NAME¶

salt - Salt Documentation

FREQUENTLY ASKED QUESTIONS¶

FAQ¶

Is Salt open-core?¶

No. Salt is 100% committed to being open-source, including all of our APIs and the new 'Halite' web interface which was introduced in version 0.17.0. It is developed under the Apache 2.0 license, allowing it to be used in both open and proprietary projects.

What ports should I open on my firewall?¶

Minions need to be able to connect to the Master on TCP ports 4505 and 4506. Minions do not need any inbound ports open. More detailed information on firewall settings can be found here.

I'm seeing weird behavior (including but not limited to packages not installing their users properly)¶

This is often caused by SELinux. Try disabling SELinux or putting it in permissive mode and see if the weird behavior goes away.

My script runs every time I run a state.highstate. Why?¶

You are probably using cmd.run rather than cmd.wait. A cmd.wait state will only run when there has been a change in a state that it is watching. A cmd.run state will run the corresponding command every time (unless it is prevented from running by the unless or onlyif arguments). More details can be found in the docmentation for the cmd states.

When I run test.ping, why don't the Minions that aren't responding return anything? Returning False would be helpful.¶

When you run test.ping the Master tells Minions to run commands/functions, and listens for the return data, printing it to the screen when it is received. If it doesn't receive anything back, it doesn't have anything to display for that Minion. There are a couple options for getting information on Minions that are not responding. One is to use the verbose ( -v) option when you run salt commands, as it will display "Minion did not return" for any Minions which time out.
Another option is to use the manage.down runner:

How does Salt determine the Minion's id?¶

If the Minion id is not configured explicitly (using the id parameter), Salt will determine the id based on the hostname. Exactly how this is determined varies a little between operating systems and is described in detail here.

I'm trying to manage packages/services but I get an error saying that the state is not available. Why?¶

Salt detects the Minion's operating system and assigns the correct package or service management module based on what is detected. However, for certain custom spins and OS derivatives this detection fails. In cases like this, an issue should be opened on our tracker, with the following information:

I'm using gitfs and my custom modules/states/etc are not syncing. Why?¶

In versions of Salt 0.16.3 or older, there is a bug in gitfs which can affect the syncing of custom types. Upgrading to 0.16.4 or newer will fix this.

Why aren't my custom modules/states/etc. available on my Minions?¶

Custom modules are only synced to Minions when state.highstate, saltutil.sync_modules, or saltutil.sync_all is run. Similarly, custom states are only synced to Minions when state.highstate, saltutil.sync_states, or saltutil.sync_all is run. Other custom types (renderers, outputters, etc.) have similar behavior, see the documentation for the saltutil module for more information.

Module X isn't available, even though the shell command it uses is installed. Why?¶

This is most likely a PATH issue. Did you custom-compile the software which the module requires? RHEL/CentOS/etc. in particular override the root user's path in /etc/init.d/functions, setting it to /sbin:/usr/sbin:/bin:/usr/bin, making software installed into /usr/local/bin unavailable to Salt when the Minion is started using the initscript. In version 2014.1.0, Salt will have a better solution for these sort of PATH-related issues, but recompiling the software to install it into a location within the PATH should resolve the issue in the meantime. Alternatively, you can create a symbolic link within the PATH using a file.symlink state.

Can I run different versions of Salt on my Master and Minion?¶

As of release 0.17.1 backwards compatibility was broken (specifically for 0.17.1 trying to interface with older releases) due to a protocol change for security purposes. The Salt team continues to emphasize backwards compatiblity as an important feature and plans to support it to the best of our ability to do so.

Does Salt support backing up managed files?¶

Yes. Salt provides an easy to use addition to your file.managed states that allow you to back up files via backup_mode, backup_mode can be configured on a per state basis, or in the minion config (note that if set in the minion config this would simply be the default method to use, you still need to specify that the file should be backed up!).

INTRODUCTION TO SALT¶

We’re not just talking about NaCl..SS The 30 second summary Salt is:
It was developed in order to bring the best solutions found in the world of remote execution together and make them better, faster, and more malleable. Salt accomplishes this through its ability to handle large loads of information, and not just dozens but hundreds and even thousands of individual servers quickly through a simple and manageable interface.

Simplicity¶

Providing versatility between massive scale deployments and smaller systems may seem daunting, but Salt is very simple to set up and maintain, regardless of the size of the project. The architecture of Salt is designed to work with any number of servers, from a handful of local network systems to international deployments across different datacenters. The topology is a simple server/client model with the needed functionality built into a single set of daemons. While the default configuration will work with little to no modification, Salt can be fine tuned to meet specific needs.

Parallel execution¶

The core functions of Salt:
Salt also introduces more granular controls to the realm of remote execution, allowing systems to be targeted not just by hostname, but also by system properties.

Building on proven technology¶

Salt takes advantage of a number of technologies and techniques. The networking layer is built with the excellent ZeroMQ networking library, so the Salt daemon includes a viable and transparent AMQ broker. Salt uses public keys for authentication with the master daemon, then uses faster AES encryption for payload communication; authentication and encryption are integral to Salt. Salt takes advantage of communication via msgpack, enabling fast and light network traffic.

Python client interface¶

In order to allow for simple expansion, Salt execution routines can be written as plain Python modules. The data collected from Salt executions can be sent back to the master server, or to any arbitrary program. Salt can be called from a simple Python API, or from the command line, so that Salt can be used to execute one-off commands as well as operate as an integral part of a larger application.

Fast, flexible, scalable¶

The result is a system that can execute commands at high speed on target server groups ranging from one to very many servers. Salt is very fast, easy to set up, amazingly malleable and provides a single remote execution architecture that can manage the diverse requirements of any number of servers. The Salt infrastructure brings together the best of the remote execution world, amplifies its capabilities and expands its range, resulting in a system that is as versatile as it is practical, suitable for any network.

Open¶

Salt is developed under the Apache 2.0 license, and can be used for open and proprietary projects. Please submit your expansions back to the Salt project so that we can all benefit together as Salt grows. Please feel free to sprinkle Salt around your systems and let the deliciousness come forth.

INSTALLATION¶

The Salt system setup is amazingly simple, as this is one of the central design goals of Salt. SEE ALSO:

Quick Install¶

Many popular distributions will be able to install the salt minion by executing the bootstrap script:
Run the following script to install just the Salt Master:
The script should also make it simple to install a salt master, if desired. Currently the install script has been tested to work on:
See Salt Bootstrap for more information.

Platform-specific installation instructions¶

These guides go into detail how to install salt on a given platform.

Arch Linux¶

Installation¶

Salt is currently available via the Arch User Repository (AUR). There are currently stable and -git packages available.

Stable Release¶

Install Salt stable releases from the Arch Linux AUR as follows:
A few of Salt's dependencies are currently only found within the AUR, so it is necessary to download and run makepkg -is on these as well. As a reference, Salt currently relies on the following packages which are only available via the AUR:
NOTE:

Tracking develop¶

To install the bleeding edge version of Salt ( may include bugs!), use the -git package. Installing the -git package as follows:
See the note above about Salt's dependencies.

Post-installation tasks¶

systemd Activate the Salt Master and/or Minion via systemctl as follows:
Start the Master Once you've completed all of these steps you're ready to start your Salt Master. You should be able to start your Salt Master now using the command seen here:
Now go to the Configuring Salt page.

Debian Installation¶

Currently the latest packages for Debian Old Stable, Stable and Unstable (Squeeze, Wheezy and Sid) are published in our (saltstack.com) debian repository.

Configure Apt¶

Squeeze (Old Stable)¶

For squeeze, you will need to enable the debian backports repository as well as the debian.saltstack.com repository. To do so, add the following to /etc/apt/sources.list or a file in /etc/apt/sources.list.d:

Wheezy (Stable)¶

For wheezy, the following line is needed in either /etc/apt/sources.list or a file in /etc/apt/sources.list.d:

Sid (Unstable)¶

For sid, the following line is needed in either /etc/apt/sources.list or a file in /etc/apt/sources.list.d:

Import the repository key.¶

You will need to import the key used for signing.
NOTE:

Update the package database¶

Install packages¶

Install the Salt master, minion, or syndic from the repository with the apt-get command. These examples each install one daemon, but more than one package name may be given at a time:

Post-installation tasks¶

Now, go to the Configuring Salt page.

Notes¶

1. These packages will be backported from the packages intended to be uploaded into debian unstable. This means that the packages will be built for unstable first and then backported over the next day or so. 2. These packages will be tracking the released versions of salt rather than maintaining a stable fixed feature set. If a fixed version is what you desire, then either pinning or manual installation may be more appropriate for you. 3. The version numbering and backporting process should provide clean upgrade paths between debian versions. If you have any questions regarding these, please email the mailing list or look for joehh on irc.

Fedora¶

Beginning with version 0.9.4, Salt has been available in the primary Fedora repositories and EPEL. It is installable using yum. Fedora will have more up to date versions of Salt than other members of the Red Hat family, which makes it a great place to help improve Salt! WARNING: Fedora 19 comes with systemd 204. Systemd has known bugs fixed in later revisions that prevent the salt-master from starting reliably or opening the network connections that it needs to. It's not likely that a salt-master will start or run reliably on any distribution that uses systemd version 204 or earlier. Running salt-minions should be OK.

Installation¶

Salt can be installed using yum and is available in the standard Fedora repositories.

Stable Release¶

Salt is packaged separately for the minion and the master. It is necessary only to install the appropriate package for the role the machine will play. Typically, there will be one master and multiple minions.

Post-installation tasks¶

Master To have the Master start automatically at boot time:
To start the Master:
Minion To have the Minion start automatically at boot time:
To start the Minion:
Now go to the Configuring Salt page.

FreeBSD¶

Salt was added to the FreeBSD ports tree Dec 26th, 2011 by Christer Edwards < christer.edwards@gmail.com>. It has been tested on FreeBSD 7.4, 8.2, 9.0 and 9.1 releases. Salt is dependent on the following additional ports. These will be installed as dependencies of the sysutils/py-salt port.

Installation¶

To install Salt from the FreeBSD ports tree, use the command:

Post-installation tasks¶

Master Copy the sample configuration file:
rc.conf Activate the Salt Master in /etc/rc.conf or /etc/rc.conf.local and add:
Start the Master Start the Salt Master as follows:
Minion Copy the sample configuration file:
rc.conf Activate the Salt Minion in /etc/rc.conf or /etc/rc.conf.local and add:
Start the Minion Start the Salt Minion as follows:
Now go to the Configuring Salt page.

Gentoo¶

Salt can be easily installed on Gentoo via Portage:

Post-installation tasks¶

Now go to the Configuring Salt page.

OS X¶

Dependency Installation¶

When installing via Homebrew, dependency resolution is handled for you.
When using macports, zmq, swig, and pip may need to be installed this way:
For installs using the OS X system python, pip install needs to use 'sudo':

Salt-Master Customizations¶

To run salt-master on OS X, the root user maxfiles limit must be increased:
And sudo add this configuration option to the /etc/salt/master file:
Now the salt-master should run without errors:

Post-installation tasks¶

Now go to the Configuring Salt page.

RHEL / CentOS / Scientific Linux / Amazon Linux / Oracle Linux¶

Beginning with version 0.9.4, Salt has been available in EPEL. It is installable using yum. Salt should work properly with all mainstream derivatives of RHEL, including CentOS, Scientific Linux, Oracle Linux and Amazon Linux. Report any bugs or issues to the salt GitHub project.

Installation¶

Salt and all dependencies have been accepted into the yum repositories for EPEL5 and EPEL6. The latest salt version can be found in epel-testing, while an older but more tested version can be found in regular epel. Example showing how to install salt from epel-testing:
On RHEL6, the proper Jinja package 'python-jinja2' was moved from EPEL to the "RHEL Server Optional Channel". Verify this repository is enabled before installing salt on RHEL6. Salt can be installed using yum and is available in the standard Fedora repositories.

Enabling EPEL on RHEL¶

If EPEL is not enabled on your system, you can use the following commands to enable it. For RHEL 5:
For RHEL 6:

Stable Release¶

Salt is packaged separately for the minion and the master. It is necessary only to install the appropriate package for the role the machine will play. Typically, there will be one master and multiple minions. On the salt-master, run this:
On each salt-minion, run this:

Post-installation tasks¶

Master To have the Master start automatically at boot time:
To start the Master:
Minion To have the Minion start automatically at boot time:
To start the Minion:
Now go to the Configuring Salt page.

Solaris¶

Salt was added to the OpenCSW package repository in September of 2012 by Romeo Theriault < romeot@hawaii.edu> at version 0.10.2 of Salt. It has mainly been tested on Solaris 10 (sparc), though it is built for and has been tested minimally on Solaris 10 (x86), Solaris 9 (sparc/x86) and 11 (sparc/x86). (Please let me know if you're using it on these platforms!) Most of the testing has also just focused on the minion, though it has verified that the master starts up successfully on Solaris 10. Comments and patches for better support on these platforms is very welcome. As of version 0.10.4, Solaris is well supported under salt, with all of the following working well:
Salt is dependent on the following additional packages. These will automatically be installed as dependencies of the py_salt package.:

Installation¶

To install Salt from the OpenCSW package repository you first need to install pkgutil assuming you don't already have it installed: On Solaris 10:
On Solaris 9:
Once pkgutil is installed you'll need to edit it's config file /etc/opt/csw/pkgutil.conf to point it at the unstable catalog:
OK, time to install salt.

