2
0

Merge pull request #25 from z-saltstack/master

Actualized master and minion config files templates
This commit is contained in:
Forrest 2014-02-10 20:37:25 -07:00
commit d286e47a32
3 changed files with 169 additions and 23 deletions

View File

@ -69,7 +69,8 @@
{{ get_config('pidfile', '/var/run/salt-master.pid') }} {{ get_config('pidfile', '/var/run/salt-master.pid') }}
# The root directory prepended to these options: pki_dir, cachedir, # The root directory prepended to these options: pki_dir, cachedir,
# sock_dir, log_file, autosign_file, extension_modules, key_logfile, pidfile. # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
# key_logfile, pidfile.
{{ get_config('root_dir', '/') }} {{ get_config('root_dir', '/') }}
# Directory used to store public key data # Directory used to store public key data
@ -88,7 +89,7 @@
# seconds # seconds
{{ get_config('timeout', '5') }} {{ get_config('timeout', '5') }}
# The loop_interval option controls the seconds for the master's maintinance # The loop_interval option controls the seconds for the master's maintenance
# process check cycle. This process updates file server backends, cleans the # process check cycle. This process updates file server backends, cleans the
# job cache and executes the scheduler. # job cache and executes the scheduler.
{{ get_config('loop_interval', '60') }} {{ get_config('loop_interval', '60') }}
@ -148,11 +149,16 @@
# public keys from the minions. Note that this is insecure. # public keys from the minions. Note that this is insecure.
{{ get_config('auto_accept', 'False') }} {{ get_config('auto_accept', 'False') }}
# If the autosign_file is specified only incoming keys specified in # If the autosign_file is specified, incoming keys specified in the
# the autosign_file will be automatically accepted. This is insecure. # autosign_file will be automatically accepted. This is insecure. Regular
# Regular expressions as well as globing lines are supported. # expressions as well as globing lines are supported.
{{ get_config('autosign_file', '/etc/salt/autosign.conf') }} {{ get_config('autosign_file', '/etc/salt/autosign.conf') }}
# Works like autosign_file, but instead allows you to specify minion IDs for
# which keys will automatically be rejected. Will override both membership in
# the autosign_file and the auto_accept setting.
{{ get_config('autorejecte_file', '/etc/salt/autosign.conf') }}
# Enable permissive access to the salt keys. This allows you to run the # Enable permissive access to the salt keys. This allows you to run the
# master or minion as root, but have a non-root group be given access to # master or minion as root, but have a non-root group be given access to
# your pki_dir. To make the access explicit, root must belong to the group # your pki_dir. To make the access explicit, root must belong to the group
@ -226,6 +232,28 @@ client_acl_blacklist:
# security purposes. # security purposes.
{{ get_config('file_recv', 'False') }} {{ get_config('file_recv', 'False') }}
# Set a hard-limit on the size of the files that can be pushed to the master.
# It will be interpreted as megabytes.
# Default: 100
{{ get_config('file_recv_max_size', '100') }}
# Signature verification on messages published from the master.
# This causes the master to cryptographically sign all messages published to its event
# bus, and minions then verify that signature before acting on the message.
#
# This is False by default.
#
# Note that to facilitate interoperability with masters and minions that are different
# versions, if sign_pub_messages is True but a message is received by a minion with
# no signature, it will still be accepted, and a warning message will be logged.
# Conversely, if sign_pub_messages is False, but a minion receives a signed
# message it will be accepted, the signature will not be checked, and a warning message
# will be logged. This behavior will go away in Salt 0.17.6 (or Hydrogen RC1, whichever
# comes first) and these two situations will cause minion to throw an exception and
# drop the message.
#
{{ get_config('sign_pub_message', 'False') }}
##### Master Module Management ##### ##### Master Module Management #####
########################################## ##########################################
# Manage how master side modules are loaded # Manage how master side modules are loaded
@ -263,6 +291,19 @@ client_acl_blacklist:
# The renderer to use on the minions to render the state data # The renderer to use on the minions to render the state data
{{ get_config('renderer', 'yaml_jinja') }} {{ get_config('renderer', 'yaml_jinja') }}
# The Jinja renderer can strip extra carriage returns and whitespace
# See http://jinja.pocoo.org/docs/api/#high-level-api
#
# If this is set to True the first newline after a Jinja block is removed
# (block, not variable tag!). Defaults to False, corresponds to the Jinja
# environment init variable "trim_blocks".
{{ get_config('jinja_trim_blocks', 'False') }}
#
# If this is set to True leading spaces and tabs are stripped from the start
# of a line to a block. Defaults to False, corresponds to the Jinja
# environment init variable "lstrip_blocks".
{{ get_config('jinja_lstrip_blocks', 'False') }}
# The failhard option tells the minions to stop immediately after the first # The failhard option tells the minions to stop immediately after the first
# failure detected in the state execution, defaults to False # failure detected in the state execution, defaults to False
{{ get_config('failhard', 'False') }} {{ get_config('failhard', 'False') }}
