diff --git a/salt/files/master.d/f_defaults.conf b/salt/files/master.d/f_defaults.conf index 539e913..c183514 100644 --- a/salt/files/master.d/f_defaults.conf +++ b/salt/files/master.d/f_defaults.conf @@ -1,5 +1,5 @@ # This file managed by Salt, do not edit by hand!! -# Based on salt version 2014.7 default config +# Based on salt version 2015.8.7 default config {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs'] -%} {% set cfg_salt = pillar.get('salt', {}) -%} {% set cfg_master = cfg_salt.get('master', {}) -%} @@ -15,10 +15,11 @@ {%- from 'salt/formulas.jinja' import file_roots, formulas with context -%} ##### Primary configuration settings ##### ########################################## -# This configuration file is used to manage the behavior of the Salt Master -# Values that are commented out but have no space after the comment are -# defaults that need not be set in the config. If there is a space after the -# comment that the value is presented as an example and is not the default. +# This configuration file is used to manage the behavior of the Salt Master. +# Values that are commented out but have an empty line after the comment are +# defaults that do not need to be set in the config. If there is no blank line +# after the comment then the value is presented as an example and is not the +# default. # Per default, the master will automatically include all config files # from master.d/*.conf (master.d is a directory in the same directory @@ -41,30 +42,6 @@ # modified files cause conflicts, set verify_env to False. {{ get_config('user', 'root') }} -# Max open files -# -# Each minion connecting to the master uses AT LEAST one file descriptor, the -# master subscription connection. If enough minions connect you might start -# seeing on the console (and then salt-master crashes): -# Too many open files (tcp_listener.cpp:335) -# Aborted (core dumped) -# -# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for -# max open files. -# -# If you wish to set a different value than the default one, uncomment and -# configure this setting. Remember that this value CANNOT be higher than the -# hard limit. Raising the hard limit depends on your OS and/or distribution, -# a good way to find the limit is to search the internet. For example: -# raise max open files hard limit debian -# -{{ get_config('max_open_files', '100000') }} - -# The number of worker threads to start. These threads are used to manage -# return calls made from minions to the master. If the master seems to be -# running slowly, increase the number of threads. -{{ get_config('worker_threads', '5') }} - # The port used by the communication interface. The ret (return) port is the # interface used for the file server, authentication, job returns, etc. {{ get_config('ret_port', '4506') }} @@ -81,6 +58,8 @@ {{ get_config('pki_dir', '/etc/salt/pki/master') }} # Directory to store job and cache data: +# This directory may contain sensitive data and should be protected accordingly. +# {{ get_config('cachedir', '/var/cache/salt/master') }} # Directory for custom modules. This directory can contain subdirectories for @@ -88,6 +67,25 @@ # "states", "returners", etc. {{ get_config('extension_modules', '') }} +# Directory for custom modules. This directory can contain subdirectories for +# each of Salt's module types such as "runners", "output", "wheel", "modules", +# "states", "returners", etc. +# Like 'extension_modules' but can take an array of paths +{% if 'module_dirs' in cfg_master -%} +module_dirs: + {%- for dir in cfg_master['module_dirs'] %} + - {{ dir}} + {%- endfor -%} +{% elif 'module_dirs' in cfg_salt -%} +module_dirs: + {%- for dir in cfg_salt['module_dirs'] %} + - {{ dir}} + {%- endfor -%} +{% else -%} +#module_dirs: +# - /var/cache/salt/minion/extmods +{% endif %} + # Verify and set permissions on configuration directories at startup: {{ get_config('verify_env', 'True') }} @@ -109,9 +107,6 @@ # Return minions that timeout when running commands like test.ping {{ get_config('show_timeout', 'True') }} -# Display the jid when a job is published -{{ get_config('show_jid', 'False') }} - # By default, output is colored. To disable colored output, set the color value # to False. {{ get_config('color', 'True') }} @@ -138,10 +133,9 @@ {{ get_config('minion_data_cache', 'True') }} # Store all returns in the given returner. -# Setting this option requires that any returner-specific configuration also +# Setting this option requires that any returner-specific configuration also # be set. See various returners