Minion Configuration¶

Now that salt is installed you can find it's configuration files in /etc/opt/csw/salt/. You'll want to edit the minion config file to set the name of your salt master server:
If you would like to use pkgutil as the default package provider for your Solaris minions, you can do so using the providers option in the minion config file. You can now start the salt minion like so: On Solaris 10:
On Solaris 9:
You should now be able to log onto the salt master and check to see if the salt-minion key is awaiting acceptance:
Accept the key:
Run a simple test against the minion:

Troubleshooting¶

Logs are in /var/log/salt

Ubuntu Installation¶

Add repository¶

The latest packages for Ubuntu are published in the saltstack PPA. If you have the add-apt-repository utility, you can add the repository and import the key in one step:

Alternately, manually add the repository and import the PPA key with these commands:
After adding the repository, update the package management database:

Install packages¶

Install the Salt master, minion, or syndic from the repository with the apt-get command. These examples each install one daemon, but more than one package name may be given at a time:

Post-installation tasks¶

Now go to the Configuring Salt page.

Windows¶

Salt has full support for running the Salt Minion on Windows. There are no plans for the foreseeable future to develop a Salt Master on Windows. For now you must run your Salt Master on a supported operating system to control your Salt Minions on Windows. Many of the standard Salt modules have been ported to work on Windows and many of the Salt States currently work on Windows, as well.

Windows Installer¶

A Salt Minion Windows installer can be found here:
NOTE:
The 64bit installer has been tested on Windows 7 64bit and Windows Server 2008R2 64bit. The 32bit installer has been tested on Windows 2003 Server 32bit. Please file a bug report on our GitHub repo if issues for other platforms are found. The installer asks for 2 bits of information; the master hostname and the minion name. The installer will update the minion config with these options and then start the minion. The salt-minion service will appear in the Windows Service Manager and can be started and stopped there or with the command line program sc like any other Windows service. If the minion won't start, try installing the Microsoft Visual C++ 2008 x64 SP1 redistributable. Allow all Windows updates to run salt-minion smoothly.

Silent Installer option¶

The installer can be run silently by providing the /S option at the command line. The options /master and /minion-name allow for configuring the master hostname and minion name, respectively. Here's an example of using the silent installer:

Setting up a Windows build environment¶

A zip file has been created in the dist/ folder, containing a frozen copy of Python and the dependency libraries, along with Windows executables for each of the Salt scripts.

Building the installer¶

The Salt Windows installer is built with the open-source NSIS compiler. The source for the installer is found in the pkg directory of the Salt repo here: https://github.com/saltstack/salt/blob/develop/pkg/windows/installer/Salt-Minion-Setup.nsi. To create the installer, extract the frozen archive from dist/ into pkg/windows/buildenv/ and run NSIS. The NSIS installer can be found here: http://nsis.sourceforge.net/Main_Page

Testing the Salt minion¶

You should get the following response: {'your minion hostname': True}

Single command bootstrap script¶

On a 64 bit Windows host the following script makes an unattended install of salt, including all dependencies:

You can execute the above command remotely from a Linux host using winexe:
For more info check http://csa-net.dk/salt

Packages management under Windows 2003¶

On windows Server 2003, you need to install optional component "wmi windows installer provider" to have full list of installed packages. If you don't have this, salt-minion can't report some installed softwares.

SUSE Installation¶

With openSUSE 13.1, Salt 0.16.4 has been available in the primary repositories. The devel:language:python repo will have more up to date versions of salt, all package development will be done there.

Installation¶

Salt can be installed using zypper and is available in the standard openSUSE 13.1 repositories.

Stable Release¶

Salt is packaged separately for the minion and the master. It is necessary only to install the appropriate package for the role the machine will play. Typically, there will be one master and multiple minions.

Post-installation tasks openSUSE¶

Master To have the Master start automatically at boot time:
To start the Master:
Minion To have the Minion start automatically at boot time:
To start the Minion:

Post-installation tasks SLES¶

Master To have the Master start automatically at boot time:
To start the Master:
Minion To have the Minion start automatically at boot time:
To start the Minion:

Unstable Release¶

openSUSE¶

For openSUSE Factory run the following as root:
For openSUSE 13.1 run the following as root:
For openSUSE 12.3 run the following as root:
For openSUSE 12.2 run the following as root:
For openSUSE 12.1 run the following as root:
For bleeding edge python Factory run the following as root:

Suse Linux Enterprise¶

For SLE 11 SP3 run the following as root:
For SLE 11 SP2 run the following as root:
Now go to the Configuring Salt page.

Dependencies¶

Salt should run on any Unix-like platform so long as the dependencies are met.

Optional Dependencies¶

Upgrading Salt¶

When upgrading Salt, the master(s) should always be upgraded first. Backwards compatibility for minions running newer versions of salt than their masters is not guaranteed. Whenever possible, backwards compatibility between new masters and old minions will be preserved. Generally, the only exception to this policy is in case of a security vulnerability.

CONFIGURING SALT¶

Salt configuration is very simple. The default configuration for the master will work for most installations and the only requirement for setting up a minion is to set the location of the master in the minion configuration file.
The configuration files will be installed to /etc/salt and are named after the respective components, /etc/salt/master and /etc/salt/minion.

Master Configuration¶

By default the Salt master listens on ports 4505 and 4506 on all interfaces (0.0.0.0). To bind Salt to a specific IP, redefine the "interface" directive in the master configuration file, typically /etc/salt/master, as follows:
After updating the configuration file, restart the Salt master. See the master configuration reference for more details about other configurable options.

Minion Configuration¶

Although there are many Salt Minion configuration options, configuring a Salt Minion is very simple. By default a Salt Minion will try to connect to the DNS name "salt"; if the Minion is able to resolve that name correctly, no configuration is needed. If the DNS name "salt" does not resolve to point to the correct location of the Master, redefine the "master" directive in the minion configuration file, typically /etc/salt/minion, as follows:
After updating the configuration file, restart the Salt minion. See the minion configuration reference for more details about other configurable options.

Running Salt¶

There is also a full troubleshooting guide available.

Key Management¶

Salt uses AES encryption for all communication between the Master and the Minion. This ensures that the commands sent to the Minions cannot be tampered with, and that communication between Master and Minion is authenticated through trusted, accepted keys. Before commands can be sent to a Minion, its key must be accepted on the Master. Run the salt-key command to list the keys known to the Salt Master:
This example shows that the Salt Master is aware of four Minions, but none of the keys has been accepted. To accept the keys and allow the Minions to be controlled by the Master, again use the salt-key command:
The salt-key command allows for signing keys individually or in bulk. The example above, using -A bulk-accepts all pending keys. To accept keys individually use the lowercase of the same option, -a keyname. SEE ALSO:

Sending Commands¶

Communication between the Master and a Minion may be verified by running the test.ping command:
Communication between the Master and all Minions may be tested in a similar way:
Each of the Minions should send a True response as shown above.

What's Next?¶

Understanding targeting is important. From there, depending on the way you wish to use Salt, you should also proceed to learn about States and Execution Modules.

DEVELOPING SALT¶

There is a great need for contributions to Salt and patches are welcome! The goal here is to make contributions clear, make sure there is a trail for where the code has come from, and most importantly, to give credit where credit is due! There are a number of ways to contribute to salt development.

Sending a GitHub pull request¶

This is the preferred method for contributions. Simply create a GitHub fork, commit changes to the fork, and then open up a pull request. The following is an example (from Open Comparison Contributing Docs ) of an efficient workflow for forking, cloning, branching, committing, and sending a pull request for a GitHub repository. First, make a local clone of your GitHub fork of the salt GitHub repo and make edits and changes locally. Then, create a new branch on your clone by entering the following commands:
Choose a name for your branch that describes its purpose. Now commit your changes to this new branch with the following command:
NOTE:
Push your locally-committed changes back up to GitHub:
Now go look at your fork of the salt repo on the GitHub website. The new branch will now be listed under the "Source" tab where it says "Switch Branches". Select the new branch from this list, and then click the "Pull request" button. Put in a descriptive comment, and include links to any project issues related to the pull request. The repo managers will be notified of your pull request and it will be reviewed. If a reviewer asks for changes, just make the changes locally in the same local feature branch, push them to GitHub, then add a comment to the discussion section of the pull request. NOTE:

Keeping Salt Forks in Sync¶

Salt is advancing quickly. It is therefore critical to pull upstream changes from master into forks on a regular basis. Nothing is worse than putting in a days of hard work into a pull request only to have it rejected because it has diverged too far from master. To pull in upstream changes:
To check the log to be sure that you actually want the changes, run the following before merging:
Then to accept the changes and merge into the current branch:
For more info, see GitHub Fork a Repo Guide or Open Comparison Contributing Docs

Posting patches to the mailing list¶

Patches will also be accepted by email. Format patches using git format-patch and send them to the Salt users mailing list. The contributor will then get credit for the patch, and the Salt community will have an archive of the patch and a place for discussion.

Installing Salt for development¶

Clone the repository using:
NOTE:
Create a new virtualenv:
On Arch Linux, where Python 3 is the default installation of Python, use the virtualenv2 command instead of virtualenv. NOTE:
Activate the virtualenv:
Install Salt (and dependencies) into the virtualenv:
NOTE:
NOTE:
NOTE:

Running a self-contained development version¶

During development it is easiest to be able to run the Salt master and minion that are installed in the virtualenv you created above, and also to have all the configuration, log, and cache files contained in the virtualenv as well. Copy the master and minion config files into your virtualenv:
Edit the master config file:
Edit the minion config file:
NOTE:
Start the master and minion, accept the minion's key, and verify your local Salt installation is working:
Running the master and minion in debug mode can be helpful when developing. To do this, add -l debug to the calls to salt-master and salt-minion. If you would like to log to the console instead of to the log file, remove the -d. Once the minion starts, you may see an error like the following:
This means the the path to the socket the minion is using is too long. This is a system limitation, so the only workaround is to reduce the length of this path. This can be done in a couple different ways:
NOTE: The socket path is limited to 107 characters on Solaris and Linux, and 103 characters on BSD-based systems. NOTE:

Installing Salt from the Python Package Index¶

If you are installing using easy_install, you will need to define a USE_SETUPTOOLS environment variable, otherwise dependencies will not be installed:

Editing and previewing the documentation¶

You need sphinx-build command to build the docs. In Debian/Ubuntu this is provided in the python-sphinx package. Sphinx can also be installed to a virtualenv using pip:
Change to salt documentation directory, then:




Once you've updated the documentation, you can run the following command to launch a simple Python HTTP server to see your changes:

Running unit and integration tests¶

Run the test suite with following command:
See here for more information regarding the test suite.

TARGETING¶

For example the command salt web1 apache.signal restart to restart the Apache httpd server specifies the machine web1 as the target and the command will only be run on that one minion. Similarly when using States, the following top file specifies that only the web1 minion should execute the contents of webserver.sls:
There are many ways to target individual minions or groups of minions in Salt:

Matching the minion id¶

Each minion needs a unique identifier. By default when a minion starts for the first time it chooses its FQDN as that identifier. The minion id can be overridden via the minion's id configuration setting. TIP:

Globbing¶

The default matching that Salt utilizes is shell-style globbing around the minion id. This also works for states in the top file. NOTE:
Match all minions:
Match all minions in the example.net domain or any of the example domains:
Match all the webN minions in the example.net domain (web1.example.net, web2.example.net … webN.example.net):
Match the web1 through web5 minions:
Match the web1 and web3 minions:
Match the web-x, web-y, and web-z minions:
NOTE:

Regular Expressions¶

Minions can be matched using Perl-compatible regular expressions (which is globbing on steroids and a ton of caffeine). Match both web1-prod and web1-devel minions:
When using regular expressions in a State's top file, you must specify the matcher as the first option. The following example executes the contents of webserver.sls on the above-mentioned minions.

Lists¶

At the most basic level, you can specify a flat list of minion IDs:

Grains¶

Salt comes with an interface to derive information about the underlying system. This is called the grains interface, because it presents salt with grains of information.
The grains interface is made available to Salt modules and components so that the right salt minion commands are automatically available on the right systems. It is important to remember that grains are bits of information loaded when the salt minion starts, so this information is static. This means that the information in grains is unchanging, therefore the nature of the data is static. So grains information are things like the running kernel, or the operating system. Match all CentOS minions:
Match all minions with 64-bit CPUs, and return number of CPU cores for each matching minion:
Additionally, globs can be used in grain matches, and grains that are nested in a dictionary can be matched by adding a colon for each level that is traversed. For example, the following will match hosts that have a grain called ec2_tags, which itself is a dict with a key named environment, which has a value that contains the word production:

Listing Grains¶

Available grains can be listed by using the 'grains.ls' module:
Grains data can be listed by using the 'grains.items' module:

Grains in the Minion Config¶

Grains can also be statically assigned within the minion configuration file. Just add the option grains and pass options to it:
Then status data specific to your servers can be retrieved via Salt, or used inside of the State system for matching. It also makes targeting, in the case of the example above, simply based on specific data about your deployment.

