
-# master subscription connection. If enough minions connect you might start
-# seeing on the console (and then salt-master crashes):
-#   Too many open files (tcp_listener.cpp:335)
-#   Aborted (core dumped)
-#
-# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
-# max open files.
-#
-# If you wish to set a different value than the default one, uncomment and
-# configure this setting. Remember that this value CANNOT be higher than the
-# hard limit. Raising the hard limit depends on your OS and/or distribution,
-# a good way to find the limit is to search the internet. For example:
-#   raise max open files hard limit debian
-#
-{{ get_config('max_open_files', '100000') }}
-
-# The number of worker threads to start. These threads are used to manage
-# return calls made from minions to the master. If the master seems to be
-# running slowly, increase the number of threads.
-{{ get_config('worker_threads', '5') }}
-
 # The port used by the communication interface. The ret (return) port is the
 # interface used for the file server, authentication, job returns, etc.
 {{ get_config('ret_port', '4506') }}
@ -81,6 +58,8 @@
 {{ get_config('pki_dir', '/etc/salt/pki/master') }}

 # Directory to store job and cache data:
+# This directory may contain sensitive data and should be protected accordingly.
+# 
 {{ get_config('cachedir', '/var/cache/salt/master') }}

 # Directory for custom modules. This directory can contain subdirectories for
@ -88,6 +67,25 @@
 # "states", "returners", etc.
 {{ get_config('extension_modules', '<no default>') }}

+# Directory for custom modules. This directory can contain subdirectories for
+# each of Salt's module types such as "runners", "output", "wheel", "modules",
+# "states", "returners", etc.
+# Like 'extension_modules' but can take an array of paths
+{% if 'module_dirs' in cfg_master -%}
+module_dirs:
+  {%- for dir in cfg_master['module_dirs'] %}
+  - {{ dir}}
+  {%- endfor -%}
+{% elif 'module_dirs' in cfg_salt -%}
+module_dirs:
+  {%- for dir in cfg_salt['module_dirs'] %}
+  - {{ dir}}
+  {%- endfor -%}
+{% else -%}
+#module_dirs: <no default>
+#   - /var/cache/salt/minion/extmods
+{% endif %}
+
 # Verify and set permissions on configuration directories at startup:
 {{ get_config('verify_env', 'True') }}

@ -109,9 +107,6 @@
 # Return minions that timeout when running commands like test.ping
 {{ get_config('show_timeout', 'True') }}

-# Display the jid when a job is published
-{{ get_config('show_jid', 'False') }}
-
 # By default, output is colored. To disable colored output, set the color value
 # to False.
 {{ get_config('color', 'True') }}
@ -138,10 +133,9 @@
 {{ get_config('minion_data_cache', 'True') }}

 # Store all returns in the given returner.
-# Setting this option requires that any returner-specific configuration also
+# Setting this option requires that any returner-specific configuration also 
 # be set. See various returners in salt/returners for details on required
 # configuration values. (See also, event_return_queue below.)
-#
 {{ get_config('event_return', 'mysql') }}

 # On busy systems, enabling event_returns can cause a considerable load on
@ -182,7 +176,6 @@ event_return_blacklist:
 # event_return_blacklist:
 #   - salt/master/not_this_tag
 #   - salt/master/or_this_one
-
 {% endif %}

 # Passing very large events can cause the minion to consume large amounts of
@ -202,12 +195,12 @@ event_return_blacklist:
 # the key rotation event as minions reconnect. Consider this carefully if this
 # salt master is managing a large number of minions.
 #
-# If disabled, it is recommended to handle this event by listening for the
+# If disabled, it is recommended to handle this event by listening for the 
 # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
 {{ get_config('ping_on_rotate', 'False') }}

 # By default, the master deletes its cache of minion data when the key for that
-# minion is removed. To preserve the cache after key deletion, set
+# minion is removed. To preserve the cache after key deletion, set 
 # 'preserve_minion_cache' to True.
 #
 # WARNING: This may have security implications if compromised minions auth with
@ -236,6 +229,58 @@ event_return_blacklist:
 #   - /etc/salt/extra_config
 {{ get_config('include', '[]') }}