@ -395,6 +436,21 @@ fileserver_backend:
- {{ backend }} - {{ backend }}
{% endfor -%} {% endfor -%}
{% endif %} {% endif %}
#
# Uncomment the line below if you do not want the file_server to follow
# symlinks when walking the filesystem tree. This is set to True
# by default. Currently this only applies to the default roots
# fileserver_backend.
#
{{ get_config('fileserver_followsymlinks', 'False') }}
#
# Uncomment the line below if you do not want symlinks to be
# treated as the files they are pointing to. By default this is set to
# False. By uncommenting the line below, any detected symlink while listing
# files on the Master will not be returned to the Minion.
#
{{ get_config('fileserver_ignoresymlinks', 'True') }}
# #
# By default, the Salt fileserver recurses fully into all defined environments # By default, the Salt fileserver recurses fully into all defined environments
# to attempt to find files. To limit this behavior so that the fileserver only # to attempt to find files. To limit this behavior so that the fileserver only
@ -404,14 +460,20 @@ fileserver_backend:
# #
{{ get_config('fileserver_limit_traversal', 'False') }} {{ get_config('fileserver_limit_traversal', 'False') }}
# #
# The fileserver can fire events off every time the fileserver is updated,
# these are disabled by default, but can be easily turned on by setting this
# flag to True
{{ get_config('fileserver_events', 'False') }}
#
# Git fileserver backend configuration # Git fileserver backend configuration
#
# Gitfs can be provided by one of two python modules: GitPython or pygit2. If
# using pygit2, both libgit2 and git must also be installed.
{{ get_config('gitfs_provider', 'gitpython') }}
#
# When using the git fileserver backend at least one git remote needs to be # When using the git fileserver backend at least one git remote needs to be
# defined. The user running the salt master will need read access to the repo. # defined. The user running the salt master will need read access to the repo.
# #
#gitfs_remotes:
# - git://github.com/saltstack/salt-states.git
# - file:///var/git/saltmaster
#
# The repos will be searched in order to find the file requested by a client # The repos will be searched in order to find the file requested by a client
# and the first repo to have the file will return it. # and the first repo to have the file will return it.
# When using the git backend branches and tags are translated into salt # When using the git backend branches and tags are translated into salt
@ -424,6 +486,18 @@ gitfs_remotes:
- {{ remote }}{% endfor -%} - {{ remote }}{% endfor -%}
{%- endif %} {%- endif %}
# #
#gitfs_remotes:
# - git://github.com/saltstack/salt-states.git
# - file:///var/git/saltmaster
#
# The gitfs_ssl_verify option specifies whether to ignore ssl certificate
# errors when contacting the gitfs backend. You might want to set this to
# false if you're using a git backend that uses a self-signed certificate but
# keep in mind that setting this flag to anything other than the default of True
# is a security concern, you may want to try using the ssh transport.
{{ get_config('gitfs_ssl_verify', 'True') }}
#
#
# The gitfs_root option gives the ability to serve files from a subdirectory # The gitfs_root option gives the ability to serve files from a subdirectory
# within the repository. The path is defined relative to the root of the # within the repository. The path is defined relative to the root of the
# repository and defaults to the repository root. # repository and defaults to the repository root.
@ -475,6 +549,13 @@ ext_pillar:
# - cmd_yaml: cat /etc/salt/yaml # - cmd_yaml: cat /etc/salt/yaml
{%- endif %} {%- endif %}
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
# errors when contacting the pillar gitfs backend. You might want to set this to
# false if you're using a git backend that uses a self-signed certificate but
# keep in mind that setting this flag to anything other than the default of True
# is a security concern, you may want to try using the ssh transport.
{{ get_config('pillar_gitfs_ssl_verify', 'True') }}
# The pillar_opts option adds the master configuration file data to a dict in # The pillar_opts option adds the master configuration file data to a dict in
# the pillar called "master". This is used to set simple configurations in the # the pillar called "master". This is used to set simple configurations in the
# master config file that can then be used on minions. # master config file that can then be used on minions.
@ -585,6 +666,26 @@ peer_run:
{% endfor -%} {% endfor -%}
{% endif -%} {% endif -%}
##### Mine settings #####
##########################################
# Restrict mine.get access from minions. By default any minion has a full access
# to get all mine data from master cache. In acl definion below, only pcre matches
# are allowed.
#
# mine_get:
# .*:
# - .*
#
# Example below enables minion foo.example.com to get 'network.interfaces' mine data only
# , minions web* to get all network.* and disk.* mine data and all other minions won't get
# any mine data.
#
# mine_get:
# foo.example.com:
# - network.inetrfaces
# web.*:
# - network.*
# - disk.*
##### Logging settings ##### ##### Logging settings #####
########################################## ##########################################
@ -701,3 +802,4 @@ halite:
{{ name }}: {{ value }} {{ name }}: {{ value }}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}