Grains in /etc/salt/grains¶

If you do not want to place your custom static grains in the minion config file, you can also put them in /etc/salt/grains on the minion. They are configured in the same way as in the above example, only without a top-level grains: key:

Matching Grains in the Top File¶

With correctly setup grains on the Minion, the Top file used in Pillar or during Highstate can be made really efficient. Like for example, you could do:
For this example to work, you would need the grain node_type and the correct value to match on. This simple example is nice, but too much of the code is similar. To go one step further, we can place some Jinja template code into the Top file.
The Jinja code simplified the Top file, and allowed SaltStack to work its magic.

Writing Grains¶

Grains are easy to write. The grains interface is derived by executing all of the "public" functions found in the modules located in the grains package or the custom grains directory. The functions in the modules of the grains must return a Python dict, where the keys in the dict are the names of the grains and the values are the values. Custom grains should be placed in a _grains directory located under the file_roots specified by the master config file. They will be distributed to the minions when state.highstate is run, or by executing the saltutil.sync_grains or saltutil.sync_all functions. Before adding a grain to Salt, consider what the grain is and remember that grains need to be static data. If the data is something that is likely to change, consider using Pillar instead.

Precedence¶

Core grains can be overriden by custom grains. As there are several ways of defining custom grains, there is an order of precedence which should be kept in mind when defining them. The order of evaluation is as follows:
Each successive evaluation overrides the previous ones, so any grains defined in /etc/salt/grains that have the same name as a core grain will override that core grain. Similarly, /etc/salt/minion overrides both core grains and grains set in /etc/salt/grains, and custom grain modules will override any grains of the same name.

Examples of Grains¶

The core module in the grains package is where the main grains are loaded by the Salt minion and provides the principal example of how to write grains: https://github.com/saltstack/salt/blob/develop/salt/grains/core.py

Syncing Grains¶

Syncing grains can be done a number of ways, they are automatically synced when state.highstate is called, or (as noted above) the grains can be manually synced and reloaded by calling the saltutil.sync_grains or saltutil.sync_all functions.

Node groups¶

Nodegroups are declared using a compound target specification. The compound target documentation can be found here. The nodegroups master config file parameter is used to define nodegroups. Here's an example nodegroup configuration within /etc/salt/master:
NOTE:
To match a nodegroup on the CLI, use the -N command-line option:
To match in your top file, make sure to put - match: nodegroup on the line directly following the nodegroup name.

Compound matchers¶

Compound matchers allow very granular minion targeting using any of Salt's matchers. The default matcher is a glob match, just as with CLI and top file matching. To match using anything other than a glob, prefix the match string with the appropriate letter from the table below, followed by an @ sign.

Letter	Match Type	Example
G	Grains glob	G@os:Ubuntu
E	PCRE Minion ID	E@web\d+\.(dev|qa|prod)\.loc
P	Grains PCRE	P@os:(RedHat|Fedora|CentOS)
L	List of minions	L@minion1.example.com,minion3.domain.com or bl*.domain.com
I	Pillar glob	I@pdata:foobar
S	Subnet/IP address	S@192.168.1.0/24 or S@192.168.1.100
R	Range cluster	R@%foo.bar

Matchers can be joined using boolean  and, or, and not operators.

For example, the following string matches all Debian minions with a hostname that begins with webserv, as well as any minions that have a hostname which matches the regular expression web-dc1-srv.*:
That same example expressed in a top file looks like the following:
Note that a leading not is not supported in compound matches. Instead, something like the following must be done:
Excluding a minion based on its ID is also possible:

Batch Size¶

The -b (or --batch-size) option allows commands to be executed on only a specified number of minions at a time. Both percentages and finite numbers are supported.
This will only run test.ping on 10 of the targeted minions at a time and then restart apache on 25% of the minions matching os:RedHat at a time and work through them all until the task is complete. This makes jobs like rolling web server restarts behind a load balancer or doing maintenance on BSD firewalls using carp much easier with salt. The batch system maintains a window of running minions, so, if there are a total of 150 minions targeted and the batch size is 10, then the command is sent to 10 minions, when one minion returns then the command is sent to one additional minion, so that the job is constantly running on 10 minions.

SALT TUTORIALS¶

Introduction¶

Salt Masterless Quickstart¶

Running a masterless salt-minion lets you use salt's configuration management for a single machine. It is also useful for testing out state trees before deploying to a production setup. The only real difference in using a standalone minion is that instead of issuing commands with salt, we use the salt-call command, like this:
NOTE:

Bootstrap Salt Minion¶

First we need to install the salt minion. The salt-bootstrap script makes this incredibly easy for any OS with a Bourne shell. You can use it like this:
Or see the salt-bootstrap documentation for other one liners. Additionally, if you are using Vagrant to test out salt, the salty-vagrant tool will provision the VM for you.

Create State Tree¶

Now we build an example state tree. This is where the configuration is defined. For more in depth directions, see the tutorial.
/srv/salt/top.sls:

/srv/salt/webserver.sls:
The only thing left is to provision our minion using the highstate command. Salt-call also gives us an easy way to give us verbose output:
The --local flag tells the salt-minion to look for the state tree in the local file system. Normally the minion copies the state tree from the master and executes it from there. That's it, good luck!

Basics¶

Salt Bootstrap¶

The Salt Bootstrap script allows for a user to install the Salt Minion or Master on a variety of system distributions and versions. This shell script known as bootstrap-salt.sh runs through a series of checks to determine the operating system type and version. It then installs the Salt binaries using the appropriate methods. The Salt Bootstrap script installs the minimum number of packages required to run Salt. This means that in the event you run the bootstrap to install via package, Git will not be installed. Installing the minimum number of packages helps ensure the script stays as lightweight as possible, assuming the user will install any other required packages after the Salt binaries are present on the system. The script source is available on GitHub: https://github.com/saltstack/salt-bootstrap

Supported Operating Systems¶

NOTE:

Example Usage¶

The Salt Bootstrap script has a wide variety of options that can be passed as well as several ways of obtaining the bootstrap script itself. For example, using curl to install latest git:
If you have certificate issues using curl, try the following:
Using wget to install your distribution's stable packages:
If you have certificate issues using wget try the following:
Install a specific version from git using wget:
If you already have python installed, python 2.6, then it's as easy as:
All python versions should support the following one liner:
On a FreeBSD base system you usually don't have either of the above binaries available. You do have fetch available though:
If all you want is to install a salt-master using latest git:
If you want to install a specific release version (based on the git tags):
Downloading the develop branch (from here standard command line options may be passed):

Command Line Options¶

-h Display the help message and command line options. -v Display script version. -n No colours. -D Show debug output. -c Temporary configuration directory. -k Temporary directory holding the minion keys which will pre-seed the master. -M Also install salt-master. -S Also install salt-syndic. -N Do not install salt-minion. -X Do not start daemons after installation. -C Only run the configuration function. This option automatically bypasses any installation. -P Allow pip based installations. On some distributions the required salt packages or its dependencies are not available as a package for that distribution. Using this flag allows the script to use pip as a last resort method. NOTE:
-F Allow copied files to overwrite existing(config, init.d, etc). -U If set, fully upgrade the system prior to bootstrapping salt. -K If set, keep the temporary files in the temporary directories specified with -c and -k.

Standalone Minion¶

Since the Salt minion contains such extensive functionality it can be useful to run it standalone. A standalone minion can be used to do a number of things:
NOTE:

Telling Salt Call to Run Masterless¶

The salt-call command is used to run module functions locally on a minion instead of executing them from the master. Normally the salt-call command checks into the master to retrieve file server and pillar data, but when running standalone salt-call needs to be instructed to not check the master for this data. To instruct the minion to not look for a master when running salt-call the file_client configuration option needs to be set. By default the file_client is set to remote so that the minion knows that file server and pillar data are to be gathered from the master. When setting the file_client option to local the minion is configured to not gather this data from the master.
Now the salt-call command will not look for a master and will assume that the local system has all of the file ad pillar resources.

Running States Masterless¶

The state system can be easily run without a Salt master, with all needed files local to the minion. To do this the minion configuration file needs to be set up to know how to return file_roots information like the master. The file_roots setting defaults to /srv/salt for the base environment just like on the master:
Now set up the Salt State Tree, top file, and SLS modules in the same way that they would be set up on a master. Now, with the file_client option set to local and an available state tree then calls to functions in the state module will use the information in the file_roots on the minion instead of checking in with the master. Remember that when creating a state tree on a minion there are no syntax or path changes needed, SLS modules written to be used from a master do not need to be modified in any way to work with a minion. This makes it easy to "script" deployments with Salt states without having to set up a master, and allows for these SLS modules to be easily moved into a Salt master as the deployment grows. Now the declared state can now be executed with:
Or the salt-call command can be executed with the --local flag, this makes it unnecessary to change the configuration file:

Opening the Firewall up for Salt¶

The Salt master communicates with the minions using an AES-encrypted ZeroMQ connection. These communications are done over TCP ports 4505 and 4506, which need to be accessible on the master only. This document outlines suggested firewall rules for allowing these incoming connections to the master. NOTE:

RHEL 6 / CentOS 6¶

The lokkit command packaged with some Linux distributions makes opening iptables firewall ports very simple via the command line. Just be careful to not lock out access to the server by neglecting to open the ssh port. lokkit example:
The system-config-firewall-tui command provides a text-based interface to modifying the firewall. system-config-firewall-tui:

openSUSE¶

Salt installs firewall rules in /etc/sysconfig/SuSEfirewall2.d/services/salt. Enable with:
If you have an older package of Salt where the above configuration file is not included, the SuSEfirewall2 command makes opening iptables firewall ports very simple via the command line. SuSEfirewall example:
The firewall module in YaST2 provides a text-based interface to modifying the firewall. YaST2:

iptables¶

Different Linux distributions store their iptables (also known as netfilter) rules in different places, which makes it difficult to standardize firewall documentation. Included are some of the more common locations, but your mileage may vary. Fedora / RHEL / CentOS:
Arch Linux:
Debian Follow these instructions: http://wiki.debian.org/iptables Once you've found your firewall rules, you'll need to add the two lines below to allow traffic on tcp/4505 and tcp/4506:
Ubuntu Salt installs firewall rules in /etc/ufw/applications.d/salt.ufw. Enable with:

pf.conf¶

The BSD-family of operating systems uses packet filter (pf). The following example describes the additions to pf.conf needed to access the Salt master.
Once these additions have been made to the pf.conf the rules will need to be reloaded. This can be done using the pfctl command.

Whitelist communication to Master¶

There are situations where you want to selectively allow Minon traffic from specific hosts or networks into your Salt Master. The first scenario which comes to mind is to prevent unwanted traffic to your Master out of security concerns, but another scenario is to handle Minion upgrades when there are backwards incompatible changes between the installed Salt versions in your environment. Here is an example Linux iptables ruleset to be set on the Master:
NOTE:

Using cron with Salt¶

The Salt Minion can initiate its own highstate using the salt-call command.
This will cause the minion to check in with the master and ensure it is in the correct 'state'.

Use cron to initiate a highstate¶

If you would like the Salt Minion to regularly check in with the master you can use the venerable cron to run the salt-call command.
The above cron entry will run a highstate every day at midnight. NOTE:

Remote execution tutorial¶

Before continuing make sure you have a working Salt installation by following the installation and the configuration instructions.

Order your minions around¶

Now that you have a master and at least one minion communicating with each other you can perform commands on the minion via the salt command. Salt calls are comprised of three main components:
SEE ALSO:

target¶

The target component allows you to filter which minions should run the following function. The default filter is a glob on the minion id. For example:
Targets can be based on minion system information using the Grains system:
SEE ALSO:
Targets can be filtered by regular expression:
Targets can be explicitly specified in a list:
Or Multiple target types can be combined in one command:

function¶

A function is some functionality provided by a module. Salt ships with a large collection of available functions. List all available functions on your minions:
Here are some examples: Show all currently available minions:
Run an arbitrary shell command:
SEE ALSO:

arguments¶

Space-delimited arguments to the function:
Optional, keyword arguments are also supported:
They are always in the form of kwarg=argument.

Pillar Walkthrough¶

NOTE:
The pillar interface inside of Salt is one of the most important components of a Salt deployment. Pillar is the interface used to generate arbitrary data for specific minions. The data generated in pillar is made available to almost every component of Salt and is used for a number of purposes:
Pillar is therefore one of the most important systems when using Salt, this walkthrough is designed to get a simple pillar up and running in a few minutes and then to dive into the capabilities of pillar and where the data is available.

Setting Up Pillar¶

The pillar is already running in Salt by default. The data in the minion's pillars can be seen via the following command:
NOTE:
By default the contents of the master configuration file are loaded into pillar for all minions, this is to enable the master configuration file to be used for global configuration of minions. The pillar is built in a similar fashion as the state tree, it is comprised of sls files and has a top file, just like the state tree. The pillar is stored in a different location on the Salt master than the state tree. The default location for the pillar is in /srv/pillar. NOTE:
To start setting up the pillar, the /srv/pillar directory needs to be present:
Now a simple top file, following the same format as the top file used for states needs to be created: /srv/pillar/top.sls:
This top file associates the data.sls file to all minions. Now the /srv/pillar/data.sls file needs to be populated: /srv/pillar/data.sls:
Now that the file has been saved the minions' pillars will be updated:
The key info should now appear in the returned pillar data.

More Complex Data¶

Pillar files are sls files, just like states, but unlike states they do not need to define formulas, the data can be arbitrary, this example for instance sets up user data with a UID: /srv/pillar/users/init.sls:
NOTE:
The top file will need to be updated to include this sls file: /srv/pillar/top.sls:
Now the data will be available to the minions. To use the pillar data in a state just access the pillar via Jinja: /srv/salt/users/init.sls
This approach allows for users to be safely defined in a pillar and then the user data is applied in an sls file.