+#####  Large-scale tuning settings   #####
+##########################################
+# Max open files
+#
+# Each minion connecting to the master uses AT LEAST one file descriptor, the
+# master subscription connection. If enough minions connect you might start
+# seeing on the console (and then salt-master crashes):
+#   Too many open files (tcp_listener.cpp:335)
+#   Aborted (core dumped)
+#
+# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
+# max open files.
+#
+# If you wish to set a different value than the default one, uncomment and
+# configure this setting. Remember that this value CANNOT be higher than the
+# hard limit. Raising the hard limit depends on your OS and/or distribution,
+# a good way to find the limit is to search the internet. For example:
+#   raise max open files hard limit debian
+#
+{{ get_config('max_open_files', '100000') }}
+
+# The number of worker threads to start. These threads are used to manage
+# return calls made from minions to the master. If the master seems to be
+# running slowly, increase the number of threads. This setting can not be
+# set lower than 3.
+{{ get_config('worker_threads', '5') }}
+
+# Set the ZeroMQ high water marks
+# http://api.zeromq.org/3-2:zmq-setsockopt
+
+# The publisher interface ZeroMQPubServerChannel
+{{ get_config('pub_hwm', '1000') }}
+
+# These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm
+# are significant for masters with thousands of minions.  When these are
+# insufficiently high it will manifest in random responses missing in the CLI
+# and even missing from the job cache.  Masters that have fast CPUs and many
+# cores with appropriate worker_threads will not need these set as high.
+
+# On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has
+# these settings:
+#
+#   salt_event_pub_hwm: 128000
+#   event_publisher_pub_hwm: 64000
+
+# ZMQ high-water-mark for SaltEvent pub socket
+{{ get_config('salt_event_pub_hwm', '20000') }}
+
+# ZMQ high-water-mark for EventPublisher pub socket
+{{ get_config('event_publisher_pub_hwm', '10000') }}
+
+
 #####        Security settings       #####
 ##########################################
 # Enable "open mode", this mode still maintains encryption, but turns off
@ -276,10 +321,6 @@ event_return_blacklist:
 # This setting should be treated with care since it opens up execution
 # capabilities to non root users. By default this capability is completely
 # disabled.
-#client_acl:
-#  larry:
-#    - test.ping
-#    - network.*
 {% if 'client_acl' in cfg_master -%}
 client_acl:
 {%- for name, user in cfg_master['client_acl']|dictsort %}
@ -308,7 +349,6 @@ client_acl:
 # This example would blacklist all non sudo users, including root from
 # running any commands. It would also blacklist any use of the "cmd"
 # module. This is completely disabled by default.
-#
 {% if 'client_acl_blacklist' in cfg_master %}
 client_acl_blacklist:
  users:
@ -339,8 +379,7 @@ client_acl_blacklist:
 {% endif %}

 # Enforce client_acl & client_acl_blacklist when users have sudo
-# access to the salt command.
-#
+# access to the salt command. 
 {{ get_config('sudo_acl', 'False') }}

 # The external auth system uses the Salt auth modules to authenticate and
@ -377,9 +416,41 @@ client_acl_blacklist:
 # will cause minion to throw an exception and drop the message.
 {{ get_config('sign_pub_message', 'False') }}

-
+# Sign the master auth-replies with a cryptographic signature of the masters public key. 
+# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
 {{ get_config('master_sign_pubkey', 'False') }}

+# The customizable name of the signing-key-pair without suffix.
+# master_sign_key_name: <filename_without_suffix>
+{{ get_config('master_sign', '{}') }}
+
+# The name of the file in the masters pki-directory that holds the pre-calculated 
+# signature of the masters public-key.
+# master_pubkey_signature: <filename>
+{{ get_config('master_pubkey_signature', '{}') }}
+
+# Instead of computing the signature for each auth-reply, use a pre-calculated signature. 
+# The master_pubkey_signature must also be set for this.
+{{ get_config('master_use_pubkey_signature', 'False') }}
+
+# Rotate the salt-masters AES-key when a minion-public is deleted with salt-key. 
+# This is a very important security-setting. Disabling it will enable deleted minions to still 
+# listen in on the messages published by the salt-master. 
+# Do not disable this unless it is absolutely clear what this does.
+{{ get_config('rotate_aes_key', 'True') }}
+
+#####     Salt-SSH Configuration     #####
+##########################################
+
+# Pass in an alternative location for the salt-ssh roster file
+{{ get_config('roster_file', '/etc/salt/roster') }}
+
+# Pass in minion option overrides that will be inserted into the SHIM for
+# salt-ssh calls. The local minion config is not used for salt-ssh. Can be
+# overridden on a per-minion basis in the roster (`minion_opts`)
+#ssh_minion_opts:
+#  gpg_keydir: /root/gpg
+{{ get_config('ssh_minion_opts', '{}') }}

