From edce95f949b6d63671ba6785bdbce9f168d5e961 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20B=C3=A9rtoli?= Date: Sun, 9 Apr 2017 12:28:50 -0300 Subject: [PATCH] Updated master and minion default config files Added parameters new to 2016.03 (or simply missing in the existing config). --- salt/files/master.d/f_defaults.conf | 256 +++++++++++++++++++++++++--- salt/files/minion.d/f_defaults.conf | 206 +++++++++++++++++++--- 2 files changed, 412 insertions(+), 50 deletions(-) diff --git a/salt/files/master.d/f_defaults.conf b/salt/files/master.d/f_defaults.conf index f196dd8..e2c8d0d 100644 --- a/salt/files/master.d/f_defaults.conf +++ b/salt/files/master.d/f_defaults.conf @@ -1,5 +1,5 @@ # This file managed by Salt, do not edit by hand!! -# Based on salt version 2015.8.7 default config +# Based on salt version 2016.11 default config {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'lxc.network_profile', 'lxc.container_profile'] -%} {% set cfg_salt = pillar.get('salt', {}) -%} {% set cfg_master = cfg_salt.get('master', {}) -%} @@ -62,9 +62,23 @@ # key_logfile, pidfile: {{ get_config('root_dir', '/') }} +# The path to the master's configuration file. +{{ get_config('conf_file', '/etc/salt/master') }} + # Directory used to store public key data: {{ get_config('pki_dir', '/etc/salt/pki/master') }} +# Key cache. Increases master speed for large numbers of accepted +# keys. Available options: 'sched'. (Updates on a fixed schedule.) +# Note that enabling this feature means that minions will not be +# available to target for up to the length of the maintanence loop +# which by default is 60s. +{%- if cfg_minion['key_cache'] in cfg_master %} +{{ get_config('key_cache', '') }} +{% else %} +#key_cache: '' +{% endif %} + # Directory to store job and cache data: # This directory may contain sensitive data and should be protected accordingly. # @@ -77,7 +91,7 @@ # Directory for custom modules. This directory can contain subdirectories for # each of Salt's module types such as "runners", "output", "wheel", "modules", -# "states", "returners", etc. +# "states", "returners", "engines", etc. # Like 'extension_modules' but can take an array of paths {% if 'module_dirs' in cfg_master -%} {%- do default_keys.append('module_dirs') %} @@ -101,6 +115,10 @@ module_dirs: # Set the number of hours to keep old job information in the job cache: {{ get_config('keep_jobs', '24') }} +# The number of seconds to wait when the client is requesting information +# about running jobs. +{{ get_config('gather_job_timeout', '10') }} + # Set the default timeout for the salt command and api. The default is 5 # seconds. {{ get_config('timeout', '5') }} @@ -113,6 +131,11 @@ module_dirs: # Set the default outputter used by the salt command. The default is "nested". {{ get_config('output', 'nested') }} +# Set the default output file used by the salt command. Default is to output +# to the CLI and not to a file. Functions the same way as the "--out-file" +# CLI option, only sets this to a single file for all salt commands. +{{ get_config('output_file', 'None') }} + # Return minions that timeout when running commands like test.ping {{ get_config('show_timeout', 'True') }} @@ -124,6 +147,12 @@ module_dirs: # (true by default). {{ get_config('strip_colors', 'False') }} +# To display a summary of the number of minions targeted, the number of +# minions returned, and the number of minions that did not return, set the +# cli_summary value to True. (False by default.) +# +{{ get_config('cli_summary', 'False') }} + # Set the directory used to hold unix sockets: {{ get_config('sock_dir', '/var/run/salt/master') }} @@ -138,9 +167,21 @@ module_dirs: # the jobs system and is not generally recommended. {{ get_config('job_cache', 'True') }} -# Cache minion grains and pillar data in the cachedir. +# Cache minion grains, pillar and mine data via the cache subsystem in the +# cachedir or a database. {{ get_config('minion_data_cache', 'True') }} +# Cache subsystem module to use for minion data cache. +{{ get_config('cache', 'localfs') }} +# Enables a fast in-memory cache booster and sets the expiration time. +{{ get_config('memcache_expire_seconds', '0') }} +# Set a memcache limit in items (bank + key) per cache storage (driver + driver_opts). +{{ get_config('memcache_max_items', '1024') }} +# Each time a cache storage got full cleanup all the expired items not just