diff --git a/salt/files/master b/salt/files/master index 21841af..9f19787 100644 --- a/salt/files/master +++ b/salt/files/master @@ -69,7 +69,8 @@ {{ get_config('pidfile', '/var/run/salt-master.pid') }} # The root directory prepended to these options: pki_dir, cachedir, -# sock_dir, log_file, autosign_file, extension_modules, key_logfile, pidfile. +# sock_dir, log_file, autosign_file, autoreject_file, extension_modules, +# key_logfile, pidfile. {{ get_config('root_dir', '/') }} # Directory used to store public key data @@ -88,7 +89,7 @@ # seconds {{ get_config('timeout', '5') }} -# The loop_interval option controls the seconds for the master's maintinance +# The loop_interval option controls the seconds for the master's maintenance # process check cycle. This process updates file server backends, cleans the # job cache and executes the scheduler. {{ get_config('loop_interval', '60') }} @@ -148,11 +149,16 @@ # public keys from the minions. Note that this is insecure. {{ get_config('auto_accept', 'False') }} -# If the autosign_file is specified only incoming keys specified in -# the autosign_file will be automatically accepted. This is insecure. -# Regular expressions as well as globing lines are supported. +# If the autosign_file is specified, incoming keys specified in the +# autosign_file will be automatically accepted. This is insecure. Regular +# expressions as well as globing lines are supported. {{ get_config('autosign_file', '/etc/salt/autosign.conf') }} +# Works like autosign_file, but instead allows you to specify minion IDs for +# which keys will automatically be rejected. Will override both membership in +# the autosign_file and the auto_accept setting. +{{ get_config('autorejecte_file', '/etc/salt/autosign.conf') }} + # Enable permissive access to the salt keys. This allows you to run the # master or minion as root, but have a non-root group be given access to # your pki_dir. To make the access explicit, root must belong to the group @@ -226,6 +232,28 @@ client_acl_blacklist: # security purposes. {{ get_config('file_recv', 'False') }} +# Set a hard-limit on the size of the files that can be pushed to the master. +# It will be interpreted as megabytes. +# Default: 100 +{{ get_config('file_recv_max_size', '100') }} + +# Signature verification on messages published from the master. +# This causes the master to cryptographically sign all messages published to its event +# bus, and minions then verify that signature before acting on the message. +# +# This is False by default. +# +# Note that to facilitate interoperability with masters and minions that are different +# versions, if sign_pub_messages is True but a message is received by a minion with +# no signature, it will still be accepted, and a warning message will be logged. +# Conversely, if sign_pub_messages is False, but a minion receives a signed +# message it will be accepted, the signature will not be checked, and a warning message +# will be logged. This behavior will go away in Salt 0.17.6 (or Hydrogen RC1, whichever +# comes first) and these two situations will cause minion to throw an exception and +# drop the message. +# +{{ get_config('sign_pub_message', 'False') }} + ##### Master Module Management ##### ########################################## # Manage how master side modules are loaded @@ -263,6 +291,19 @@ client_acl_blacklist: # The renderer to use on the minions to render the state data {{ get_config('renderer', 'yaml_jinja') }} +# The Jinja renderer can strip extra carriage returns and whitespace +# See http://jinja.pocoo.org/docs/api/#high-level-api +# +# If this is set to True the first newline after a Jinja block is removed +# (block, not variable tag!). Defaults to False, corresponds to the Jinja +# environment init variable "trim_blocks". +{{ get_config('jinja_trim_blocks', 'False') }} +# +# If this is set to True leading spaces and tabs are stripped from the start +# of a line to a block. Defaults to False, corresponds to the Jinja +# environment init variable "lstrip_blocks". +{{ get_config('jinja_lstrip_blocks', 'False') }} + # The failhard option tells the minions to stop immediately after the first # failure detected in the state execution, defaults to False {{ get_config('failhard', 'False') }} @@ -395,6 +436,21 @@ fileserver_backend: - {{ backend }} {% endfor -%} {% endif %} +# +# Uncomment the line below if you do not want the file_server to follow +# symlinks when walking the filesystem tree. This is set to True +# by default. Currently this only applies to the default roots +# fileserver_backend. +# +{{ get_config('fileserver_followsymlinks', 'False') }} +# +# Uncomment the line below if you do not want symlinks to be +# treated as the files they are pointing to. By default this is set to +# False. By uncommenting the line below, any