 #####    Master Module Management    #####
 ##########################################
@ -408,6 +479,7 @@ client_acl_blacklist:
 # master_tops:
 #   ext_nodes: <Shell command which returns yaml>
 #
+#master_tops: {}
 {% if 'master_tops' in cfg_master %}
 master_tops:
 {%- for master in cfg_master['master_tops'] -%}
@ -438,7 +510,7 @@ master_tops:
 # (block, not variable tag!). Defaults to False, corresponds to the Jinja
 # environment init variable "trim_blocks".
 {{ get_config('jinja_trim_blocks', 'False') }}
-#
+
 # If this is set to True leading spaces and tabs are stripped from the start
 # of a line to a block. Defaults to False, corresponds to the Jinja
 # environment init variable "lstrip_blocks".
@ -462,13 +534,19 @@ master_tops:
 {{ get_config('state_output', 'full') }}

 # Automatically aggregate all states that have support for mod_aggregate by
-# setting to True. Or pass a list of state module names to automatically
+# setting to 'True'. Or pass a list of state module names to automatically
 # aggregate just those types.
 #
 # state_aggregate:
 #   - pkg
 #
 #state_aggregate: False
+{{ get_config('state_aggregate', '{}') }}
+
+# Send progress events as each function in a state run completes execution
+# by setting to 'True'. Progress events are in the format
+# 'salt/job/<JID>/prog/<MID>/<RUN NUM>'.
+{{ get_config('state_events', 'False') }}

 #####      File Server settings      #####
 ##########################################
@ -490,7 +568,7 @@ master_tops:
 #   prod:
 #     - /srv/salt/prod/services
 #     - /srv/salt/prod/states
-
+#
 {% if 'file_roots' in cfg_master -%}
 {{ file_roots(cfg_master['file_roots']) }}
 {%- elif 'file_roots' in cfg_salt -%}
@ -503,11 +581,27 @@ master_tops:
 #    - /srv/salt
 {%- endif %}

+# When using multiple environments, each with their own top file, the
+# default behaviour is an unordered merge. To prevent top files from
+# being merged together and instead to only use the top file from the
+# requested environment, set this value to 'same'. 
+{{ get_config('top_file_merging_stragety', 'merge') }}
+
+# To specify the order in which environments are merged, set the ordering
+# in the env_order option. Given a conflict, the last matching value will
+# win.
+{{ get_config('env_order', '["base", "dev", "prod"]') }}
+
+# If top_file_merging_strategy is set to 'same' and an environment does not
+# contain a top file, the top file in the environment specified by default_top
+# will be used instead.
+{{ get_config('default_top', 'base') }}
+
 # The hash_type is the hash to use when discovering the hash of a file on
 # the master server. The default is md5, but sha1, sha224, sha256, sha384
 # and sha512 are also supported.
 #
-# Prior to changing this value, the master should be stopped and all Salt
+# Prior to changing this value, the master should be stopped and all Salt 
 # caches should be cleared.
 {{ get_config('hash_type', 'md5') }}