the oldest one. +{{ get_config('memcache_full_cleanup', 'False') }} +# Enable collecting the memcache stats and log it on `debug` log level. +{{ get_config('memcache_debug', 'False') }} + # Store all returns in the given returner. # Setting this option requires that any returner-specific configuration also # be set. See various returners in salt/returners for details on required @@ -153,7 +194,7 @@ module_dirs: # By default, events are not queued. {{ get_config('event_return_queue', '0') }} -# Only events returns matching tags in a whitelist +# Only return events matching tags in a whitelist, supports glob matches. {% if 'event_return_whitelist' in cfg_master -%} {%- do default_keys.append('event_return_whitelist') %} event_return_whitelist: @@ -166,12 +207,12 @@ event_return_whitelist: - {{ event_return }} {%- endfor -%} {% else -%} -# event_return_whitelist: -# - salt/master/a_tag -# - salt/master/another_tag +#event_return_whitelist: +# - salt/master/a_tag +# - salt/run/*/ret {% endif %} -# Store all event returns _except_ the tags in a blacklist +# Store all event returns **except** the tags in a blacklist supports globs. {% if 'event_return_blacklist' in cfg_master -%} {%- do default_keys.append('event_return_blacklist') %} event_return_blacklist: @@ -184,9 +225,9 @@ event_return_blacklist: - {{ event_return }} {%- endfor -%} {% else -%} -# event_return_blacklist: -# - salt/master/not_this_tag -# - salt/master/or_this_one +#event_return_blacklist: +# - salt/master/not_this_tag +# - salt/wheel/*/ret {% endif %} # Passing very large events can cause the minion to consume large amounts of @@ -270,6 +311,9 @@ event_return_blacklist: # Set the ZeroMQ high water marks # http://api.zeromq.org/3-2:zmq-setsockopt +# The listen queue size / backlog +{{ get_config('zmq_backlog', '1000') }} + # The publisher interface ZeroMQPubServerChannel {{ get_config('pub_hwm', '1000') }} @@ -291,6 +335,19 @@ event_return_blacklist: # ZMQ high-water-mark for EventPublisher pub socket {{ get_config('event_publisher_pub_hwm', '10000') }} +# The master may allocate memory per-event and not +# reclaim it. +# To set a high-water mark for memory allocation, use +# ipc_write_buffer to set a high-water mark for message +# buffering. +# Value: In bytes. Set to 'dynamic' to have Salt select +# a value for you. Default is disabled. +{%- if 'ipc_write_buffer' in cfg_master %} +{{ get_config('ipc_write_buffer', 'dynamic') }} +{%- else %} +# ipc_write_buffer: 'dynamic' +{%- endif %} + ##### Security settings ##### ########################################## @@ -304,7 +361,7 @@ event_return_blacklist: # public keys from the minions. Note that this is insecure. {{ get_config('auto_accept', 'False') }} -# Time in minutes that a incoming public key with a matching name found in +# Time in minutes that an incoming public key with a matching name found in # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys # are removed when the master checks the minion_autosign directory. # 0 equals no timeout @@ -371,6 +428,7 @@ publisher_acl: # larry: # - test.ping # - network.* +# {%- endif %} # Blacklist any of the following users or modules @@ -378,6 +436,12 @@ publisher_acl: # This example would blacklist all non sudo users, including root from # running any commands. It would also blacklist any use of the "cmd" # module. This is completely disabled by default. +# +# +# Check the list of configured users in client ACL against users on the +# system and throw errors if they do not exist. +{{ get_config('client_acl_verify', 'True') }} +# {% if 'publisher_acl_blacklist' in cfg_master %} {%- do default_keys.append('publisher_acl_blacklist') %} publisher_acl_blacklist: @@ -428,6 +492,10 @@ publisher_acl_blacklist: # modules: # - cmd {% endif %} +# +# WARNING: client_acl and client_acl_blacklist options are deprecated and will +# be removed in the future releases. Use publisher_acl and +# publisher_acl_blacklist instead. # Enforce publisher_acl & publisher_acl_blacklist when users have sudo # access to the salt command. @@ -455,6 +523,18 @@ external_auth: # Time (in seconds) for a newly generated token to live. Default: 12 hours {{ get_config('token_expire', '43200') }} +# +# Allow eauth users to specify the expiry time of the tokens they generate. +# A boolean applies to all users or a dictionary of whitelisted eauth backends +# and usernames may be