Paramaterizing States With Pillar¶

One of the most powerful abstractions in pillar is the ability to parameterize states. Instead of defining macros or functions within the state context the entire state tree can be freely parameterized relative to the minion's pillar. This approach allows for Salt to be very flexible while staying very straightforward. It also means that simple sls formulas used in the state tree can be directly parameterized without needing to refactor the state tree. A simple example is to set up a mapping of package names in pillar for separate Linux distributions: /srv/pillar/pkg/init.sls:
The new pkg sls needs to be added to the top file: /srv/pillar/top.sls:
Now the minions will auto map values based on respective operating systems inside of the pillar, so sls files can be safely parameterized: /srv/salt/apache/init.sls:
Or, if no pillar is available a default can be set as well: NOTE:
/srv/salt/apache/init.sls:
In the above example, if the pillar value pillar['pkgs']['apache'] is not set in the minion's pillar, then the default of httpd will be used. NOTE:

Pillar Makes Simple States Grow Easily¶

One of the design goals of pillar is to make simple sls formulas easily grow into more flexible formulas without refactoring or complicating the states. A simple formula: /srv/salt/edit/vim.sls:
Can be easily transformed into a powerful, parameterized formula: /srv/salt/edit/vim.sls:
Where the vimrc source location can now be changed via pillar: /srv/pillar/edit/vim.sls:
Ensuring that the right vimrc is sent out to the correct minions.

More On Pillar¶

The pillar data is generated on the Salt master and securely distributed to minions. Salt is not restricted to the pillar sls files when defining the pillar but can retrieve data from external sources. This can be useful when information about an infrastructure is stored in a separate location. Reference information on pillar and the external pillar interface can be found in the Salt documentation: Pillar

States¶

How Do I Use Salt States?¶

Simplicity, Simplicity, Simplicity Many of the most powerful and useful engineering solutions are founded on simple principles. Salt States strive to do just that: K.I.S.S. (Keep It Stupidly Simple) The core of the Salt State system is the SLS, or SaLt State file. The SLS is a representation of the state in which a system should be in, and is set up to contain this data in a simple format. This is often called configuration management. NOTE:

It is All Just Data¶

Before delving into the particulars, it will help to understand that the SLS file is just a data structure under the hood. While understanding that the SLS is just a data structure isn't critical for understanding and making use of Salt States, it should help bolster knowledge of where the real power is. SLS files are therefore, in reality, just dictionaries, lists, strings, and numbers. By using this approach Salt can be much more flexible. As one writes more state files, it becomes clearer exactly what is being written. The result is a system that is easy to understand, yet grows with the needs of the admin or developer.

The Top File¶

The example SLS files in the below sections can be assigned to hosts using a file called top.sls. This file is described in-depth here.

Default Data - YAML¶

By default Salt represents the SLS data in what is one of the simplest serialization formats available - YAML. A typical SLS file will often look like this in YAML: NOTE:

This SLS data will ensure that the package named apache is installed, and that the apache service is running. The components can be explained in a simple way. The first line is the ID for a set of data, and it is called the ID Declaration. This ID sets the name of the thing that needs to be manipulated. The second and fourth lines are the start of the State Declarations, so they are using the pkg and service states respectively. The pkg state manages a software package to be installed via the system's native package manager, and the service state manages a system daemon. The third and fifth lines are the function to run. This function defines what state the named package and service should be in. Here, the package is to be installed, and the service should be running. Finally, on line six, is the word require. This is called a Requisite Statement, and it makes sure that the Apache service is only started after a successful installation of the apache package.

Adding Configs and Users¶

When setting up a service like an Apache web server, many more components may need to be added. The Apache configuration file will most likely be managed, and a user and group may need to be set up.
This SLS data greatly extends the first example, and includes a config file, a user, a group and new requisite statement: watch. Adding more states is easy, since the new user and group states are under the Apache ID, the user and group will be the Apache user and group. The require statements will make sure that the user will only be made after the group, and that the group will be made only after the Apache package is installed. Next,the require statement under service was changed to watch, and is now watching 3 states instead of just one. The watch statement does the same thing as require, making sure that the other states run before running the state with a watch, but it adds an extra component. The watch statement will run the state's watcher function for any changes to the watched states. So if the package was updated, the config file changed, or the user uid modified, then the service state's watcher will be run. The service state's watcher just restarts the service, so in this case, a change in the config file will also trigger a restart of the respective service.

Moving Beyond a Single SLS¶

When setting up Salt States in a scalable manner, more than one SLS will need to be used. The above examples were in a single SLS file, but two or more SLS files can be combined to build out a State Tree. The above example also references a file with a strange source - salt://apache/httpd.conf. That file will need to be available as well. The SLS files are laid out in a directory structure on the Salt master; an SLS is just a file and files to download are just files. The Apache example would be laid out in the root of the Salt file server like this:
So the httpd.conf is just a file in the apache directory, and is referenced directly. But when using more than one single SLS file, more components can be added to the toolkit. Consider this SSH example: ssh/init.sls:
ssh/server.sls:
NOTE:
Now our State Tree looks like this:
This example now introduces the include statement. The include statement includes another SLS file so that components found in it can be required, watched or as will soon be demonstrated - extended. The include statement allows for states to be cross linked. When an SLS has an include statement it is literally extended to include the contents of the included SLS files. Note that some of the SLS files are called init.sls, while others are not. More info on what this means can be found in the States Tutorial.

Extending Included SLS Data¶

Sometimes SLS data needs to be extended. Perhaps the apache service needs to watch additional resources, or under certain circumstances a different file needs to be placed. In these examples, the first will add a custom banner to ssh and the second will add more watchers to apache to include mod_python. ssh/custom-server.sls:
python/mod_python.sls:
The custom-server.sls file uses the extend statement to overwrite where the banner is being downloaded from, and therefore changing what file is being used to configure the banner. In the new mod_python SLS the mod_python package is added, but more importantly the apache service was extended to also watch the mod_python package.

Understanding the Render System¶

Since SLS data is simply that (data), it does not need to be represented with YAML. Salt defaults to YAML because it is very straightforward and easy to learn and use. But the SLS files can be rendered from almost any imaginable medium, so long as a renderer module is provided. The default rendering system is the yaml_jinja renderer. The yaml_jinja renderer will first pass the template through the Jinja2 templating system, and then through the YAML parser. The benefit here is that full programming constructs are available when creating SLS files. Other renderers available are yaml_mako and yaml_wempy which each use the Mako or Wempy templating system respectively rather than the jinja templating system, and more notably, the pure Python or py and pydsl renderers. The py renderer allows for SLS files to be written in pure Python, allowing for the utmost level of flexibility and power when preparing SLS data; while the pydsl renderer provides a flexible, domain-specific language for authoring SLS data in Python. NOTE:

Getting to Know the Default - yaml_jinja¶

The default renderer - yaml_jinja, allows for use of the jinja templating system. A guide to the Jinja templating system can be found here: http://jinja.pocoo.org/docs When working with renderers a few very useful bits of data are passed in. In the case of templating engine based renderers, three critical components are available, salt, grains, and pillar. The salt object allows for any Salt function to be called from within the template, and grains allows for the Grains to be accessed from within the template. A few examples: apache/init.sls:
This example is simple. If the os grain states that the operating system is Red Hat, then the name of the Apache package and service needs to be httpd. A more aggressive way to use Jinja can be found here, in a module to set up a MooseFS distributed filesystem chunkserver: moosefs/chunk.sls:
This example shows much more of the available power of Jinja. Multiple for loops are used to dynamically detect available hard drives and set them up to be mounted, and the salt object is used multiple times to call shell commands to gather data.

Introducing the Python and the PyDSL Renderers¶

Sometimes the chosen default renderer might not have enough logical power to accomplish the needed task. When this happens, the Python renderer can be used. Normally a YAML renderer should be used for the majority of SLS files, but an SLS file set to use another renderer can be easily added to the tree. This example shows a very basic Python SLS file: python/django.sls:
This is a very simple example; the first line has an SLS shebang that tells Salt to not use the default renderer, but to use the py renderer. Then the run function is defined, the return value from the run function must be a Salt friendly data structure, or better known as a Salt HighState data structure. Alternatively, using the pydsl renderer, the above example can be written more succinctly as: python/django.sls:
This Python examples would look like this if they were written in YAML:
This example clearly illustrates that; one, using the YAML renderer by default is a wise decision and two, unbridled power can be obtained where needed by using a pure Python SLS.

Running and debugging salt states.¶

Once the rules in an SLS are ready, they should be tested to ensure they work properly. To invoke these rules, simply execute salt '*' state.highstate on the command line. If you get back only hostnames with a : after, but no return, chances are there is a problem with one or more of the sls files. On the minion, use the salt-call command: salt-call state.highstate -l debug to examine the output for errors. This should help troubleshoot the issue. The minions can also be started in the foreground in debug mode: salt-minion -l debug.

Next Reading¶

With an understanding of states, the next recommendation is to become familiar with Salt's pillar interface:

States tutorial, part 1 - Basic Usage¶

The purpose of this tutorial is to demonstrate how quickly you can configure a system to be managed by Salt States. For detailed information about the state system please refer to the full states reference. This tutorial will walk you through using Salt to configure a minion to run the Apache HTTP server and to ensure the server is running. Before continuing make sure you have a working Salt installation by following the installation and the configuration instructions.

Setting up the Salt State Tree¶

States are stored in text files on the master and transferred to the minions on demand via the master's File Server. The collection of state files make up the State Tree. To start using a central state system in Salt, the Salt File Server must first be set up. Edit the master config file ( file_roots) and uncomment the following lines:
NOTE:
Restart the Salt master in order to pick up this change:

Preparing the Top File¶

On the master, in the directory uncommented in the previous step, ( /srv/salt by default), create a new file called top.sls and add the following:
The top file is separated into environments (discussed later). The default environment is base. Under the base environment a collection of minion matches is defined; for now simply specify all hosts ( *).

Create an sls file¶

In the same directory as the top file, create a file named webserver.sls, containing the following:
The first line, called the ID declaration, is an arbitrary identifier. In this case it defines the name of the package to be installed. NOTE:
The second line, called the state declaration, defines which of the Salt States we are using. In this example, we are using the pkg state to ensure that a given package is installed. The third line, called the function declaration, defines which function in the pkg state module to call.

Install the package¶

Next, let's run the state we created. Open a terminal on the master and run:
Our master is instructing all targeted minions to run state.highstate. When a minion executes a highstate call it will download the top file and attempt to match the expressions. When it does match an expression the modules listed for it will be downloaded, compiled, and executed. Once completed, the minion will report back with a summary of all actions taken and all changes made.

Next steps¶

This tutorial focused on getting a simple Salt States configuration working. Part 2 will build on this example to cover more advanced sls syntax and will explore more of the states that ship with Salt.

States tutorial, part 2 - More Complex States, Requisites¶

NOTE:
In the last part of the Salt States tutorial we covered the basics of installing a package. We will now modify our webserver.sls file to have requirements, and use even more Salt States.

Call multiple States¶

You can specify multiple state declarations under an ID declaration. For example, a quick modification to our webserver.sls to also start Apache if it is not running:
Try stopping Apache before running state.highstate once again and observe the output.

Expand the SLS module¶

As you have seen, SLS modules are appended with the file extension .sls and are referenced by name starting at the root of the state tree. An SLS module can be also defined as a directory. Demonstrate that now by creating a directory named webserver and moving and renaming webserver.sls to webserver/init.sls. Your state directory should now look like this:

Require other states¶

We now have a working installation of Apache so let's add an HTML file to customize our website. It isn't exactly useful to have a website without a webserver so we don't want Salt to install our HTML file until Apache is installed and running. Include the following at the bottom of your webserver/init.sls file:
line 9 is the ID declaration. In this example it is the location we want to install our custom HTML file. ( Note: the default location that Apache serves may differ from the above on your OS or distro. /srv/www could also be a likely place to look.) Line 10 the state declaration. This example uses the Salt file state. Line 11 is the function declaration. The managed function will download a file from the master and install it in the location specified. Line 12 is a function arg declaration which, in this example, passes the source argument to the managed function. Line 13 is a requisite declaration. Line 14 is a requisite reference which refers to a state and an ID. In this example, it is referring to the ID declaration from our example in part 1. This declaration tells Salt not to install the HTML file until Apache is installed. Next, create the index.html file and save it in the webserver directory:
Last, call state.highstate again and the minion will fetch and execute the highstate as well as our HTML file from the master using Salt's File Server:
Verify that Apache is now serving your custom HTML.

Next steps¶

In part 3 we will discuss how to use includes, extends and templating to make a more complete State Tree configuration.

States tutorial, part 3 - Templating, Includes, Extends¶

NOTE:
This part of the tutorial will cover more advanced templating and configuration techniques for sls files.

