author | Alejandro del Castillo <alejandro.delcastillo@ni.com> | 2016-06-10 10:58:28 -0500 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2016-06-17 08:37:05 -0400 |
commit | 454b16a0b9734bf9908d64e5a6fdca0023df474b (patch) | |
tree | ada961ed50a22f8d738863e553d9e4b6a69a3f92 /meta-openstack/recipes-support/salt/files | |
parent | e65e7ddbf9744229bf80c1c6f9ec38d86709b4e1 (diff) | |
salt: upgrade to 2016.3
* Update conffiles
* Add PKGCONFIG options for zeromq and TCP transports.
Signed-off-by: Alejandro del Castillo <alejandro.delcastillo@ni.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'meta-openstack/recipes-support/salt/files')
-rw-r--r-- | meta-openstack/recipes-support/salt/files/cloud | 7 | ||||
-rw-r--r-- | meta-openstack/recipes-support/salt/files/master | 541 | ||||
-rw-r--r-- | meta-openstack/recipes-support/salt/files/minion | 366 | ||||
-rw-r--r-- | meta-openstack/recipes-support/salt/files/roster | 1 |
4 files changed, 704 insertions, 211 deletions
diff --git a/meta-openstack/recipes-support/salt/files/cloud b/meta-openstack/recipes-support/salt/files/cloud index 2ea54f1..5bd28df 100644 --- a/meta-openstack/recipes-support/salt/files/cloud +++ b/meta-openstack/recipes-support/salt/files/cloud | |||
@@ -1,4 +1,4 @@ | |||
1 | # This file should normally be installed at: /etc/salt/cloud | 1 | # This file should normally be installed at: /etc/salt/cloud |
2 | 2 | ||
3 | 3 | ||
4 | ########################################## | 4 | ########################################## |
@@ -28,6 +28,9 @@ | |||
28 | # The level of messages to send to the console. | 28 | # The level of messages to send to the console. |
29 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. | 29 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. |
30 | # | 30 | # |
31 | # The following log levels are considered INSECURE and may log sensitive data: | ||
32 | # ['garbage', 'trace', 'debug'] | ||
33 | # | ||
31 | # Default: 'info' | 34 | # Default: 'info' |
32 | # | 35 | # |
33 | #log_level: info | 36 | #log_level: info |
@@ -65,7 +68,9 @@ | |||
65 | # the coloring of the messages, these color formatters also include padding as | 68 | # the coloring of the messages, these color formatters also include padding as |
66 | # well. Color LogRecord attributes are only available for console logging. | 69 | # well. Color LogRecord attributes are only available for console logging. |
67 | # | 70 | # |
71 | #log_fmt_console: '%(colorlevel)s %(colormsg)s' | ||
68 | #log_fmt_console: '[%(levelname)-8s] %(message)s' | 72 | #log_fmt_console: '[%(levelname)-8s] %(message)s' |
73 | # | ||
69 | #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' | 74 | #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' |
70 | 75 | ||
71 | 76 | ||
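Review bot: The added INSECURE warning (new lines 31-32) sits only beside the console `log_level`, yet a persistent logfile is where sensitive data from 'garbage', 'trace' or 'debug' output is more likely to linger. If this file also carries a `log_level_logfile` block outside the hunks shown, the same two comment lines belong there too: `# The following log levels are considered INSECURE and may log sensitive data:` followed by `# ['garbage', 'trace', 'debug']`. Separately, the unchanged line just above (new line 29) still reads `'debug', info', 'warning'` with an unbalanced quote before `info`; correcting it to `'debug', 'info', 'warning'` in the same hunk would keep the list of valid levels unambiguous.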
diff --git a/meta-openstack/recipes-support/salt/files/master b/meta-openstack/recipes-support/salt/files/master index 8129a4f..821f5fc 100644 --- a/meta-openstack/recipes-support/salt/files/master +++ b/meta-openstack/recipes-support/salt/files/master | |||
@@ -1,125 +1,235 @@ | |||
1 | ##### Primary configuration settings ##### | 1 | ##### Primary configuration settings ##### |
2 | ########################################## | 2 | ########################################## |
3 | # This configuration file is used to manage the behavior of the Salt Master | 3 | # This configuration file is used to manage the behavior of the Salt Master. |
4 | # Values that are commented out but have no space after the comment are | 4 | # Values that are commented out but have an empty line after the comment are |
5 | # defaults that need not be set in the config. If there is a space after the | 5 | # defaults that do not need to be set in the config. If there is no blank line |
6 | # comment that the value is presented as an example and is not the default. | 6 | # after the comment then the value is presented as an example and is not the |
7 | # default. | ||
7 | 8 | ||
8 | # Per default, the master will automatically include all config files | 9 | # Per default, the master will automatically include all config files |
9 | # from master.d/*.conf (master.d is a directory in the same directory | 10 | # from master.d/*.conf (master.d is a directory in the same directory |
10 | # as the main master config file) | 11 | # as the main master config file). |
11 | #default_include: master.d/*.conf | 12 | #default_include: master.d/*.conf |
12 | 13 | ||
13 | # The address of the interface to bind to | 14 | # The address of the interface to bind to: |
14 | #interface: 0.0.0.0 | 15 | #interface: 0.0.0.0 |
15 | 16 | ||
16 | # Whether the master should listen for IPv6 connections. If this is set to True, | 17 | # Whether the master should listen for IPv6 connections. If this is set to True, |
17 | # the interface option must be adjusted too (for example: "interface: '::'") | 18 | # the interface option must be adjusted, too. (For example: "interface: '::'") |
18 | #ipv6: False | 19 | #ipv6: False |
19 | 20 | ||
20 | # The tcp port used by the publisher | 21 | # The tcp port used by the publisher: |
21 | #publish_port: 4505 | 22 | #publish_port: 4505 |
22 | 23 | ||
23 | # The user to run the salt-master as. Salt will update all permissions to | 24 | # The user under which the salt master will run. Salt will update all |
24 | # allow the specified user to run the master. If the modified files cause | 25 | # permissions to allow the specified user to run the master. The exception is |
25 | # conflicts set verify_env to False. | 26 | # the job cache, which must be deleted if this user is changed. If the |
27 | # modified files cause conflicts, set verify_env to False. | ||
26 | #user: root | 28 | #user: root |
27 | 29 | ||
28 | # Max open files | ||
29 | # Each minion connecting to the master uses AT LEAST one file descriptor, the | ||
30 | # master subscription connection. If enough minions connect you might start | ||
31 | # seeing on the console(and then salt-master crashes): | ||
32 | # Too many open files (tcp_listener.cpp:335) | ||
33 | # Aborted (core dumped) | ||
34 | # | ||
35 | # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for | ||
36 | # max open files. | ||
37 | # | ||
38 | # If you wish to set a different value than the default one, uncomment and | ||
39 | # configure this setting. Remember that this value CANNOT be higher than the | ||
40 | # hard limit. Raising the hard limit depends on your OS and/or distribution, | ||
41 | # a good way to find the limit is to search the internet for(for example): | ||
42 | # raise max open files hard limit debian | ||
43 | # | ||
44 | #max_open_files: 100000 | ||
45 | |||
46 | # The number of worker threads to start, these threads are used to manage | ||
47 | # return calls made from minions to the master, if the master seems to be | ||
48 | # running slowly, increase the number of threads | ||
49 | #worker_threads: 5 | ||
50 | |||
51 | # The port used by the communication interface. The ret (return) port is the | 30 | # The port used by the communication interface. The ret (return) port is the |
52 | # interface used for the file server, authentication, job returnes, etc. | 31 | # interface used for the file server, authentication, job returns, etc. |
53 | #ret_port: 4506 | 32 | #ret_port: 4506 |
54 | 33 | ||
55 | # Specify the location of the daemon process ID file | 34 | # Specify the location of the daemon process ID file: |
56 | #pidfile: /var/run/salt-master.pid | 35 | #pidfile: /var/run/salt-master.pid |
57 | 36 | ||
58 | # The root directory prepended to these options: pki_dir, cachedir, | 37 | # The root directory prepended to these options: pki_dir, cachedir, |
59 | # sock_dir, log_file, autosign_file, extension_modules, key_logfile, pidfile. | 38 | # sock_dir, log_file, autosign_file, autoreject_file, extension_modules, |
39 | # key_logfile, pidfile: | ||
60 | #root_dir: / | 40 | #root_dir: / |
61 | 41 | ||
62 | # Directory used to store public key data | 42 | # Directory used to store public key data: |
63 | #pki_dir: /etc/salt/pki/master | 43 | #pki_dir: /etc/salt/pki/master |
64 | 44 | ||
65 | # Directory to store job and cache data | 45 | # Directory to store job and cache data: |
46 | # This directory may contain sensitive data and should be protected accordingly. | ||
47 | # | ||
66 | #cachedir: /var/cache/salt/master | 48 | #cachedir: /var/cache/salt/master |
67 | 49 | ||
68 | # Verify and set permissions on configuration directories at startup | 50 | # Directory for custom modules. This directory can contain subdirectories for |
51 | # each of Salt's module types such as "runners", "output", "wheel", "modules", | ||
52 | # "states", "returners", etc. | ||
53 | #extension_modules: <no default> | ||
54 | |||
55 | # Directory for custom modules. This directory can contain subdirectories for | ||
56 | # each of Salt's module types such as "runners", "output", "wheel", "modules", | ||
57 | # "states", "returners", etc. | ||
58 | # Like 'extension_modules' but can take an array of paths | ||
59 | #module_dirs: <no default> | ||
60 | # - /var/cache/salt/minion/extmods | ||
61 | |||
62 | # Verify and set permissions on configuration directories at startup: | ||
69 | #verify_env: True | 63 | #verify_env: True |
70 | 64 | ||
71 | # Set the number of hours to keep old job information in the job cache | 65 | # Set the number of hours to keep old job information in the job cache: |
72 | #keep_jobs: 24 | 66 | #keep_jobs: 24 |
73 | 67 | ||
74 | # Set the default timeout for the salt command and api, the default is 5 | 68 | # Set the default timeout for the salt command and api. The default is 5 |
75 | # seconds | 69 | # seconds. |
76 | #timeout: 5 | 70 | #timeout: 5 |
77 | 71 | ||
78 | # The loop_interval option controls the seconds for the master's maintinance | 72 | # The loop_interval option controls the seconds for the master's maintenance |
79 | # process check cycle. This process updates file server backends, cleans the | 73 | # process check cycle. This process updates file server backends, cleans the |
80 | # job cache and executes the scheduler. | 74 | # job cache and executes the scheduler. |
81 | #loop_interval: 60 | 75 | #loop_interval: 60 |
82 | 76 | ||
83 | # Set the default outputter used by the salt command. The default is "nested" | 77 | # Set the default outputter used by the salt command. The default is "nested". |
84 | #output: nested | 78 | #output: nested |
85 | 79 | ||
86 | # By default output is colored, to disable colored output set the color value | 80 | # Return minions that timeout when running commands like test.ping |
87 | # to False | 81 | #show_timeout: True |
82 | |||
83 | # By default, output is colored. To disable colored output, set the color value | ||
84 | # to False. | ||
88 | #color: True | 85 | #color: True |
89 | 86 | ||
90 | # Set the directory used to hold unix sockets | 87 | # Do not strip off the colored output from nested results and state outputs |
88 | # (true by default). | ||
89 | # strip_colors: False | ||
90 | |||
91 | # Set the directory used to hold unix sockets: | ||
91 | #sock_dir: /var/run/salt/master | 92 | #sock_dir: /var/run/salt/master |
92 | 93 | ||
93 | # The master can take a while to start up when lspci and/or dmidecode is used | 94 | # The master can take a while to start up when lspci and/or dmidecode is used |
94 | # to populate the grains for the master. Enable if you want to see GPU hardware | 95 | # to populate the grains for the master. Enable if you want to see GPU hardware |
95 | # data for your master. | 96 | # data for your master. |
96 | # | ||
97 | # enable_gpu_grains: False | 97 | # enable_gpu_grains: False |
98 | 98 | ||
99 | # The master maintains a job cache, while this is a great addition it can be | 99 | # The master maintains a job cache. While this is a great addition, it can be |
100 | # a burden on the master for larger deployments (over 5000 minions). | 100 | # a burden on the master for larger deployments (over 5000 minions). |
101 | # Disabling the job cache will make previously executed jobs unavailable to | 101 | # Disabling the job cache will make previously executed jobs unavailable to |
102 | # the jobs system and is not generally recommended. | 102 | # the jobs system and is not generally recommended. |
103 | # | ||
104 | #job_cache: True | 103 | #job_cache: True |
105 | 104 | ||
106 | # Cache minion grains and pillar data in the cachedir. | 105 | # Cache minion grains and pillar data in the cachedir. |
107 | #minion_data_cache: True | 106 | #minion_data_cache: True |
108 | 107 | ||
108 | # Store all returns in the given returner. | ||
109 | # Setting this option requires that any returner-specific configuration also | ||
110 | # be set. See various returners in salt/returners for details on required | ||
111 | # configuration values. (See also, event_return_queue below.) | ||
112 | # | ||
113 | #event_return: mysql | ||
114 | |||
115 | # On busy systems, enabling event_returns can cause a considerable load on | ||
116 | # the storage system for returners. Events can be queued on the master and | ||
117 | # stored in a batched fashion using a single transaction for multiple events. | ||
118 | # By default, events are not queued. | ||
119 | #event_return_queue: 0 | ||
120 | |||
121 | # Only events returns matching tags in a whitelist | ||
122 | # event_return_whitelist: | ||
123 | # - salt/master/a_tag | ||
124 | # - salt/master/another_tag | ||
125 | |||
126 | # Store all event returns _except_ the tags in a blacklist | ||
127 | # event_return_blacklist: | ||
128 | # - salt/master/not_this_tag | ||
129 | # - salt/master/or_this_one | ||
130 | |||
131 | # Passing very large events can cause the minion to consume large amounts of | ||
132 | # memory. This value tunes the maximum size of a message allowed onto the | ||
133 | # master event bus. The value is expressed in bytes. | ||
134 | #max_event_size: 1048576 | ||
135 | |||
136 | # By default, the master AES key rotates every 24 hours. The next command | ||
137 | # following a key rotation will trigger a key refresh from the minion which may | ||
138 | # result in minions which do not respond to the first command after a key refresh. | ||
139 | # | ||
140 | # To tell the master to ping all minions immediately after an AES key refresh, set | ||
141 | # ping_on_rotate to True. This should mitigate the issue where a minion does not | ||
142 | # appear to initially respond after a key is rotated. | ||
143 | # | ||
144 | # Note that ping_on_rotate may cause high load on the master immediately after | ||
145 | # the key rotation event as minions reconnect. Consider this carefully if this | ||
146 | # salt master is managing a large number of minions. | ||
147 | # | ||
148 | # If disabled, it is recommended to handle this event by listening for the | ||
149 | # 'aes_key_rotate' event with the 'key' tag and acting appropriately. | ||
150 | # ping_on_rotate: False | ||
151 | |||
152 | # By default, the master deletes its cache of minion data when the key for that | ||
153 | # minion is removed. To preserve the cache after key deletion, set | ||
154 | # 'preserve_minion_cache' to True. | ||
155 | # | ||
156 | # WARNING: This may have security implications if compromised minions auth with | ||
157 | # a previous deleted minion ID. | ||
158 | #preserve_minion_cache: False | ||
159 | |||
160 | # If max_minions is used in large installations, the master might experience | ||
161 | # high-load situations because of having to check the number of connected | ||
162 | # minions for every authentication. This cache provides the minion-ids of | ||
163 | # all connected minions to all MWorker-processes and greatly improves the | ||
164 | # performance of max_minions. | ||
165 | # con_cache: False | ||
166 | |||
109 | # The master can include configuration from other files. To enable this, | 167 | # The master can include configuration from other files. To enable this, |
110 | # pass a list of paths to this option. The paths can be either relative or | 168 | # pass a list of paths to this option. The paths can be either relative or |
111 | # absolute; if relative, they are considered to be relative to the directory | 169 | # absolute; if relative, they are considered to be relative to the directory |
112 | # the main master configuration file lives in (this file). Paths can make use | 170 | # the main master configuration file lives in (this file). Paths can make use |
113 | # of shell-style globbing. If no files are matched by a path passed to this | 171 | # of shell-style globbing. If no files are matched by a path passed to this |
114 | # option then the master will log a warning message. | 172 | # option, then the master will log a warning message. |
115 | # | ||
116 | # | 173 | # |
117 | # Include a config file from some other path: | 174 | # Include a config file from some other path: |
118 | #include: /etc/salt/extra_config | 175 | # include: /etc/salt/extra_config |
119 | # | 176 | # |
120 | # Include config from several files and directories: | 177 | # Include config from several files and directories: |
121 | #include: | 178 | # include: |
122 | # - /etc/salt/extra_config | 179 | # - /etc/salt/extra_config |
180 | |||
181 | |||
182 | ##### Large-scale tuning settings ##### | ||
183 | ########################################## | ||
184 | # Max open files | ||
185 | # | ||
186 | # Each minion connecting to the master uses AT LEAST one file descriptor, the | ||
187 | # master subscription connection. If enough minions connect you might start | ||
188 | # seeing on the console (and then salt-master crashes): | ||
189 | # Too many open files (tcp_listener.cpp:335) | ||
190 | # Aborted (core dumped) | ||
191 | # | ||
192 | # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for | ||
193 | # max open files. | ||
194 | # | ||
195 | # If you wish to set a different value than the default one, uncomment and | ||
196 | # configure this setting. Remember that this value CANNOT be higher than the | ||
197 | # hard limit. Raising the hard limit depends on your OS and/or distribution, | ||
198 | # a good way to find the limit is to search the internet. For example: | ||
199 | # raise max open files hard limit debian | ||
200 | # | ||
201 | #max_open_files: 100000 | ||
202 | |||
203 | # The number of worker threads to start. These threads are used to manage | ||
204 | # return calls made from minions to the master. If the master seems to be | ||
205 | # running slowly, increase the number of threads. This setting can not be | ||
206 | # set lower than 3. | ||
207 | #worker_threads: 5 | ||
208 | |||
209 | # Set the ZeroMQ high water marks | ||
210 | # http://api.zeromq.org/3-2:zmq-setsockopt | ||
211 | |||
212 | # The publisher interface ZeroMQPubServerChannel | ||
213 | #pub_hwm: 1000 | ||
214 | |||
215 | # These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm | ||
216 | # are significant for masters with thousands of minions. When these are | ||
217 | # insufficiently high it will manifest in random responses missing in the CLI | ||
218 | # and even missing from the job cache. Masters that have fast CPUs and many | ||
219 | # cores with appropriate worker_threads will not need these set as high. | ||
220 | |||
221 | # On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has | ||
222 | # these settings: | ||
223 | # | ||
224 | # salt_event_pub_hwm: 128000 | ||
225 | # event_publisher_pub_hwm: 64000 | ||
226 | |||
227 | # ZMQ high-water-mark for SaltEvent pub socket | ||
228 | #salt_event_pub_hwm: 20000 | ||
229 | |||
230 | # ZMQ high-water-mark for EventPublisher pub socket | ||
231 | #event_publisher_pub_hwm: 10000 | ||
232 | |||
123 | 233 | ||
124 | 234 | ||
125 | ##### Security settings ##### | 235 | ##### Security settings ##### |
@@ -134,53 +244,68 @@ | |||
134 | # public keys from the minions. Note that this is insecure. | 244 | # public keys from the minions. Note that this is insecure. |
135 | #auto_accept: False | 245 | #auto_accept: False |
136 | 246 | ||
137 | # If the autosign_file is specified only incoming keys specified in | 247 | # Time in minutes that a incoming public key with a matching name found in |
138 | # the autosign_file will be automatically accepted. This is insecure. | 248 | # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys |
139 | # Regular expressions as well as globing lines are supported. | 249 | # are removed when the master checks the minion_autosign directory. |
250 | # 0 equals no timeout | ||
251 | # autosign_timeout: 120 | ||
252 | |||
253 | # If the autosign_file is specified, incoming keys specified in the | ||
254 | # autosign_file will be automatically accepted. This is insecure. Regular | ||
255 | # expressions as well as globing lines are supported. | ||
140 | #autosign_file: /etc/salt/autosign.conf | 256 | #autosign_file: /etc/salt/autosign.conf |
141 | 257 | ||
142 | # Enable permissive access to the salt keys. This allows you to run the | 258 | # Works like autosign_file, but instead allows you to specify minion IDs for |
259 | # which keys will automatically be rejected. Will override both membership in | ||
260 | # the autosign_file and the auto_accept setting. | ||
261 | #autoreject_file: /etc/salt/autoreject.conf | ||
262 | |||
263 | # Enable permissive access to the salt keys. This allows you to run the | ||
143 | # master or minion as root, but have a non-root group be given access to | 264 | # master or minion as root, but have a non-root group be given access to |
144 | # your pki_dir. To make the access explicit, root must belong to the group | 265 | # your pki_dir. To make the access explicit, root must belong to the group |
145 | # you've given access to. This is potentially quite insecure. | 266 | # you've given access to. This is potentially quite insecure. If an autosign_file |
146 | # If an autosign_file is specified, enabling permissive_pki_access will allow group access | 267 | # is specified, enabling permissive_pki_access will allow group access to that |
147 | # to that specific file. | 268 | # specific file. |
148 | #permissive_pki_access: False | 269 | #permissive_pki_access: False |
149 | 270 | ||
150 | # Allow users on the master access to execute specific commands on minions. | 271 | # Allow users on the master access to execute specific commands on minions. |
151 | # This setting should be treated with care since it opens up execution | 272 | # This setting should be treated with care since it opens up execution |
152 | # capabilities to non root users. By default this capability is completely | 273 | # capabilities to non root users. By default this capability is completely |
153 | # disabled. | 274 | # disabled. |
154 | # | 275 | #pulisher_acl: |
155 | #client_acl: | ||
156 | # larry: | 276 | # larry: |
157 | # - test.ping | 277 | # - test.ping |
158 | # - network.* | 278 | # - network.* |
159 | # | 279 | # |
160 | |||
161 | # Blacklist any of the following users or modules | 280 | # Blacklist any of the following users or modules |
162 | # | 281 | # |
163 | # This example would blacklist all non sudo users, including root from | 282 | # This example would blacklist all non sudo users, including root from |
164 | # running any commands. It would also blacklist any use of the "cmd" | 283 | # running any commands. It would also blacklist any use of the "cmd" |
165 | # module. | 284 | # module. This is completely disabled by default. |
166 | # This is completely disabled by default. | ||
167 | # | 285 | # |
168 | #client_acl_blacklist: | 286 | #publisher_acl_blacklist: |
169 | # users: | 287 | # users: |
170 | # - root | 288 | # - root |
171 | # - '^(?!sudo_).*$' # all non sudo users | 289 | # - '^(?!sudo_).*$' # all non sudo users |
172 | # modules: | 290 | # modules: |
173 | # - cmd | 291 | # - cmd |
292 | # | ||
293 | # WARNING: client_acl and client_acl_blacklist options are deprecated and will | ||
294 | # be removed in the future releases. Use publisher_acl and | ||
295 | # publisher_acl_blacklist instead. | ||
296 | |||
297 | # Enforce publisher_acl & publisher_acl_blacklist when users have sudo | ||
298 | # access to the salt command. | ||
299 | # | ||
300 | #sudo_acl: False | ||
174 | 301 | ||
175 | # The external auth system uses the Salt auth modules to authenticate and | 302 | # The external auth system uses the Salt auth modules to authenticate and |
176 | # validate users to access areas of the Salt system. | 303 | # validate users to access areas of the Salt system. |
177 | # | ||
178 | #external_auth: | 304 | #external_auth: |
179 | # pam: | 305 | # pam: |
180 | # fred: | 306 | # fred: |
181 | # - test.* | 307 | # - test.* |
182 | # | 308 | # |
183 | |||
184 | # Time (in seconds) for a newly generated token to live. Default: 12 hours | 309 | # Time (in seconds) for a newly generated token to live. Default: 12 hours |
185 | #token_expire: 43200 | 310 | #token_expire: 43200 |
186 | 311 | ||
@@ -188,6 +313,10 @@ | |||
188 | # security purposes. | 313 | # security purposes. |
189 | #file_recv: False | 314 | #file_recv: False |
190 | 315 | ||
316 | # Set a hard-limit on the size of the files that can be pushed to the master. | ||
317 | # It will be interpreted as megabytes. Default: 100 | ||
318 | #file_recv_max_size: 100 | ||
319 | |||
191 | # Signature verification on messages published from the master. | 320 | # Signature verification on messages published from the master. |
192 | # This causes the master to cryptographically sign all messages published to its event | 321 | # This causes the master to cryptographically sign all messages published to its event |
193 | # bus, and minions then verify that signature before acting on the message. | 322 | # bus, and minions then verify that signature before acting on the message. |
@@ -199,20 +328,30 @@ | |||
199 | # no signature, it will still be accepted, and a warning message will be logged. | 328 | # no signature, it will still be accepted, and a warning message will be logged. |
200 | # Conversely, if sign_pub_messages is False, but a minion receives a signed | 329 | # Conversely, if sign_pub_messages is False, but a minion receives a signed |
201 | # message it will be accepted, the signature will not be checked, and a warning message | 330 | # message it will be accepted, the signature will not be checked, and a warning message |
202 | # will be logged. This behavior will go away in Salt 0.17.6 (or Hydrogen RC1, whichever | 331 | # will be logged. This behavior went away in Salt 2014.1.0 and these two situations |
203 | # comes first) and these two situations will cause minion to throw an exception and | 332 | # will cause minion to throw an exception and drop the message. |
204 | # drop the message. | ||
205 | # | ||
206 | # sign_pub_messages: False | 333 | # sign_pub_messages: False |
207 | 334 | ||
335 | ##### Salt-SSH Configuration ##### | ||
336 | ########################################## | ||
337 | |||
338 | # Pass in an alternative location for the salt-ssh roster file | ||
339 | #roster_file: /etc/salt/roster | ||
340 | |||
341 | # Pass in minion option overrides that will be inserted into the SHIM for | ||
342 | # salt-ssh calls. The local minion config is not used for salt-ssh. Can be | ||
343 | # overridden on a per-minion basis in the roster (`minion_opts`) | ||
344 | #ssh_minion_opts: | ||
345 | # gpg_keydir: /root/gpg | ||
346 | |||
208 | ##### Master Module Management ##### | 347 | ##### Master Module Management ##### |
209 | ########################################## | 348 | ########################################## |
210 | # Manage how master side modules are loaded | 349 | # Manage how master side modules are loaded. |
211 | 350 | ||
212 | # Add any additional locations to look for master runners | 351 | # Add any additional locations to look for master runners: |
213 | #runner_dirs: [] | 352 | #runner_dirs: [] |
214 | 353 | ||
215 | # Enable Cython for master side modules | 354 | # Enable Cython for master side modules: |
216 | #cython_enable: False | 355 | #cython_enable: False |
217 | 356 | ||
218 | 357 | ||
@@ -226,6 +365,7 @@ | |||
226 | # The master_tops option replaces the external_nodes option by creating | 365 | # The master_tops option replaces the external_nodes option by creating |
227 | # a plugable system for the generation of external top data. The external_nodes | 366 | # a plugable system for the generation of external top data. The external_nodes |
228 | # option is deprecated by the master_tops option. | 367 | # option is deprecated by the master_tops option. |
368 | # | ||
229 | # To gain the capabilities of the classic external_nodes system, use the | 369 | # To gain the capabilities of the classic external_nodes system, use the |
230 | # following configuration: | 370 | # following configuration: |
231 | # master_tops: | 371 | # master_tops: |
@@ -242,6 +382,19 @@ | |||
242 | # The renderer to use on the minions to render the state data | 382 | # The renderer to use on the minions to render the state data |
243 | #renderer: yaml_jinja | 383 | #renderer: yaml_jinja |
244 | 384 | ||
385 | # The Jinja renderer can strip extra carriage returns and whitespace | ||
386 | # See http://jinja.pocoo.org/docs/api/#high-level-api | ||
387 | # | ||
388 | # If this is set to True the first newline after a Jinja block is removed | ||
389 | # (block, not variable tag!). Defaults to False, corresponds to the Jinja | ||
390 | # environment init variable "trim_blocks". | ||
391 | #jinja_trim_blocks: False | ||
392 | # | ||
393 | # If this is set to True leading spaces and tabs are stripped from the start | ||
394 | # of a line to a block. Defaults to False, corresponds to the Jinja | ||
395 | # environment init variable "lstrip_blocks". | ||
396 | #jinja_lstrip_blocks: False | ||
397 | |||
245 | # The failhard option tells the minions to stop immediately after the first | 398 | # The failhard option tells the minions to stop immediately after the first |
246 | # failure detected in the state execution, defaults to False | 399 | # failure detected in the state execution, defaults to False |
247 | #failhard: False | 400 | #failhard: False |
@@ -256,8 +409,22 @@ | |||
256 | # output for each changed state if set to 'full', but if set to 'terse' | 409 | # output for each changed state if set to 'full', but if set to 'terse' |
257 | # the output will be shortened to a single line. If set to 'mixed', the output | 410 | # the output will be shortened to a single line. If set to 'mixed', the output |
258 | # will be terse unless a state failed, in which case that output will be full. | 411 | # will be terse unless a state failed, in which case that output will be full. |
412 | # If set to 'changes', the output will be full unless the state didn't change. | ||
259 | #state_output: full | 413 | #state_output: full |
260 | 414 | ||
415 | # Automatically aggregate all states that have support for mod_aggregate by | ||
416 | # setting to 'True'. Or pass a list of state module names to automatically | ||
417 | # aggregate just those types. | ||
418 | # | ||
419 | # state_aggregate: | ||
420 | # - pkg | ||
421 | # | ||
422 | #state_aggregate: False | ||
423 | |||
424 | # Send progress events as each function in a state run completes execution | ||
425 | # by setting to 'True'. Progress events are in the format | ||
426 | # 'salt/job/<JID>/prog/<MID>/<RUN NUM>'. | ||
427 | #state_events: False | ||
261 | 428 | ||
262 | ##### File Server settings ##### | 429 | ##### File Server settings ##### |
263 | ########################################## | 430 | ########################################## |
@@ -279,14 +446,34 @@ | |||
279 | # prod: | 446 | # prod: |
280 | # - /srv/salt/prod/services | 447 | # - /srv/salt/prod/services |
281 | # - /srv/salt/prod/states | 448 | # - /srv/salt/prod/states |
282 | 449 | # | |
283 | #file_roots: | 450 | #file_roots: |
284 | # base: | 451 | # base: |
285 | # - /srv/salt | 452 | # - /srv/salt |
453 | # | ||
454 | |||
455 | # When using multiple environments, each with their own top file, the | ||
456 | # default behaviour is an unordered merge. To prevent top files from | ||
457 | # being merged together and instead to only use the top file from the | ||
458 | # requested environment, set this value to 'same'. | ||
459 | #top_file_merging_strategy: merge | ||
460 | |||
461 | # To specify the order in which environments are merged, set the ordering | ||
462 | # in the env_order option. Given a conflict, the last matching value will | ||
463 | # win. | ||
464 | #env_order: ['base', 'dev', 'prod'] | ||
465 | |||
466 | # If top_file_merging_strategy is set to 'same' and an environment does not | ||
467 | # contain a top file, the top file in the environment specified by default_top | ||
468 | # will be used instead. | ||
469 | #default_top: base | ||
286 | 470 | ||
287 | # The hash_type is the hash to use when discovering the hash of a file on | 471 | # The hash_type is the hash to use when discovering the hash of a file on |
288 | # the master server. The default is md5, but sha1, sha224, sha256, sha384 | 472 | # the master server. The default is md5, but sha1, sha224, sha256, sha384 |
289 | # and sha512 are also supported. | 473 | # and sha512 are also supported. |
474 | # | ||
475 | # Prior to changing this value, the master should be stopped and all Salt | ||
476 | # caches should be cleared. | ||
290 | #hash_type: md5 | 477 | #hash_type: md5 |
291 | 478 | ||
292 | # The buffer size in the file server can be adjusted here: | 479 | # The buffer size in the file server can be adjusted here: |
@@ -298,7 +485,6 @@ | |||
298 | # For example, if you manage your custom modules and states in subversion | 485 | # For example, if you manage your custom modules and states in subversion |
299 | # and don't want all the '.svn' folders and content synced to your minions, | 486 | # and don't want all the '.svn' folders and content synced to your minions, |
300 | # you could set this to '/\.svn($|/)'. By default nothing is ignored. | 487 | # you could set this to '/\.svn($|/)'. By default nothing is ignored. |
301 | # | ||
302 | #file_ignore_regex: | 488 | #file_ignore_regex: |
303 | # - '/\.svn($|/)' | 489 | # - '/\.svn($|/)' |
304 | # - '/\.git($|/)' | 490 | # - '/\.git($|/)' |
@@ -307,58 +493,83 @@ | |||
307 | # path before syncing the modules and states to the minions. This is similar | 493 | # path before syncing the modules and states to the minions. This is similar |
308 | # to file_ignore_regex above, but works on globs instead of regex. By default | 494 | # to file_ignore_regex above, but works on globs instead of regex. By default |
309 | # nothing is ignored. | 495 | # nothing is ignored. |
310 | # | ||
311 | # file_ignore_glob: | 496 | # file_ignore_glob: |
312 | # - '*.pyc' | 497 | # - '*.pyc' |
313 | # - '*/somefolder/*.bak' | 498 | # - '*/somefolder/*.bak' |
314 | # - '*.swp' | 499 | # - '*.swp' |
315 | 500 | ||
316 | # File Server Backend | 501 | # File Server Backend |
502 | # | ||
317 | # Salt supports a modular fileserver backend system, this system allows | 503 | # Salt supports a modular fileserver backend system, this system allows |
318 | # the salt master to link directly to third party systems to gather and | 504 | # the salt master to link directly to third party systems to gather and |
319 | # manage the files available to minions. Multiple backends can be | 505 | # manage the files available to minions. Multiple backends can be |
320 | # configured and will be searched for the requested file in the order in which | 506 | # configured and will be searched for the requested file in the order in which |
321 | # they are defined here. The default setting only enables the standard backend | 507 | # they are defined here. The default setting only enables the standard backend |
322 | # "roots" which uses the "file_roots" option. | 508 | # "roots" which uses the "file_roots" option. |
323 | # | ||
324 | #fileserver_backend: | 509 | #fileserver_backend: |
325 | # - roots | 510 | # - roots |
326 | # | 511 | # |
327 | # To use multiple backends list them in the order they are searched: | 512 | # To use multiple backends list them in the order they are searched: |
328 | # | ||
329 | #fileserver_backend: | 513 | #fileserver_backend: |
330 | # - git | 514 | # - git |
331 | # - roots | 515 | # - roots |
332 | # | 516 | # |
517 | # Uncomment the line below if you do not want the file_server to follow | ||
518 | # symlinks when walking the filesystem tree. This is set to True | ||
519 | # by default. Currently this only applies to the default roots | ||
520 | # fileserver_backend. | ||
521 | #fileserver_followsymlinks: False | ||
522 | # | ||
523 | # Uncomment the line below if you do not want symlinks to be | ||
524 | # treated as the files they are pointing to. By default this is set to | ||
525 | # False. By uncommenting the line below, any detected symlink while listing | ||
526 | # files on the Master will not be returned to the Minion. | ||
527 | #fileserver_ignoresymlinks: True | ||
528 | # | ||
333 | # By default, the Salt fileserver recurses fully into all defined environments | 529 | # By default, the Salt fileserver recurses fully into all defined environments |
334 | # to attempt to find files. To limit this behavior so that the fileserver only | 530 | # to attempt to find files. To limit this behavior so that the fileserver only |
335 | # traverses directories with SLS files and special Salt directories like _modules, | 531 | # traverses directories with SLS files and special Salt directories like _modules, |
336 | # enable the option below. This might be useful for installations where a file root | 532 | # enable the option below. This might be useful for installations where a file root |
337 | # has a very large number of files and performance is impacted. Default is False. | 533 | # has a very large number of files and performance is impacted. Default is False. |
338 | # | ||
339 | # fileserver_limit_traversal: False | 534 | # fileserver_limit_traversal: False |
340 | # | 535 | # |
341 | # Git fileserver backend configuration | 536 | # The fileserver can fire events off every time the fileserver is updated, |
537 | # these are disabled by default, but can be easily turned on by setting this | ||
538 | # flag to True | ||
539 | #fileserver_events: False | ||
540 | |||
541 | # Git File Server Backend Configuration | ||
542 | # | ||
543 | # Gitfs can be provided by one of two python modules: GitPython or pygit2. If | ||
544 | # using pygit2, both libgit2 and git must also be installed. | ||
545 | #gitfs_provider: gitpython | ||
546 | # | ||
342 | # When using the git fileserver backend at least one git remote needs to be | 547 | # When using the git fileserver backend at least one git remote needs to be |
343 | # defined. The user running the salt master will need read access to the repo. | 548 | # defined. The user running the salt master will need read access to the repo. |
344 | # | 549 | # |
345 | #gitfs_remotes: | ||
346 | # - git://github.com/saltstack/salt-states.git | ||
347 | # - file:///var/git/saltmaster | ||
348 | # | ||
349 | # The repos will be searched in order to find the file requested by a client | 550 | # The repos will be searched in order to find the file requested by a client |
350 | # and the first repo to have the file will return it. | 551 | # and the first repo to have the file will return it. |
351 | # When using the git backend branches and tags are translated into salt | 552 | # When using the git backend branches and tags are translated into salt |
352 | # environments. | 553 | # environments. |
353 | # Note: file:// repos will be treated as a remote, so refs you want used must | 554 | # Note: file:// repos will be treated as a remote, so refs you want used must |
354 | # exist in that repo as *local* refs. | 555 | # exist in that repo as *local* refs. |
556 | #gitfs_remotes: | ||
557 | # - git://github.com/saltstack/salt-states.git | ||
558 | # - file:///var/git/saltmaster | ||
559 | # | ||
560 | # The gitfs_ssl_verify option specifies whether to ignore ssl certificate | ||
561 | # errors when contacting the gitfs backend. You might want to set this to | ||
562 | # false if you're using a git backend that uses a self-signed certificate but | ||
563 | # keep in mind that setting this flag to anything other than the default of True | ||
564 | # is a security concern, you may want to try using the ssh transport. | ||
565 | #gitfs_ssl_verify: True | ||
355 | # | 566 | # |
356 | # The gitfs_root option gives the ability to serve files from a subdirectory | 567 | # The gitfs_root option gives the ability to serve files from a subdirectory |
357 | # within the repository. The path is defined relative to the root of the | 568 | # within the repository. The path is defined relative to the root of the |
358 | # repository and defaults to the repository root. | 569 | # repository and defaults to the repository root. |
359 | #gitfs_root: somefolder/otherfolder | 570 | #gitfs_root: somefolder/otherfolder |
360 | 571 | # | |
361 | 572 | # | |
362 | ##### Pillar settings ##### | 573 | ##### Pillar settings ##### |
363 | ########################################## | 574 | ########################################## |
364 | # Salt Pillars allow for the building of global data that can be made selectively | 575 | # Salt Pillars allow for the building of global data that can be made selectively |
@@ -366,28 +577,59 @@ | |||
366 | # Pillar is laid out in the same fashion as the file server, with environments, | 577 | # Pillar is laid out in the same fashion as the file server, with environments, |
367 | # a top file and sls files. However, pillar data does not need to be in the | 578 | # a top file and sls files. However, pillar data does not need to be in the |
368 | # highstate format, and is generally just key/value pairs. | 579 | # highstate format, and is generally just key/value pairs. |
369 | |||
370 | #pillar_roots: | 580 | #pillar_roots: |
371 | # base: | 581 | # base: |
372 | # - /srv/pillar | 582 | # - /srv/pillar |
373 | 583 | # | |
374 | #ext_pillar: | 584 | #ext_pillar: |
375 | # - hiera: /etc/hiera.yaml | 585 | # - hiera: /etc/hiera.yaml |
376 | # - cmd_yaml: cat /etc/salt/yaml | 586 | # - cmd_yaml: cat /etc/salt/yaml |
377 | 587 | ||
588 | # The ext_pillar_first option allows for external pillar sources to populate | ||
589 | # before file system pillar. This allows for targeting file system pillar from | ||
590 | # ext_pillar. | ||
591 | #ext_pillar_first: False | ||
592 | |||
593 | # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate | ||
594 | # errors when contacting the pillar gitfs backend. You might want to set this to | ||
595 | # false if you're using a git backend that uses a self-signed certificate but | ||
596 | # keep in mind that setting this flag to anything other than the default of True | ||
597 | # is a security concern, you may want to try using the ssh transport. | ||
598 | #pillar_gitfs_ssl_verify: True | ||
599 | |||
378 | # The pillar_opts option adds the master configuration file data to a dict in | 600 | # The pillar_opts option adds the master configuration file data to a dict in |
379 | # the pillar called "master". This is used to set simple configurations in the | 601 | # the pillar called "master". This is used to set simple configurations in the |
380 | # master config file that can then be used on minions. | 602 | # master config file that can then be used on minions. |
381 | #pillar_opts: True | 603 | #pillar_opts: False |
604 | |||
605 | # The pillar_safe_render_error option prevents the master from passing pillar | ||
606 | # render errors to the minion. This is set on by default because the error could | ||
607 | # contain templating data which would give that minion information it shouldn't | ||
608 | # have, like a password! When set true the error message will only show: | ||
609 | # Rendering SLS 'my.sls' failed. Please see master log for details. | ||
610 | #pillar_safe_render_error: True | ||
611 | |||
612 | # The pillar_source_merging_strategy option allows you to configure merging strategy | ||
613 | # between different sources. It accepts four values: recurse, aggregate, overwrite, | ||
614 | # or smart. Recurse will merge recursively mapping of data. Aggregate instructs | ||
615 | # aggregation of elements between sources that use the #!yamlex renderer. Overwrite | ||
616 | # will verwrite elements according the order in which they are processed. This is | ||
617 | # behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based | ||
618 | # on the "renderer" setting and is the default value. | ||
619 | #pillar_source_merging_strategy: smart | ||
620 | |||
621 | # Recursively merge lists by aggregating them instead of replacing them. | ||
622 | #pillar_merge_lists: False | ||
382 | 623 | ||
383 | 624 | ||
384 | ##### Syndic settings ##### | 625 | ##### Syndic settings ##### |
385 | ########################################## | 626 | ########################################## |
386 | # The Salt syndic is used to pass commands through a master from a higher | 627 | # The Salt syndic is used to pass commands through a master from a higher |
387 | # master. Using the syndic is simple, if this is a master that will have | 628 | # master. Using the syndic is simple. If this is a master that will have |
388 | # syndic servers(s) below it set the "order_masters" setting to True, if this | 629 | # syndic servers(s) below it, then set the "order_masters" setting to True. |
389 | # is a master that will be running a syndic daemon for passthrough the | 630 | # |
390 | # "syndic_master" setting needs to be set to the location of the master server | 631 | # If this is a master that will be running a syndic daemon for passthrough, then |
632 | # the "syndic_master" setting needs to be set to the location of the master server | ||
391 | # to receive commands from. | 633 | # to receive commands from. |
392 | 634 | ||
393 | # Set the order_masters setting to True if this master will command lower | 635 | # Set the order_masters setting to True if this master will command lower |
@@ -398,15 +640,16 @@ | |||
398 | # this master where to receive commands from. | 640 | # this master where to receive commands from. |
399 | #syndic_master: masterofmaster | 641 | #syndic_master: masterofmaster |
400 | 642 | ||
401 | # This is the 'ret_port' of the MasterOfMaster | 643 | # This is the 'ret_port' of the MasterOfMaster: |
402 | #syndic_master_port: 4506 | 644 | #syndic_master_port: 4506 |
403 | 645 | ||
404 | # PID file of the syndic daemon | 646 | # PID file of the syndic daemon: |
405 | #syndic_pidfile: /var/run/salt-syndic.pid | 647 | #syndic_pidfile: /var/run/salt-syndic.pid |
406 | 648 | ||
407 | # LOG file of the syndic daemon | 649 | # LOG file of the syndic daemon: |
408 | #syndic_log_file: syndic.log | 650 | #syndic_log_file: syndic.log |
409 | 651 | ||
652 | |||
410 | ##### Peer Publish settings ##### | 653 | ##### Peer Publish settings ##### |
411 | ########################################## | 654 | ########################################## |
412 | # Salt minions can send commands to other minions, but only if the minion is | 655 | # Salt minions can send commands to other minions, but only if the minion is |
@@ -418,14 +661,12 @@ | |||
418 | # of regular expressions to match functions. The following will allow the | 661 | # of regular expressions to match functions. The following will allow the |
419 | # minion authenticated as foo.example.com to execute functions from the test | 662 | # minion authenticated as foo.example.com to execute functions from the test |
420 | # and pkg modules. | 663 | # and pkg modules. |
421 | # | ||
422 | #peer: | 664 | #peer: |
423 | # foo.example.com: | 665 | # foo.example.com: |
424 | # - test.* | 666 | # - test.* |
425 | # - pkg.* | 667 | # - pkg.* |
426 | # | 668 | # |
427 | # This will allow all minions to execute all commands: | 669 | # This will allow all minions to execute all commands: |
428 | # | ||
429 | #peer: | 670 | #peer: |
430 | # .*: | 671 | # .*: |
431 | # - .* | 672 | # - .* |
@@ -440,16 +681,34 @@ | |||
440 | # | 681 | # |
441 | # All peer runner support is turned off by default and must be enabled before | 682 | # All peer runner support is turned off by default and must be enabled before |
442 | # using. This will enable all peer runners for all minions: | 683 | # using. This will enable all peer runners for all minions: |
443 | # | ||
444 | #peer_run: | 684 | #peer_run: |
445 | # .*: | 685 | # .*: |
446 | # - .* | 686 | # - .* |
447 | # | 687 | # |
448 | # To enable just the manage.up runner for the minion foo.example.com: | 688 | # To enable just the manage.up runner for the minion foo.example.com: |
449 | # | ||
450 | #peer_run: | 689 | #peer_run: |
451 | # foo.example.com: | 690 | # foo.example.com: |
452 | # - manage.up | 691 | # - manage.up |
692 | # | ||
693 | # | ||
694 | ##### Mine settings ##### | ||
695 | ##################################### | ||
696 | # Restrict mine.get access from minions. By default any minion has a full access | ||
697 | # to get all mine data from master cache. In acl definion below, only pcre matches | ||
698 | # are allowed. | ||
699 | # mine_get: | ||
700 | # .*: | ||
701 | # - .* | ||
702 | # | ||
703 | # The example below enables minion foo.example.com to get 'network.interfaces' mine | ||
704 | # data only, minions web* to get all network.* and disk.* mine data and all other | ||
705 | # minions won't get any mine data. | ||
706 | # mine_get: | ||
707 | # foo.example.com: | ||
708 | # - network.interfaces | ||
709 | # web.*: | ||
710 | # - network.* | ||
711 | # - disk.* | ||
453 | 712 | ||
454 | 713 | ||
455 | ##### Logging settings ##### | 714 | ##### Logging settings ##### |
@@ -468,10 +727,15 @@ | |||
468 | 727 | ||
469 | # The level of messages to send to the console. | 728 | # The level of messages to send to the console. |
470 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. | 729 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. |
730 | # | ||
731 | # The following log levels are considered INSECURE and may log sensitive data: | ||
732 | # ['garbage', 'trace', 'debug'] | ||
733 | # | ||
471 | #log_level: warning | 734 | #log_level: warning |
472 | 735 | ||
473 | # The level of messages to send to the log file. | 736 | # The level of messages to send to the log file. |
474 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. | 737 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. |
738 | # If using 'log_granular_levels' this must be set to the highest desired level. | ||
475 | #log_level_logfile: warning | 739 | #log_level_logfile: warning |
476 | 740 | ||
477 | # The date and time format used in log messages. Allowed date/time formating | 741 | # The date and time format used in log messages. Allowed date/time formating |
@@ -481,24 +745,37 @@ | |||
481 | 745 | ||
482 | # The format of the console logging messages. Allowed formatting options can | 746 | # The format of the console logging messages. Allowed formatting options can |
483 | # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes | 747 | # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes |
748 | # | ||
749 | # Console log colors are specified by these additional formatters: | ||
750 | # | ||
751 | # %(colorlevel)s | ||
752 | # %(colorname)s | ||
753 | # %(colorprocess)s | ||
754 | # %(colormsg)s | ||
755 | # | ||
756 | # Since it is desirable to include the surrounding brackets, '[' and ']', in | ||
757 | # the coloring of the messages, these color formatters also include padding as | ||
758 | # well. Color LogRecord attributes are only available for console logging. | ||
759 | # | ||
760 | #log_fmt_console: '%(colorlevel)s %(colormsg)s' | ||
484 | #log_fmt_console: '[%(levelname)-8s] %(message)s' | 761 | #log_fmt_console: '[%(levelname)-8s] %(message)s' |
762 | # | ||
485 | #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' | 763 | #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' |
486 | 764 | ||
487 | # This can be used to control logging levels more specificically. This | 765 | # This can be used to control logging levels more specificically. This |
488 | # example sets the main salt library at the 'warning' level, but sets | 766 | # example sets the main salt library at the 'warning' level, but sets |
489 | # 'salt.modules' to log at the 'debug' level: | 767 | # 'salt.modules' to log at the 'debug' level: |
490 | # log_granular_levels: | 768 | # log_granular_levels: |
491 | # 'salt': 'warning', | 769 | # 'salt': 'warning' |
492 | # 'salt.modules': 'debug' | 770 | # 'salt.modules': 'debug' |
493 | # | 771 | # |
494 | #log_granular_levels: {} | 772 | #log_granular_levels: {} |
495 | 773 | ||
496 | 774 | ||
497 | ##### Node Groups ##### | 775 | ##### Node Groups ###### |
498 | ########################################## | 776 | ########################################## |
499 | # Node groups allow for logical groupings of minion nodes. | 777 | # Node groups allow for logical groupings of minion nodes. A group consists of a group |
500 | # A group consists of a group name and a compound target. | 778 | # name and a compound target. |
501 | # | ||
502 | #nodegroups: | 779 | #nodegroups: |
503 | # group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' | 780 | # group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com' |
504 | # group2: 'G@os:Debian and foo.domain.com' | 781 | # group2: 'G@os:Debian and foo.domain.com' |
@@ -507,19 +784,43 @@ | |||
507 | ##### Range Cluster settings ##### | 784 | ##### Range Cluster settings ##### |
508 | ########################################## | 785 | ########################################## |
509 | # The range server (and optional port) that serves your cluster information | 786 | # The range server (and optional port) that serves your cluster information |
510 | # https://github.com/grierj/range/wiki/Introduction-to-Range-with-YAML-files | 787 | # https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec |
511 | # | 788 | # |
512 | #range_server: range:80 | 789 | #range_server: range:80 |
513 | 790 | ||
514 | 791 | ||
515 | ##### Windows Software Repo settings ##### | 792 | ##### Windows Software Repo settings ##### |
516 | ############################################## | 793 | ########################################### |
517 | # Location of the repo on the master | 794 | # Location of the repo on the master: |
518 | #win_repo: '/srv/salt/win/repo' | 795 | #winrepo_dir_ng: '/srv/salt/win/repo-ng' |
796 | # | ||
797 | # List of git repositories to include with the local repo: | ||
798 | #winrepo_remotes_ng: | ||
799 | # - 'https://github.com/saltstack/salt-winrepo-ng.git' | ||
519 | 800 | ||
520 | # Location of the master's repo cache file | ||
521 | #win_repo_mastercachefile: '/srv/salt/win/repo/winrepo.p' | ||
522 | 801 | ||
523 | # List of git repositories to include with the local repo | 802 | ##### Windows Software Repo settings - Pre 2015.8 ##### |
524 | #win_gitrepos: | 803 | ######################################################## |
804 | # Legacy repo settings for pre-2015.8 Windows minions. | ||
805 | # | ||
806 | # Location of the repo on the master: | ||
807 | #winrepo_dir: '/srv/salt/win/repo' | ||
808 | # | ||
809 | # Location of the master's repo cache file: | ||
810 | #winrepo_mastercachefile: '/srv/salt/win/repo/winrepo.p' | ||
811 | # | ||
812 | # List of git repositories to include with the local repo: | ||
813 | #winrepo_remotes: | ||
525 | # - 'https://github.com/saltstack/salt-winrepo.git' | 814 | # - 'https://github.com/saltstack/salt-winrepo.git' |
815 | |||
816 | |||
817 | ##### Returner settings ###### | ||
818 | ############################################ | ||
819 | # Which returner(s) will be used for minion's result: | ||
820 | #return: mysql | ||
821 | |||
822 | |||
823 | ###### Miscellaneous settings ###### | ||
824 | ############################################ | ||
825 | # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch | ||
826 | #event_match_type: startswith | ||
diff --git a/meta-openstack/recipes-support/salt/files/minion b/meta-openstack/recipes-support/salt/files/minion index 8fdde14..bd97c43 100644 --- a/meta-openstack/recipes-support/salt/files/minion +++ b/meta-openstack/recipes-support/salt/files/minion | |||
@@ -1,16 +1,52 @@ | |||
1 | ##### Primary configuration settings ##### | 1 | ##### Primary configuration settings ##### |
2 | ########################################## | 2 | ########################################## |
3 | # This configuration file is used to manage the behavior of the Salt Minion. | ||
4 | # With the exception of the location of the Salt Master Server, values that are | ||
5 | # commented out but have an empty line after the comment are defaults that need | ||
6 | # not be set in the config. If there is no blank line after the comment, the | ||
7 | # value is presented as an example and is not the default. | ||
3 | 8 | ||
4 | # Per default the minion will automatically include all config files | 9 | # Per default the minion will automatically include all config files |
5 | # from minion.d/*.conf (minion.d is a directory in the same directory | 10 | # from minion.d/*.conf (minion.d is a directory in the same directory |
6 | # as the main minion config file). | 11 | # as the main minion config file). |
7 | #default_include: minion.d/*.conf | 12 | #default_include: minion.d/*.conf |
8 | 13 | ||
9 | # Set the location of the salt master server, if the master server cannot be | 14 | # Set the location of the salt master server. If the master server cannot be |
10 | # resolved, then the minion will fail to start. | 15 | # resolved, then the minion will fail to start. |
11 | #master: salt | 16 | #master: salt |
12 | 17 | ||
13 | # Set whether the minion should connect to the master via IPv6 | 18 | # Set http proxy information for the minion when doing requests |
19 | #proxy_host: | ||
20 | #proxy_port: | ||
21 | #proxy_username: | ||
22 | #proxy_password: | ||
23 | |||
24 | # If multiple masters are specified in the 'master' setting, the default behavior | ||
25 | # is to always try to connect to them in the order they are listed. If random_master is | ||
26 | # set to True, the order will be randomized instead. This can be helpful in distributing | ||
27 | # the load of many minions executing salt-call requests, for example, from a cron job. | ||
28 | # If only one master is listed, this setting is ignored and a warning will be logged. | ||
29 | # NOTE: If master_type is set to failover, use master_shuffle instead. | ||
30 | #random_master: False | ||
31 | |||
32 | # Use if master_type is set to failover. | ||
33 | #master_shuffle: False | ||
34 | |||
35 | # Minions can connect to multiple masters simultaneously (all masters | ||
36 | # are "hot"), or can be configured to failover if a master becomes | ||
37 | # unavailable. Multiple hot masters are configured by setting this | ||
38 | # value to "str". Failover masters can be requested by setting | ||
39 | # to "failover". MAKE SURE TO SET master_alive_interval if you are | ||
40 | # using failover. | ||
41 | # master_type: str | ||
42 | |||
43 | # Poll interval in seconds for checking if the master is still there. Only | ||
44 | # respected if master_type above is "failover". To disable the interval entirely, | ||
45 | # set the value to -1. (This may be necessary on machines which have high numbers | ||
46 | # of TCP connections, such as load balancers.) | ||
47 | # master_alive_interval: 30 | ||
48 | |||
49 | # Set whether the minion should connect to the master via IPv6: | ||
14 | #ipv6: False | 50 | #ipv6: False |
15 | 51 | ||
16 | # Set the number of seconds to wait before attempting to resolve | 52 | # Set the number of seconds to wait before attempting to resolve |
@@ -18,13 +54,19 @@ | |||
18 | # Set to zero if the minion should shutdown and not retry. | 54 | # Set to zero if the minion should shutdown and not retry. |
19 | # retry_dns: 30 | 55 | # retry_dns: 30 |
20 | 56 | ||
21 | # Set the port used by the master reply and authentication server | 57 | # Set the port used by the master reply and authentication server. |
22 | #master_port: 4506 | 58 | #master_port: 4506 |
23 | 59 | ||
24 | # The user to run salt | 60 | # The user to run salt. |
25 | #user: root | 61 | #user: root |
26 | 62 | ||
27 | # Specify the location of the daemon process ID file | 63 | # Setting sudo_user will cause salt to run all execution modules under an sudo |
64 | # to the user given in sudo_user. The user under which the salt minion process | ||
65 | # itself runs will still be that provided in the user config above, but all | ||
66 | # execution modules run by the minion will be rerouted through sudo. | ||
67 | #sudo_user: saltdev | ||
68 | |||
69 | # Specify the location of the daemon process ID file. | ||
28 | #pidfile: /var/run/salt-minion.pid | 70 | #pidfile: /var/run/salt-minion.pid |
29 | 71 | ||
30 | # The root directory prepended to these options: pki_dir, cachedir, log_file, | 72 | # The root directory prepended to these options: pki_dir, cachedir, log_file, |
@@ -48,7 +90,7 @@ | |||
48 | 90 | ||
49 | # Custom static grains for this minion can be specified here and used in SLS | 91 | # Custom static grains for this minion can be specified here and used in SLS |
50 | # files just like all other grains. This example sets 4 custom grains, with | 92 | # files just like all other grains. This example sets 4 custom grains, with |
51 | # the 'roles' grain having two values that can be matched against: | 93 | # the 'roles' grain having two values that can be matched against. |
52 | #grains: | 94 | #grains: |
53 | # roles: | 95 | # roles: |
54 | # - webserver | 96 | # - webserver |
@@ -56,36 +98,40 @@ | |||
56 | # deployment: datacenter4 | 98 | # deployment: datacenter4 |
57 | # cabinet: 13 | 99 | # cabinet: 13 |
58 | # cab_u: 14-15 | 100 | # cab_u: 14-15 |
59 | 101 | # | |
60 | # Where cache data goes | 102 | # Where cache data goes. |
103 | # This data may contain sensitive data and should be protected accordingly. | ||
61 | #cachedir: /var/cache/salt/minion | 104 | #cachedir: /var/cache/salt/minion |
62 | 105 | ||
63 | # Verify and set permissions on configuration directories at startup | 106 | # Verify and set permissions on configuration directories at startup. |
64 | #verify_env: True | 107 | #verify_env: True |
65 | 108 | ||
66 | # The minion can locally cache the return data from jobs sent to it, this | 109 | # The minion can locally cache the return data from jobs sent to it, this |
67 | # can be a good way to keep track of jobs the minion has executed | 110 | # can be a good way to keep track of jobs the minion has executed |
68 | # (on the minion side). By default this feature is disabled, to enable | 111 | # (on the minion side). By default this feature is disabled, to enable, set |
69 | # set cache_jobs to True | 112 | # cache_jobs to True. |
70 | #cache_jobs: False | 113 | #cache_jobs: False |
71 | 114 | ||
72 | # set the directory used to hold unix sockets | 115 | # Set the directory used to hold unix sockets. |
73 | #sock_dir: /var/run/salt/minion | 116 | #sock_dir: /var/run/salt/minion |
74 | 117 | ||
75 | # Set the default outputter used by the salt-call command. The default is | 118 | # Set the default outputter used by the salt-call command. The default is |
76 | # "nested" | 119 | # "nested". |
77 | #output: nested | 120 | #output: nested |
78 | # | 121 | # |
79 | # By default output is colored, to disable colored output set the color value | 122 | # By default output is colored. To disable colored output, set the color value |
80 | # to False | 123 | # to False. |
81 | #color: True | 124 | #color: True |
82 | 125 | ||
126 | # Do not strip off the colored output from nested results and state outputs | ||
127 | # (true by default). | ||
128 | # strip_colors: False | ||
129 | |||
83 | # Backup files that are replaced by file.managed and file.recurse under | 130 | # Backup files that are replaced by file.managed and file.recurse under |
84 | # 'cachedir'/file_backups relative to their original location and appended | 131 | # 'cachedir'/file_backups relative to their original location and appended |
85 | # with a timestamp. The only valid setting is "minion". Disabled by default. | 132 | # with a timestamp. The only valid setting is "minion". Disabled by default. |
86 | # | 133 | # |
87 | # Alternatively this can be specified for each file in state files: | 134 | # Alternatively this can be specified for each file in state files: |
88 | # | ||
89 | # /etc/ssh/sshd_config: | 135 | # /etc/ssh/sshd_config: |
90 | # file.managed: | 136 | # file.managed: |
91 | # - source: salt://ssh/sshd_config | 137 | # - source: salt://ssh/sshd_config |
@@ -103,27 +149,55 @@ | |||
103 | # set to zero, the time between reconnection attempts will stay constant. | 149 | # set to zero, the time between reconnection attempts will stay constant. |
104 | #acceptance_wait_time_max: 0 | 150 | #acceptance_wait_time_max: 0 |
105 | 151 | ||
152 | # If the master rejects the minion's public key, retry instead of exiting. | ||
153 | # Rejected keys will be handled the same as waiting on acceptance. | ||
154 | #rejected_retry: False | ||
155 | |||
106 | # When the master key changes, the minion will try to re-auth itself to receive | 156 | # When the master key changes, the minion will try to re-auth itself to receive |
107 | # the new master key. In larger environments this can cause a SYN flood on the | 157 | # the new master key. In larger environments this can cause a SYN flood on the |
108 | # master because all minions try to re-auth immediately. To prevent this and | 158 | # master because all minions try to re-auth immediately. To prevent this and |
109 | # have a minion wait for a random amount of time, use this optional parameter. | 159 | # have a minion wait for a random amount of time, use this optional parameter. |
110 | # The wait-time will be a random number of seconds between | 160 | # The wait-time will be a random number of seconds between 0 and the defined value. |
111 | # 0 and the defined value. | ||
112 | #random_reauth_delay: 60 | 161 | #random_reauth_delay: 60 |
113 | 162 | ||
163 | # When waiting for a master to accept the minion's public key, salt will | ||
164 | # continuously attempt to reconnect until successful. This is the timeout value, | ||
165 | # in seconds, for each individual attempt. After this timeout expires, the minion | ||
166 | # will wait for acceptance_wait_time seconds before trying again. Unless your master | ||
167 | # is under unusually heavy load, this should be left at the default. | ||
168 | #auth_timeout: 60 | ||
169 | |||
170 | # Number of consecutive SaltReqTimeoutError that are acceptable when trying to | ||
171 | # authenticate. | ||
172 | #auth_tries: 7 | ||
173 | |||
174 | # If authentication fails due to SaltReqTimeoutError during a ping_interval, | ||
175 | # cause sub minion process to restart. | ||
176 | #auth_safemode: False | ||
177 | |||
178 | # Ping Master to ensure connection is alive (minutes). | ||
179 | #ping_interval: 0 | ||
180 | |||
181 | # To auto recover minions if master changes IP address (DDNS) | ||
182 | # auth_tries: 10 | ||
183 | # auth_safemode: False | ||
184 | # ping_interval: 90 | ||
185 | # | ||
186 | # Minions won't know master is missing until a ping fails. After the ping fail, | ||
187 | # the minion will attempt authentication and likely fails out and cause a restart. | ||
188 | # When the minion restarts it will resolve the masters IP and attempt to reconnect. | ||
114 | 189 | ||
115 | # If you don't have any problems with syn-floods, dont bother with the | 190 | # If you don't have any problems with syn-floods, don't bother with the |
116 | # three recon_* settings described below, just leave the defaults! | 191 | # three recon_* settings described below, just leave the defaults! |
117 | # | 192 | # |
118 | # The ZeroMQ pull-socket that binds to the masters publishing interface tries | 193 | # The ZeroMQ pull-socket that binds to the masters publishing interface tries |
119 | # to reconnect immediately, if the socket is disconnected (for example if | 194 | # to reconnect immediately, if the socket is disconnected (for example if |
120 | # the master processes are restarted). In large setups this will have all | 195 | # the master processes are restarted). In large setups this will have all |
121 | # minions reconnect immediately which might flood the master (the ZeroMQ-default | 196 | # minions reconnect immediately which might flood the master (the ZeroMQ-default |
122 | # is usually a 100ms delay). To prevent this, these three recon_* settings | 197 | # is usually a 100ms delay). To prevent this, these three recon_* settings |
123 | # can be used. | 198 | # can be used. |
124 | # | 199 | # recon_default: the interval in milliseconds that the socket should wait before |
125 | # recon_default: the interval in milliseconds that the socket should wait before | 200 | # trying to reconnect to the master (1000ms = 1 second) |
126 | # trying to reconnect to the master (100ms = 1 second) | ||
127 | # | 201 | # |
128 | # recon_max: the maximum time a socket should wait. each interval the time to wait | 202 | # recon_max: the maximum time a socket should wait. each interval the time to wait |
129 | # is calculated by doubling the previous time. if recon_max is reached, | 203 | # is calculated by doubling the previous time. if recon_max is reached, |
@@ -136,29 +210,26 @@ | |||
136 | # reconnect 5: value from previous interval * 2 | 210 | # reconnect 5: value from previous interval * 2 |
137 | # reconnect x: if value >= recon_max, it starts again with recon_default | 211 | # reconnect x: if value >= recon_max, it starts again with recon_default |
138 | # | 212 | # |
139 | # recon_randomize: generate a random wait time on minion start. The wait time will | 213 | # recon_randomize: generate a random wait time on minion start. The wait time will |
140 | # be a random value between recon_default and recon_default + | 214 | # be a random value between recon_default and recon_default + |
141 | # recon_max. Having all minions reconnect with the same recon_default | 215 | # recon_max. Having all minions reconnect with the same recon_default |
142 | # and recon_max value kind of defeats the purpose of being able to | 216 | # and recon_max value kind of defeats the purpose of being able to |
143 | # change these settings. If all minions have the same values and your | 217 | # change these settings. If all minions have the same values and your |
144 | # setup is quite large (several thousand minions), they will still | 218 | # setup is quite large (several thousand minions), they will still |
145 | # flood the master. The desired behaviour is to have timeframe within | 219 | # flood the master. The desired behavior is to have timeframe within |
146 | # all minions try to reconnect. | 220 | # all minions try to reconnect. |
147 | 221 | # | |
148 | # Example on how to use these settings: | 222 | # Example on how to use these settings. The goal: have all minions reconnect within a |
149 | # The goal: have all minions reconnect within a 60 second timeframe on a disconnect | 223 | # 60 second timeframe on a disconnect. |
150 | # | 224 | # recon_default: 1000 |
151 | # The settings: | 225 | # recon_max: 59000 |
152 | #recon_default: 1000 | 226 | # recon_randomize: True |
153 | #recon_max: 59000 | ||
154 | #recon_randomize: True | ||
155 | # | 227 | # |
156 | # Each minion will have a randomized reconnect value between 'recon_default' | 228 | # Each minion will have a randomized reconnect value between 'recon_default' |
157 | # and 'recon_default + recon_max', which in this example means between 1000ms | 229 | # and 'recon_default + recon_max', which in this example means between 1000ms |
158 | # 60000ms (or between 1 and 60 seconds). The generated random-value will be | 230 | # 60000ms (or between 1 and 60 seconds). The generated random-value will be |
159 | # doubled after each attempt to reconnect. Lets say the generated random | 231 | # doubled after each attempt to reconnect. Lets say the generated random |
160 | # value is 11 seconds (or 11000ms). | 232 | # value is 11 seconds (or 11000ms). |
161 | # | ||
162 | # reconnect 1: wait 11 seconds | 233 | # reconnect 1: wait 11 seconds |
163 | # reconnect 2: wait 22 seconds | 234 | # reconnect 2: wait 22 seconds |
164 | # reconnect 3: wait 33 seconds | 235 | # reconnect 3: wait 33 seconds |
@@ -172,29 +243,68 @@ | |||
172 | # | 243 | # |
173 | # In a setup with ~6000 thousand hosts these settings would average the reconnects | 244 | # In a setup with ~6000 thousand hosts these settings would average the reconnects |
174 | # to about 100 per second and all hosts would be reconnected within 60 seconds. | 245 | # to about 100 per second and all hosts would be reconnected within 60 seconds. |
175 | #recon_default: 100 | 246 | # recon_default: 100 |
176 | #recon_max: 5000 | 247 | # recon_max: 5000 |
177 | #recon_randomize: False | 248 | # recon_randomize: False |
178 | 249 | # | |
250 | # | ||
179 | # The loop_interval sets how long in seconds the minion will wait between | 251 | # The loop_interval sets how long in seconds the minion will wait between |
180 | # evaluating the scheduler and running cleanup tasks. This defaults to a | 252 | # evaluating the scheduler and running cleanup tasks. This defaults to a |
181 | # sane 60 seconds, but if the minion scheduler needs to be evaluated more | 253 | # sane 60 seconds, but if the minion scheduler needs to be evaluated more |
182 | # often lower this value | 254 | # often lower this value |
183 | #loop_interval: 60 | 255 | #loop_interval: 60 |
184 | 256 | ||
185 | # When healing, a dns_check is run. This is to make sure that the originally | 257 | # The grains can be merged, instead of overridden, using this option. |
186 | # resolved dns has not changed. If this is something that does not happen in | 258 | # This allows custom grains to defined different subvalues of a dictionary |
187 | # your environment, set this value to False. | 259 | # grain. By default this feature is disabled, to enable set grains_deep_merge |
188 | #dns_check: True | 260 | # to ``True``. |
261 | #grains_deep_merge: False | ||
262 | |||
263 | # The grains_refresh_every setting allows for a minion to periodically check | ||
264 | # its grains to see if they have changed and, if so, to inform the master | ||
265 | # of the new grains. This operation is moderately expensive, therefore | ||
266 | # care should be taken not to set this value too low. | ||
267 | # | ||
268 | # Note: This value is expressed in __minutes__! | ||
269 | # | ||
270 | # A value of 10 minutes is a reasonable default. | ||
271 | # | ||
272 | # If the value is set to zero, this check is disabled. | ||
273 | #grains_refresh_every: 1 | ||
274 | |||
275 | # Cache grains on the minion. Default is False. | ||
276 | #grains_cache: False | ||
277 | |||
278 | # Cache rendered pillar data on the minion. Default is False. | ||
279 | # This may cause 'cachedir'/pillar to contain sensitive data that should be | ||
280 | # protected accordingly. | ||
281 | #minion_pillar_cache: False | ||
282 | |||
283 | # Grains cache expiration, in seconds. If the cache file is older than this | ||
284 | # number of seconds then the grains cache will be dumped and fully re-populated | ||
285 | # with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache' | ||
286 | # is not enabled. | ||
287 | # grains_cache_expiration: 300 | ||
189 | 288 | ||
190 | # Windows platforms lack posix IPC and must rely on slower TCP based inter- | 289 | # Windows platforms lack posix IPC and must rely on slower TCP based inter- |
191 | # process communications. Set ipc_mode to 'tcp' on such systems | 290 | # process communications. Set ipc_mode to 'tcp' on such systems |
192 | #ipc_mode: ipc | 291 | #ipc_mode: ipc |
193 | # | 292 | |
194 | # Overwrite the default tcp ports used by the minion when in tcp mode | 293 | # Overwrite the default tcp ports used by the minion when in tcp mode |
195 | #tcp_pub_port: 4510 | 294 | #tcp_pub_port: 4510 |
196 | #tcp_pull_port: 4511 | 295 | #tcp_pull_port: 4511 |
197 | 296 | ||
297 | # Passing very large events can cause the minion to consume large amounts of | ||
298 | # memory. This value tunes the maximum size of a message allowed onto the | ||
299 | # minion event bus. The value is expressed in bytes. | ||
300 | #max_event_size: 1048576 | ||
301 | |||
302 | # To detect failed master(s) and fire events on connect/disconnect, set | ||
303 | # master_alive_interval to the number of seconds to poll the masters for | ||
304 | # connection events. | ||
305 | # | ||
306 | #master_alive_interval: 30 | ||
307 | |||
198 | # The minion can include configuration from other files. To enable this, | 308 | # The minion can include configuration from other files. To enable this, |
199 | # pass a list of paths to this option. The paths can be either relative or | 309 | # pass a list of paths to this option. The paths can be either relative or |
200 | # absolute; if relative, they are considered to be relative to the directory | 310 | # absolute; if relative, they are considered to be relative to the directory |
@@ -202,7 +312,6 @@ | |||
202 | # of shell-style globbing. If no files are matched by a path passed to this | 312 | # of shell-style globbing. If no files are matched by a path passed to this |
203 | # option then the minion will log a warning message. | 313 | # option then the minion will log a warning message. |
204 | # | 314 | # |
205 | # | ||
206 | # Include a config file from some other path: | 315 | # Include a config file from some other path: |
207 | # include: /etc/salt/extra_config | 316 | # include: /etc/salt/extra_config |
208 | # | 317 | # |
@@ -210,11 +319,13 @@ | |||
210 | #include: | 319 | #include: |
211 | # - /etc/salt/extra_config | 320 | # - /etc/salt/extra_config |
212 | # - /etc/roles/webserver | 321 | # - /etc/roles/webserver |
213 | 322 | # | |
323 | # | ||
324 | # | ||
214 | ##### Minion module management ##### | 325 | ##### Minion module management ##### |
215 | ########################################## | 326 | ########################################## |
216 | # Disable specific modules. This allows the admin to limit the level of | 327 | # Disable specific modules. This allows the admin to limit the level of |
217 | # access the master has to the minion | 328 | # access the master has to the minion. |
218 | #disable_modules: [cmd,test] | 329 | #disable_modules: [cmd,test] |
219 | #disable_returners: [] | 330 | #disable_returners: [] |
220 | # | 331 | # |
@@ -226,18 +337,22 @@ | |||
226 | #returner_dirs: [] | 337 | #returner_dirs: [] |
227 | #states_dirs: [] | 338 | #states_dirs: [] |
228 | #render_dirs: [] | 339 | #render_dirs: [] |
340 | #utils_dirs: [] | ||
229 | # | 341 | # |
230 | # A module provider can be statically overwritten or extended for the minion | 342 | # A module provider can be statically overwritten or extended for the minion |
231 | # via the providers option, in this case the default module will be | 343 | # via the providers option, in this case the default module will be |
232 | # overwritten by the specified module. In this example the pkg module will | 344 | # overwritten by the specified module. In this example the pkg module will |
233 | # be provided by the yumpkg5 module instead of the system default. | 345 | # be provided by the yumpkg5 module instead of the system default. |
234 | # | ||
235 | #providers: | 346 | #providers: |
236 | # pkg: yumpkg5 | 347 | # pkg: yumpkg5 |
237 | # | 348 | # |
238 | # Enable Cython modules searching and loading. (Default: False) | 349 | # Enable Cython modules searching and loading. (Default: False) |
239 | #cython_enable: False | 350 | #cython_enable: False |
240 | # | 351 | # |
352 | # Specify a max size (in bytes) for modules on import. This feature is currently | ||
353 | # only supported on *nix operating systems and requires psutil. | ||
354 | # modules_max_memory: -1 | ||
355 | |||
241 | 356 | ||
242 | ##### State Management Settings ##### | 357 | ##### State Management Settings ##### |
243 | ########################################### | 358 | ########################################### |
@@ -256,21 +371,19 @@ | |||
256 | #renderer: yaml_jinja | 371 | #renderer: yaml_jinja |
257 | # | 372 | # |
258 | # The failhard option tells the minions to stop immediately after the first | 373 | # The failhard option tells the minions to stop immediately after the first |
259 | # failure detected in the state execution, defaults to False | 374 | # failure detected in the state execution. Defaults to False. |
260 | #failhard: False | 375 | #failhard: False |
261 | # | 376 | # |
262 | # autoload_dynamic_modules Turns on automatic loading of modules found in the | 377 | # Reload the modules prior to a highstate run. |
263 | # environments on the master. This is turned on by default, to turn of | ||
264 | # autoloading modules when states run set this value to False | ||
265 | #autoload_dynamic_modules: True | 378 | #autoload_dynamic_modules: True |
266 | # | 379 | # |
267 | # clean_dynamic_modules keeps the dynamic modules on the minion in sync with | 380 | # clean_dynamic_modules keeps the dynamic modules on the minion in sync with |
268 | # the dynamic modules on the master, this means that if a dynamic module is | 381 | # the dynamic modules on the master, this means that if a dynamic module is |
269 | # not on the master it will be deleted from the minion. By default this is | 382 | # not on the master it will be deleted from the minion. By default, this is |
270 | # enabled and can be disabled by changing this value to False | 383 | # enabled and can be disabled by changing this value to False. |
271 | #clean_dynamic_modules: True | 384 | #clean_dynamic_modules: True |
272 | # | 385 | # |
273 | # Normally the minion is not isolated to any single environment on the master | 386 | # Normally, the minion is not isolated to any single environment on the master |
274 | # when running states, but the environment can be isolated on the minion side | 387 | # when running states, but the environment can be isolated on the minion side |
275 | # by statically setting it. Remember that the recommended way to manage | 388 | # by statically setting it. Remember that the recommended way to manage |
276 | # environments is to isolate via the top file. | 389 | # environments is to isolate via the top file. |
@@ -286,14 +399,23 @@ | |||
286 | # 'top' -- Read top_file option and execute based on that file on the Master | 399 | # 'top' -- Read top_file option and execute based on that file on the Master |
287 | #startup_states: '' | 400 | #startup_states: '' |
288 | # | 401 | # |
289 | # list of states to run when the minion starts up if startup_states is 'sls' | 402 | # List of states to run when the minion starts up if startup_states is 'sls': |
290 | #sls_list: | 403 | #sls_list: |
291 | # - edit.vim | 404 | # - edit.vim |
292 | # - hyper | 405 | # - hyper |
293 | # | 406 | # |
294 | # top file to execute if startup_states is 'top' | 407 | # Top file to execute if startup_states is 'top': |
295 | #top_file: '' | 408 | #top_file: '' |
296 | 409 | ||
410 | # Automatically aggregate all states that have support for mod_aggregate by | ||
411 | # setting to True. Or pass a list of state module names to automatically | ||
412 | # aggregate just those types. | ||
413 | # | ||
414 | # state_aggregate: | ||
415 | # - pkg | ||
416 | # | ||
417 | #state_aggregate: False | ||
418 | |||
297 | ##### File Directory Settings ##### | 419 | ##### File Directory Settings ##### |
298 | ########################################## | 420 | ########################################## |
299 | # The Salt Minion can redirect all file server operations to a local directory, | 421 | # The Salt Minion can redirect all file server operations to a local directory, |
@@ -303,7 +425,8 @@ | |||
303 | 425 | ||
304 | # Set the file client. The client defaults to looking on the master server for | 426 | # Set the file client. The client defaults to looking on the master server for |
305 | # files, but can be directed to look at the local file directory setting | 427 | # files, but can be directed to look at the local file directory setting |
306 | # defined below by setting it to local. | 428 | # defined below by setting it to "local". Setting a local file_client runs the |
429 | # minion in masterless mode. | ||
307 | #file_client: remote | 430 | #file_client: remote |
308 | 431 | ||
309 | # The file directory works on environments passed to the minion, each environment | 432 | # The file directory works on environments passed to the minion, each environment |
@@ -329,15 +452,16 @@ | |||
329 | # to attempt to find files. To limit this behavior so that the fileserver only | 452 | # to attempt to find files. To limit this behavior so that the fileserver only |
330 | # traverses directories with SLS files and special Salt directories like _modules, | 453 | # traverses directories with SLS files and special Salt directories like _modules, |
331 | # enable the option below. This might be useful for installations where a file root | 454 | # enable the option below. This might be useful for installations where a file root |
332 | # has a very large number of files and performance is negatively impacted. | 455 | # has a very large number of files and performance is negatively impacted. Default |
333 | # | 456 | # is False. |
334 | # Default is False. | 457 | #fileserver_limit_traversal: False |
335 | # | ||
336 | # fileserver_limit_traversal: False | ||
337 | 458 | ||
338 | # The hash_type is the hash to use when discovering the hash of a file in | 459 | # The hash_type is the hash to use when discovering the hash of a file in |
339 | # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 | 460 | # the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 |
340 | # and sha512 are also supported. | 461 | # and sha512 are also supported. |
462 | # | ||
463 | # Warning: Prior to changing this value, the minion should be stopped and all | ||
464 | # Salt caches should be cleared. | ||
341 | #hash_type: md5 | 465 | #hash_type: md5 |
342 | 466 | ||
343 | # The Salt pillar is searched for locally if file_client is set to local. If | 467 | # The Salt pillar is searched for locally if file_client is set to local. If |
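Review bot: The warning added under hash_type (new lines 462-464) only covers stopping the minion and clearing caches, and the shipped default stays `#hash_type: md5` with nothing said about MD5 being collision-prone. The same comment already lists sha256 as supported, so I would add a line such as `# md5 and sha1 are not collision resistant; prefer sha256 or stronger where file integrity matters.` It is also worth considering an uncommented `hash_type: sha256` in this recipe's conffile. The master presumably needs a matching hash_type, so confirm that against the 2016.3 documentation before changing the shipped value.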
@@ -346,7 +470,8 @@ | |||
346 | #pillar_roots: | 470 | #pillar_roots: |
347 | # base: | 471 | # base: |
348 | # - /srv/pillar | 472 | # - /srv/pillar |
349 | 473 | # | |
474 | # | ||
350 | ###### Security settings ##### | 475 | ###### Security settings ##### |
351 | ########################################### | 476 | ########################################### |
352 | # Enable "open mode", this mode still maintains encryption, but turns off | 477 | # Enable "open mode", this mode still maintains encryption, but turns off |
@@ -366,23 +491,34 @@ | |||
366 | # The state_verbose setting can be set to True or False, when set to False | 491 | # The state_verbose setting can be set to True or False, when set to False |
367 | # all data that has a result of True and no changes will be suppressed. | 492 | # all data that has a result of True and no changes will be suppressed. |
368 | #state_verbose: True | 493 | #state_verbose: True |
369 | # | 494 | |
370 | # The state_output setting changes if the output is the full multi line | 495 | # The state_output setting changes if the output is the full multi line |
371 | # output for each changed state if set to 'full', but if set to 'terse' | 496 | # output for each changed state if set to 'full', but if set to 'terse' |
372 | # the output will be shortened to a single line. | 497 | # the output will be shortened to a single line. |
373 | #state_output: full | 498 | #state_output: full |
374 | # | 499 | |
375 | # Fingerprint of the master public key to double verify the master is valid, | 500 | # The state_output_diff setting changes whether or not the output from |
376 | # the master fingerprint can be found by running "salt-key -F master" on the | 501 | # successful states is returned. Useful when even the terse output of these |
377 | # salt master. | 502 | # states is cluttering the logs. Set it to True to ignore them. |
503 | #state_output_diff: False | ||
504 | |||
505 | # The state_output_profile setting changes whether profile information | ||
506 | # will be shown for each state run. | ||
507 | #state_output_profile: True | ||
508 | |||
509 | # Fingerprint of the master public key to validate the identity of your Salt master | ||
510 | # before the initial key exchange. The master fingerprint can be found by running | ||
511 | # "salt-key -F master" on the Salt master. | ||
378 | #master_finger: '' | 512 | #master_finger: '' |
379 | 513 | ||
514 | |||
380 | ###### Thread settings ##### | 515 | ###### Thread settings ##### |
381 | ########################################### | 516 | ########################################### |
382 | # Disable multiprocessing support, by default when a minion receives a | 517 | # Disable multiprocessing support, by default when a minion receives a |
383 | # publication a new process is spawned and the command is executed therein. | 518 | # publication a new process is spawned and the command is executed therein. |
384 | #multiprocessing: True | 519 | #multiprocessing: True |
385 | 520 | ||
521 | |||
386 | ##### Logging settings ##### | 522 | ##### Logging settings ##### |
387 | ########################################## | 523 | ########################################## |
388 | # The location of the minion log file | 524 | # The location of the minion log file |
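Review bot: The reworded master_finger comment (new lines 509-511) says the fingerprint validates the master before the initial key exchange, but `#master_finger: ''` is still shipped empty and the text does not say what that means. With no fingerprint set, the minion presumably trusts whichever master key it sees first, which matters for images provisioned onto untrusted networks. I would add a comment line such as `# If left empty, the first master key presented is accepted; set this when provisioning.` so that deployers of this layer know the value is meant to be filled in.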
@@ -396,14 +532,19 @@ | |||
396 | # | 532 | # |
397 | #log_file: /var/log/salt/minion | 533 | #log_file: /var/log/salt/minion |
398 | #key_logfile: /var/log/salt/key | 534 | #key_logfile: /var/log/salt/key |
399 | # | 535 | |
400 | # The level of messages to send to the console. | 536 | # The level of messages to send to the console. |
401 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. | 537 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. |
538 | # | ||
539 | # The following log levels are considered INSECURE and may log sensitive data: | ||
540 | # ['garbage', 'trace', 'debug'] | ||
541 | # | ||
402 | # Default: 'warning' | 542 | # Default: 'warning' |
403 | #log_level: warning | 543 | #log_level: warning |
404 | # | 544 | |
405 | # The level of messages to send to the log file. | 545 | # The level of messages to send to the log file. |
406 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. | 546 | # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. |
547 | # If using 'log_granular_levels' this must be set to the highest desired level. | ||
407 | # Default: 'warning' | 548 | # Default: 'warning' |
408 | #log_level_logfile: | 549 | #log_level_logfile: |
409 | 550 | ||
@@ -411,21 +552,54 @@ | |||
411 | # can be seen here: http://docs.python.org/library/time.html#time.strftime | 552 | # can be seen here: http://docs.python.org/library/time.html#time.strftime |
412 | #log_datefmt: '%H:%M:%S' | 553 | #log_datefmt: '%H:%M:%S' |
413 | #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' | 554 | #log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' |
414 | # | 555 | |
415 | # The format of the console logging messages. Allowed formatting options can | 556 | # The format of the console logging messages. Allowed formatting options can |
416 | # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes | 557 | # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes |
558 | # | ||
559 | # Console log colors are specified by these additional formatters: | ||
560 | # | ||
561 | # %(colorlevel)s | ||
562 | # %(colorname)s | ||
563 | # %(colorprocess)s | ||
564 | # %(colormsg)s | ||
565 | # | ||
566 | # Since it is desirable to include the surrounding brackets, '[' and ']', in | ||
567 | # the coloring of the messages, these color formatters also include padding as | ||
568 | # well. Color LogRecord attributes are only available for console logging. | ||
569 | # | ||
570 | #log_fmt_console: '%(colorlevel)s %(colormsg)s' | ||
417 | #log_fmt_console: '[%(levelname)-8s] %(message)s' | 571 | #log_fmt_console: '[%(levelname)-8s] %(message)s' |
418 | #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' | ||
419 | # | 572 | # |
573 | #log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' | ||
574 | |||
420 | # This can be used to control logging levels more specificically. This | 575 | # This can be used to control logging levels more specificically. This |
421 | # example sets the main salt library at the 'warning' level, but sets | 576 | # example sets the main salt library at the 'warning' level, but sets |
422 | # 'salt.modules' to log at the 'debug' level: | 577 | # 'salt.modules' to log at the 'debug' level: |
423 | # log_granular_levels: | 578 | # log_granular_levels: |
424 | # 'salt': 'warning', | 579 | # 'salt': 'warning' |
425 | # 'salt.modules': 'debug' | 580 | # 'salt.modules': 'debug' |
426 | # | 581 | # |
427 | #log_granular_levels: {} | 582 | #log_granular_levels: {} |
428 | 583 | ||
584 | # To diagnose issues with minions disconnecting or missing returns, ZeroMQ | ||
585 | # supports the use of monitor sockets to log connection events. This | ||
586 | # feature requires ZeroMQ 4.0 or higher. | ||
587 | # | ||
588 | # To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a | ||
589 | # debug level or higher. | ||
590 | # | ||
591 | # A sample log event is as follows: | ||
592 | # | ||
593 | # [DEBUG ] ZeroMQ event: {'endpoint': 'tcp://127.0.0.1:4505', 'event': 512, | ||
594 | # 'value': 27, 'description': 'EVENT_DISCONNECTED'} | ||
595 | # | ||
596 | # All events logged will include the string 'ZeroMQ event'. A connection event | ||
597 | # should be logged as the minion starts up and initially connects to the | ||
598 | # master. If not, check for debug log level and that the necessary version of | ||
599 | # ZeroMQ is installed. | ||
600 | # | ||
601 | #zmq_monitor: False | ||
602 | |||
429 | ###### Module configuration ##### | 603 | ###### Module configuration ##### |
430 | ########################################### | 604 | ########################################### |
431 | # Salt allows for modules to be passed arbitrary configuration data, any data | 605 | # Salt allows for modules to be passed arbitrary configuration data, any data |
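Review bot: The zmq_monitor text added at new lines 588-589 tells the admin to "log at a debug level or higher", while new lines 539-540 of the same file mark 'garbage', 'trace' and 'debug' as INSECURE levels that may log sensitive data. Nothing connects the two comments. The phrase "or higher" is also ambiguous, since a less verbose level such as 'warning' would suppress the `[DEBUG ]` events shown in the sample. I would reword it to `# debug level or a more verbose one. These levels may log sensitive data, so` followed by `# enable them only while diagnosing and restrict access to the log file.`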
@@ -445,8 +619,8 @@ | |||
445 | # | 619 | # |
446 | # A dict for the test module: | 620 | # A dict for the test module: |
447 | #test.baz: {spam: sausage, cheese: bread} | 621 | #test.baz: {spam: sausage, cheese: bread} |
448 | 622 | # | |
449 | 623 | # | |
450 | ###### Update settings ###### | 624 | ###### Update settings ###### |
451 | ########################################### | 625 | ########################################### |
452 | # Using the features in Esky, a salt minion can both run as a frozen app and | 626 | # Using the features in Esky, a salt minion can both run as a frozen app and |
@@ -468,27 +642,39 @@ | |||
468 | # the risk that it could tear down the connection the master and minion | 642 | # the risk that it could tear down the connection the master and minion |
469 | # without informing either party that their connection has been taken away. | 643 | # without informing either party that their connection has been taken away. |
470 | # Enabling TCP Keepalives prevents this from happening. | 644 | # Enabling TCP Keepalives prevents this from happening. |
471 | # | 645 | |
472 | # Overall state of TCP Keepalives, enable (1 or True), disable (0 or False) | 646 | # Overall state of TCP Keepalives, enable (1 or True), disable (0 or False) |
473 | # or leave to the OS defaults (-1), on Linux, typically disabled. Default True, enabled. | 647 | # or leave to the OS defaults (-1), on Linux, typically disabled. Default True, enabled. |
474 | #tcp_keepalive: True | 648 | #tcp_keepalive: True |
475 | # | 649 | |
476 | # How long before the first keepalive should be sent in seconds. Default 300 | 650 | # How long before the first keepalive should be sent in seconds. Default 300 |
477 | # to send the first keepalive after 5 minutes, OS default (-1) is typically 7200 seconds | 651 | # to send the first keepalive after 5 minutes, OS default (-1) is typically 7200 seconds |
478 | # on Linux see /proc/sys/net/ipv4/tcp_keepalive_time. | 652 | # on Linux see /proc/sys/net/ipv4/tcp_keepalive_time. |
479 | #tcp_keepalive_idle: 300 | 653 | #tcp_keepalive_idle: 300 |
480 | # | 654 | |
481 | # How many lost probes are needed to consider the connection lost. Default -1 | 655 | # How many lost probes are needed to consider the connection lost. Default -1 |
482 | # to use OS defaults, typically 9 on Linux, see /proc/sys/net/ipv4/tcp_keepalive_probes. | 656 | # to use OS defaults, typically 9 on Linux, see /proc/sys/net/ipv4/tcp_keepalive_probes. |
483 | #tcp_keepalive_cnt: -1 | 657 | #tcp_keepalive_cnt: -1 |
484 | # | 658 | |
485 | # How often, in seconds, to send keepalives after the first one. Default -1 to | 659 | # How often, in seconds, to send keepalives after the first one. Default -1 to |
486 | # use OS defaults, typically 75 seconds on Linux, see | 660 | # use OS defaults, typically 75 seconds on Linux, see |
487 | # /proc/sys/net/ipv4/tcp_keepalive_intvl. | 661 | # /proc/sys/net/ipv4/tcp_keepalive_intvl. |
488 | #tcp_keepalive_intvl: -1 | 662 | #tcp_keepalive_intvl: -1 |
489 | 663 | ||
490 | 664 | ||
491 | ###### Windows Software settings ###### | 665 | ###### Windows Software settings ###### |
492 | ############################################ | 666 | ############################################ |
493 | # Location of the repository cache file on the master | 667 | # Location of the repository cache file on the master: |
494 | #win_repo_cachefile: 'salt://win/repo/winrepo.p' | 668 | #win_repo_cachefile: 'salt://win/repo/winrepo.p' |
669 | |||
670 | |||
671 | ###### Returner settings ###### | ||
672 | ############################################ | ||
673 | # Which returner(s) will be used for minion's result: | ||
674 | #return: mysql | ||
675 | |||
676 | |||
677 | ###### Miscellaneous settings ###### | ||
678 | ############################################ | ||
679 | # Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch | ||
680 | #event_match_type: startswith | ||
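--- a/meta-openstack/recipes-support/salt/files/roster
+++ b/meta-openstack/recipes-support/salt/files/roster
@@ -6,3 +6,4 @@
 # sudo: True # Whether to sudo to root, not enabled by default
 #web2:
 # host: 192.168.42.2
+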