View File

@ -23,6 +23,13 @@
# resolved, then the minion will fail to start. # resolved, then the minion will fail to start.
{{ get_config('master', 'salt') }} {{ get_config('master', 'salt') }}
# If multiple masters are specified in the 'master' setting, the default behavior
# is to always try to connect to them in the order they are listed. If random_master is
# set to True, the order will be randomized instead. This can be helpful in distributing
# the load of many minions executing salt-call requests, for example from a cron job.
# If only one master is listed, this setting is ignored and a warning will be logged.
{{ get_config('random_master', 'False') }}
# Set whether the minion should connect to the master via IPv6 # Set whether the minion should connect to the master via IPv6
{{ get_config('ipv6', 'False') }} {{ get_config('ipv6', 'False') }}
@ -129,6 +136,13 @@ id: {{ minion['id'] }}
# 0 and the defined value. # 0 and the defined value.
{{ get_config('random_reauth_delay', '60') }} {{ get_config('random_reauth_delay', '60') }}
# When waiting for a master to accept the minion's public key, salt will
# continuously attempt to reconnect until successful. This is the timeout value,
# in seconds, for each individual attempt. After this timeout expires, the minion
# will wait for acceptance_wait_time seconds before trying again.
# Unless your master is under unusually heavy load, this should be left at the default.
{{ get_config('auth_timeout', '3') }}
# If you don't have any problems with syn-floods, dont bother with the # If you don't have any problems with syn-floods, dont bother with the
# three recon_* settings described below, just leave the defaults! # three recon_* settings described below, just leave the defaults!
@ -200,6 +214,28 @@ id: {{ minion['id'] }}
# often lower this value # often lower this value
{{ get_config('loop_interval', '60') }} {{ get_config('loop_interval', '60') }}
# The grains_refresh_every setting allows for a minion to periodically check
# its grains to see if they have changed and, if so, to inform the master
# of the new grains. This operation is moderately expensive, therefore
# care should be taken not to set this value too low.
#
# Note: This value is expressed in __minutes__!
#
# A value of 10 minutes is a reasonable default.
#
# If the value is set to zero, this check is disabled.
{{ get_config('grains_refresh_every', '1') }}
# Cache grains on the minion. Default is False.
{{ get_config('grains_cache', 'False') }}
# Grains cache expiration, in seconds. If the cache file is older than this
# number of seconds then the grains cache will be dumped and fully re-populated
# with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache'
# is not enabled.
{{ get_config('grains_cache_expiration', '300') }}
# When healing, a dns_check is run. This is to make sure that the originally # When healing, a dns_check is run. This is to make sure that the originally
# resolved dns has not changed. If this is something that does not happen in # resolved dns has not changed. If this is something that does not happen in
# your environment, set this value to False. # your environment, set this value to False.
@ -276,6 +312,13 @@ id: {{ minion['id'] }}
# Enable Cython modules searching and loading. (Default: False) # Enable Cython modules searching and loading. (Default: False)
{{ get_config('cython_enable', 'False') }} {{ get_config('cython_enable', 'False') }}
# #
#
#
# Specify a max size (in bytes) for modules on import
# this feature is currently only supported on *nix OSs and requires psutil
{{ get_config('modules_max_memory', '-1') }}
##### State Management Settings ##### ##### State Management Settings #####
########################################### ###########################################
@ -359,7 +402,6 @@ id: {{ minion['id'] }}
# - /srv/salt/prod/services # - /srv/salt/prod/services
# - /srv/salt/prod/states # - /srv/salt/prod/states
# #
# Default:
{% if 'file_roots' in minion -%} {% if 'file_roots' in minion -%}
file_roots: file_roots:
{% for name, roots in minion['file_roots'].items() -%} {% for name, roots in minion['file_roots'].items() -%}

View File

@ -10,7 +10,9 @@
'RedHat': {'salt-master': 'salt-master', 'RedHat': {'salt-master': 'salt-master',
'salt-minion': 'salt-minion'}, 'salt-minion': 'salt-minion'},
'Gentoo': {'salt-master': 'app-admin/salt', 'Gentoo': {'salt-master': 'app-admin/salt',
'salt-minion': 'app-admin/salt'} 'salt-minion': 'app-admin/salt'},
'Arch': {'salt-master': 'salt',
'salt-minion': 'salt'}
} %} } %}
{% if 'package_table' in pillar %} {% if 'package_table' in pillar %}