Templating SLS modules¶

SLS modules may require programming logic or inline execution. This is accomplished with module templating. The default module templating system used is Jinja2 and may be configured by changing the renderer value in the master config. All states are passed through a templating system when they are initially read. To make use of the templating system, simply add some templating markup. An example of an sls module with templating markup may look like this:
This templated sls file once generated will look like this:
Here's a more complex example:

Using Grains in SLS modules¶

Often times a state will need to behave differently on different systems. Salt grains objects are made available in the template context. The grains can be used from within sls modules:

Calling Salt modules from templates¶

All of the Salt modules loaded by the minion are available within the templating system. This allows data to be gathered in real time on the target system. It also allows for shell commands to be run easily from within the sls modules. The Salt module functions are also made available in the template context as salt:
Note that for the above example to work, some_group_that_exists must exist before the state file is processed by the templating engine. Below is an example that uses the network.hw_addr function to retrieve the MAC address for eth0:

Advanced SLS module syntax¶

Lastly, we will cover some incredibly useful techniques for more complex State trees.

Include declaration¶

A previous example showed how to spread a Salt tree across several files. Similarly, requisites span multiple files by using an include declaration. For example: python/python-libs.sls:
python/django.sls:

Extend declaration¶

You can modify previous declarations by using an extend declaration. For example the following modifies the Apache tree to also restart Apache when the vhosts file is changed: apache/apache.sls:
apache/mywebsite.sls:

Name declaration¶

You can override the ID declaration by using a name declaration. For example, the previous example is a bit more maintainable if rewritten as follows: apache/mywebsite.sls:

Names declaration¶

Even more powerful is using a names declaration to override the ID declaration for multiple states at once. This often can remove the need for looping in a template. For example, the first example in this tutorial can be rewritten without the loop:

Next steps¶

In part 4 we will discuss how to use salt's file_roots to set up a workflow in which states can be "promoted" from dev, to QA, to production.

States tutorial, part 4¶

NOTE:
This part of the tutorial will show how to use salt's file_roots to set up a workflow in which states can be "promoted" from dev, to QA, to production.

Salt fileserver path inheritance¶

Salt's fileserver allows for more than one root directory per environment, like in the below example, which uses both a local directory and a secondary location shared to the salt master via NFS:
Salt's fileserver collapses the list of root directories into a single virtual environment containing all files from each root. If the same file exists at the same relative path in more than one root, then the top-most match "wins". For example, if /srv/salt/foo.txt and /mnt/salt-nfs/base/foo.txt both exist, then salt://foo.txt will point to /srv/salt/foo.txt.

Environment configuration¶

Configure a multiple-environment setup like so:
Given the path inheritance described above, files within /srv/salt/prod would be available in all environments. Files within /srv/salt/qa would be available in both qa, and dev. Finally, the files within /srv/salt/dev would only be available within the dev environment. Based on the order in which the roots are defined, new files/states can be placed within /srv/salt/dev, and pushed out to the dev hosts for testing. Those files/states can then be moved to the same relative path within /srv/salt/qa, and they are now available only in the dev and qa environments, allowing them to be pushed to QA hosts and tested. Finally, if moved to the same relative path within /srv/salt/prod, the files are now available in all three environments.

Practical Example¶

As an example, consider a simple website, installed to /var/www/foobarcom. Below is a top.sls that can be used to deploy the website: /srv/salt/prod/top.sls:
Using pillar, roles can be assigned to the hosts: /srv/pillar/top.sls:
/srv/pillar/webserver/prod.sls:
/srv/pillar/webserver/qa.sls:
/srv/pillar/webserver/dev.sls:
And finally, the SLS to deploy the website: /srv/salt/prod/webserver/foobarcom.sls:
Given the above SLS, the source for the website should initially be placed in /srv/salt/dev/webserver/src/foobarcom. First, let's deploy to dev. Given the configuration in the top file, this can be done using state.highstate:
However, in the event that it is not desirable to apply all states configured in the top file (which could be likely in more complex setups), it is possible to apply just the states for the foobarcom website, using state.sls:
Once the site has been tested in dev, then the files can be moved from /srv/salt/dev/webserver/src/foobarcom to /srv/salt/qa/webserver/src/foobarcom, and deployed using the following:
Finally, once the site has been tested in qa, then the files can be moved from /srv/salt/qa/webserver/src/foobarcom to /srv/salt/prod/webserver/src/foobarcom, and deployed using the following:
Thanks to Salt's fileserver inheritance, even though the files have been moved to within /srv/salt/prod, they are still available from the same salt:// URI in both the qa and dev environments.

Continue Learning¶

The best way to continue learning about Salt States is to read through the reference documentation and to look through examples of existing state trees. Many pre-configured state trees can be found on Github in the saltstack-formulas collection of repositories. If you have any questions, suggestions, or just want to chat with other people who are using Salt, we have a very active community and we'd love to hear from you. In addition, by continuing to part 5, you can learn about the powerful orchestration of which Salt is capable.

States Tutorial, Part 5 - Orchestration with Salt¶

NOTE:
Orchestration can be accomplished in two distinct ways:

The OverState System¶

Often servers need to be set up and configured in a specific order, and systems should only be set up if systems earlier in the sequence has been set up without any issues. The OverState system can be used to orchestrate deployment in a smooth and reliable way across multiple systems in small to large environments.

The OverState SLS¶

The OverState system is managed by an SLS file named overstate.sls, located in the root of a Salt fileserver environment. The overstate.sls configures an unordered list of stages, each stage defines the minions on which to execute the state, and can define what sls files to run, execute a state.highstate, or execute a function. Here's a sample overstate.sls:
Given the above setup, the OverState will be carried out as follows:
Any failure in the above steps would cause the requires to fail, preventing the dependent stages from executing.

Using Functions with OverState¶

In the above example, you'll notice that the stages lacking an sls entry run a state.highstate. As mentioned earlier, it is also possible to execute other functions in a stage. This functionality was added in version 0.15.0. Running a function is easy:
The list of function arguments are defined after the declared function. So, the above stage would run pkg.install http. Requisites only function properly if the given function supports returning a custom return code.

Executing an OverState¶

Since the OverState is a Runner, it is executed using the salt-run command. The runner function for the OverState is state.over.
The function will by default look in the root of the base environment (as defined in file_roots) for a file called overstate.sls, and then execute the stages defined within that file. Different environments and paths can be used as well, by adding them as positional arguments:
The above would run an OverState using the dev fileserver environment, with the stages defined in /root/other-overstate.sls. WARNING:
NOTE:

The Orchestrate Runner¶

New in version 0.17.0. As noted above in the introduction, the Orchestrate Runner (originally called the state.sls runner) offers all the functionality of the OverState, but with a couple advantages:
The Orchestrate Runner was added with the intent to eventually deprecate the OverState system, however the OverState will still be maintained for the foreseeable future.

Configuration Syntax¶

The configuration differs slightly from that of the OverState, and more closely resembles the configuration schema used for states. To execute a state, use salt.state:
To execute a function, use salt.function:

Triggering a Highstate¶

Wheras with the OverState, a Highstate is run by simply omitting an sls or function argument, with the Orchestrate Runner the Highstate must explicitly be requested by using highstate: True:

Executing the Orchestrate Runner¶

The Orchestrate Runner can be executed using the state.orchestrate runner function. state.orch also works, for those that would like to type less. Assuming that your base environment is located at /srv/salt, and you have placed a configuration file in /srv/salt/orchestration/webserver.sls, then the following could both be used:
Changed in version 2014.1.1: The runner function was renamed to state.orchestrate. In versions 0.17.0 through 2014.1.0, state.sls must be used. This was renamed to avoid confusion with the state.sls execution function.

More Complex Orchestration¶

Many states/functions can be configured in a single file, which when combined with the full suite of requisites, can be used to easily configure complex orchestration tasks. Additionally, the states/functions will be executed in the order in which they are defined, unless prevented from doing so by any requisites, as is the default in SLS files since 0.17.0.
Given the above setup, the orchestration will be carried out as follows:

Understanding State Ordering¶

NOTE:
Salt's state system is built to deliver all of the power of configuration management systems without sacrificing simplicity. This tutorial is made to help users understand in detail just how the order is defined for state executions in Salt. This tutorial is written to represent the behavior of Salt as of version 0.17.0.

Compiler Basics¶

To understand ordering in depth some very basic knowledge about the state compiler is very helpful. No need to worry though, this is very high level!

High Data and Low Data¶

When defining Salt Formulas in YAML the data that is being represented is referred to by the compiler as High Data. When the data is initially loaded into the compiler it is a single large python dictionary, this dictionary can be viewed raw by running:
This "High Data" structure is then compiled down to "Low Data". The Low Data is what is matched up to create individual executions in Salt's configuration management system. The low data is an ordered list of single state calls to execute. Once the low data is compiled the evaluation order can be seen. The low data can be viewed by running:
NOTE:
As an example, a state written thusly:
Will have High Data which looks like this represented in json:
The subsequent Low Data will look like this:
This tutorial discusses the Low Data evaluation and the state runtime.

Ordering Layers¶

Salt defines 2 order interfaces which are evaluated in the state runtime and defines these orders in a number of passes.

Definition Order¶

NOTE:
The top level of ordering is the Definition Order. The Definition Order is the order in which states are defined in salt formulas. This is very straightforward on basic states which do not contain include statements or a top file, as the states are just ordered from the top of the file, but the include system starts to bring in some simple rules for how the Definitiion Order is defined. Looking back at the "Low Data" and "High Data" shown above, the order key has been transparently added to the data to enable the Definition Order.

The Include Statement¶

Basically, if there is an include statement in a formula, then the formulas which are included will be run BEFORE the contents of the formula which is including them. Also, the include statement is a list, so they will be loaded in the order in which they are included. In the following case: foo.sls
bar.sls
baz.sls
In the above case if state.sls foo were called then the formulas will be loaded in the following order:

The order Flag¶

The Definition Order happens transparently in the background, but the ordering can be explicitly overridden using the order flag in states:
This order flag will over ride the definition order, this makes it very simple to create states that are always executed first, last or in specific stages, a great example is defining a number of package repositories that need to be set up before anything else, or final checks that need to be run at the end of a state run by using order: last or order: -1. When the order flag is explicitly set the Definition Order system will omit setting an order for that state and directly use the order flag defined.

Lexicographical Fall-back¶

Salt states were written to ALWAYS execute in the same order. Before the introduction of Definition Order in version 0.17.0 everything was ordered lexicographically according to the name of the state, then function then id. This is the way Salt has always ensured that states always run in the same order regardless of where they are deployed, the addition of the Definition Order method mealy makes this finite ordering easier to follow. The lexicographical ordering is still applied but it only has any effect when two order statements collide. This means that if multiple states are assigned the same order number that they will fall back to lexicographical ordering to ensure that every execution still happens in a finite order. NOTE:

Requisite Ordering¶

Salt states are fully declarative, in that they are written to declare the state in which a system should be. This means that components can require that other components have been set up successfully. Unlike the other ordering systems, the Requisite system in Salt is evaluated at runtime. The requisite system is also built to ensure that the ordering of execution never changes, but is always the same for a given set of states. This is accomplished by using a runtime that processes states in a completely predictable order instead of using an event loop based system like other declarative configuration management systems.

Runtime Requisite Evaluation¶

The requisite system is evaluated as the components are found, and the requisites are always evaluated in the same order. This explanation will be followed by an example, as the raw explanation may be a little dizzying at first as it creates a linear dependency evaluation sequence. The "Low Data" is an ordered list or dictionaries, the state runtime evaluates each dictionary in the order in which they are arranged in the list. When evaluating a single dictionary it is checked for requisites, requisites are evaluated in order, require then watch then prereq. NOTE:
Each requisite contains an ordered list of requisites, these requisites are looked up in the list of dictionaries and then executed. Once all requisites have been evaluated and executed then the requiring state can safely be run (or not run if requisites have not been met). This means that the requisites are always evaluated in the same order, again ensuring one of the core design principals of Salt's State system to ensure that execution is always finite is intact.

Simple Runtime Evaluation Example¶

Given the above "Low Data" the states will be evaluated in the following order:

Best Practice¶

The best practice in Salt is to choose a method and stick with it, official states are written using requisites for all associations since requisites create clean, traceable dependency trails and make for the most portable formulas. To accomplish something similar to how classical imperative systems function all requisites can be omitted and the failhard option then set to True in the master configuration, this will stop all state runs at the first instance of a failure. In the end, using requisites creates very tight and fine grained states, not using requisites makes full sequence runs and while slightly easier to write, and gives much less control over the executions.

Advanced Topics¶

SaltStack Walkthrough¶

Welcome!¶

Welcome to SaltStack! I am excited that you are interested in Salt and starting down the path to better infrastructure management. I developed (and am continuing to develop) Salt with the goal of making the best software available to manage computers of almost any kind. I hope you enjoy working with Salt and that the software can solve your real world needs!
NOTE:

Getting Started¶

What is Salt?¶

Salt is a different approach to infrastructure management, it is founded on the idea that high speed communication with large numbers of systems can open up new capabilities. This approach makes Salt a powerful multitasking system that can solve many specific problems in an infrastructure. The backbone of Salt is the remote execution engine, which creates a high speed, secure and bi-directional communication net for groups of systems. On top of this communication system Salt provides an extremely fast, flexible and easy to use configuration management system called Salt States. This unique approach to management makes for a transparent control system that is not only amazingly easy to set up and use, but also capable of solving very complex problems in infrastructures; as will be explored in this walk through. Salt is being used today by some of the largest infrastructures in the world and has a proven ability to scale to astounding proportions without modification. With the proven ability to scale out well beyond many tens of thousands of servers, Salt has also proven to be an excellent choice for small deployments as well, lowering compute and management overhead for infrastructures as small as just a few systems.