in salt/returners for details on required # configuration values. (See also, event_return_queue below.) -# {{ get_config('event_return', 'mysql') }} # On busy systems, enabling event_returns can cause a considerable load on @@ -182,7 +176,6 @@ event_return_blacklist: # event_return_blacklist: # - salt/master/not_this_tag # - salt/master/or_this_one - {% endif %} # Passing very large events can cause the minion to consume large amounts of @@ -202,12 +195,12 @@ event_return_blacklist: # the key rotation event as minions reconnect. Consider this carefully if this # salt master is managing a large number of minions. # -# If disabled, it is recommended to handle this event by listening for the +# If disabled, it is recommended to handle this event by listening for the # 'aes_key_rotate' event with the 'key' tag and acting appropriately. {{ get_config('ping_on_rotate', 'False') }} # By default, the master deletes its cache of minion data when the key for that -# minion is removed. To preserve the cache after key deletion, set +# minion is removed. To preserve the cache after key deletion, set # 'preserve_minion_cache' to True. # # WARNING: This may have security implications if compromised minions auth with @@ -236,6 +229,58 @@ event_return_blacklist: # - /etc/salt/extra_config {{ get_config('include', '[]') }} +##### Large-scale tuning settings ##### +########################################## +# Max open files +# +# Each minion connecting to the master uses AT LEAST one file descriptor, the +# master subscription connection. If enough minions connect you might start +# seeing on the console (and then salt-master crashes): +# Too many open files (tcp_listener.cpp:335) +# Aborted (core dumped) +# +# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for +# max open files. +# +# If you wish to set a different value than the default one, uncomment and +# configure this setting. Remember that this value CANNOT be higher than the +# hard limit. Raising the hard limit depends on your OS and/or distribution, +# a good way to find the limit is to search the internet. For example: +# raise max open files hard limit debian +# +{{ get_config('max_open_files', '100000') }} + +# The number of worker threads to start. These threads are used to manage +# return calls made from minions to the master. If the master seems to be +# running slowly, increase the number of threads. This setting can not be +# set lower than 3. +{{ get_config('worker_threads', '5') }} + +# Set the ZeroMQ high water marks +# http://api.zeromq.org/3-2:zmq-setsockopt + +# The publisher interface ZeroMQPubServerChannel +{{ get_config('pub_hwm', '1000') }} + +# These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm +# are significant for masters with thousands of minions. When these are +# insufficiently high it will manifest in random responses missing in the CLI +# and even missing from the job cache. Masters that have fast CPUs and many +# cores with appropriate worker_threads will not need these set as high. + +# On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has +# these settings: +# +# salt_event_pub_hwm: 128000 +# event_publisher_pub_hwm: 64000 + +# ZMQ high-water-mark for SaltEvent pub socket +{{ get_config('salt_event_pub_hwm', '20000') }} + +# ZMQ high-water-mark for EventPublisher pub socket +{{ get_config('event_publisher_pub_hwm', '10000') }} + + ##### Security settings ##### ########################################## # Enable "open mode", this mode still maintains encryption, but turns off @@ -276,10 +321,6 @@ event_return_blacklist: # This setting should be treated with care since it opens up execution # capabilities to non root users. By default this capability is completely # disabled. -#client_acl: -# larry: -# - test.ping -# - network.* {% if 'client_acl' in cfg_master -%} client_acl: {%- for name, user in cfg_master['client_acl']|dictsort %} @@ -308,7 +349,6 @@ client_acl: # This example would blacklist all non sudo users, including root from # running any commands. It would also blacklist any use of the "cmd" # module. This is completely disabled by default. -# {% if 'client_acl_blacklist' in cfg_master %} client_acl_blacklist: users: @@ -339,8 +379,7 @@ client_acl_blacklist: {% endif %} # Enforce client_acl & client_acl_blacklist when users have sudo -# access to the salt command. -# +# access to the salt command. {{ get_config('sudo_acl', 'False') }} # The external auth system uses the Salt auth modules to authenticate and @@ -377,9 +416,41 @@ client_acl_blacklist: # will cause