@ -578,26 +672,26 @@ fileserver_backend:
  - {{ backend }}
 {%- endfor -%}
 {%- endif %}
-#
+
 # Uncomment the line below if you do not want the file_server to follow
 # symlinks when walking the filesystem tree. This is set to True
 # by default. Currently this only applies to the default roots
 # fileserver_backend.
 {{ get_config('fileserver_followsymlinks', 'False') }}
-#
+
 # Uncomment the line below if you do not want symlinks to be
 # treated as the files they are pointing to. By default this is set to
 # False. By uncommenting the line below, any detected symlink while listing
 # files on the Master will not be returned to the Minion.
 {{ get_config('fileserver_ignoresymlinks', 'True') }}
-#
+
 # By default, the Salt fileserver recurses fully into all defined environments
 # to attempt to find files. To limit this behavior so that the fileserver only
 # traverses directories with SLS files and special Salt directories like _modules,
 # enable the option below. This might be useful for installations where a file root
 # has a very large number of files and performance is impacted. Default is False.
 {{ get_config('fileserver_limit_traversal', 'False') }}
-#
+
 # The fileserver can fire events off every time the fileserver is updated,
 # these are disabled by default, but can be easily turned on by setting this
 # flag to True
@ -608,7 +702,7 @@ fileserver_backend:
 # Gitfs can be provided by one of two python modules: GitPython or pygit2. If
 # using pygit2, both libgit2 and git must also be installed.
 {{ get_config('gitfs_provider', 'gitpython') }}
-#
+
 # When using the git fileserver backend at least one git remote needs to be
 # defined. The user running the salt master will need read access to the repo.
 #
@ -646,7 +740,7 @@ gitfs_remotes:
 # keep in mind that setting this flag to anything other than the default of True
 # is a security concern, you may want to try using the ssh transport.
 {{ get_config('gitfs_ssl_verify', 'True') }}
-#
+
 # The gitfs_root option gives the ability to serve files from a subdirectory
 # within the repository. The path is defined relative to the root of the
 # repository and defaults to the repository root.
@ -676,7 +770,6 @@ gitfs_env_blacklist:
 #   - feature/*
 {% endif %}

-
 #####         Pillar settings        #####
 ##########################################
 # Salt Pillars allow for the building of global data that can be made selectively
@ -705,7 +798,7 @@ pillar_roots:
 #  base:
 #    - /srv/pillar
 {%- endif %}
-#
+
 {% if 'ext_pillar' in cfg_master %}
 ext_pillar:
 {%- for pillar in cfg_master['ext_pillar'] -%}
@ -718,7 +811,7 @@ ext_pillar:
    - {{ parameter }}
      {%- endfor -%}
    {%- elif pillar[key] is mapping and pillar[key] is not string %}
-  - {{ key }}: 
+  - {{ key }}:
      {%- for parameter in pillar[key] %}
      {{ parameter }}: {{pillar[key][parameter]}}
      {%- endfor %}
@ -755,6 +848,13 @@ ext_pillar:
 # master config file that can then be used on minions.
 {{ get_config('pillar_opts', 'True') }}

+# The pillar_safe_render_error option prevents the master from passing pillar
+# render errors to the minion. This is set on by default because the error could
+# contain templating data which would give that minion information it shouldn't
+# have, like a password! When set true the error message will only show:
+#   Rendering SLS 'my.sls' failed. Please see master log for details.
+{{ get_config('pillar_safe_render_error', 'True') }}
+
 # The pillar_source_merging_strategy option allows you to configure merging strategy
 # between different sources. It accepts four values: recurse, aggregate, overwrite,
 # or smart. Recurse will merge recursively mapping of data. Aggregate instructs
@ -764,13 +864,18 @@ ext_pillar:
 # on the "renderer" setting and is the default value.
 {{ get_config('pillar_source_merging_strategy', 'smart') }}

+# Recursively merge lists by aggregating them instead of replacing them.
+{{ get_config('pillar_merge_lists', 'False') }}
+
+
 #####          Syndic settings       #####
 ##########################################
 # The Salt syndic is used to pass commands through a master from a higher
-# master. Using the syndic is simple, if this is a master that will have
-# syndic servers(s) below it set the "order_masters" setting to True, if this
-# is a master that will be running a syndic daemon for passthrough the
-# "syndic_master" setting needs to be set to the location of the master server
+# master. Using the syndic is simple. If this is a master that will have
+# syndic servers(s) below it, then set the "order_masters" setting to True.
+#
+# If this is a master that will be running a syndic daemon for passthrough, then
+# the "syndic_master" setting needs to be set to the location of the master server
 # to receive commands from.