detected symlink while listing +# files on the Master will not be returned to the Minion. +# +{{ get_config('fileserver_ignoresymlinks', 'True') }} + # # By default, the Salt fileserver recurses fully into all defined environments # to attempt to find files. To limit this behavior so that the fileserver only @@ -404,14 +460,20 @@ fileserver_backend: # {{ get_config('fileserver_limit_traversal', 'False') }} # +# The fileserver can fire events off every time the fileserver is updated, +# these are disabled by default, but can be easily turned on by setting this +# flag to True +{{ get_config('fileserver_events', 'False') }} +# # Git fileserver backend configuration +# +# Gitfs can be provided by one of two python modules: GitPython or pygit2. If +# using pygit2, both libgit2 and git must also be installed. +{{ get_config('gitfs_provider', 'gitpython') }} +# # When using the git fileserver backend at least one git remote needs to be # defined. The user running the salt master will need read access to the repo. # -#gitfs_remotes: -# - git://github.com/saltstack/salt-states.git -# - file:///var/git/saltmaster -# # The repos will be searched in order to find the file requested by a client # and the first repo to have the file will return it. # When using the git backend branches and tags are translated into salt @@ -424,6 +486,18 @@ gitfs_remotes: - {{ remote }}{% endfor -%} {%- endif %} # +#gitfs_remotes: +# - git://github.com/saltstack/salt-states.git +# - file:///var/git/saltmaster +# +# The gitfs_ssl_verify option specifies whether to ignore ssl certificate +# errors when contacting the gitfs backend. You might want to set this to +# false if you're using a git backend that uses a self-signed certificate but +# keep in mind that setting this flag to anything other than the default of True +# is a security concern, you may want to try using the ssh transport. +{{ get_config('gitfs_ssl_verify', 'True') }} +# +# # The gitfs_root option gives the ability to serve files from a subdirectory # within the repository. The path is defined relative to the root of the # repository and defaults to the repository root. @@ -475,6 +549,13 @@ ext_pillar: # - cmd_yaml: cat /etc/salt/yaml {%- endif %} +# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate +# errors when contacting the pillar gitfs backend. You might want to set this to +# false if you're using a git backend that uses a self-signed certificate but +# keep in mind that setting this flag to anything other than the default of True +# is a security concern, you may want to try using the ssh transport. +{{ get_config('pillar_gitfs_ssl_verify', 'True') }} + # The pillar_opts option adds the master configuration file data to a dict in # the pillar called "master". This is used to set simple configurations in the # master config file that can then be used on minions. @@ -585,6 +666,26 @@ peer_run: {% endfor -%} {% endif -%} +##### Mine settings ##### +########################################## +# Restrict mine.get access from minions. By default any minion has a full access +# to get all mine data from master cache. In acl definion below, only pcre matches +# are allowed. +# +# mine_get: +# .*: +# - .* +# +# Example below enables minion foo.example.com to get 'network.interfaces' mine data only +# , minions web* to get all network.* and disk.* mine data and all other minions won't get +# any mine data. +# +# mine_get: +# foo.example.com: +# - network.inetrfaces +# web.*: +# - network.* +# - disk.* ##### Logging settings ##### ########################################## @@ -701,3 +802,4 @@ halite: {{ name }}: {{ value }} {%- endfor %} {%- endif %} + diff --git a/salt/files/minion b/salt/files/minion index e3b45ea..d03f3d8 100644 --- a/salt/files/minion +++ b/salt/files/minion @@ -23,6 +23,13 @@ # resolved, then the minion will fail to start. {{ get_config('master', 'salt') }} +# If multiple masters are specified in the 'master' setting, the default behavior +# is to always try to connect to them in the order they are listed. If random_master is +# set to True, the order will be randomized instead. This can be helpful in distributing +# the load of many minions executing salt-call requests, for example from a cron job. +# If only one master is listed, this setting is ignored and a warning will be logged. +{{ get_config('random_master', 'False') }} + # Set whether the minion should connect to the master via IPv6 {{ get_config('ipv6', 'False') }} @@ -129,6 +136,13 @@ id: {{ minion['id'] }} # 0 and the defined value. {{ get_config('random_reauth_delay', '60') }} +# When waiting for a master to accept the minion's public key, salt will +# continuously attempt to reconnect until successful. This is the timeout value, +# in seconds, for each individual attempt. After this timeout expires, the minion +# will wait for acceptance_wait_time seconds before trying again. +# Unless your master is under unusually heavy load, this should be left at the default. +{{ get_config('auth_timeout', '3') }} + # If you don't have any problems with syn-floods, dont bother with the # three recon_* settings described below, just leave the defaults! @@ -137,10 +151,10 @@ id: {{ minion['id'] }} # to reconnect immediately, if the socket is disconnected (for example if # the master processes are restarted). In large setups this will have all # minions reconnect immediately which might flood the master (the ZeroMQ-default -# is usually a 100ms delay). To prevent this, these three recon_* settings +# is usually a 100ms delay). To prevent this, these three recon_* settings # can be used. # -# recon_default: the interval in milliseconds that the socket should wait before +# recon_default: the interval in milliseconds that the socket should wait before # trying to reconnect to the master (100ms = 1 second) # # recon_max: the maximum time a socket should wait. each interval the time to wait @@ -154,14 +168,14 @@ id: {{ minion['id'] }} # reconnect 5: value from previous interval * 2 # reconnect x: if value >= recon_max, it starts again with recon_default # -# recon_randomize: generate a random wait time on minion start. The wait time will -# be a random value between recon_default and recon_default + -# recon_max. Having all minions reconnect with the same recon_default -# and recon_max value kind of defeats the purpose of being able to -# change these settings. If all minions have the same values and your -# setup is quite large (several thousand minions), they will still +# recon_randomize: generate a random wait time on minion start. The wait time will +# be a random value between recon_default and recon_default + +# recon_max. Having all minions reconnect with the same recon_default +# and recon_max value kind of defeats the purpose of being able to +# change these settings. If all minions have the same values and your +# setup is quite large (several thousand minions), they will still # flood the master. The desired behaviour is to have timeframe within -# all minions try to reconnect. +# all minions try to reconnect. # Example on how to use these settings: # The goal: have all minions reconnect within a 60 second timeframe on a disconnect @@ -173,9 +187,9 @@ id: {{ minion['id'] }} # # Each minion will have a randomized reconnect value between 'recon_default' # and 'recon_default + recon_max', which in this example means between 1000ms -# 60000ms (or between 1 and 60 seconds). The generated random-value will be -# doubled after each attempt to reconnect. Lets say the generated random -# value is 11 seconds (or 11000ms). +# 60000ms (or between 1 and 60 seconds). The generated random-value will be +# doubled after each attempt to reconnect. Lets say the generated random +# value is 11 seconds (or 11000ms). # # reconnect 1: wait 11 seconds # reconnect 2: wait 22 seconds @@ -200,6 +214,28 @@ id: {{ minion['id'] }} # often lower this value {{ get_config('loop_interval', '60') }} +# The grains_refresh_every setting allows for a minion to periodically check +# its grains to see if they have changed and, if so, to inform the master +# of the new grains. This operation is moderately expensive, therefore +# care should be taken not to set this value too low. +# +# Note: This value is expressed in __minutes__! +# +# A value of 10 minutes is a reasonable default. +# +# If the value is set to zero, this check is disabled. +{{ get_config('grains_refresh_every', '1') }} + +# Cache grains on the minion. Default is False. +{{ get_config('grains_cache', 'False') }} + +# Grains cache expiration, in seconds. If the cache file is older than this +# number of seconds then the grains cache will be dumped and fully re-populated +# with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache' +# is not enabled. +{{ get_config('grains_cache_expiration', '300') }} + + # When healing, a dns_check is run. This is to make sure that the originally # resolved dns has not changed. If this is something that does not happen in # your environment, set this value to False. @@ -276,6 +312,13 @@ id: {{ minion['id'] }} # Enable Cython modules searching and loading. (Default: False) {{ get_config('cython_enable', 'False') }} # +# +# +# Specify a max size (in bytes) for modules on import +# this feature is currently only supported on *nix OSs and requires psutil +{{ get_config('modules_max_memory', '-1') }} + + ##### State Management Settings ##### ########################################### @@ -359,7 +402,6 @@ id: {{ minion['id'] }} # - /srv/salt/prod/services # - /srv/salt/prod/states # -# Default: {% if 'file_roots' in minion -%} file_roots: {% for name, roots in minion['file_roots'].items() -%}