given. +# token_expire_user_override: +# pam: +# - fred +# - tom +# ldap: +# - gary +# +#token_expire_user_override: False # Allow minions to push files to the master. This is disabled by default, for # security purposes. @@ -479,6 +559,15 @@ external_auth: # will cause minion to throw an exception and drop the message. {{ get_config('sign_pub_message', 'False') }} +# Use TLS/SSL encrypted connection between master and minion. +# Can be set to a dictionary containing keyword arguments corresponding to Python's +# 'ssl.wrap_socket' method. +# Default is None. +#ssl: +# keyfile: +# certfile: +# ssl_version: PROTOCOL_TLSv1_2 + # Sign the master auth-replies with a cryptographic signature of the masters public key. # Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial {{ get_config('master_sign_pubkey', 'False') }} @@ -570,6 +659,27 @@ external_auth: # Pass in an alternative location for the salt-ssh roster file {{ get_config('roster_file', '/etc/salt/roster') }} +# Define locations for roster files so they can be chosen when using Salt API. +# An administrator can place roster files into these locations. Then when +# calling Salt API, parameter 'roster_file' should contain a relative path to +# these locations. That is, "roster_file=/foo/roster" will be resolved as +# "/etc/salt/roster.d/foo/roster" etc. This feature prevents passing insecure +# custom rosters through the Salt API. +# +{%- if 'rosters' in cfg_master %} +rosters: + {% for name in cfg_master['rosters'] -%} + - {{ name }} + {% endfor -%} +{%- else %} +#rosters: +# - /etc/salt/roster.d +# - /opt/salt/some/more/rosters +{%- endif %} + +# The log file of the salt-ssh command: +{{ get_config('ssh_log_file', '/var/log/salt/ssh') }} + # Pass in minion option overrides that will be inserted into the SHIM for # salt-ssh calls. The local minion config is not used for salt-ssh. Can be # overridden on a per-minion basis in the roster (`minion_opts`) @@ -577,6 +687,10 @@ external_auth: # gpg_keydir: /root/gpg {{ get_config('ssh_minion_opts', '{}') }} +# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh +# authentication with minions +{{ get_config('ssh_use_home_key', 'False') }} + ##### Master Module Management ##### ########################################## # Manage how master side modules are loaded. @@ -636,7 +750,7 @@ master_tops: # (block, not variable tag!). Defaults to False, corresponds to the Jinja # environment init variable "trim_blocks". {{ get_config('jinja_trim_blocks', 'False') }} - +# # If this is set to True leading spaces and tabs are stripped from the start # of a line to a block. Defaults to False, corresponds to the Jinja # environment init variable "lstrip_blocks". @@ -709,6 +823,7 @@ master_tops: #file_roots: # base: # - /srv/salt +# {%- endif %} # When using multiple environments, each with their own top file, the @@ -728,9 +843,12 @@ master_tops: {{ get_config('default_top', 'base') }} # The hash_type is the hash to use when discovering the hash of a file on -# the master server. The default is md5, but sha1, sha224, sha256, sha384 +# the master server. The default is md5 but sha1, sha224, sha256, sha384 # and sha512 are also supported. # +# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# # Prior to changing this value, the master should be stopped and all Salt # caches should be cleared. {{ get_config('hash_type', 'md5') }} @@ -870,7 +988,7 @@ fileserver_backend: # and the first repo to have the file will return it. # When using the git backend branches and tags are translated into salt # environments. -# Note: file:// repos will be treated as a remote, so refs you want used must +# Note: file:// repos will be treated as a remote, so refs you want used must # exist in that repo as *local* refs. {% if 'gitfs_remotes' in cfg_master -%} {%- do default_keys.append('gitfs_remotes') %} @@ -1006,6 +1124,7 @@ pillar_roots: #pillar_roots: # base: # - /srv/pillar +# {%- endif %} {% if 'ext_pillar' in cfg_master %} @@ -1048,6 +1167,18 @@ ext_pillar: # ext_pillar. {{ get_config('ext_pillar_first', 'False') }} +# The external pillars permitted to be used on-demand using pillar.ext +{%- if 'on_demand_ext_pillar' in cfg_master %} +on_demand_ext_pillar: + {% for name in cfg_master['on_demand_ext_pillar'] -%} + - {{ name }} + {% endfor -%} +{%- else %} +#on_demand_ext_pillar: +# - libvirt +# - virtkey +{%- endif %} + # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate # errors when contacting the pillar gitfs backend. You might want to set this to # false if you're using a git backend that uses a self-signed certificate but @@ -1068,16 +1199,21 @@ ext_pillar: {{ get_config('pillar_safe_render_error', 'True') }} # The pillar_source_merging_strategy option allows you to configure merging strategy -# between different sources. It accepts four values: recurse, aggregate, overwrite, -# or smart. Recurse will merge recursively mapping of data. Aggregate instructs -# aggregation of elements between sources that use the #!yamlex renderer. Overwrite -# will verwrite elements according the order in which they are processed. This is +# between different sources. It accepts five values: none, recurse, aggregate, overwrite, +# or smart. None will not do any merging at all. Recurse will merge recursively mapping of data. +# Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite +# will overwrite elements according the order in which they are processed. This is # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based # on the "renderer" setting and is the default value. {{ get_config('pillar_source_merging_strategy', 'smart') }} # Recursively merge lists by aggregating them instead of replacing them. -{{ get_config('pillar_merge_lists', False) }} +{{ get_config('pillar_merge_lists', 'False') }} + +# Set this option to 'True' to force a 'KeyError' to be raised whenever an +# attempt to retrieve a named value from pillar fails. When this option is set +# to 'False', the failed attempt returns an empty string. Default is 'False'. +{{ get_config('pillar_raise_on_missing', 'False') }} # Git External Pillar (git_pillar) Configuration Options # @@ -1139,6 +1275,43 @@ ext_pillar: # to authenticate is protected by a passphrase. {{ get_config('git_pillar_passphrase', '') }} +# A master can cache pillars locally to bypass the expense of having to render them +# for each minion on every request. This feature should only be enabled in cases +# where pillar rendering time is known to be unsatisfactory and any attendant security +# concerns about storing pillars in a master cache have been addressed. +# +# When enabling this feature, be certain to read through the additional ``pillar_cache_*`` +# configuration options to fully understand the tunable parameters and their implications. +# +# Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars. +# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html +{{ get_config('pillar_cache', 'False') }} + +# If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount +# of time, in seconds, before the cache is considered invalid by a master and a fresh +# pillar is recompiled and stored. +{{ get_config('pillar_cache_ttl', '3600') }} + +# If and only if a master has set `pillar_cache: True`, one of several storage providers +# can be utililzed. +# +# `disk`: The default storage backend. This caches rendered pillars to the master cache. +# Rendered pillars are serialized and deserialized as msgpack structures for speed. +# Note that pillars are stored UNENCRYPTED. Ensure that the master cache +# has permissions set appropriately. (Same defaults are provided.) +# +# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python +# in-memory data structure for maximal performance. There are several caveats, +# however. First, because each master worker contains its own in-memory cache, +# there is no guarantee of cache consistency between minion requests. This +# works best in situations where the pillar rarely if ever changes. Secondly, +# and perhaps more importantly, this means that unencrypted pillars will +# be accessible to any process which can examine the memory of the ``salt-master``! +# This may represent a substantial security risk. +# +{{ get_config('pillar_cache_backend', 'disk') }} + + ##### Syndic settings ##### ########################################## # The Salt syndic is used to pass commands through a master from a higher @@ -1155,7 +1328,7 @@ ext_pillar: # If this master will be running a salt syndic daemon, syndic_master tells # this master where to receive commands from. -{{ get_config('syndic_master', 'masterofmaster') }} +{{ get_config('syndic_master', 'masterofmasters') }} # This is the 'ret_port' of the MasterOfMaster: {{ get_config('syndic_master_port', '4506') }} @@ -1164,11 +1337,22 @@ ext_pillar: {{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }} # LOG file of the syndic daemon: -{{ get_config('syndic_log_file', 'syndic.log') }} +{{ get_config('syndic_log_file', '/var/log/salt/syndic') }} # The user under which the salt syndic will run. {{ get_config('syndic_user', 'root') }} +# The behaviour of the multi-syndic when connection to a master of masters failed. +# Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters +# will be iterated in random order. If ``ordered`` is specified, the configured +# order will be used. +{{ get_config('syndic_failover', 'random') }} + +# The number of seconds for the salt client to wait for additional syndics to +# check in with their lists of expected minions before giving up. +{{ get_config('syndic_wait', '5') }} + + ##### Peer Publish settings ##### ########################################## # Salt minions can send commands to other minions, but only if the minion is @@ -1358,11 +1542,18 @@ log_granular_levels: ##### Node Groups ###### ########################################## -# Node groups allow for logical groupings of minion nodes. A group consists of a group -# name and a compound target. +# Node groups allow for logical groupings of minion nodes. A group consists of +# a group name and a compound target. Nodgroups can reference other nodegroups +# with 'N@' classifier. Ensure that you do not have circular references. +# #nodegroups: -# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' +# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com' # group2: 'G@os:Debian and foo.domain.com' +# group3: 'G@os:Debian and N@group1' +# group4: +# - 'G@foo:bar' +# - 'or' +# - 'G@foo:baz' {%- if 'nodegroups' in cfg_master %} {%- do default_keys.append('nodegroups') %} nodegroups: @@ -1473,11 +1664,24 @@ win_gitrepos: {{ get_config('return', '')}} -###### Miscellaneous settings ###### +###### Miscellaneous settings ###### ############################################ # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch {{ get_config('event_match_type', 'startswith') }} +# Save runner returns to the job cache +{{ get_config('runner_returns', 'True') }} + +# Permanently include any available Python 3rd party modules into Salt Thin +# when they are generated for Salt-SSH or other purposes. +# The modules should be named by the names they are actually imported inside the Python. +# The value of the parameters can be either one module or a comma separated list of them. +{%- if 'thin_extra_mods' in cfg_master %} +{{ get_config('thin_extra_mods', '') }} +{%- else %} +#thin_extra_mods: foo,bar +{%- endif %} + {%- if 'halite' in cfg_master %} {%- do default_keys.append('halite') %} ##### Halite ##### diff --git a/salt/files/minion.d/f_defaults.conf b/salt/files/minion.d/f_defaults.conf index ae52348..a14b9ac 100644 --- a/salt/files/minion.d/f_defaults.conf +++ b/salt/files/minion.d/f_defaults.conf @@ -1,5 +1,5 @@ # This file managed by Salt, do not edit by hand!! -# Based on salt version 2015.8.7 default config +# Based on salt version 2016.11 default config # {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'beacons'] -%} {% set cfg_salt = pillar.get('salt', {}) -%} @@ -84,6 +84,8 @@ proxy_password: {{ cfg_minion['proxy_password'] }} # value to "str". Failover masters can be requested by setting # to "failover". MAKE SURE TO SET master_alive_interval if you are # using failover. +# Setting master_type to 'disable' let's you have a running minion (with engines and +# beacons) without a master connection {{ get_config('master_type', 'str') }} # verify_master_pubkey_sign @@ -95,6 +97,16 @@ proxy_password: {{ cfg_minion['proxy_password'] }} # of TCP connections, such as load balancers.) {{ get_config('master_alive_interval', '30') }} +# If the minion is in multi-master mode and the master_type configuration option +# is set to "failover", this setting can be set to "True" to force the minion +# to fail back to the first master in the list if the first master is back online. +{{ get_config('master_fallback', 'False') }} + +# If the minion is in multi-master mode, the "master_type" configuration is set to +# "failover", and the "master_failback" option is enabled, the master failback +# interval can be set to ping the top master with this interval, in seconds. +{{ get_config('master_fallback_interval', '0') }} + # Set whether the minion should connect to the master via IPv6: {{ get_config('ipv6', 'False') }} @@ -109,10 +121,14 @@ proxy_password: {{ cfg_minion['proxy_password'] }} # The user to run salt. {{ get_config('user', 'root') }} -# Setting sudo_user will cause salt to run all execution modules under an sudo -# to the user given in sudo_user. The user under which the salt minion process -# itself runs will still be that provided in the user config above, but all -# execution modules run by the minion will be rerouted through sudo. +# The user to run salt remote execution commands as via sudo. If this option is +# enabled then sudo will be used to change the active user executing the remote +# command. If enabled the user will need to be allowed access via the sudoers +# file for the user that the salt minion is configured to run as. The most +# common option would be to use the root user. If this option is set the user +# option should also be set to a non-root user. If migrating from a root minion +# to a non root minion the minion cache should be cleared and the minion pki +# directory will need to be changed to the ownership of the new user. {{ get_config('sudo_user', 'saltdev') }} # Specify the location of the daemon process ID file. @@ -122,6 +138,9 @@ proxy_password: {{ cfg_minion['proxy_password'] }} # sock_dir, pidfile. {{ get_config('root_dir', '/') }} +# The path to the minion's configuration file. +{{ get_config('conf_file', '/etc/salt/minion') }} + # The directory to store the pki information in {{ get_config('pki_dir', '/etc/salt/pki/minion') }} @@ -137,6 +156,13 @@ id: {{ cfg_minion['id'] }} #id: {%- endif %} +# Cache the minion id to a file when the minion's id is not statically defined +# in the minion config. Defaults to "True". This setting prevents potential +# problems when automatic minion id resolution changes, which can cause the +# minion to lose connection with the master. To turn off minion id caching, +# set this config to ``False``. +{{ get_config('minion_id_caching', 'True') }} + # Append a domain to a hostname in the event that it does not exist. This is # useful for systems where socket.getfqdn() does not actually result in a # FQDN (for instance, Solaris). @@ -158,6 +184,20 @@ id: {{ cfg_minion['id'] }} # This data may contain sensitive data and should be protected accordingly. {{ get_config('cachedir', '/var/cache/salt/minion') }} +# Append minion_id to these directories. Helps with +# multiple proxies and minions running on the same machine. +# Allowed elements in the list: pki_dir, cachedir, extension_modules +# Normally not needed unless running several proxies and/or minions on the same machine +# Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions +{% if 'append_minionid_config_dirs' in cfg_minion -%} +append_minionid_config_dirs: + {% for dir in cfg_minion['append_minionid_config_dirs'] -%} + - {{ dir }} + {% endfor -%} +{%- else %} +#append_minionid_config_dirs: +{%- endif %} + # Verify and set permissions on configuration directories at startup. {{ get_config('verify_env', 'True') }} @@ -226,6 +266,20 @@ id: {{ cfg_minion['id'] }} # authenticate. {{ get_config('auth_tries', '7') }} +# The number of attempts to connect to a master before giving up. +# Set this to -1 for unlimited attempts. This allows for a master to have +# downtime and the minion to reconnect to it later when it comes back up. +# In 'failover' mode, it is the number of attempts for each set of masters. +# In this mode, it will cycle through the list of masters for each attempt. +# +# This is different than auth_tries because auth_tries attempts to +# retry auth attempts with a single master. auth_tries is under the +# assumption that you can connect to the master but not gain +# authorization from it. master_tries will still cycle through all +# the masters in a given try, so it is appropriate if you expect +# occasional downtime from the master(s). +{{ get_config('master_tries', '1') }} + # If authentication fails due to SaltReqTimeoutError during a ping_interval, # cause sub minion process to restart. {{ get_config('auth_safemode', 'False') }} @@ -312,10 +366,23 @@ mine_functions: {{ get_config('recon_randomize', 'False') }} # The loop_interval sets how long in seconds the minion will wait between -# evaluating the scheduler and running cleanup tasks. This defaults to a -# sane 60 seconds, but if the minion scheduler needs to be evaluated more -# often lower this