Updated master and minion default config files
Added parameters new to 2016.03 (or simply missing in the existing config).
This commit is contained in:
parent
03ec0dce2d
commit
edce95f949
@ -1,5 +1,5 @@
|
||||
# This file managed by Salt, do not edit by hand!!
|
||||
# Based on salt version 2015.8.7 default config
|
||||
# Based on salt version 2016.11 default config
|
||||
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'lxc.network_profile', 'lxc.container_profile'] -%}
|
||||
{% set cfg_salt = pillar.get('salt', {}) -%}
|
||||
{% set cfg_master = cfg_salt.get('master', {}) -%}
|
||||
@ -62,9 +62,23 @@
|
||||
# key_logfile, pidfile:
|
||||
{{ get_config('root_dir', '/') }}
|
||||
|
||||
# The path to the master's configuration file.
|
||||
{{ get_config('conf_file', '/etc/salt/master') }}
|
||||
|
||||
# Directory used to store public key data:
|
||||
{{ get_config('pki_dir', '/etc/salt/pki/master') }}
|
||||
|
||||
# Key cache. Increases master speed for large numbers of accepted
|
||||
# keys. Available options: 'sched'. (Updates on a fixed schedule.)
|
||||
# Note that enabling this feature means that minions will not be
|
||||
# available to target for up to the length of the maintanence loop
|
||||
# which by default is 60s.
|
||||
{%- if cfg_minion['key_cache'] in cfg_master %}
|
||||
{{ get_config('key_cache', '') }}
|
||||
{% else %}
|
||||
#key_cache: ''
|
||||
{% endif %}
|
||||
|
||||
# Directory to store job and cache data:
|
||||
# This directory may contain sensitive data and should be protected accordingly.
|
||||
#
|
||||
@ -77,7 +91,7 @@
|
||||
|
||||
# Directory for custom modules. This directory can contain subdirectories for
|
||||
# each of Salt's module types such as "runners", "output", "wheel", "modules",
|
||||
# "states", "returners", etc.
|
||||
# "states", "returners", "engines", etc.
|
||||
# Like 'extension_modules' but can take an array of paths
|
||||
{% if 'module_dirs' in cfg_master -%}
|
||||
{%- do default_keys.append('module_dirs') %}
|
||||
@ -101,6 +115,10 @@ module_dirs:
|
||||
# Set the number of hours to keep old job information in the job cache:
|
||||
{{ get_config('keep_jobs', '24') }}
|
||||
|
||||
# The number of seconds to wait when the client is requesting information
|
||||
# about running jobs.
|
||||
{{ get_config('gather_job_timeout', '10') }}
|
||||
|
||||
# Set the default timeout for the salt command and api. The default is 5
|
||||
# seconds.
|
||||
{{ get_config('timeout', '5') }}
|
||||
@ -113,6 +131,11 @@ module_dirs:
|
||||
# Set the default outputter used by the salt command. The default is "nested".
|
||||
{{ get_config('output', 'nested') }}
|
||||
|
||||
# Set the default output file used by the salt command. Default is to output
|
||||
# to the CLI and not to a file. Functions the same way as the "--out-file"
|
||||
# CLI option, only sets this to a single file for all salt commands.
|
||||
{{ get_config('output_file', 'None') }}
|
||||
|
||||
# Return minions that timeout when running commands like test.ping
|
||||
{{ get_config('show_timeout', 'True') }}
|
||||
|
||||
@ -124,6 +147,12 @@ module_dirs:
|
||||
# (true by default).
|
||||
{{ get_config('strip_colors', 'False') }}
|
||||
|
||||
# To display a summary of the number of minions targeted, the number of
|
||||
# minions returned, and the number of minions that did not return, set the
|
||||
# cli_summary value to True. (False by default.)
|
||||
#
|
||||
{{ get_config('cli_summary', 'False') }}
|
||||
|
||||
# Set the directory used to hold unix sockets:
|
||||
{{ get_config('sock_dir', '/var/run/salt/master') }}
|
||||
|
||||
@ -138,9 +167,21 @@ module_dirs:
|
||||
# the jobs system and is not generally recommended.
|
||||
{{ get_config('job_cache', 'True') }}
|
||||
|
||||
# Cache minion grains and pillar data in the cachedir.
|
||||
# Cache minion grains, pillar and mine data via the cache subsystem in the
|
||||
# cachedir or a database.
|
||||
{{ get_config('minion_data_cache', 'True') }}
|
||||
|
||||
# Cache subsystem module to use for minion data cache.
|
||||
{{ get_config('cache', 'localfs') }}
|
||||
# Enables a fast in-memory cache booster and sets the expiration time.
|
||||
{{ get_config('memcache_expire_seconds', '0') }}
|
||||
# Set a memcache limit in items (bank + key) per cache storage (driver + driver_opts).
|
||||
{{ get_config('memcache_max_items', '1024') }}
|
||||
# Each time a cache storage got full cleanup all the expired items not just the oldest one.
|
||||
{{ get_config('memcache_full_cleanup', 'False') }}
|
||||
# Enable collecting the memcache stats and log it on `debug` log level.
|
||||
{{ get_config('memcache_debug', 'False') }}
|
||||
|
||||
# Store all returns in the given returner.
|
||||
# Setting this option requires that any returner-specific configuration also
|
||||
# be set. See various returners in salt/returners for details on required
|
||||
@ -153,7 +194,7 @@ module_dirs:
|
||||
# By default, events are not queued.
|
||||
{{ get_config('event_return_queue', '0') }}
|
||||
|
||||
# Only events returns matching tags in a whitelist
|
||||
# Only return events matching tags in a whitelist, supports glob matches.
|
||||
{% if 'event_return_whitelist' in cfg_master -%}
|
||||
{%- do default_keys.append('event_return_whitelist') %}
|
||||
event_return_whitelist:
|
||||
@ -168,10 +209,10 @@ event_return_whitelist:
|
||||
{% else -%}
|
||||
#event_return_whitelist:
|
||||
# - salt/master/a_tag
|
||||
# - salt/master/another_tag
|
||||
# - salt/run/*/ret
|
||||
{% endif %}
|
||||
|
||||
# Store all event returns _except_ the tags in a blacklist
|
||||
# Store all event returns **except** the tags in a blacklist supports globs.
|
||||
{% if 'event_return_blacklist' in cfg_master -%}
|
||||
{%- do default_keys.append('event_return_blacklist') %}
|
||||
event_return_blacklist:
|
||||
@ -186,7 +227,7 @@ event_return_blacklist:
|
||||
{% else -%}
|
||||
#event_return_blacklist:
|
||||
# - salt/master/not_this_tag
|
||||
# - salt/master/or_this_one
|
||||
# - salt/wheel/*/ret
|
||||
{% endif %}
|
||||
|
||||
# Passing very large events can cause the minion to consume large amounts of
|
||||
@ -270,6 +311,9 @@ event_return_blacklist:
|
||||
# Set the ZeroMQ high water marks
|
||||
# http://api.zeromq.org/3-2:zmq-setsockopt
|
||||
|
||||
# The listen queue size / backlog
|
||||
{{ get_config('zmq_backlog', '1000') }}
|
||||
|
||||
# The publisher interface ZeroMQPubServerChannel
|
||||
{{ get_config('pub_hwm', '1000') }}
|
||||
|
||||
@ -291,6 +335,19 @@ event_return_blacklist:
|
||||
# ZMQ high-water-mark for EventPublisher pub socket
|
||||
{{ get_config('event_publisher_pub_hwm', '10000') }}
|
||||
|
||||
# The master may allocate memory per-event and not
|
||||
# reclaim it.
|
||||
# To set a high-water mark for memory allocation, use
|
||||
# ipc_write_buffer to set a high-water mark for message
|
||||
# buffering.
|
||||
# Value: In bytes. Set to 'dynamic' to have Salt select
|
||||
# a value for you. Default is disabled.
|
||||
{%- if 'ipc_write_buffer' in cfg_master %}
|
||||
{{ get_config('ipc_write_buffer', 'dynamic') }}
|
||||
{%- else %}
|
||||
# ipc_write_buffer: 'dynamic'
|
||||
{%- endif %}
|
||||
|
||||
|
||||
##### Security settings #####
|
||||
##########################################
|
||||
@ -304,7 +361,7 @@ event_return_blacklist:
|
||||
# public keys from the minions. Note that this is insecure.
|
||||
{{ get_config('auto_accept', 'False') }}
|
||||
|
||||
# Time in minutes that a incoming public key with a matching name found in
|
||||
# Time in minutes that an incoming public key with a matching name found in
|
||||
# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
|
||||
# are removed when the master checks the minion_autosign directory.
|
||||
# 0 equals no timeout
|
||||
@ -371,6 +428,7 @@ publisher_acl:
|
||||
# larry:
|
||||
# - test.ping
|
||||
# - network.*
|
||||
#
|
||||
{%- endif %}
|
||||
|
||||
# Blacklist any of the following users or modules
|
||||
@ -378,6 +436,12 @@ publisher_acl:
|
||||
# This example would blacklist all non sudo users, including root from
|
||||
# running any commands. It would also blacklist any use of the "cmd"
|
||||
# module. This is completely disabled by default.
|
||||
#
|
||||
#
|
||||
# Check the list of configured users in client ACL against users on the
|
||||
# system and throw errors if they do not exist.
|
||||
{{ get_config('client_acl_verify', 'True') }}
|
||||
#
|
||||
{% if 'publisher_acl_blacklist' in cfg_master %}
|
||||
{%- do default_keys.append('publisher_acl_blacklist') %}
|
||||
publisher_acl_blacklist:
|
||||
@ -428,6 +492,10 @@ publisher_acl_blacklist:
|
||||
# modules:
|
||||
# - cmd
|
||||
{% endif %}
|
||||
#
|
||||
# WARNING: client_acl and client_acl_blacklist options are deprecated and will
|
||||
# be removed in the future releases. Use publisher_acl and
|
||||
# publisher_acl_blacklist instead.
|
||||
|
||||
# Enforce publisher_acl & publisher_acl_blacklist when users have sudo
|
||||
# access to the salt command.
|
||||
@ -455,6 +523,18 @@ external_auth:
|
||||
|
||||
# Time (in seconds) for a newly generated token to live. Default: 12 hours
|
||||
{{ get_config('token_expire', '43200') }}
|
||||
#
|
||||
# Allow eauth users to specify the expiry time of the tokens they generate.
|
||||
# A boolean applies to all users or a dictionary of whitelisted eauth backends
|
||||
# and usernames may be given.
|
||||
# token_expire_user_override:
|
||||
# pam:
|
||||
# - fred
|
||||
# - tom
|
||||
# ldap:
|
||||
# - gary
|
||||
#
|
||||
#token_expire_user_override: False
|
||||
|
||||
# Allow minions to push files to the master. This is disabled by default, for
|
||||
# security purposes.
|
||||
@ -479,6 +559,15 @@ external_auth:
|
||||
# will cause minion to throw an exception and drop the message.
|
||||
{{ get_config('sign_pub_message', 'False') }}
|
||||
|
||||
# Use TLS/SSL encrypted connection between master and minion.
|
||||
# Can be set to a dictionary containing keyword arguments corresponding to Python's
|
||||
# 'ssl.wrap_socket' method.
|
||||
# Default is None.
|
||||
#ssl:
|
||||
# keyfile: <path_to_keyfile>
|
||||
# certfile: <path_to_certfile>
|
||||
# ssl_version: PROTOCOL_TLSv1_2
|
||||
|
||||
# Sign the master auth-replies with a cryptographic signature of the masters public key.
|
||||
# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
|
||||
{{ get_config('master_sign_pubkey', 'False') }}
|
||||
@ -570,6 +659,27 @@ external_auth:
|
||||
# Pass in an alternative location for the salt-ssh roster file
|
||||
{{ get_config('roster_file', '/etc/salt/roster') }}
|
||||
|
||||
# Define locations for roster files so they can be chosen when using Salt API.
|
||||
# An administrator can place roster files into these locations. Then when
|
||||
# calling Salt API, parameter 'roster_file' should contain a relative path to
|
||||
# these locations. That is, "roster_file=/foo/roster" will be resolved as
|
||||
# "/etc/salt/roster.d/foo/roster" etc. This feature prevents passing insecure
|
||||
# custom rosters through the Salt API.
|
||||
#
|
||||
{%- if 'rosters' in cfg_master %}
|
||||
rosters:
|
||||
{% for name in cfg_master['rosters'] -%}
|
||||
- {{ name }}
|
||||
{% endfor -%}
|
||||
{%- else %}
|
||||
#rosters:
|
||||
# - /etc/salt/roster.d
|
||||
# - /opt/salt/some/more/rosters
|
||||
{%- endif %}
|
||||
|
||||
# The log file of the salt-ssh command:
|
||||
{{ get_config('ssh_log_file', '/var/log/salt/ssh') }}
|
||||
|
||||
# Pass in minion option overrides that will be inserted into the SHIM for
|
||||
# salt-ssh calls. The local minion config is not used for salt-ssh. Can be
|
||||
# overridden on a per-minion basis in the roster (`minion_opts`)
|
||||
@ -577,6 +687,10 @@ external_auth:
|
||||
# gpg_keydir: /root/gpg
|
||||
{{ get_config('ssh_minion_opts', '{}') }}
|
||||
|
||||
# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh
|
||||
# authentication with minions
|
||||
{{ get_config('ssh_use_home_key', 'False') }}
|
||||
|
||||
##### Master Module Management #####
|
||||
##########################################
|
||||
# Manage how master side modules are loaded.
|
||||
@ -636,7 +750,7 @@ master_tops:
|
||||
# (block, not variable tag!). Defaults to False, corresponds to the Jinja
|
||||
# environment init variable "trim_blocks".
|
||||
{{ get_config('jinja_trim_blocks', 'False') }}
|
||||
|
||||
#
|
||||
# If this is set to True leading spaces and tabs are stripped from the start
|
||||
# of a line to a block. Defaults to False, corresponds to the Jinja
|
||||
# environment init variable "lstrip_blocks".
|
||||
@ -709,6 +823,7 @@ master_tops:
|
||||
#file_roots:
|
||||
# base:
|
||||
# - /srv/salt
|
||||
#
|
||||
{%- endif %}
|
||||
|
||||
# When using multiple environments, each with their own top file, the
|
||||
@ -728,9 +843,12 @@ master_tops:
|
||||
{{ get_config('default_top', 'base') }}
|
||||
|
||||
# The hash_type is the hash to use when discovering the hash of a file on
|
||||
# the master server. The default is md5, but sha1, sha224, sha256, sha384
|
||||
# the master server. The default is md5 but sha1, sha224, sha256, sha384
|
||||
# and sha512 are also supported.
|
||||
#
|
||||
# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
|
||||
# of possible collisions and thus security breach.
|
||||
#
|
||||
# Prior to changing this value, the master should be stopped and all Salt
|
||||
# caches should be cleared.
|
||||
{{ get_config('hash_type', 'md5') }}
|
||||
@ -1006,6 +1124,7 @@ pillar_roots:
|
||||
#pillar_roots:
|
||||
# base:
|
||||
# - /srv/pillar
|
||||
#
|
||||
{%- endif %}
|
||||
|
||||
{% if 'ext_pillar' in cfg_master %}
|
||||
@ -1048,6 +1167,18 @@ ext_pillar:
|
||||
# ext_pillar.
|
||||
{{ get_config('ext_pillar_first', 'False') }}
|
||||
|
||||
# The external pillars permitted to be used on-demand using pillar.ext
|
||||
{%- if 'on_demand_ext_pillar' in cfg_master %}
|
||||
on_demand_ext_pillar:
|
||||
{% for name in cfg_master['on_demand_ext_pillar'] -%}
|
||||
- {{ name }}
|
||||
{% endfor -%}
|
||||
{%- else %}
|
||||
#on_demand_ext_pillar:
|
||||
# - libvirt
|
||||
# - virtkey
|
||||
{%- endif %}
|
||||
|
||||
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
|
||||
# errors when contacting the pillar gitfs backend. You might want to set this to
|
||||
# false if you're using a git backend that uses a self-signed certificate but
|
||||
@ -1068,16 +1199,21 @@ ext_pillar:
|
||||
{{ get_config('pillar_safe_render_error', 'True') }}
|
||||
|
||||
# The pillar_source_merging_strategy option allows you to configure merging strategy
|
||||
# between different sources. It accepts four values: recurse, aggregate, overwrite,
|
||||
# or smart. Recurse will merge recursively mapping of data. Aggregate instructs
|
||||
# aggregation of elements between sources that use the #!yamlex renderer. Overwrite
|
||||
# will verwrite elements according the order in which they are processed. This is
|
||||
# between different sources. It accepts five values: none, recurse, aggregate, overwrite,
|
||||
# or smart. None will not do any merging at all. Recurse will merge recursively mapping of data.
|
||||
# Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite
|
||||
# will overwrite elements according the order in which they are processed. This is
|
||||
# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
|
||||
# on the "renderer" setting and is the default value.
|
||||
{{ get_config('pillar_source_merging_strategy', 'smart') }}
|
||||
|
||||
# Recursively merge lists by aggregating them instead of replacing them.
|
||||
{{ get_config('pillar_merge_lists', False) }}
|
||||
{{ get_config('pillar_merge_lists', 'False') }}
|
||||
|
||||
# Set this option to 'True' to force a 'KeyError' to be raised whenever an
|
||||
# attempt to retrieve a named value from pillar fails. When this option is set
|
||||
# to 'False', the failed attempt returns an empty string. Default is 'False'.
|
||||
{{ get_config('pillar_raise_on_missing', 'False') }}
|
||||
|
||||
# Git External Pillar (git_pillar) Configuration Options
|
||||
#
|
||||
@ -1139,6 +1275,43 @@ ext_pillar:
|
||||
# to authenticate is protected by a passphrase.
|
||||
{{ get_config('git_pillar_passphrase', '') }}
|
||||
|
||||
# A master can cache pillars locally to bypass the expense of having to render them
|
||||
# for each minion on every request. This feature should only be enabled in cases
|
||||
# where pillar rendering time is known to be unsatisfactory and any attendant security
|
||||
# concerns about storing pillars in a master cache have been addressed.
|
||||
#
|
||||
# When enabling this feature, be certain to read through the additional ``pillar_cache_*``
|
||||
# configuration options to fully understand the tunable parameters and their implications.
|
||||
#
|
||||
# Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars.
|
||||
# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html
|
||||
{{ get_config('pillar_cache', 'False') }}
|
||||
|
||||
# If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount
|
||||
# of time, in seconds, before the cache is considered invalid by a master and a fresh
|
||||
# pillar is recompiled and stored.
|
||||
{{ get_config('pillar_cache_ttl', '3600') }}
|
||||
|
||||
# If and only if a master has set `pillar_cache: True`, one of several storage providers
|
||||
# can be utililzed.
|
||||
#
|
||||
# `disk`: The default storage backend. This caches rendered pillars to the master cache.
|
||||
# Rendered pillars are serialized and deserialized as msgpack structures for speed.
|
||||
# Note that pillars are stored UNENCRYPTED. Ensure that the master cache
|
||||
# has permissions set appropriately. (Same defaults are provided.)
|
||||
#
|
||||
# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python
|
||||
# in-memory data structure for maximal performance. There are several caveats,
|
||||
# however. First, because each master worker contains its own in-memory cache,
|
||||
# there is no guarantee of cache consistency between minion requests. This
|
||||
# works best in situations where the pillar rarely if ever changes. Secondly,
|
||||
# and perhaps more importantly, this means that unencrypted pillars will
|
||||
# be accessible to any process which can examine the memory of the ``salt-master``!
|
||||
# This may represent a substantial security risk.
|
||||
#
|
||||
{{ get_config('pillar_cache_backend', 'disk') }}
|
||||
|
||||
|
||||
##### Syndic settings #####
|
||||
##########################################
|
||||
# The Salt syndic is used to pass commands through a master from a higher
|
||||
@ -1155,7 +1328,7 @@ ext_pillar:
|
||||
|
||||
# If this master will be running a salt syndic daemon, syndic_master tells
|
||||
# this master where to receive commands from.
|
||||
{{ get_config('syndic_master', 'masterofmaster') }}
|
||||
{{ get_config('syndic_master', 'masterofmasters') }}
|
||||
|
||||
# This is the 'ret_port' of the MasterOfMaster:
|
||||
{{ get_config('syndic_master_port', '4506') }}
|
||||
@ -1164,11 +1337,22 @@ ext_pillar:
|
||||
{{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}
|
||||
|
||||
# LOG file of the syndic daemon:
|
||||
{{ get_config('syndic_log_file', 'syndic.log') }}
|
||||
{{ get_config('syndic_log_file', '/var/log/salt/syndic') }}
|
||||
|
||||
# The user under which the salt syndic will run.
|
||||
{{ get_config('syndic_user', 'root') }}
|
||||
|
||||
# The behaviour of the multi-syndic when connection to a master of masters failed.
|
||||
# Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters
|
||||
# will be iterated in random order. If ``ordered`` is specified, the configured
|
||||
# order will be used.
|
||||
{{ get_config('syndic_failover', 'random') }}
|
||||
|
||||
# The number of seconds for the salt client to wait for additional syndics to
|
||||
# check in with their lists of expected minions before giving up.
|
||||
{{ get_config('syndic_wait', '5') }}
|
||||
|
||||
|
||||
##### Peer Publish settings #####
|
||||
##########################################
|
||||
# Salt minions can send commands to other minions, but only if the minion is
|
||||
@ -1358,11 +1542,18 @@ log_granular_levels:
|
||||
|
||||
##### Node Groups ######
|
||||
##########################################
|
||||
# Node groups allow for logical groupings of minion nodes. A group consists of a group
|
||||
# name and a compound target.
|
||||
# Node groups allow for logical groupings of minion nodes. A group consists of
|
||||
# a group name and a compound target. Nodgroups can reference other nodegroups
|
||||
# with 'N@' classifier. Ensure that you do not have circular references.
|
||||
#
|
||||
#nodegroups:
|
||||
# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
|
||||
# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
|
||||
# group2: 'G@os:Debian and foo.domain.com'
|
||||
# group3: 'G@os:Debian and N@group1'
|
||||
# group4:
|
||||
# - 'G@foo:bar'
|
||||
# - 'or'
|
||||
# - 'G@foo:baz'
|
||||
{%- if 'nodegroups' in cfg_master %}
|
||||
{%- do default_keys.append('nodegroups') %}
|
||||
nodegroups:
|
||||
@ -1478,6 +1669,19 @@ win_gitrepos:
|
||||
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
|
||||
{{ get_config('event_match_type', 'startswith') }}
|
||||
|
||||
# Save runner returns to the job cache
|
||||
{{ get_config('runner_returns', 'True') }}
|
||||
|
||||
# Permanently include any available Python 3rd party modules into Salt Thin
|
||||
# when they are generated for Salt-SSH or other purposes.
|
||||
# The modules should be named by the names they are actually imported inside the Python.
|
||||
# The value of the parameters can be either one module or a comma separated list of them.
|
||||
{%- if 'thin_extra_mods' in cfg_master %}
|
||||
{{ get_config('thin_extra_mods', '') }}
|
||||
{%- else %}
|
||||
#thin_extra_mods: foo,bar
|
||||
{%- endif %}
|
||||
|
||||
{%- if 'halite' in cfg_master %}
|
||||
{%- do default_keys.append('halite') %}
|
||||
##### Halite #####
|
||||
|
@ -1,5 +1,5 @@
|
||||
# This file managed by Salt, do not edit by hand!!
|
||||
# Based on salt version 2015.8.7 default config
|
||||
# Based on salt version 2016.11 default config
|
||||
#
|
||||
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'beacons'] -%}
|
||||
{% set cfg_salt = pillar.get('salt', {}) -%}
|
||||
@ -84,6 +84,8 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
|
||||
# value to "str". Failover masters can be requested by setting
|
||||
# to "failover". MAKE SURE TO SET master_alive_interval if you are
|
||||
# using failover.
|
||||
# Setting master_type to 'disable' let's you have a running minion (with engines and
|
||||
# beacons) without a master connection
|
||||
{{ get_config('master_type', 'str') }}
|
||||
|
||||
# verify_master_pubkey_sign
|
||||
@ -95,6 +97,16 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
|
||||
# of TCP connections, such as load balancers.)
|
||||
{{ get_config('master_alive_interval', '30') }}
|
||||
|
||||
# If the minion is in multi-master mode and the master_type configuration option
|
||||
# is set to "failover", this setting can be set to "True" to force the minion
|
||||
# to fail back to the first master in the list if the first master is back online.
|
||||
{{ get_config('master_fallback', 'False') }}
|
||||
|
||||
# If the minion is in multi-master mode, the "master_type" configuration is set to
|
||||
# "failover", and the "master_failback" option is enabled, the master failback
|
||||
# interval can be set to ping the top master with this interval, in seconds.
|
||||
{{ get_config('master_fallback_interval', '0') }}
|
||||
|
||||
# Set whether the minion should connect to the master via IPv6:
|
||||
{{ get_config('ipv6', 'False') }}
|
||||
|
||||
@ -109,10 +121,14 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
|
||||
# The user to run salt.
|
||||
{{ get_config('user', 'root') }}
|
||||
|
||||
# Setting sudo_user will cause salt to run all execution modules under an sudo
|
||||
# to the user given in sudo_user. The user under which the salt minion process
|
||||
# itself runs will still be that provided in the user config above, but all
|
||||
# execution modules run by the minion will be rerouted through sudo.
|
||||
# The user to run salt remote execution commands as via sudo. If this option is
|
||||
# enabled then sudo will be used to change the active user executing the remote
|
||||
# command. If enabled the user will need to be allowed access via the sudoers
|
||||
# file for the user that the salt minion is configured to run as. The most
|
||||
# common option would be to use the root user. If this option is set the user
|
||||
# option should also be set to a non-root user. If migrating from a root minion
|
||||
# to a non root minion the minion cache should be cleared and the minion pki
|
||||
# directory will need to be changed to the ownership of the new user.
|
||||
{{ get_config('sudo_user', 'saltdev') }}
|
||||
|
||||
# Specify the location of the daemon process ID file.
|
||||
@ -122,6 +138,9 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
|
||||
# sock_dir, pidfile.
|
||||
{{ get_config('root_dir', '/') }}
|
||||
|
||||
# The path to the minion's configuration file.
|
||||
{{ get_config('conf_file', '/etc/salt/minion') }}
|
||||
|
||||
# The directory to store the pki information in
|
||||
{{ get_config('pki_dir', '/etc/salt/pki/minion') }}
|
||||
|
||||
@ -137,6 +156,13 @@ id: {{ cfg_minion['id'] }}
|
||||
#id:
|
||||
{%- endif %}
|
||||
|
||||
# Cache the minion id to a file when the minion's id is not statically defined
|
||||
# in the minion config. Defaults to "True". This setting prevents potential
|
||||
# problems when automatic minion id resolution changes, which can cause the
|
||||
# minion to lose connection with the master. To turn off minion id caching,
|
||||
# set this config to ``False``.
|
||||
{{ get_config('minion_id_caching', 'True') }}
|
||||
|
||||
# Append a domain to a hostname in the event that it does not exist. This is
|
||||
# useful for systems where socket.getfqdn() does not actually result in a
|
||||
# FQDN (for instance, Solaris).
|
||||
@ -158,6 +184,20 @@ id: {{ cfg_minion['id'] }}
|
||||
# This data may contain sensitive data and should be protected accordingly.
|
||||
{{ get_config('cachedir', '/var/cache/salt/minion') }}
|
||||
|
||||
# Append minion_id to these directories. Helps with
|
||||
# multiple proxies and minions running on the same machine.
|
||||
# Allowed elements in the list: pki_dir, cachedir, extension_modules
|
||||
# Normally not needed unless running several proxies and/or minions on the same machine
|
||||
# Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions
|
||||
{% if 'append_minionid_config_dirs' in cfg_minion -%}
|
||||
append_minionid_config_dirs:
|
||||
{% for dir in cfg_minion['append_minionid_config_dirs'] -%}
|
||||
- {{ dir }}
|
||||
{% endfor -%}
|
||||
{%- else %}
|
||||
#append_minionid_config_dirs:
|
||||
{%- endif %}
|
||||
|
||||
# Verify and set permissions on configuration directories at startup.
|
||||
{{ get_config('verify_env', 'True') }}
|
||||
|
||||
@ -226,6 +266,20 @@ id: {{ cfg_minion['id'] }}
|
||||
# authenticate.
|
||||
{{ get_config('auth_tries', '7') }}
|
||||
|
||||
# The number of attempts to connect to a master before giving up.
|
||||
# Set this to -1 for unlimited attempts. This allows for a master to have
|
||||
# downtime and the minion to reconnect to it later when it comes back up.
|
||||
# In 'failover' mode, it is the number of attempts for each set of masters.
|
||||
# In this mode, it will cycle through the list of masters for each attempt.
|
||||
#
|
||||
# This is different than auth_tries because auth_tries attempts to
|
||||
# retry auth attempts with a single master. auth_tries is under the
|
||||
# assumption that you can connect to the master but not gain
|
||||
# authorization from it. master_tries will still cycle through all
|
||||
# the masters in a given try, so it is appropriate if you expect
|
||||
# occasional downtime from the master(s).
|
||||
{{ get_config('master_tries', '1') }}
|
||||
|
||||
# If authentication fails due to SaltReqTimeoutError during a ping_interval,
|
||||
# cause sub minion process to restart.
|
||||
{{ get_config('auth_safemode', 'False') }}
|
||||
@ -312,10 +366,23 @@ mine_functions:
|
||||
{{ get_config('recon_randomize', 'False') }}
|
||||
|
||||
# The loop_interval sets how long in seconds the minion will wait between
|
||||
# evaluating the scheduler and running cleanup tasks. This defaults to a
|
||||
# sane 60 seconds, but if the minion scheduler needs to be evaluated more
|
||||
# often lower this value
|
||||
{{ get_config('loop_interval', '60') }}
|
||||
# evaluating the scheduler and running cleanup tasks. This defaults to 1
|
||||
# second on the minion scheduler.
|
||||
{{ get_config('loop_interval', '1') }}
|
||||
|
||||
# Some installations choose to start all job returns in a cache or a returner
|
||||
# and forgo sending the results back to a master. In this workflow, jobs
|
||||
# are most often executed with --async from the Salt CLI and then results
|
||||
# are evaluated by examining job caches on the minions or any configured returners.
|
||||
# WARNING: Setting this to False will **disable** returns back to the master.
|
||||
{{ get_config('pub_ret', 'True') }}
|
||||
|
||||
|
||||
# The grains can be merged, instead of overridden, using this option.
|
||||
# This allows custom grains to defined different subvalues of a dictionary
|
||||
# grain. By default this feature is disabled, to enable set grains_deep_merge
|
||||
# to ``True``.
|
||||
{{ get_config('grains_deep_merge', 'False') }}
|
||||
|
||||
# The grains_refresh_every setting allows for a minion to periodically check
|
||||
# its grains to see if they have changed and, if so, to inform the master
|
||||
@ -332,12 +399,37 @@ mine_functions:
|
||||
# Cache grains on the minion. Default is False.
|
||||
{{ get_config('grains_cache', 'False') }}
|
||||
|
||||
# Cache rendered pillar data on the minion. Default is False.
|
||||
# This may cause 'cachedir'/pillar to contain sensitive data that should be
|
||||
# protected accordingly.
|
||||
{{ get_config('minion_pillar_cache', 'False') }}
|
||||
|
||||
# Grains cache expiration, in seconds. If the cache file is older than this
|
||||
# number of seconds then the grains cache will be dumped and fully re-populated
|
||||
# with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache'
|
||||
# is not enabled.
|
||||
{{ get_config('grains_cache_expiration', '300') }}
|
||||
|
||||
# Determines whether or not the salt minion should run scheduled mine updates.
|
||||
# Defaults to "True". Set to "False" to disable the scheduled mine updates
|
||||
# (this essentially just does not add the mine update function to the minion's
|
||||
# scheduler).
|
||||
{{ get_config('mine_enabled', 'True') }}
|
||||
|
||||
# Determines whether or not scheduled mine updates should be accompanied by a job
|
||||
# return for the job cache. Defaults to "False". Set to "True" to include job
|
||||
# returns in the job cache for mine updates.
|
||||
{{ get_config('mine_return_job', 'False') }}
|
||||
|
||||
# Example functions that can be run via the mine facility
|
||||
# NO mine functions are established by default.
|
||||
# Note these can be defined in the minion's pillar as well.
|
||||
#mine_functions:
|
||||
# test.ping: []
|
||||
# network.ip_addrs:
|
||||
# interface: eth0
|
||||
# cidr: '10.0.0.0/8'
|
||||
|
||||
# Windows platforms lack posix IPC and must rely on slower TCP based inter-
|
||||
# process communications. Set ipc_mode to 'tcp' on such systems
|
||||
{{ get_config('ipc_mode', 'ipc') }}
|
||||
@ -386,13 +478,34 @@ mine_functions:
|
||||
{%- endif -%}
|
||||
{% endif %}
|
||||
|
||||
# The syndic minion can verify that it is talking to the correct master via the
|
||||
# key fingerprint of the higher-level master with the "syndic_finger" config.
|
||||
{{ get_config('syndic_finger', '') }}
|
||||
|
||||
|
||||
##### Minion module management #####
|
||||
##########################################
|
||||
# Disable specific modules. This allows the admin to limit the level of
|
||||
# access the master has to the minion.
|
||||
{{ get_config('disable_modules', '[cmd,test]') }}
|
||||
# access the master has to the minion. The default here is the empty list,
|
||||
# below is an example of how this needs to be formatted in the config file
|
||||
#disable_modules:
|
||||
# - cmdmod
|
||||
# - test
|
||||
#disable_returners: []
|
||||
{{ get_config('disable_modules', '[]') }}
|
||||
{{ get_config('disable_returners', '[]') }}
|
||||
|
||||
# This is the reverse of disable_modules. The default, like disable_modules, is the empty list,
|
||||
# but if this option is set to *anything* then *only* those modules will load.
|
||||
# Note that this is a very large hammer and it can be quite difficult to keep the minion working
|
||||
# the way you think it should since Salt uses many modules internally itself. At a bare minimum
|
||||
# you need the following enabled or else the minion won't start.
|
||||
#whitelist_modules:
|
||||
# - cmdmod
|
||||
# - test
|
||||
# - config
|
||||
{{ get_config('whitelist_modules', '[]') }}
|
||||
|
||||
# Modules can be loaded from arbitrary paths. This enables the easy deployment
|
||||
# of third party modules. Modules for returners and minions can be loaded.
|
||||
# Specify a list of extra directories to search for minion modules and
|
||||
@ -452,7 +565,16 @@ mine_functions:
|
||||
# by statically setting it. Remember that the recommended way to manage
|
||||
# environments is to isolate via the top file.
|
||||
{{ get_config('environment', 'None') }}
|
||||
|
||||
#
|
||||
# Isolates the pillar environment on the minion side. This functions the same
|
||||
# as the environment setting, but for pillar instead of states.
|
||||
{{ get_config('pillarenv', 'None') }}
|
||||
#
|
||||
# Set this option to 'True' to force a 'KeyError' to be raised whenever an
|
||||
# attempt to retrieve a named value from pillar fails. When this option is set
|
||||
# to 'False', the failed attempt returns an empty string. Default is 'False'.
|
||||
{{ get_config('pillar_raise_on_missing', 'False') }}
|
||||
#
|
||||
# If using the local file directory, then the state top file name needs to be
|
||||
# defined, by default this is top.sls.
|
||||
{{ get_config('state_top', 'top.sls') }}
|
||||
@ -526,17 +648,17 @@ file_client: local
|
||||
# - /srv/salt
|
||||
{%- endif %}
|
||||
|
||||
|
||||
# File Server Backend
|
||||
# Uncomment the line below if you do not want the file_server to follow
|
||||
# symlinks when walking the filesystem tree. This is set to True
|
||||
# by default. Currently this only applies to the default roots
|
||||
# fileserver_backend.
|
||||
{{ get_config('fileserver_followsymlinks', 'True') }}
|
||||
#
|
||||
# Salt supports a modular fileserver backend system, this system allows
|
||||
# the salt minion to link directly to third party systems to gather and
|
||||
# manage the files available to minions. Multiple backends can be
|
||||
# configured and will be searched for the requested file in the order in which
|
||||
# they are defined here. The default setting only enables the standard backend
|
||||
# "roots" which uses the "file_roots" option.
|
||||
#fileserver_backend:
|
||||
# - roots
|
||||
# Uncomment the line below if you do not want symlinks to be
|
||||
# treated as the files they are pointing to. By default this is set to
|
||||
# False. By uncommenting the line below, any detected symlink while listing
|
||||
# files on the Master will not be returned to the Minion.
|
||||
{{ get_config('fileserver_ignoresymlinks', 'False') }}
|
||||
#
|
||||
# To use multiple backends list them in the order they are searched:
|
||||
#fileserver_backend:
|
||||
@ -558,10 +680,13 @@ fileserver_backend:
|
||||
# is False.
|
||||
{{ get_config('fileserver_limit_traversal', 'False') }}
|
||||
|
||||
# The hash_type is the hash to use when discovering the hash of a file in
|
||||
# The hash_type is the hash to use when discovering the hash of a file on
|
||||
# the local fileserver. The default is md5, but sha1, sha224, sha256, sha384
|
||||
# and sha512 are also supported.
|
||||
#
|
||||
# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
|
||||
# of possible collisions and thus security breach.
|
||||
#
|
||||
# Warning: Prior to changing this value, the minion should be stopped and all
|
||||
# Salt caches should be cleared.
|
||||
{{ get_config('hash_type', 'md5') }}
|
||||
@ -687,6 +812,10 @@ pillar_roots:
|
||||
# - /srv/pillar
|
||||
{%- endif %}
|
||||
|
||||
# Set a hard-limit on the size of the files that can be pushed to the master.
|
||||
# It will be interpreted as megabytes. Default: 100
|
||||
{{ get_config('file_recv_max_size', '100') }}
|
||||
|
||||
{% if 'ext_pillar' in cfg_minion %}
|
||||
{%- do default_keys.append('ext_pillar') %}
|
||||
ext_pillar:
|
||||
@ -858,11 +987,24 @@ ext_pillar:
|
||||
# "salt-key -F master" on the Salt master.
|
||||
{{ get_config('master_finger', "''") }}
|
||||
|
||||
# Use TLS/SSL encrypted connection between master and minion.
|
||||
# Can be set to a dictionary containing keyword arguments corresponding to Python's
|
||||
# 'ssl.wrap_socket' method.
|
||||
# Default is None.
|
||||
#ssl:
|
||||
# keyfile: <path_to_keyfile>
|
||||
# certfile: <path_to_certfile>
|
||||
# ssl_version: PROTOCOL_TLSv1_2
|
||||
|
||||
|
||||
###### Thread settings #####
|
||||
###########################################
|
||||
# Disable multiprocessing support, by default when a minion receives a
|
||||
# publication a new process is spawned and the command is executed therein.
|
||||
#
|
||||
# WARNING: Disabling multiprocessing may result in substantial slowdowns
|
||||
# when processing large pillars. See https://github.com/saltstack/salt/issues/38758
|
||||
# for a full explanation.
|
||||
{{ get_config('multiprocessing', 'True') }}
|
||||
|
||||
|
||||
@ -1024,8 +1166,24 @@ ext_pillar:
|
||||
|
||||
###### Returner settings ######
|
||||
############################################
|
||||
# Which returner(s) will be used for minion's result:
|
||||
# Default Minion returners. Can be a comma delimited string or a list:
|
||||
#
|
||||
#return: mysql
|
||||
#
|
||||
#return: mysql,slack,redis
|
||||
#
|
||||
#return:
|
||||
# - mysql
|
||||
# - hipchat
|
||||
# - slack
|
||||
{%- if 'return' in cfg_minion and cfg_minion['return'] is not string %}
|
||||
return:
|
||||
{% for name in cfg_minion['return'] -%}
|
||||
- {{ name }}
|
||||
{% endfor -%}
|
||||
{%- else %}
|
||||
{{ get_config('return', '') }}
|
||||
{%- endif %}
|
||||
|
||||
###### Miscellaneous settings ######
|
||||
############################################
|
||||
|
Loading…
Reference in New Issue
Block a user