2
0

Updated master and minion default config files

Added parameters new to 2016.03 (or simply missing in the existing config).
This commit is contained in:
Javier Bértoli 2017-04-09 12:28:50 -03:00
parent 03ec0dce2d
commit edce95f949
2 changed files with 412 additions and 50 deletions

View File

@ -1,5 +1,5 @@
# This file managed by Salt, do not edit by hand!!
# Based on salt version 2015.8.7 default config
# Based on salt version 2016.11 default config
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'lxc.network_profile', 'lxc.container_profile'] -%}
{% set cfg_salt = pillar.get('salt', {}) -%}
{% set cfg_master = cfg_salt.get('master', {}) -%}
@ -62,9 +62,23 @@
# key_logfile, pidfile:
{{ get_config('root_dir', '/') }}
# The path to the master's configuration file.
{{ get_config('conf_file', '/etc/salt/master') }}
# Directory used to store public key data:
{{ get_config('pki_dir', '/etc/salt/pki/master') }}
# Key cache. Increases master speed for large numbers of accepted
# keys. Available options: 'sched'. (Updates on a fixed schedule.)
# Note that enabling this feature means that minions will not be
# available to target for up to the length of the maintanence loop
# which by default is 60s.
{%- if cfg_minion['key_cache'] in cfg_master %}
{{ get_config('key_cache', '') }}
{% else %}
#key_cache: ''
{% endif %}
# Directory to store job and cache data:
# This directory may contain sensitive data and should be protected accordingly.
#
@ -77,7 +91,7 @@
# Directory for custom modules. This directory can contain subdirectories for
# each of Salt's module types such as "runners", "output", "wheel", "modules",
# "states", "returners", etc.
# "states", "returners", "engines", etc.
# Like 'extension_modules' but can take an array of paths
{% if 'module_dirs' in cfg_master -%}
{%- do default_keys.append('module_dirs') %}
@ -101,6 +115,10 @@ module_dirs:
# Set the number of hours to keep old job information in the job cache:
{{ get_config('keep_jobs', '24') }}
# The number of seconds to wait when the client is requesting information
# about running jobs.
{{ get_config('gather_job_timeout', '10') }}
# Set the default timeout for the salt command and api. The default is 5
# seconds.
{{ get_config('timeout', '5') }}
@ -113,6 +131,11 @@ module_dirs:
# Set the default outputter used by the salt command. The default is "nested".
{{ get_config('output', 'nested') }}
# Set the default output file used by the salt command. Default is to output
# to the CLI and not to a file. Functions the same way as the "--out-file"
# CLI option, only sets this to a single file for all salt commands.
{{ get_config('output_file', 'None') }}
# Return minions that timeout when running commands like test.ping
{{ get_config('show_timeout', 'True') }}
@ -124,6 +147,12 @@ module_dirs:
# (true by default).
{{ get_config('strip_colors', 'False') }}
# To display a summary of the number of minions targeted, the number of
# minions returned, and the number of minions that did not return, set the
# cli_summary value to True. (False by default.)
#
{{ get_config('cli_summary', 'False') }}
# Set the directory used to hold unix sockets:
{{ get_config('sock_dir', '/var/run/salt/master') }}
@ -138,9 +167,21 @@ module_dirs:
# the jobs system and is not generally recommended.
{{ get_config('job_cache', 'True') }}
# Cache minion grains and pillar data in the cachedir.
# Cache minion grains, pillar and mine data via the cache subsystem in the
# cachedir or a database.
{{ get_config('minion_data_cache', 'True') }}
# Cache subsystem module to use for minion data cache.
{{ get_config('cache', 'localfs') }}
# Enables a fast in-memory cache booster and sets the expiration time.
{{ get_config('memcache_expire_seconds', '0') }}
# Set a memcache limit in items (bank + key) per cache storage (driver + driver_opts).
{{ get_config('memcache_max_items', '1024') }}
# Each time a cache storage got full cleanup all the expired items not just the oldest one.
{{ get_config('memcache_full_cleanup', 'False') }}
# Enable collecting the memcache stats and log it on `debug` log level.
{{ get_config('memcache_debug', 'False') }}
# Store all returns in the given returner.
# Setting this option requires that any returner-specific configuration also
# be set. See various returners in salt/returners for details on required
@ -153,7 +194,7 @@ module_dirs:
# By default, events are not queued.
{{ get_config('event_return_queue', '0') }}
# Only events returns matching tags in a whitelist
# Only return events matching tags in a whitelist, supports glob matches.
{% if 'event_return_whitelist' in cfg_master -%}
{%- do default_keys.append('event_return_whitelist') %}
event_return_whitelist:
@ -166,12 +207,12 @@ event_return_whitelist:
- {{ event_return }}
{%- endfor -%}
{% else -%}
# event_return_whitelist:
# - salt/master/a_tag
# - salt/master/another_tag
#event_return_whitelist:
# - salt/master/a_tag
# - salt/run/*/ret
{% endif %}
# Store all event returns _except_ the tags in a blacklist
# Store all event returns **except** the tags in a blacklist supports globs.
{% if 'event_return_blacklist' in cfg_master -%}
{%- do default_keys.append('event_return_blacklist') %}
event_return_blacklist:
@ -184,9 +225,9 @@ event_return_blacklist:
- {{ event_return }}
{%- endfor -%}
{% else -%}
# event_return_blacklist:
# - salt/master/not_this_tag
# - salt/master/or_this_one
#event_return_blacklist:
# - salt/master/not_this_tag
# - salt/wheel/*/ret
{% endif %}
# Passing very large events can cause the minion to consume large amounts of
@ -270,6 +311,9 @@ event_return_blacklist:
# Set the ZeroMQ high water marks
# http://api.zeromq.org/3-2:zmq-setsockopt
# The listen queue size / backlog
{{ get_config('zmq_backlog', '1000') }}
# The publisher interface ZeroMQPubServerChannel
{{ get_config('pub_hwm', '1000') }}
@ -291,6 +335,19 @@ event_return_blacklist:
# ZMQ high-water-mark for EventPublisher pub socket
{{ get_config('event_publisher_pub_hwm', '10000') }}
# The master may allocate memory per-event and not
# reclaim it.
# To set a high-water mark for memory allocation, use
# ipc_write_buffer to set a high-water mark for message
# buffering.
# Value: In bytes. Set to 'dynamic' to have Salt select
# a value for you. Default is disabled.
{%- if 'ipc_write_buffer' in cfg_master %}
{{ get_config('ipc_write_buffer', 'dynamic') }}
{%- else %}
# ipc_write_buffer: 'dynamic'
{%- endif %}
##### Security settings #####
##########################################
@ -304,7 +361,7 @@ event_return_blacklist:
# public keys from the minions. Note that this is insecure.
{{ get_config('auto_accept', 'False') }}
# Time in minutes that a incoming public key with a matching name found in
# Time in minutes that an incoming public key with a matching name found in
# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
# are removed when the master checks the minion_autosign directory.
# 0 equals no timeout
@ -371,6 +428,7 @@ publisher_acl:
# larry:
# - test.ping
# - network.*
#
{%- endif %}
# Blacklist any of the following users or modules
@ -378,6 +436,12 @@ publisher_acl:
# This example would blacklist all non sudo users, including root from
# running any commands. It would also blacklist any use of the "cmd"
# module. This is completely disabled by default.
#
#
# Check the list of configured users in client ACL against users on the
# system and throw errors if they do not exist.
{{ get_config('client_acl_verify', 'True') }}
#
{% if 'publisher_acl_blacklist' in cfg_master %}
{%- do default_keys.append('publisher_acl_blacklist') %}
publisher_acl_blacklist:
@ -428,6 +492,10 @@ publisher_acl_blacklist:
# modules:
# - cmd
{% endif %}
#
# WARNING: client_acl and client_acl_blacklist options are deprecated and will
# be removed in the future releases. Use publisher_acl and
# publisher_acl_blacklist instead.
# Enforce publisher_acl & publisher_acl_blacklist when users have sudo
# access to the salt command.
@ -455,6 +523,18 @@ external_auth:
# Time (in seconds) for a newly generated token to live. Default: 12 hours
{{ get_config('token_expire', '43200') }}
#
# Allow eauth users to specify the expiry time of the tokens they generate.
# A boolean applies to all users or a dictionary of whitelisted eauth backends
# and usernames may be given.
# token_expire_user_override:
# pam:
# - fred
# - tom
# ldap:
# - gary
#
#token_expire_user_override: False
# Allow minions to push files to the master. This is disabled by default, for
# security purposes.
@ -479,6 +559,15 @@ external_auth:
# will cause minion to throw an exception and drop the message.
{{ get_config('sign_pub_message', 'False') }}
# Use TLS/SSL encrypted connection between master and minion.
# Can be set to a dictionary containing keyword arguments corresponding to Python's
# 'ssl.wrap_socket' method.
# Default is None.
#ssl:
# keyfile: <path_to_keyfile>
# certfile: <path_to_certfile>
# ssl_version: PROTOCOL_TLSv1_2
# Sign the master auth-replies with a cryptographic signature of the masters public key.
# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
{{ get_config('master_sign_pubkey', 'False') }}
@ -570,6 +659,27 @@ external_auth:
# Pass in an alternative location for the salt-ssh roster file
{{ get_config('roster_file', '/etc/salt/roster') }}
# Define locations for roster files so they can be chosen when using Salt API.
# An administrator can place roster files into these locations. Then when
# calling Salt API, parameter 'roster_file' should contain a relative path to
# these locations. That is, "roster_file=/foo/roster" will be resolved as
# "/etc/salt/roster.d/foo/roster" etc. This feature prevents passing insecure
# custom rosters through the Salt API.
#
{%- if 'rosters' in cfg_master %}
rosters:
{% for name in cfg_master['rosters'] -%}
- {{ name }}
{% endfor -%}
{%- else %}
#rosters:
# - /etc/salt/roster.d
# - /opt/salt/some/more/rosters
{%- endif %}
# The log file of the salt-ssh command:
{{ get_config('ssh_log_file', '/var/log/salt/ssh') }}
# Pass in minion option overrides that will be inserted into the SHIM for
# salt-ssh calls. The local minion config is not used for salt-ssh. Can be
# overridden on a per-minion basis in the roster (`minion_opts`)
@ -577,6 +687,10 @@ external_auth:
# gpg_keydir: /root/gpg
{{ get_config('ssh_minion_opts', '{}') }}
# Set this to True to default to using ~/.ssh/id_rsa for salt-ssh
# authentication with minions
{{ get_config('ssh_use_home_key', 'False') }}
##### Master Module Management #####
##########################################
# Manage how master side modules are loaded.
@ -636,7 +750,7 @@ master_tops:
# (block, not variable tag!). Defaults to False, corresponds to the Jinja
# environment init variable "trim_blocks".
{{ get_config('jinja_trim_blocks', 'False') }}
#
# If this is set to True leading spaces and tabs are stripped from the start
# of a line to a block. Defaults to False, corresponds to the Jinja
# environment init variable "lstrip_blocks".
@ -709,6 +823,7 @@ master_tops:
#file_roots:
# base:
# - /srv/salt
#
{%- endif %}
# When using multiple environments, each with their own top file, the
@ -728,9 +843,12 @@ master_tops:
{{ get_config('default_top', 'base') }}
# The hash_type is the hash to use when discovering the hash of a file on
# the master server. The default is md5, but sha1, sha224, sha256, sha384
# the master server. The default is md5 but sha1, sha224, sha256, sha384
# and sha512 are also supported.
#
# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
# of possible collisions and thus security breach.
#
# Prior to changing this value, the master should be stopped and all Salt
# caches should be cleared.
{{ get_config('hash_type', 'md5') }}
@ -870,7 +988,7 @@ fileserver_backend:
# and the first repo to have the file will return it.
# When using the git backend branches and tags are translated into salt
# environments.
# Note: file:// repos will be treated as a remote, so refs you want used must
# Note: file:// repos will be treated as a remote, so refs you want used must
# exist in that repo as *local* refs.
{% if 'gitfs_remotes' in cfg_master -%}
{%- do default_keys.append('gitfs_remotes') %}
@ -1006,6 +1124,7 @@ pillar_roots:
#pillar_roots:
# base:
# - /srv/pillar
#
{%- endif %}
{% if 'ext_pillar' in cfg_master %}
@ -1048,6 +1167,18 @@ ext_pillar:
# ext_pillar.
{{ get_config('ext_pillar_first', 'False') }}
# The external pillars permitted to be used on-demand using pillar.ext
{%- if 'on_demand_ext_pillar' in cfg_master %}
on_demand_ext_pillar:
{% for name in cfg_master['on_demand_ext_pillar'] -%}
- {{ name }}
{% endfor -%}
{%- else %}
#on_demand_ext_pillar:
# - libvirt
# - virtkey
{%- endif %}
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
# errors when contacting the pillar gitfs backend. You might want to set this to
# false if you're using a git backend that uses a self-signed certificate but
@ -1068,16 +1199,21 @@ ext_pillar:
{{ get_config('pillar_safe_render_error', 'True') }}
# The pillar_source_merging_strategy option allows you to configure merging strategy
# between different sources. It accepts four values: recurse, aggregate, overwrite,
# or smart. Recurse will merge recursively mapping of data. Aggregate instructs
# aggregation of elements between sources that use the #!yamlex renderer. Overwrite
# will verwrite elements according the order in which they are processed. This is
# between different sources. It accepts five values: none, recurse, aggregate, overwrite,
# or smart. None will not do any merging at all. Recurse will merge recursively mapping of data.
# Aggregate instructs aggregation of elements between sources that use the #!yamlex renderer. Overwrite
# will overwrite elements according the order in which they are processed. This is
# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
# on the "renderer" setting and is the default value.
{{ get_config('pillar_source_merging_strategy', 'smart') }}
# Recursively merge lists by aggregating them instead of replacing them.
{{ get_config('pillar_merge_lists', False) }}
{{ get_config('pillar_merge_lists', 'False') }}
# Set this option to 'True' to force a 'KeyError' to be raised whenever an
# attempt to retrieve a named value from pillar fails. When this option is set
# to 'False', the failed attempt returns an empty string. Default is 'False'.
{{ get_config('pillar_raise_on_missing', 'False') }}
# Git External Pillar (git_pillar) Configuration Options
#
@ -1139,6 +1275,43 @@ ext_pillar:
# to authenticate is protected by a passphrase.
{{ get_config('git_pillar_passphrase', '') }}
# A master can cache pillars locally to bypass the expense of having to render them
# for each minion on every request. This feature should only be enabled in cases
# where pillar rendering time is known to be unsatisfactory and any attendant security
# concerns about storing pillars in a master cache have been addressed.
#
# When enabling this feature, be certain to read through the additional ``pillar_cache_*``
# configuration options to fully understand the tunable parameters and their implications.
#
# Note: setting ``pillar_cache: True`` has no effect on targeting Minions with Pillars.
# See https://docs.saltstack.com/en/latest/topics/targeting/pillar.html
{{ get_config('pillar_cache', 'False') }}
# If and only if a master has set ``pillar_cache: True``, the cache TTL controls the amount
# of time, in seconds, before the cache is considered invalid by a master and a fresh
# pillar is recompiled and stored.
{{ get_config('pillar_cache_ttl', '3600') }}
# If and only if a master has set `pillar_cache: True`, one of several storage providers
# can be utililzed.
#
# `disk`: The default storage backend. This caches rendered pillars to the master cache.
# Rendered pillars are serialized and deserialized as msgpack structures for speed.
# Note that pillars are stored UNENCRYPTED. Ensure that the master cache
# has permissions set appropriately. (Same defaults are provided.)
#
# memory: [EXPERIMENTAL] An optional backend for pillar caches which uses a pure-Python
# in-memory data structure for maximal performance. There are several caveats,
# however. First, because each master worker contains its own in-memory cache,
# there is no guarantee of cache consistency between minion requests. This
# works best in situations where the pillar rarely if ever changes. Secondly,
# and perhaps more importantly, this means that unencrypted pillars will
# be accessible to any process which can examine the memory of the ``salt-master``!
# This may represent a substantial security risk.
#
{{ get_config('pillar_cache_backend', 'disk') }}
##### Syndic settings #####
##########################################
# The Salt syndic is used to pass commands through a master from a higher
@ -1155,7 +1328,7 @@ ext_pillar:
# If this master will be running a salt syndic daemon, syndic_master tells
# this master where to receive commands from.
{{ get_config('syndic_master', 'masterofmaster') }}
{{ get_config('syndic_master', 'masterofmasters') }}
# This is the 'ret_port' of the MasterOfMaster:
{{ get_config('syndic_master_port', '4506') }}
@ -1164,11 +1337,22 @@ ext_pillar:
{{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}
# LOG file of the syndic daemon:
{{ get_config('syndic_log_file', 'syndic.log') }}
{{ get_config('syndic_log_file', '/var/log/salt/syndic') }}
# The user under which the salt syndic will run.
{{ get_config('syndic_user', 'root') }}
# The behaviour of the multi-syndic when connection to a master of masters failed.
# Can specify ``random`` (default) or ``ordered``. If set to ``random``, masters
# will be iterated in random order. If ``ordered`` is specified, the configured
# order will be used.
{{ get_config('syndic_failover', 'random') }}
# The number of seconds for the salt client to wait for additional syndics to
# check in with their lists of expected minions before giving up.
{{ get_config('syndic_wait', '5') }}
##### Peer Publish settings #####
##########################################
# Salt minions can send commands to other minions, but only if the minion is
@ -1358,11 +1542,18 @@ log_granular_levels:
##### Node Groups ######
##########################################
# Node groups allow for logical groupings of minion nodes. A group consists of a group
# name and a compound target.
# Node groups allow for logical groupings of minion nodes. A group consists of
# a group name and a compound target. Nodgroups can reference other nodegroups
# with 'N@' classifier. Ensure that you do not have circular references.
#
#nodegroups:
# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
# group2: 'G@os:Debian and foo.domain.com'
# group3: 'G@os:Debian and N@group1'
# group4:
# - 'G@foo:bar'
# - 'or'
# - 'G@foo:baz'
{%- if 'nodegroups' in cfg_master %}
{%- do default_keys.append('nodegroups') %}
nodegroups:
@ -1473,11 +1664,24 @@ win_gitrepos:
{{ get_config('return', '')}}
###### Miscellaneous settings ######
###### Miscellaneous settings ######
############################################
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
{{ get_config('event_match_type', 'startswith') }}
# Save runner returns to the job cache
{{ get_config('runner_returns', 'True') }}
# Permanently include any available Python 3rd party modules into Salt Thin
# when they are generated for Salt-SSH or other purposes.
# The modules should be named by the names they are actually imported inside the Python.
# The value of the parameters can be either one module or a comma separated list of them.
{%- if 'thin_extra_mods' in cfg_master %}
{{ get_config('thin_extra_mods', '') }}
{%- else %}
#thin_extra_mods: foo,bar
{%- endif %}
{%- if 'halite' in cfg_master %}
{%- do default_keys.append('halite') %}
##### Halite #####

View File