value -{{ get_config('loop_interval', '60') }} +# evaluating the scheduler and running cleanup tasks. This defaults to 1 +# second on the minion scheduler. +{{ get_config('loop_interval', '1') }} + +# Some installations choose to start all job returns in a cache or a returner +# and forgo sending the results back to a master. In this workflow, jobs +# are most often executed with --async from the Salt CLI and then results +# are evaluated by examining job caches on the minions or any configured returners. +# WARNING: Setting this to False will **disable** returns back to the master. +{{ get_config('pub_ret', 'True') }} + + +# The grains can be merged, instead of overridden, using this option. +# This allows custom grains to defined different subvalues of a dictionary +# grain. By default this feature is disabled, to enable set grains_deep_merge +# to ``True``. +{{ get_config('grains_deep_merge', 'False') }} # The grains_refresh_every setting allows for a minion to periodically check # its grains to see if they have changed and, if so, to inform the master @@ -332,12 +399,37 @@ mine_functions: # Cache grains on the minion. Default is False. {{ get_config('grains_cache', 'False') }} +# Cache rendered pillar data on the minion. Default is False. +# This may cause 'cachedir'/pillar to contain sensitive data that should be +# protected accordingly. +{{ get_config('minion_pillar_cache', 'False') }} + # Grains cache expiration, in seconds. If the cache file is older than this # number of seconds then the grains cache will be dumped and fully re-populated # with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache' # is not enabled. {{ get_config('grains_cache_expiration', '300') }} +# Determines whether or not the salt minion should run scheduled mine updates. +# Defaults to "True". Set to "False" to disable the scheduled mine updates +# (this essentially just does not add the mine update function to the minion's +# scheduler). +{{ get_config('mine_enabled', 'True') }} + +# Determines whether or not scheduled mine updates should be accompanied by a job +# return for the job cache. Defaults to "False". Set to "True" to include job +# returns in the job cache for mine updates. +{{ get_config('mine_return_job', 'False') }} + +# Example functions that can be run via the mine facility +# NO mine functions are established by default. +# Note these can be defined in the minion's pillar as well. +#mine_functions: +# test.ping: [] +# network.ip_addrs: +# interface: eth0 +# cidr: '10.0.0.0/8' + # Windows platforms lack posix IPC and must rely on slower TCP based inter- # process communications. Set ipc_mode to 'tcp' on such systems {{ get_config('ipc_mode', 'ipc') }} @@ -386,13 +478,34 @@ mine_functions: {%- endif -%} {% endif %} +# The syndic minion can verify that it is talking to the correct master via the +# key fingerprint of the higher-level master with the "syndic_finger" config. +{{ get_config('syndic_finger', '') }} + + ##### Minion module management ##### ########################################## # Disable specific modules. This allows the admin to limit the level of -# access the master has to the minion. -{{ get_config('disable_modules', '[cmd,test]') }} +# access the master has to the minion. The default here is the empty list, +# below is an example of how this needs to be formatted in the config file +#disable_modules: +# - cmdmod +# - test +#disable_returners: [] +{{ get_config('disable_modules', '[]') }} {{ get_config('disable_returners', '[]') }} +# This is the reverse of disable_modules. The default, like disable_modules, is the empty list, +# but if this option is set to *anything* then *only* those modules will load. +# Note that this is a very large hammer and it can be quite difficult to keep the minion working +# the way you think it should since Salt uses many modules internally itself. At a bare minimum +# you need the following enabled or else the minion won't start. +#whitelist_modules: +# - cmdmod +# - test +# - config +{{ get_config('whitelist_modules', '[]') }} + # Modules can be loaded from arbitrary paths. This enables the easy deployment # of third party modules. Modules for returners and minions can be loaded. # Specify a list of extra directories to search for minion modules and @@ -452,7 +565,16 @@ mine_functions: # by statically setting it. Remember that the recommended way to manage # environments is to isolate via the top file. {{ get_config('environment', 'None') }} - +# +# Isolates the pillar environment on the minion side. This functions the same +# as the environment setting, but for pillar instead of states. +{{ get_config('pillarenv', 'None') }} +# +# Set this option to 'True' to force a 'KeyError' to be raised whenever an +# attempt to retrieve a named value from pillar fails. When this option is set +# to 'False', the failed attempt returns an empty string. Default is 'False'. +{{ get_config('pillar_raise_on_missing', 'False') }} +# # If using the local file directory, then the state top file name needs to be # defined, by default this is top.sls. {{ get_config('state_top', 'top.sls') }} @@ -526,17 +648,17 @@ file_client: local # - /srv/salt {%- endif %} - -# File Server Backend +# Uncomment the line below if you do not want the file_server to follow +# symlinks when walking the filesystem tree. This is set to True +# by default. Currently this only applies to the default roots +# fileserver_backend. +{{ get_config('fileserver_followsymlinks', 'True') }} # -# Salt supports a modular fileserver backend system, this system allows -# the salt minion to link directly to third party systems to gather and -# manage the files available to minions. Multiple backends can be -# configured and will be searched for the requested file in the order in which -# they are defined here. The default setting only enables the standard backend -# "roots" which uses the "file_roots" option. -#fileserver_backend: -# - roots +# Uncomment the line below if you do not want symlinks to be +# treated as the files they are pointing to. By default this is set to +# False. By uncommenting the line below, any detected symlink while listing +# files on the Master will not be returned to the Minion. +{{ get_config('fileserver_ignoresymlinks', 'False') }} # # To use multiple backends list them in the order they are searched: #fileserver_backend: @@ -558,10 +680,13 @@ fileserver_backend: # is False. {{ get_config('fileserver_limit_traversal', 'False') }} -# The hash_type is the hash to use when discovering the hash of a file in +# The hash_type is the hash to use when discovering the hash of a file on # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 # and sha512 are also supported. # +# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance +# of possible collisions and thus security breach. +# # Warning: Prior to changing this value, the minion should be stopped and all # Salt caches should be cleared. {{ get_config('hash_type', 'md5') }} @@ -687,6 +812,10 @@ pillar_roots: # - /srv/pillar {%- endif %} +# Set a hard-limit on the size of the files that can be pushed to the master. +# It will be interpreted as megabytes. Default: 100 +{{ get_config('file_recv_max_size', '100') }} + {% if 'ext_pillar' in cfg_minion %} {%- do default_keys.append('ext_pillar') %} ext_pillar: @@ -858,11 +987,24 @@ ext_pillar: # "salt-key -F master" on the Salt master. {{ get_config('master_finger', "''") }} +# Use TLS/SSL encrypted connection between master and minion. +# Can be set to a dictionary containing keyword arguments corresponding to Python's +# 'ssl.wrap_socket' method. +# Default is None. +#ssl: +# keyfile: +# certfile: +# ssl_version: PROTOCOL_TLSv1_2 + ###### Thread settings ##### ########################################### # Disable multiprocessing support, by default when a minion receives a # publication a new process is spawned and the command is executed therein. +# +# WARNING: Disabling multiprocessing may result in substantial slowdowns +# when processing large pillars. See https://github.com/saltstack/salt/issues/38758 +# for a full explanation. {{ get_config('multiprocessing', 'True') }} @@ -1024,8 +1166,24 @@ ext_pillar: ###### Returner settings ###### ############################################ -# Which returner(s) will be used for minion's result: +# Default Minion returners. Can be a comma delimited string or a list: +# +#return: mysql +# +#return: mysql,slack,redis +# +#return: +# - mysql +# - hipchat +# - slack +{%- if 'return' in cfg_minion and cfg_minion['return'] is not string %} +return: + {% for name in cfg_minion['return'] -%} + - {{ name }} + {% endfor -%} +{%- else %} {{ get_config('return', '') }} +{%- endif %} ###### Miscellaneous settings ###### ############################################