Installing Salt¶

SaltStack has been made to be very easy to install and get started. Setting up Salt should be as easy as installing Salt via distribution packages on Linux or via the Windows installer. The installation documents cover specific platform installation in depth.

Starting Salt¶

Salt functions on a master/minion topology. A master server acts as a central control bus for the clients (called minions), and the minions connect back to the master.

Setting Up the Salt Master¶

Turning on the Salt Master is easy, just turn it on! The default configuration is suitable for the vast majority of installations. The Salt master can be controlled by the local Linux/Unix service manager: On Systemd based platforms (OpenSuse, Fedora):
On Upstart based systems (Ubuntu, older Fedora/RHEL):
On SysV Init systems (Debian, Gentoo etc.):
Or the master can be started directly on the command line:
The Salt Master can also be started in the foreground in debug mode, thus greatly increasing the command output:
The Salt Master needs to bind to 2 TCP network ports on the system, these ports are 4505 and 4506. For more in depth information on firewalling these ports, the firewall tutorial is available here.

Setting up a Salt Minion¶

NOTE:
The Salt Minion only needs to be aware of one piece of information to run, the network location of the master. By default the minion will look for the DNS name salt for the master, making the easiest approach to set internal DNS to resolve the name salt back to the Salt Master IP. Otherwise the minion configuration file will need to be edited, edit the configuration option master to point to the DNS name or the IP of the Salt Master: NOTE:
/etc/salt/minion:
Now that the master can be found, start the minion in the same way as the master; with the platform init system, or via the command line directly: As a daemon:
In the foreground in debug mode:
Now that the minion is started it will generate cryptographic keys and attempt to connect to the master. The next step is to venture back to the master server and accept the new minion's public key. When the minion is started, it will generate an id value, unless it has been generated on a previous run and cached in the configuration directory ( /etc/salt by default). This is the name by which the minion will attempt to authenticate to the master. The following steps are attempted, in order to try to find a value that is not localhost:
If none of the above are able to produce an id which is not localhost, then a sorted list of IP addresses on the minion (excluding any within 127.0.0.0/8) is inspected. The first publicly-routable IP address is used, if there is one. Otherwise, the first privately-routable IP address is used. If all else fails, then localhost is used as a fallback. NOTE:

Using salt-key¶

Salt authenticates minions using public key encryption and authentication. For a minion to start accepting commands from the master the minion keys need to be accepted. The salt-key command is used to manage all of the keys on the master. To list the keys that are on the master run a salt-key list command:
The keys that have been rejected, accepted and pending acceptance are listed. The easiest way to accept the minion key is to accept all pending keys:
NOTE:

Sending the First Commands¶

Now that the minion is connected to the master and authenticated, the master can start to command the minion. Salt commands allow for a vast set of functions to be executed and for specific minions and groups of minions to be targeted for execution. This makes the salt command very powerful, but the command is also very usable, and easy to understand. The salt command is comprised of command options, target specification, the function to execute, and arguments to the function. A simple command to start with looks like this:
The * is the target, which specifies all minions, and test.ping tells the minion to run the test.ping function. The result of running this command will be the master instructing all of the minions to execute test.ping in parallel and return the result. This is not an actual ICMP ping, but rather a simple function which returns True. Using test.ping is a good way of confirming that a minion is connected. NOTE:

Getting to Know the Functions¶

Salt comes with a vast library of functions available for execution, and Salt functions are self documenting. To see what functions are available on the minions execute the sys.doc function:
This will display a very large list of available functions and documentation on them, this documentation is also available here. These functions cover everything from shelling out to package management to manipulating database servers. They comprise a powerful system management API which is the backbone to Salt configuration management and many other aspects of Salt. NOTE:

Helpful Functions to Know¶

The cmd module contains functions to shell out on minions, such as cmd.run and cmd.run_all:
The pkg functions automatically map local system package managers to the same salt functions. This means that pkg.install will install packages via yum on Red Hat based systems, apt on Debian systems, etc.:
NOTE:
The network.interfaces function will list all interfaces on a minion, along with their IP addresses, netmasks, MAC addresses, etc:

salt-call¶

The examples so far have described running commands from the Master using the salt command, but when troubleshooting it can be more beneficial to login to the minion directly and use salt-call. Doing so allows you to see the minion log messages specific to the command you are running (which are not part of the return data you see when running the command from the Master using salt), making it unnecessary to tail the minion log. More information on salt-call and how to use it can be found here.

Grains¶

Salt uses a system called Grains to build up static data about minions. This data includes information about the operating system that is running, CPU architecture and much more. The grains system is used throughout Salt to deliver platform data to many components and to users. Grains can also be statically set, this makes it easy to assign values to minions for grouping and managing. A common practice is to assign grains to minions to specify what the role or roles a minion might be. These static grains can be set in the minion configuration file or via the grains.setval function.

Targeting¶

Salt allows for minions to be targeted based on a wide range of criteria. The default targeting system uses globular expressions to match minions, hence if there are minions named larry1, larry2, curly1 and curly2, a glob of larry* will match larry1 and larry2, and a glob of *1 will match larry1 and curly1. Many other targeting systems can be used other than globs, these systems include:
The concepts of targets are used on the command line with salt, but also function in many other areas as well, including the state system and the systems used for ACLs and user permissions.

Passing in Arguments¶

Many of the functions available accept arguments, these arguments can be passed in on the command line:
This example passes the argument vim to the pkg.install function, since many functions can accept more complex input then just a string the arguments are parsed through YAML, allowing for more complex data to be sent on the command line:
In this case Salt translates the string 'foo: bar' into the dictionary "{'foo': 'bar'}" NOTE:

Salt States¶

Now that the basics are covered the time has come to evaluate States. Salt States, or the State System is the component of Salt made for configuration management. The State system is a fully functional configuration management system which has been designed to be exceptionally powerful while still being simple to use, fast, lightweight, deterministic and with salty levels of flexibility. The state system is already available with a basic salt setup, no additional configuration is required, states can be set up immediately. NOTE:

The First SLS Formula¶

The state system is built on sls formulas, these formulas are built out in files on Salt's file server. To make a very basic sls formula open up a file under /srv/salt named vim.sls and get vim installed: /srv/salt/vim.sls:
Now install vim on the minions by calling the sls directly:
This command will invoke the state system and run the named sls which was just created, vim. Now, to beef up the vim sls formula, a vimrc can be added: /srv/salt/vim.sls:
Now the desired vimrc needs to be copied into the Salt file server to /srv/salt/vimrc, in Salt everything is a file, so no path redirection needs to be accounted for. The vimrc file is placed right next to the vim.sls file. The same command as above can be executed to all the vim sls formulas and now include managing the file. NOTE:

Adding Some Depth¶

Obviously maintaining sls formulas right in the root of the file server will not scale out to reasonably sized deployments. This is why more depth is required. Start by making an nginx formula a better way, make an nginx subdirectory and add an init.sls file: /srv/salt/nginx/init.sls:
A few things are introduced in this sls formula, first is the service statement which ensures that the nginx service is running, but the nginx service can't be started unless the package is installed, hence the require. The require statement makes sure that the required component is executed before and that it results in success. NOTE:
Now this new sls formula has a special name, init.sls, when an sls formula is named init.sls it inherits the name of the directory path that contains it, so this formula can be referenced via the following command:
Now that subdirectories can be used the vim.sls formula can be cleaned up, but to make things more flexible (and to illustrate another point of course), move the vim.sls and vimrc into a new subdirectory called edit and change the vim.sls file to reflect the change: /srv/salt/edit/vim.sls:
The only change in the file is fixing the source path for the vimrc file. Now the formula is referenced as edit.vim because it resides in the edit subdirectory. Now the edit subdirectory can contain formulas for emacs, nano, joe or any other editor that may need to be deployed.

Next Reading¶

Two walkthroughs are specifically recommended at this point. First, a deeper run through States, followed by an explanation of Pillar.
An understanding of Pillar is extremely helpful in using States.

Getting Deeper Into States¶

Two more in-depth States tutorials exist, which delve much more deeply into States functionality.
These tutorials include much more in depth information including templating sls formulas etc.

So Much More!¶

This concludes the initial Salt walkthrough, but there are many more things to learn still! These documents will cover important core aspects of Salt:
A few more tutorials are also available:
This still is only scratching the surface, many components such as the reactor and event systems, extending Salt, modular components and more are not covered here. For an overview of all Salt features and documentation, look at the Table of Contents.

MinionFS Backend Walkthrough¶

New in version 2014.1.0: (Hydrogen) Sometimes, you might need to propagate files that are generated on a minion. Salt already has a feature to send files from a minion to the master:
This command will store the file, including its full path, under cachedir /master/minions/minion-id/files. With the default cachedir the example file above would be stored as /var/cache/salt/master/minions/minion-id/files/path/to/the/file. NOTE:
Since it is not a good idea to expose the whole cachedir, MinionFS should be used to send these files to other minions.

Simple Configuration¶

To use the minionfs backend only two configuration changes are required on the master. The fileserver_backend option needs to contain a value of minion and file_recv needs to be set to true:
These changes require a restart of the master, then new requests for the salt://minion-id/ protocol will send files that are pushed by cp.push from minion-id to the master. NOTE:
NOTE:

Commandline Example¶

Lets assume that we are going to generate SSH keys on a minion called minion-source and put the public part in ~/.ssh/authorized_keys of root user of a minion called minion-destination. First, lets make sure that /root/.ssh exists and has the right permissions:
We create an RSA key pair without a passphrase [*]:
and we send the public part to the master to be available to all minions:
now it can be seen by everyone:
Lets copy that as the only authorized key to minion-destination:
Or we can use a more elegant and salty way to add an SSH key:

[*]

Yes, that was the actual key on my server, but the server is already destroyed.

Automatic Updates / Frozen Deployments¶

New in version 0.10.3.d. Salt has support for the Esky application freezing and update tool. This tool allows one to build a complete zipfile out of the salt scripts and all their dependencies - including shared objects / DLLs.

Getting Started¶

To build frozen applications, you'll need a suitable build environment for each of your platforms. You should probably set up a virtualenv in order to limit the scope of Q/A. This process does work on Windows. Follow the directions at https://github.com/saltstack/salt-windows-install for details on installing Salt in Windows. Only the 32-bit Python and dependencies have been tested, but they have been tested on 64-bit Windows. You will need to install esky and bbfreeze from Pypi in order to enable the bdist_esky command in setup.py.

Building and Freezing¶

Once you have your tools installed and the environment configured, you can then python setup.py bdist to get the eggs prepared. After that is done, run python setup.py bdist_esky to have Esky traverse the module tree and pack all the scripts up into a redistributable. There will be an appropriately versioned salt-VERSION.zip in dist/ if everything went smoothly.

Windows¶

You will need to add C:\Python27\lib\site-packages\zmq to your PATH variable. This helps bbfreeze find the zmq dll so it can pack it up.

Using the Frozen Build¶

Unpack the zip file in your desired install location. Scripts like salt-minion and salt-call will be in the root of the zip file. The associated libraries and bootstrapping will be in the directories at the same level. (Check the Esky documentation for more information) To support updating your minions in the wild, put your builds on a web server that your minions can reach. salt.modules.saltutil.update() will trigger an update and (optionally) a restart of the minion service under the new version.

Gotchas¶

My Windows minion isn't responding¶

The process dispatch on Windows is slower than it is on *nix. You may need to add '-t 15' to your salt calls to give them plenty of time to return.

Windows and the Visual Studio Redist¶

You will need to install the Visual C++ 2008 32-bit redistributable on all Windows minions. Esky has an option to pack the library into the zipfile, but OpenSSL does not seem to acknowledge the new location. If you get a no OPENSSL_Applink error on the console when trying to start your frozen minion, you have forgotten to install the redistributable.

Mixed Linux environments and Yum¶

The Yum Python module doesn't appear to be available on any of the standard Python package mirrors. If you need to support RHEL/CentOS systems, you should build on that platform to support all your Linux nodes. Also remember to build your virtualenv with --system-site-packages so that the yum module is included.

Automatic (Python) module discovery¶

Automatic (Python) module discovery does not work with the late-loaded scheme that Salt uses for (Salt) modules. You will need to explicitly add any misbehaving modules to the freezer_includes in Salt's setup.py. Always check the zipped application to make sure that the necessary modules were included.

Multi Master Tutorial¶

As of Salt 0.16.0, the ability to connect minions to multiple masters has been made available. The multi-master system allows for redundancy of Salt masters and facilitates multiple points of communication out to minions. When using a multi-master setup, all masters are running hot, and any active master can be used to send commands out to the minions. In 0.16.0, the masters do not share any information, keys need to be accepted on both masters, and shared files need to be shared manually or use tools like the git fileserver backend to ensure that the file_roots are kept consistent.

Summary of Steps¶

Prepping a Redundant Master¶

The first task is to prepare the redundant master. There is only one requirement when preparing a redundant master, which is that masters share the same private key. When the first master was created, the master's identifying key was generated and placed in the master's pki_dir. The default location of the key is /etc/salt/pki/master/master.pem. Take this key and copy it to the same location on the redundant master. Assuming that no minions have yet been connected to the new redundant master, it is safe to delete any existing key in this location and replace it. NOTE:
Once the new key is in place, the redundant master can be safely started.