 # Set the order_masters setting to True if this master will command lower
@ -790,6 +895,7 @@ ext_pillar:
 # LOG file of the syndic daemon:
 {{ get_config('syndic_log_file', 'syndic.log') }}

+
 #####      Peer Publish settings     #####
 ##########################################
 # Salt minions can send commands to other minions, but only if the minion is
@ -864,9 +970,8 @@ peer_run:
  {% endfor %}
 {% endif %}

-
 #####         Mine settings     #####
-##########################################
+#####################################
 # Restrict mine.get access from minions. By default any minion has a full access
 # to get all mine data from master cache. In acl definion below, only pcre matches
 # are allowed.
@ -902,7 +1007,6 @@ mine_get:
 #     - disk.*
 {%- endif %}

-
 #####         Logging settings       #####
 ##########################################
 # The location of the master log file
@ -919,10 +1023,15 @@ mine_get:

 # The level of messages to send to the console.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+#
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
 {{ get_config('log_level', 'warning') }}

 # The level of messages to send to the log file.
 # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+# If using 'log_granular_levels' this must be set to the highest desired level.
 {{ get_config('log_level_logfile', 'warning') }}

 # The date and time format used in log messages. Allowed date/time formating
@ -932,7 +1041,21 @@ mine_get:

 # The format of the console logging messages. Allowed formatting options can
 # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
+#
+# Console log colors are specified by these additional formatters:
+#
+# %(colorlevel)s
+# %(colorname)s
+# %(colorprocess)s
+# %(colormsg)s
+#
+# Since it is desirable to include the surrounding brackets, '[' and ']', in
+# the coloring of the messages, these color formatters also include padding as
+# well.  Color LogRecord attributes are only available for console logging.
+#
+{{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }}
 {{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
+
 {{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}

 # This can be used to control logging levels more specificically.  This
@ -956,8 +1079,7 @@ log_granular_levels:
 #log_granular_levels: {}
 {% endif %}

-
-#####         Node Groups           #####
+#####         Node Groups           ######
 ##########################################
 # Node groups allow for logical groupings of minion nodes. A group consists of a group
 # name and a compound target.
@ -976,7 +1098,6 @@ nodegroups:
  {% endfor %}
 {% endif %}

-
 #####     Range Cluster settings     #####
 ##########################################
 # The range server (and optional port) that serves your cluster information
@ -984,8 +1105,33 @@ nodegroups:
 #
 {{ get_config('range_server', 'range:80') }}

-#####     Windows Software Repo settings #####
-##############################################
+
+#####  Windows Software Repo settings #####
+###########################################
+# Location of the repo on the master:
+{{ get_config('win_repo_dir_ng', '/srv/salt/win/repo-ng') }}
+
+# List of git repositories to include with the local repo:
+{% if 'win_gitrepos_ng' in cfg_master %}
+win_gitrepos_ng:
+  {% for repo in cfg_master['win_gitrepos_ng'] %}
+  - {{ repo }}
+  {% endfor %}
+{% elif 'win_gitrepos_ng' in cfg_salt %}
+win_gitrepos_ng:
+  {% for repo in cfg_salt['win_gitrepos_ng'] %}
+  - {{ repo }}
+  {% endfor %}
+{% else %}
+#winrepo_remotes_ng:
+#  - 'https://github.com/saltstack/salt-winrepo-ng.git'
+{% endif %}
+
+
+#####  Windows Software Repo settings - Pre 2015.8 #####
+########################################################
+# Legacy repo settings for pre-2015.8 Windows minions.
+#
 # Location of the repo on the master:
 {{ get_config('win_repo', '/srv/salt/win/repo') }}

@ -1004,7 +1150,7 @@ win_gitrepos:
  - {{ repo }}
  {% endfor %}
 {% else %}
-#win_gitrepos:
+#winrepo_remotes:
 #  - 'https://github.com/saltstack/salt-winrepo.git'
 {% endif %}

@ -1012,6 +1158,13 @@ win_gitrepos:
 ############################################
 # Which returner(s) will be used for minion's result:
 #return: mysql
+{{ get_config('return', '')}}
+
+
+######    Miscellaneous  settings     ######
+############################################
+# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
+{{ get_config('event_match_type', 'startswith') }}

 {% if 'halite' in cfg_master %}
 #####             Halite             #####