@ -1,5 +1,5 @@
# This file managed by Salt, do not edit by hand!!
# Based on salt version 2015.8.7 default config
# Based on salt version 2016.11 default config
#
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'beacons'] -%}
{% set cfg_salt = pillar.get('salt', {}) -%}
@ -84,6 +84,8 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
# value to "str". Failover masters can be requested by setting
# to "failover". MAKE SURE TO SET master_alive_interval if you are
# using failover.
# Setting master_type to 'disable' let's you have a running minion (with engines and
# beacons) without a master connection
{{ get_config('master_type', 'str') }}
# verify_master_pubkey_sign
@ -95,6 +97,16 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
# of TCP connections, such as load balancers.)
{{ get_config('master_alive_interval', '30') }}
# If the minion is in multi-master mode and the master_type configuration option
# is set to "failover", this setting can be set to "True" to force the minion
# to fail back to the first master in the list if the first master is back online.
{{ get_config('master_fallback', 'False') }}
# If the minion is in multi-master mode, the "master_type" configuration is set to
# "failover", and the "master_failback" option is enabled, the master failback
# interval can be set to ping the top master with this interval, in seconds.
{{ get_config('master_fallback_interval', '0') }}
# Set whether the minion should connect to the master via IPv6:
{{ get_config('ipv6', 'False') }}
@ -109,10 +121,14 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
# The user to run salt.
{{ get_config('user', 'root') }}
# Setting sudo_user will cause salt to run all execution modules under an sudo
# to the user given in sudo_user. The user under which the salt minion process
# itself runs will still be that provided in the user config above, but all
# execution modules run by the minion will be rerouted through sudo.
# The user to run salt remote execution commands as via sudo. If this option is
# enabled then sudo will be used to change the active user executing the remote
# command. If enabled the user will need to be allowed access via the sudoers
# file for the user that the salt minion is configured to run as. The most
# common option would be to use the root user. If this option is set the user
# option should also be set to a non-root user. If migrating from a root minion
# to a non root minion the minion cache should be cleared and the minion pki
# directory will need to be changed to the ownership of the new user.
{{ get_config('sudo_user', 'saltdev') }}
# Specify the location of the daemon process ID file.
@ -122,6 +138,9 @@ proxy_password: {{ cfg_minion['proxy_password'] }}
# sock_dir, pidfile.
{{ get_config('root_dir', '/') }}
# The path to the minion's configuration file.
{{ get_config('conf_file', '/etc/salt/minion') }}
# The directory to store the pki information in
{{ get_config('pki_dir', '/etc/salt/pki/minion') }}
@ -137,6 +156,13 @@ id: {{ cfg_minion['id'] }}
#id:
{%- endif %}
# Cache the minion id to a file when the minion's id is not statically defined
# in the minion config. Defaults to "True". This setting prevents potential
# problems when automatic minion id resolution changes, which can cause the
# minion to lose connection with the master. To turn off minion id caching,
# set this config to ``False``.
{{ get_config('minion_id_caching', 'True') }}
# Append a domain to a hostname in the event that it does not exist. This is
# useful for systems where socket.getfqdn() does not actually result in a
# FQDN (for instance, Solaris).
@ -158,6 +184,20 @@ id: {{ cfg_minion['id'] }}
# This data may contain sensitive data and should be protected accordingly.
{{ get_config('cachedir', '/var/cache/salt/minion') }}
# Append minion_id to these directories. Helps with
# multiple proxies and minions running on the same machine.
# Allowed elements in the list: pki_dir, cachedir, extension_modules
# Normally not needed unless running several proxies and/or minions on the same machine
# Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions
{% if 'append_minionid_config_dirs' in cfg_minion -%}
append_minionid_config_dirs:
{% for dir in cfg_minion['append_minionid_config_dirs'] -%}
- {{ dir }}
{% endfor -%}
{%- else %}
#append_minionid_config_dirs:
{%- endif %}
# Verify and set permissions on configuration directories at startup.
{{ get_config('verify_env', 'True') }}
@ -226,6 +266,20 @@ id: {{ cfg_minion['id'] }}
# authenticate.
{{ get_config('auth_tries', '7') }}
# The number of attempts to connect to a master before giving up.
# Set this to -1 for unlimited attempts. This allows for a master to have
# downtime and the minion to reconnect to it later when it comes back up.
# In 'failover' mode, it is the number of attempts for each set of masters.
# In this mode, it will cycle through the list of masters for each attempt.
#
# This is different than auth_tries because auth_tries attempts to
# retry auth attempts with a single master. auth_tries is under the
# assumption that you can connect to the master but not gain
# authorization from it. master_tries will still cycle through all
# the masters in a given try, so it is appropriate if you expect
# occasional downtime from the master(s).
{{ get_config('master_tries', '1') }}
# If authentication fails due to SaltReqTimeoutError during a ping_interval,
# cause sub minion process to restart.
{{ get_config('auth_safemode', 'False') }}
@ -312,10 +366,23 @@ mine_functions:
{{ get_config('recon_randomize', 'False') }}
# The loop_interval sets how long in seconds the minion will wait between
# evaluating the scheduler and running cleanup tasks. This defaults to a
# sane 60 seconds, but if the minion scheduler needs to be evaluated more
# often lower this value
{{ get_config('loop_interval', '60') }}
# evaluating the scheduler and running cleanup tasks. This defaults to 1
# second on the minion scheduler.
{{ get_config('loop_interval', '1') }}
# Some installations choose to start all job returns in a cache or a returner
# and forgo sending the results back to a master. In this workflow, jobs
# are most often executed with --async from the Salt CLI and then results
# are evaluated by examining job caches on the minions or any configured returners.
# WARNING: Setting this to False will **disable** returns back to the master.
{{ get_config('pub_ret', 'True') }}
# The grains can be merged, instead of overridden, using this option.
# This allows custom grains to defined different subvalues of a dictionary
# grain. By default this feature is disabled, to enable set grains_deep_merge
# to ``True``.
{{ get_config('grains_deep_merge', 'False') }}
# The grains_refresh_every setting allows for a minion to periodically check
# its grains to see if they have changed and, if so, to inform the master
@ -332,12 +399,37 @@ mine_functions:
# Cache grains on the minion. Default is False.
{{ get_config('grains_cache', 'False') }}
# Cache rendered pillar data on the minion. Default is False.
# This may cause 'cachedir'/pillar to contain sensitive data that should be
# protected accordingly.
{{ get_config('minion_pillar_cache', 'False') }}
# Grains cache expiration, in seconds. If the cache file is older than this
# number of seconds then the grains cache will be dumped and fully re-populated
# with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache'
# is not enabled.
{{ get_config('grains_cache_expiration', '300') }}
# Determines whether or not the salt minion should run scheduled mine updates.
# Defaults to "True". Set to "False" to disable the scheduled mine updates
# (this essentially just does not add the mine update function to the minion's
# scheduler).
{{ get_config('mine_enabled', 'True') }}
# Determines whether or not scheduled mine updates should be accompanied by a job
# return for the job cache. Defaults to "False". Set to "True" to include job
# returns in the job cache for mine updates.
{{ get_config('mine_return_job', 'False') }}
# Example functions that can be run via the mine facility
# NO mine functions are established by default.
# Note these can be defined in the minion's pillar as well.
#mine_functions:
# test.ping: []
# network.ip_addrs:
# interface: eth0
# cidr: '10.0.0.0/8'
# Windows platforms lack posix IPC and must rely on slower TCP based inter-
# process communications. Set ipc_mode to 'tcp' on such systems
{{ get_config('ipc_mode', 'ipc') }}
@ -386,13 +478,34 @@ mine_functions:
{%- endif -%}
{% endif %}
# The syndic minion can verify that it is talking to the correct master via the
# key fingerprint of the higher-level master with the "syndic_finger" config.
{{ get_config('syndic_finger', '') }}
##### Minion module management #####
##########################################
# Disable specific modules. This allows the admin to limit the level of
# access the master has to the minion.
{{ get_config('disable_modules', '[cmd,test]') }}
# access the master has to the minion. The default here is the empty list,
# below is an example of how this needs to be formatted in the config file
#disable_modules:
# - cmdmod
# - test
#disable_returners: []
{{ get_config('disable_modules', '[]') }}
{{ get_config('disable_returners', '[]') }}
# This is the reverse of disable_modules. The default, like disable_modules, is the empty list,
# but if this option is set to *anything* then *only* those modules will load.
# Note that this is a very large hammer and it can be quite difficult to keep the minion working
# the way you think it should since Salt uses many modules internally itself. At a bare minimum
# you need the following enabled or else the minion won't start.
#whitelist_modules:
# - cmdmod
# - test
# - config
{{ get_config('whitelist_modules', '[]') }}
# Modules can be loaded from arbitrary paths. This enables the easy deployment
# of third party modules. Modules for returners and minions can be loaded.
# Specify a list of extra directories to search for minion modules and
@ -452,7 +565,16 @@ mine_functions:
# by statically setting it. Remember that the recommended way to manage
# environments is to isolate via the top file.
{{ get_config('environment', 'None') }}
#
# Isolates the pillar environment on the minion side. This functions the same
# as the environment setting, but for pillar instead of states.
{{ get_config('pillarenv', 'None') }}
#
# Set this option to 'True' to force a 'KeyError' to be raised whenever an
# attempt to retrieve a named value from pillar fails. When this option is set
# to 'False', the failed attempt returns an empty string. Default is 'False'.
{{ get_config('pillar_raise_on_missing', 'False') }}
#
# If using the local file directory, then the state top file name needs to be
# defined, by default this is top.sls.
{{ get_config('state_top', 'top.sls') }}
@ -526,17 +648,17 @@ file_client: local
# - /srv/salt
{%- endif %}
# File Server Backend
# Uncomment the line below if you do not want the file_server to follow
# symlinks when walking the filesystem tree. This is set to True
# by default. Currently this only applies to the default roots
# fileserver_backend.
{{ get_config('fileserver_followsymlinks', 'True') }}
#
# Salt supports a modular fileserver backend system, this system allows
# the salt minion to link directly to third party systems to gather and
# manage the files available to minions. Multiple backends can be
# configured and will be searched for the requested file in the order in which
# they are defined here. The default setting only enables the standard backend
# "roots" which uses the "file_roots" option.
#fileserver_backend:
# - roots
# Uncomment the line below if you do not want symlinks to be
# treated as the files they are pointing to. By default this is set to
# False. By uncommenting the line below, any detected symlink while listing
# files on the Master will not be returned to the Minion.
{{ get_config('fileserver_ignoresymlinks', 'False') }}
#
# To use multiple backends list them in the order they are searched:
#fileserver_backend:
@ -558,10 +680,13 @@ fileserver_backend:
# is False.
{{ get_config('fileserver_limit_traversal', 'False') }}
# The hash_type is the hash to use when discovering the hash of a file in
# The hash_type is the hash to use when discovering the hash of a file on
# the local fileserver. The default is md5, but sha1, sha224, sha256, sha384
# and sha512 are also supported.
#
# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
# of possible collisions and thus security breach.
#
# Warning: Prior to changing this value, the minion should be stopped and all
# Salt caches should be cleared.
{{ get_config('hash_type', 'md5') }}
@ -687,6 +812,10 @@ pillar_roots:
# - /srv/pillar
{%- endif %}
# Set a hard-limit on the size of the files that can be pushed to the master.
# It will be interpreted as megabytes. Default: 100
{{ get_config('file_recv_max_size', '100') }}
{% if 'ext_pillar' in cfg_minion %}
{%- do default_keys.append('ext_pillar') %}
ext_pillar:
@ -858,11 +987,24 @@ ext_pillar:
# "salt-key -F master" on the Salt master.
{{ get_config('master_finger', "''") }}
# Use TLS/SSL encrypted connection between master and minion.
# Can be set to a dictionary containing keyword arguments corresponding to Python's
# 'ssl.wrap_socket' method.
# Default is None.
#ssl:
# keyfile: <path_to_keyfile>
# certfile: <path_to_certfile>
# ssl_version: PROTOCOL_TLSv1_2
###### Thread settings #####
###########################################
# Disable multiprocessing support, by default when a minion receives a
# publication a new process is spawned and the command is executed therein.
#
# WARNING: Disabling multiprocessing may result in substantial slowdowns
# when processing large pillars. See https://github.com/saltstack/salt/issues/38758
# for a full explanation.
{{ get_config('multiprocessing', 'True') }}
@ -1024,8 +1166,24 @@ ext_pillar:
###### Returner settings ######
############################################
# Which returner(s) will be used for minion's result:
# Default Minion returners. Can be a comma delimited string or a list:
#
#return: mysql
#
#return: mysql,slack,redis
#
#return:
# - mysql
# - hipchat
# - slack
{%- if 'return' in cfg_minion and cfg_minion['return'] is not string %}
return:
{% for name in cfg_minion['return'] -%}
- {{ name }}
{% endfor -%}
{%- else %}
{{ get_config('return', '') }}
{%- endif %}
###### Miscellaneous settings ######
############################################