Configure Minions¶

Since minions need to be master-aware, the new master needs to be added to the minion configurations. Simply update the minion configurations to list all connected masters:
Now the minion can be safely restarted. Now the minions will check into the original master and also check into the new redundant master. Both masters are first-class and have rights to the minions.

Sharing Files Between Masters¶

Salt does not automatically share files between multiple masters. A number of files should be shared or sharing of these files should be strongly considered.

Minion Keys¶

Minion keys can be accepted the normal way using salt-key on both masters. Keys accepted, deleted, or rejected on one master will NOT be automatically managed on redundant masters; this needs to be taken care of by running salt-key on both masters or sharing the /etc/salt/pki/master/{minions,minions_pre,minions_rejected} directories between masters. NOTE:

File_Roots¶

The file_roots contents should be kept consistent between masters. Otherwise state runs will not always be consistent on minions since instructions managed by one master will not agree with other masters. The recommended way to sync these is to use a fileserver backend like gitfs or to keep these files on shared storage.

Pillar_Roots¶

Pillar roots should be given the same considerations as file_roots.

Master Configurations¶

While reasons may exist to maintain separate master configurations, it is wise to remember that each master maintains independent control over minions. Therefore, access controls should be in sync between masters unless a valid reason otherwise exists to keep them inconsistent. These access control options include but are not limited to:

Preseed Minion with Accepted Key¶

In some situations, it is not convenient to wait for a minion to start before accepting its key on the master. For instance, you may want the minion to bootstrap itself as soon as it comes online. You may also want to to let your developers provision new development machines on the fly. There is a general four step process to do this:

Pick a name for the key, such as the minion's id.

It is necessary that the public key file has the same name as your minion id. This is how Salt matches minions with their keys. Also note that the pki folder could be in a different location, depending on your OS or if specified in the master config file.
There is no single method to get the keypair to your minion. The difficulty is finding a distribution method which is secure.

You will want to place the minion keys before starting the salt-minion daemon:
Once in place, you should be able to start salt-minion and run salt-call state.highstate or any other salt commands that require master authentication.

Bootstrapping Salt on Linux EC2 with Cloud-Init¶

Salt is a great tool for remote execution and configuration management, however you will still need to bootstrap the daemon when spinning up a new node. One option is to create and save a custom AMI, but this creates another resource to maintain and document. A better method for Linux machines uses Canonical's CloudInit to run a bootstrap script during an EC2 Instance initialization. Cloud-init takes the user_data string passed into a new AWS instance and runs it in a manner similar to rc.local. The bootstrap script needs to:
Here is a sample script:
First the script adds the saltstack ppa and installs the package. Then we copy over the minion config template and tell it where to find the master. You will have to replace [salt_master_fqdn] with something that resolves to your Salt master.

Used With Boto¶

Boto will accept a string for user data which can be used to pass our bootstrap script. If the script is saved to a file, you can read it into a string:

Additional Notes¶

Sometime in the future the ppa will include and install an upstart file. In the meantime, you can use the bootstrap to build one. It may also be useful to set the node's role during this phase. One option would be saving the node's role to a file and then using a custom Grain to select it.

Salt Bootstrap¶

The Salt Bootstrap script allows for a user to install the Salt Minion or Master on a variety of system distributions and versions. This shell script known as bootstrap-salt.sh runs through a series of checks to determine the operating system type and version. It then installs the Salt binaries using the appropriate methods. The Salt Bootstrap script installs the minimum number of packages required to run Salt. This means that in the event you run the bootstrap to install via package, Git will not be installed. Installing the minimum number of packages helps ensure the script stays as lightweight as possible, assuming the user will install any other required packages after the Salt binaries are present on the system. The script source is available on GitHub: https://github.com/saltstack/salt-bootstrap

Supported Operating Systems¶

NOTE:

Example Usage¶

The Salt Bootstrap script has a wide variety of options that can be passed as well as several ways of obtaining the bootstrap script itself. For example, using curl to install latest git:
If you have certificate issues using curl, try the following:
Using wget to install your distribution's stable packages:
If you have certificate issues using wget try the following:
Install a specific version from git using wget:
If you already have python installed, python 2.6, then it's as easy as:
All python versions should support the following one liner:
On a FreeBSD base system you usually don't have either of the above binaries available. You do have fetch available though:
If all you want is to install a salt-master using latest git:
If you want to install a specific release version (based on the git tags):
Downloading the develop branch (from here standard command line options may be passed):

Command Line Options¶

-h Display the help message and command line options. -v Display script version. -n No colours. -D Show debug output. -c Temporary configuration directory. -k Temporary directory holding the minion keys which will pre-seed the master. -M Also install salt-master. -S Also install salt-syndic. -N Do not install salt-minion. -X Do not start daemons after installation. -C Only run the configuration function. This option automatically bypasses any installation. -P Allow pip based installations. On some distributions the required salt packages or its dependencies are not available as a package for that distribution. Using this flag allows the script to use pip as a last resort method. NOTE:
-F Allow copied files to overwrite existing(config, init.d, etc). -U If set, fully upgrade the system prior to bootstrapping salt. -K If set, keep the temporary files in the temporary directories specified with -c and -k.

GitFS Backend Walkthrough¶

While the default location of the salt state tree is on the Salt master, in /srv/salt, the master can create a bridge to external resources for files. One of these resources is the ability for the master to directly pull files from a git repository and serve them to minions. NOTE:
The gitfs backend hooks into any number of remote git repositories and caches the data from the repository on the master. This makes distributing a state tree to multiple masters seamless and automated. Salt's file server also has a concept of environments, when using the gitfs backend, Salt translates git branches and tags into environments, making environment management very simple. Just merging a QA or staging branch up to a production branch can be all that is required to make those file changes available to Salt.

Simple Configuration¶

To use the gitfs backend only two configuration changes are required on the master. The fileserver_backend option needs to be set with a value of git:
To configure what fileserver backends will be searched for requested files. Now the gitfs system needs to be configured with a remote:
NOTE:
These changes require a restart of the master, then the git repo will be cached on the master and new requests for the salt:// protocol will send files found in the remote git repository via the master. NOTE:

Multiple Remotes¶

The gitfs_remotes option can accept a list of git remotes, the remotes are then searched in order for the requested file. A simple scenario can illustrate this behavior. Assuming that the gitfs_remotes option specifies three remotes:
NOTE:
NOTE:
Assume that each repository contains some files:
The repositories will be searched for files by the master in the order in which they are defined in the configuration, Therefore the remote git://github.com/example/first.git will be searched first, if the requested file is found then it is served and no further searching is executed. This means that if the file salt://haproxy/init.sls is requested then it will be pulled from the git://github.com/example/second.git git repo. If salt://haproxy/haproxy.conf is requested then it will be pulled from the third repo.

Serving from a Subdirectory¶

The gitfs_root option gives the ability to serve files from a subdirectory within the repository. The path is defined relative to the root of the repository. With this repository structure:
Configuration and files can be accessed normally with:

Multiple Backends¶

Sometimes it may make sense to use multiple backends. For instance, if sls files are stored in git, but larger files need to be stored directly on the master. The logic used for multiple remotes is also used for multiple backends. If the fileserver_backend option contains multiple backends:
Then the roots backend (the default backend of files in /srv/salt) will be searched first for the requested file, then if it is not found on the master the git remotes will be searched.

Branches, environments and top.sls files¶

As stated above, when using the gitfs backend, branches will be mapped to environments using the branch name as identifier. There is an exception to this rule thought: the master branch is implicitly mapped to the base environment. Therefore, for a typical base, qa, dev setup, you'll have to create the following branches:
Also, top.sls files from different branches will be merged into one big file at runtime. Since this could lead to hardly manageable configurations, the recommended setup is to have the top.sls file only in your master branch, and use environment-specific branches for states definitions.

GitFS Remotes over SSH¶

In order to configure a gitfs_remotes repository over SSH transport the git+ssh URL form must be used.
The private key used to connect to the repository must be located in ~/.ssh/id_rsa for the user running the salt-master. NOTE:

Using Git as an External Pillar Source¶

Git repositories can also be used to provide Pillar data, using the External Pillar system. To define a git external pillar, you can add a section like the following to your master config file:
The <branch> param is the branch containing the pillar SLS tree, and the <repo> param is the URI for the repository. The below example would add the master branch of the specified repo as an external pillar source.
More information on the git external pillar can be found here.

Why aren't my custom modules/states/etc. syncing to my Minions?¶

In versions 0.16.3 and older, when using the git fileserver backend, certain versions of GitPython may generate errors when fetching, which Salt fails to catch. While not fatal to the fetch process, these interrupt the fileserver update that takes place before custom types are synced, and thus interrupt the sync itself. Try disabling the git fileserver backend in the master config, restarting the master, and attempting the sync again. This issue is worked around in Salt 0.16.4 and newer.

The MacOS X (Maverick) Developer Step By Step Guide To Salt Installation¶

This document provides a step by step guide to installing a salt cluster (one master, and one minion running on a local VM) on Mac OS X to start playing with salt. It is aimed at developers, so it may be a little too slow for experienced admins. At the end of it, you will have installed a bare Nginx server on a minion using the master. The official (Linux) walkthrough can be found here.

The 5 Cent Salt Intro¶

Since you're here you've probably already heard about Salt, so you already know Salt lets you configure and run commands on hordes of servers easily. Here's a brief overview of a Salt cluster:
NOTE:

[1]

Salt also works with "masterless" configuration where a minion is autonomous (in which case salt can be seen as a local configuration tool), or in "multiple master" configuration. See the documentation for more on that.

Before Digging In, The Architecture Of The Salt Cluster¶

Salt Master¶

The "Salt master" server is going to be the Mac OS machine, directly. Commands will be run from a terminal app, so Salt will need to be installed on the Mac. This is going to be more convenient for toying around with configuration files.

Salt Minion¶

We'll only have one "Salt minion" server. It is going to be running on a Virtual Machine running on the Mac, using VirtualBox. It will run an Ubuntu distribution.

Step 1 - Configuring The Salt Master On Your Mac¶

official documentation Because Salt has a lot of dependencies that are not built in Mac OS X, we will use Homebrew to install Salt. Homebrew is a package manager for Mac, it's great, use it (for this tutorial at least!). Some people spend a lot of time installing libs by hand to better understand dependencies, and then realize how useful a package manager is once they're configuring a brand new machine and have to do it all over again. It also lets you uninstall things easily. NOTE:
TIP:

Install Homebrew¶

Install Homebrew here http://brew.sh/ Or just type
Now type the following commands in your terminal (you may want to type brew doctor after each to make sure everything's fine):
NOTE:

Install Salt¶

you should now have everything ready to launch this command:
NOTE:
Now type python in a terminal then, import salt. There should be no errors. Now exit the Python terminal using exit().

Create The Master Configuration¶

If the default /etc/salt/master configuration file was not created, copy-paste it from here: http://docs.saltstack.com/ref/configuration/examples.html#configuration-examples-master NOTE:
Salt Master configuration changes. The Salt master needs a few customization to be able to run on Mac OS X:
In the /etc/salt/master file, change max_open_files to 8192 (or just add the line: max_open_files: 8192 (no quote) if it doesn't already exists). You should now be able to launch the Salt master:
There should be no errors when running the above command. NOTE:
Now that the master is set, let's configure a minion on a VM.

Step 2 - Configuring The Minion VM¶

The Salt minion is going to run on a Virtual Machine. There are a lot of software options that let you run virtual machines on a mac, But for this tutorial we're going to use VirtualBox. In addition to virtualBox, we will use Vagrant, which allows you to create the base VM configuration. Vagrant lets you build ready to use VM images, starting from an OS image and customizing it using "provisioners". In our case, we'll use it to:

Install VirtualBox¶

Go get it here: https://www.virtualBox.org/wiki/Downloads (click on VirtualBox for OS X hosts => x86/amd64)

Install Vagrant¶

Go get it here: http://downloads.vagrantup.com/ and choose the latest version (1.3.5 at time of writing), then the .dmg file. double-click to install it. Make sure the vagrant command is found when run in the terminal. Type vagrant. It should display a list of commands.

Create The Minion VM Folder¶

Create a folder in which you will store your minion's VM. In this tutorial, it's going to be a minion folder in the $home directory.

Initialize Vagrant¶

From the minion folder, type
This command creates a default Vagrantfile configuration file. This configuration file will be used to pass configuration parameters to the Salt provisioner in Step 3.

Import Precise64 Ubuntu Box¶

NOTE:

Modify the Vagrantfile¶

Modify ./minion/Vagrantfile to use th precise64 box. Change the config.vm.box line to:
Uncomment the line creating a host-only IP. This is the ip of your minion (you can change it to something else if that IP is already in use):
At this point you should have a VM that can run, although there won't be much in it. Let's check that.

Checking The VM¶

From the $home/minion folder type:
A log showing the VM booting should be present. Once it's done you'll be back to the terminal:
The VM should respond to your ping request. Now log inside the VM in ssh using Vagrant again:
You should see the shell prompt changing to something similar to vagrant@precise64:~$ meaning you're inside the VM. From there enter the following:
NOTE:
It's now time to connect the VM to the salt master

Step 3 - Connecting Master and Minion¶

Creating The Minion Configuration File¶

Create the /etc/salt/minion file. In that file, put the following lines, giving the ID for this minion, and the IP of the master:
Minions authenticate with the master using keys. Keys are generated automatically if you don't provide one, and you can accept them later on. But this requires you to accept the minion key every time you destroy and recreate a minion (which could be quite often). A better way is to create those keys in advance, feed them to the minion, and authorize them once.