minion to throw an exception and drop the message. {{ get_config('sign_pub_message', 'False') }} - +# Sign the master auth-replies with a cryptographic signature of the masters public key. +# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial {{ get_config('master_sign_pubkey', 'False') }} +# The customizable name of the signing-key-pair without suffix. +# master_sign_key_name: +{{ get_config('master_sign', '{}') }} + +# The name of the file in the masters pki-directory that holds the pre-calculated +# signature of the masters public-key. +# master_pubkey_signature: +{{ get_config('master_pubkey_signature', '{}') }} + +# Instead of computing the signature for each auth-reply, use a pre-calculated signature. +# The master_pubkey_signature must also be set for this. +{{ get_config('master_use_pubkey_signature', 'False') }} + +# Rotate the salt-masters AES-key when a minion-public is deleted with salt-key. +# This is a very important security-setting. Disabling it will enable deleted minions to still +# listen in on the messages published by the salt-master. +# Do not disable this unless it is absolutely clear what this does. +{{ get_config('rotate_aes_key', 'True') }} + +##### Salt-SSH Configuration ##### +########################################## + +# Pass in an alternative location for the salt-ssh roster file +{{ get_config('roster_file', '/etc/salt/roster') }} + +# Pass in minion option overrides that will be inserted into the SHIM for +# salt-ssh calls. The local minion config is not used for salt-ssh. Can be +# overridden on a per-minion basis in the roster (`minion_opts`) +#ssh_minion_opts: +# gpg_keydir: /root/gpg +{{ get_config('ssh_minion_opts', '{}') }} ##### Master Module Management ##### ########################################## @@ -408,6 +479,7 @@ client_acl_blacklist: # master_tops: # ext_nodes: # +#master_tops: {} {% if 'master_tops' in cfg_master %} master_tops: {%- for master in cfg_master['master_tops'] -%} @@ -438,7 +510,7 @@ master_tops: # (block, not variable tag!). Defaults to False, corresponds to the Jinja # environment init variable "trim_blocks". {{ get_config('jinja_trim_blocks', 'False') }} -# + # If this is set to True leading spaces and tabs are stripped from the start # of a line to a block. Defaults to False, corresponds to the Jinja # environment init variable "lstrip_blocks". @@ -462,13 +534,19 @@ master_tops: {{ get_config('state_output', 'full') }} # Automatically aggregate all states that have support for mod_aggregate by -# setting to True. Or pass a list of state module names to automatically +# setting to 'True'. Or pass a list of state module names to automatically # aggregate just those types. # # state_aggregate: # - pkg # #state_aggregate: False +{{ get_config('state_aggregate', '{}') }} + +# Send progress events as each function in a state run completes execution +# by setting to 'True'. Progress events are in the format +# 'salt/job//prog//'. +{{ get_config('state_events', 'False') }} ##### File Server settings ##### ########################################## @@ -490,7 +568,7 @@ master_tops: # prod: # - /srv/salt/prod/services # - /srv/salt/prod/states - +# {% if 'file_roots' in cfg_master -%} {{ file_roots(cfg_master['file_roots']) }} {%- elif 'file_roots' in cfg_salt -%} @@ -503,11 +581,27 @@ master_tops: # - /srv/salt {%- endif %} +# When using multiple environments, each with their own top file, the +# default behaviour is an unordered merge. To prevent top files from +# being merged together and instead to only use the top file from the +# requested environment, set this value to 'same'. +{{ get_config('top_file_merging_stragety', 'merge') }} + +# To specify the order in which environments are merged, set the ordering +# in the env_order option. Given a conflict, the last matching value will +# win. +{{ get_config('env_order', '["base", "dev", "prod"]') }} + +# If top_file_merging_strategy is set to 'same' and an environment does not +# contain a top file, the top file in the environment specified by default_top +# will be used instead. +{{ get_config('default_top', 'base') }} + # The hash_type is the hash to use when discovering the hash of a file on # the master server. The default is md5, but sha1, sha224, sha256, sha384 # and sha512 are also supported. # -# Prior to changing this value, the master should be stopped and all Salt +# Prior to changing this value, the master should be stopped and all Salt # caches should be cleared. {{ get_config('hash_type', 'md5') }} @@ -578,26 +672,26 @@ fileserver_backend: - {{ backend }} {%- endfor -%} {%- endif %} -# + # Uncomment the line below if you do not want the file_server to follow # symlinks when walking the filesystem tree. This is set to True # by default. Currently this only applies to the default roots # fileserver_backend. {{ get_config('fileserver_followsymlinks', 'False') }} -# + # Uncomment the line below if you do not want symlinks to be # treated as the files they are pointing to. By default this is set to # False. By uncommenting the line below, any detected symlink while listing # files on the Master will not be returned to the Minion. {{ get_config('fileserver_ignoresymlinks', 'True') }} -# + # By default, the Salt fileserver recurses fully into all defined environments # to attempt to find files. To limit this behavior so that the fileserver only # traverses directories with SLS files and special Salt directories like _modules, # enable the option below. This might be useful for installations where a file root # has a very large number of files and performance is impacted. Default is False. {{ get_config('fileserver_limit_traversal', 'False') }} -# + # The fileserver can fire events off every time the fileserver is updated, # these are disabled by default, but can be easily turned on by setting this # flag to True @@ -608,7 +702,7 @@ fileserver_backend: # Gitfs can be provided by one of two python modules: GitPython or pygit2. If # using pygit2, both libgit2 and git must also be installed. {{ get_config('gitfs_provider', 'gitpython') }} -# + # When using the git fileserver backend at least one git remote needs to be # defined. The user running the salt master will need read access to the repo. # @@ -646,7 +740,7 @@ gitfs_remotes: # keep in mind that setting this flag to anything other than the default of True # is a security concern, you may want to try using the ssh transport. {{ get_config('gitfs_ssl_verify', 'True') }} -# + # The gitfs_root option gives the ability to serve files from a subdirectory # within the repository. The path is defined relative to the root of the # repository and defaults to the repository root. @@ -676,7 +770,6 @@ gitfs_env_blacklist: # - feature/* {% endif %} - ##### Pillar settings ##### ########################################## # Salt Pillars allow for the building of global data that can be made selectively @@ -705,7 +798,7 @@ pillar_roots: # base: # - /srv/pillar {%- endif %} -# + {% if 'ext_pillar' in cfg_master %} ext_pillar: {%- for pillar in cfg_master['ext_pillar'] -%} @@ -718,7 +811,7 @@ ext_pillar: - {{ parameter }} {%- endfor -%} {%- elif pillar[key] is mapping and pillar[key] is not string %} - - {{ key }}: + - {{ key }}: {%- for parameter in pillar[key] %} {{ parameter }}: {{pillar[key][parameter]}} {%- endfor %} @@ -755,6 +848,13 @@ ext_pillar: # master config file that can then be used on minions. {{ get_config('pillar_opts', 'True') }} +# The pillar_safe_render_error option prevents the master from passing pillar +# render errors to the minion. This is set on by default because the error could +# contain templating data which would give that minion information it shouldn't +# have, like a password! When set true the error message will only show: +# Rendering SLS 'my.sls' failed. Please see master log for details. +{{ get_config('pillar_safe_render_error', 'True') }} + # The pillar_source_merging_strategy option allows you to configure merging strategy # between different sources. It accepts four values: recurse, aggregate, overwrite, # or smart. Recurse will merge recursively mapping of data. Aggregate instructs @@ -764,13 +864,18 @@ ext_pillar: # on the "renderer" setting and is the default value. {{ get_config('pillar_source_merging_strategy', 'smart') }} +# Recursively merge lists by aggregating them instead of replacing them. +{{ get_config('pillar_merge_lists', 'False') }} + + ##### Syndic settings ##### ########################################## # The Salt syndic is used to pass commands through a master from a higher -# master. Using the syndic is simple, if this is a master that will have -# syndic servers(s) below it set the "order_masters" setting to True, if this -# is a master that will be running a syndic daemon for passthrough the -# "syndic_master" setting needs to be set to the location of the master server +# master. Using the syndic is simple. If this is a master that will have +# syndic servers(s) below it, then set the "order_masters" setting to True. +# +# If this is a master that will be running a syndic daemon for passthrough, then +# the "syndic_master" setting needs to be set to the location of the master server # to receive commands from. # Set the order_masters setting to True if this master will command lower @@ -790,6 +895,7 @@ ext_pillar: # LOG file of the syndic daemon: {{ get_config('syndic_log_file', 'syndic.log') }} + ##### Peer Publish settings ##### ########################################## # Salt minions can send commands to other minions, but only if the minion is @@ -864,9 +970,8 @@ peer_run: {% endfor %} {% endif %} - ##### Mine settings ##### -########################################## +##################################### # Restrict mine.get access from minions. By default any minion has a full access # to get all mine data from master cache. In acl definion below, only pcre matches # are allowed. @@ -902,7 +1007,6 @@ mine_get: # - disk.* {%- endif %} - ##### Logging settings ##### ########################################## # The location of the master log file @@ -919,10 +1023,15 @@ mine_get: # The level of messages to send to the console. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# +# The following log levels are considered INSECURE and may log sensitive data: +# ['garbage', 'trace', 'debug'] +# {{ get_config('log_level', 'warning') }} # The level of messages to send to the log file. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# If using 'log_granular_levels' this must be set to the highest desired level. {{ get_config('log_level_logfile', 'warning') }} # The date and time format used in log messages. Allowed date/time formating @@ -932,7 +1041,21 @@ mine_get: # The format of the console logging messages. Allowed formatting options can # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes +# +# Console log colors are specified by these additional formatters: +# +# %(colorlevel)s +# %(colorname)s +# %(colorprocess)s +# %(colormsg)s +# +# Since it is desirable to include the surrounding brackets, '[' and ']', in +# the coloring of the messages, these color formatters also include padding as +# well. Color LogRecord attributes are only available for console logging. +# +{{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }} {{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }} + {{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }} # This can be used to control logging levels more specificically. This @@ -956,8 +1079,7 @@ log_granular_levels: #log_granular_levels: {} {% endif %} - -##### Node Groups ##### +##### Node Groups ###### ########################################## # Node groups allow for logical groupings of minion nodes. A group consists of a group # name and a compound target. @@ -976,7 +1098,6 @@ nodegroups: {% endfor %} {% endif %} - ##### Range Cluster settings ##### ########################################## # The range server (and optional port) that serves your cluster information @@ -984,8 +1105,33 @@ nodegroups: # {{ get_config('range_server', 'range:80') }} -##### Windows Software Repo settings ##### -############################################## + +##### Windows Software Repo settings ##### +########################################### +# Location of the repo on the master: +{{ get_config('win_repo_dir_ng', '/srv/salt/win/repo-ng') }} + +# List of git repositories to include with the local repo: +{% if 'win_gitrepos_ng' in cfg_master %} +win_gitrepos_ng: + {% for repo in cfg_master['win_gitrepos_ng'] %} + - {{ repo }} + {% endfor %} +{% elif 'win_gitrepos_ng' in cfg_salt %} +win_gitrepos_ng: + {% for repo in cfg_salt['win_gitrepos_ng'] %} + - {{ repo }} + {% endfor %} +{% else %} +#winrepo_remotes_ng: +# - 'https://github.com/saltstack/salt-winrepo-ng.git' +{% endif %} + + +##### Windows Software Repo settings - Pre 2015.8 ##### +######################################################## +# Legacy repo settings for pre-2015.8 Windows minions. +# # Location of the repo on the master: {{ get_config('win_repo', '/srv/salt/win/repo') }} @@ -1004,7 +1150,7 @@ win_gitrepos: - {{ repo }} {% endfor %} {% else %} -#win_gitrepos: +#winrepo_remotes: # - 'https://github.com/saltstack/salt-winrepo.git' {% endif %} @@ -1012,6 +1158,13 @@ win_gitrepos: ############################################ # Which returner(s) will be used for minion's result: #return: mysql +{{ get_config('return', '')}} + + +###### Miscellaneous settings ###### +############################################ +# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch +{{ get_config('event_match_type', 'startswith') }} {% if 'halite' in cfg_master %} ##### Halite #####