Preseed minion keys¶

From the minion folder on your Mac run:
This should create two files: minion1.pem, and minion1.pub. Since those files have been created by sudo, but will be used by vagrant, you need to change ownership:
Then copy the .pub file into the list of accepted minions:

Modify Vagrantfile to Use Salt Provisioner¶

Let's now modify the Vagrantfile used to provision the Salt VM. Add the following section in the Vagrantfile (note: it should be at the same indentation level as the other properties):
Now destroy the vm and recreate it from the /minion folder:
If everything is fine you should see the following message:

Checking Master-Minion Communication¶

To make sure the master and minion are talking to each other, enter the following:
You should see your minion answering the ping. It's now time to do some configuration.

Step 4 - Configure Services to Install On the Minion¶

In this step we'll use the Salt master to instruct our minion to install Nginx.

Checking the system's original state¶

First, make sure that an HTTP server is not installed on our minion. When opening a browser directed at http://192.168.33.10/ You should get an error saying the site cannot be reached.

Initialize the top.sls file¶

System configuration is done in the /srv/salt/top.sls file (and subfiles/folders), and then applied by running the state.highstate command to have the Salt master give orders so minions will update their instructions and run the associated commands. First Create an empty file on your Salt master (Mac OS X machine):
When the file is empty, or if no configuration is found for our minion an error is reported:
Should return an error stating: "No Top file or external nodes data matches found".

Create The Nginx Configuration¶

Now is finally the time to enter the real meat of our server's configuration. For this tutorial our minion will be treated as a web server that needs to have Nginx installed. Insert the following lines into the /srv/salt/top.sls file (which should current be empty).
Now create a /srv/salt/bin/nginx.sls file containing the following:

Check Minion State¶

Finally run the state.highstate command again:
You should see a log showing that the Nginx package has been installed and the service configured. To prove it, open your browser and navigate to http://192.168.33.10/, you should see the standard Nginx welcome page. Congratulations!

Where To Go From Here¶

A full description of configuration management within Salt (sls files among other things) is available here: http://docs.saltstack.com/index.html#configuration-management

Writing Salt Tests¶

NOTE:
Salt comes with a powerful integration and unit test suite. The test suite allows for the fully automated run of integration and/or unit tests from a single interface. The integration tests are surprisingly easy to write and can be written to be either destructive or non-destructive.

Gettign Set Up For Tests¶

To walk through adding an integration test, start by getting the latest development code and the test system from github: NOTE:

Now that a fresh checkout is available run the test suite

Destructive vs Non-destructive¶

Since Salt is used to change the settings and behavior of systems often the best approach to run tests is to make actual changes to an underlying system. This is where the concept of destructive integration tests comes into play. Tests can be written to alter the system they are running on. This capability is what fills in the gap needed to properly test aspects of system management like package installation. To write a destructive test import and use the destructiveTest decorator for the test method:

Automated Test Runs¶

SaltStack maintains a Jenkins server which can be viewed at http://jenkins.saltstack.com. The tests executed from this Jenkins server create fresh virtual machines for each test run, then execute the destructive tests on the new clean virtual machine. This allows for the execution of tests across supported platforms.

Salt Cloud¶

Salt as a Cloud Controller¶

In Salt 0.14.0 advanced cloud control systems were introduced, allowing for private cloud vms to be managed directly with Salt. This system is generally referred to as Salt Virt. The Salt Virt system already exists and is installed within Salt itself, this means that beyond setting up Salt no additional salt code needs to be deployed. The main goal of Salt Virt is the facilitate a very fast and simple cloud. A cloud that can scale and a fully featured cloud. Salt Virt comes with the ability to set up and manage complex virtual machine networking, powerful image and disk management, as well as virtual machine migration, migration with and without shared storage. This means that Salt Virt can be used to create a cloud from a blade center and a SAN, but can also create a cloud out of a swarm of Linux Desktops without a single shared storage system. Salt Virt can make clouds from truly commodity hardware, but can also stand up the power of specialized hardware as well.

Setting up Hypervisors¶

The first step to set up the hypervisors involves getting the correct software installed and setting up the hypervisor network interfaces.

Installing Hypervisor Software¶

Salt Virt is made to be hypervisor agnostic, but currently the only fully implemented hypervisor is KVM via libvirt. The required software for a hypervisor is libvirt and kvm. For advanced features install libguestfs or qemu-nbd. NOTE:
This sls will set up the needed software for a hypervisor, and run the routines to set up the libvirt pki keys. NOTE:

Hypervisor Network Setup¶

The hypervisors will need to be running a network bridge to serve up network devices for virtual machines, this formula will set up a standard bridge on a hypervisor connecting the bridge to eth0:

Virtual Machine Network Setup¶

Salt Virt comes with a system to model the network interfaces used by the deployed virtual machines, by default a single interface is created for the deployed virtual machine and is bridged to br0. To get going with the default networking setup ensure that the bridge interface named br0 exists on the hypervisor and is bridged to an active network device. NOTE:

Libvirt State¶

One of the challenges of deploying a libvirt based cloud is the distribution of libvirt certificates. These certificates allow for virtual machine migration. Salt comes with a system used to auto deploy these certificates. Salt manages the signing authority key and generates keys for libvirt clients on the master, signs them with the certificate authority and uses pillar to distribute them. This is managed via the libvirt state. Simply execute this formula on the minion to ensure that the certificate is in place and up to date: NOTE:

Getting Virtual Machine Images Ready¶

Salt Virt, requires that virtual machine images be provided as these are not generated on the fly. Generating these virtual machine images differs greatly based on the underlying platform. Virtual machine images can be manually created using KVM and running through the installer, but this process is not recommended since it is very manual and prone to errors. Virtual Machine generation applications are available for many platforms:
Once virtual machines images are available the easiest way to make them available to Salt Virt is to place them in the Salt file server. Just copy an image into /srv/salt and it can now be used by Salt Virt. For purposes of this demo, the file name centos.img will be used.

Existing Virtual Machine Images¶

Many existing Linux distributions distribute virtual machine images which can be used with Salt Virt. Please be advised that NONE OF THESE IMAGES ARE SUPPORTED BY SALTSTACK.

CentOS¶

These images have been prepared for OpenNebula but should work without issue with Salt Virt, only the raw qcow image file is needed: http://wiki.centos.org/Cloud/OpenNebula

Fedora Linux¶

Images for Fedora Linux can be found here: http://cloud.fedoraproject.org

Ubuntu Linux¶

Images for Ubuntu Linux can be found here: http://cloud-images.ubuntu.com/

Using Salt Virt¶

With hypervisors set up and virtual machine images ready, Salt can start issuing cloud commands. Start by running a Salt Virt hypervisor info command:
This will query what the running hypervisor stats are and display information for all configured hypervisors. This command will also validate that the hypervisors are properly configured. Now that hypervisors are available a virtual machine can be provisioned. The virt.init routine will create a new virtual machine:
This command assumes that the CentOS virtual machine image is sitting in the root of the Salt fileserver. Salt Virt will now select a hypervisor to deploy the new virtual machine on and copy the virtual machine image down to the hypervisor. Once the VM image has been copied down the new virtual machine will be seeded. Seeding the VMs involves setting pre-authenticated Salt keys on the new VM and if needed, will install the Salt Minion on the new VM before it is started. NOTE:
Now that the new VM has been prepared, it can be seen via the virt.query command:
This command will return data about all of the hypervisors and respective virtual machines. Now that the new VM is booted it should have contacted the Salt Master, a test.ping will reveal if the new VM is running.

Migrating Virtual Machines¶

Salt Virt comes with full support for virtual machine migration, and using the libvirt state in the above formula makes migration possible. A few things need to be available to support migration. Many operating systems turn on firewalls when originally set up, the firewall needs to be opened up to allow for libvirt and kvm to cross communicate and execution migration routines. On Red Hat based hypervisors in particular port 16514 needs to be opened on hypervisors:
NOTE:
Salt also needs an additional flag to be turned on as well. The virt.tunnel option needs to be turned on. This flag tells Salt to run migrations securely via the libvirt TLS tunnel and to use port 16514. Without virt.tunnel libvirt tries to bind to random ports when running migrations. To turn on virt.tunnel simple apply it to the master config file:
Once the master config has been updated, restart the master and send out a call to the minions to refresh the pillar to pick up on the change:
Now, migration routines can be run! To migrate a VM, simply run the Salt Virt migrate routine:

VNC Consoles¶

Salt Virt also sets up VNC consoles by default, allowing for remote visual consoles to be oped up. The information from a virt.query routine will display the vnc console port for the specific vms:
The line Graphics: vnc - hyper6:5900 holds the key. First the port named, in this case 5900, will need to be available in the hypervisor's firewall. Once the port is open, then the console can be easily opened via vncviewer:
By default there is no VNC security set up on these ports, which suggests that keeping them firewalled and mandating that SSH tunnels be used to access these VNC interfaces. Keep in mind that activity on a VNC interface that is accessed can be viewed by any other user that accesses that same VNC interface, and any other user logging in can also operate with the logged in user on the virtual machine.

Conclusion¶

Now with Salt Virt running, new hypervisors can be seamlessly added just by running the above states on new bare metal machines, and these machines will be instantly available to Salt Virt.

Halite¶

Installing and Configuring Halite¶

In this tutorial, we'll walk through installing and setting up Halite. As of 2013-10-12, a packaged version of Halite is not available. In addition, the current version of Halite is considered pre-alpha and is supported only in Salt 0.17 or greater. Additional information is available on GitHub: https://github.com/saltstack/halite Before beginning this tutorial, ensure that the salt-master is installed. To install the salt-master, please review the installation documentation: http://docs.saltstack.com/topics/installation/index.html NOTE:

Installing Halite Via Package¶

On CentOS, RHEL, or Fedora:
NOTE:

Installing Halite Using pip¶

To begin the installation of Halite from PyPi, you'll need to install pip. The Salt package, as well as the bootstrap, do not install pip by default. On CentOS, RHEL, or Fedora:
On Debian:
Once you have pip installed, use it to install halite:
Depending on the webserver you want to run halite through, you'll need to install that piece as well. On RHEL based distros, use one of the following:


On Debian based distributions:

Configuring Halite Permissions¶

Configuring Halite access permissions is easy. By default, you only need to ensure that the @runner group is configured. In the /etc/salt/master file, uncomment and modify the following lines:
NOTE:
Halite uses the runner manage.status to get the status of minions, so runner permissions are required. As you can see in this example, the root user has been configured. If you aren't running Halite as the root user, you'll need to modify this value. For example:
Currently Halite allows, but does not require, any wheel modules.

Configuring Halite Settings¶

Once you've configured the permissions for Halite, you'll need to set up the Halite settings in the /etc/salt/master file. Halite supports CherryPy, Paste and Gevent out of the box. To configure cherrypy, add the following to the bottom of your /etc/salt/master file:
If you wish to use paste:
To use gevent:
The "cherrypy" and "gevent" servers require the certpath and keypath files to run tls/ssl. The .crt file holds the public cert and the .key file holds the private key. Whereas the "paste" server requires a single .pem file that contains both the cert and key. This can be created simply by concatenating the .crt and .key files. If you want to use a self-signed cert, you can create one using the Salt.tls module: NOTE:

You can also use salt-call to create a self-signed cert.
When using self-signed certs, browsers will need approval before accepting the cert. If the web application page has been cached with a non-HTTPS version of the app, then the browser cache will have to be cleared before it will recognize and prompt to accept the self-signed certificate.

Starting Halite¶

Once you've configured the halite section of your /etc/salt/master, you can restart the salt-master service, and your halite instance will be available. Depending on your configuration, the instance will be available either at http://localhost:8080/app, http://domain:8080/app, or http://123.456.789.012:8080/app . NOTE:
All logs relating to halite are logged to the default /var/log/salt/master file.

Running Your Halite Instance Through Nginx¶

Running Your Halite Instance Through Apache¶

ACCESS CONTROL SYSTEM¶

New in version 0.10.4. Salt maintains a standard system used to open granular control to non administrative users to execute Salt commands. The access control system has been applied to all systems used to configure access to non administrative control interfaces in Salt.These interfaces include, the peer system, the external auth system and the client acl system. The access control system mandated a standard configuration syntax used in all of the three aforementioned systems. While this adds functionality to the configuration in 0.10.4, it does not negate the old configuration. Now specific functions can be opened up to specific minions from specific users in the case of external auth and client ACLs, and for specific minions in the case of the peer system. The access controls are manifested using matchers in these configurations:
In the above example, fred is able to send commands only to minions which match the specified glob target. This can be expanded to include other functions for other minions based on standard targets.
The above allows for all minions to be hit by test.ping by dave, and adds a few functions that dave can execute on other minions. It also allows steve unrestricted access to salt commands.

EXTERNAL AUTHENTICATION SYSTEM¶

Salt 0.10.4 comes with a fantastic new way to open up running Salt commands to users. This system allows for Salt itself to pass through authentication to any authentication system (The Unix PAM system was the first) to determine if a user has permission to execute a Salt command. The external authentication system allows for specific users to be granted access to execute specific functions on specific minions. Access is configured in the master configuration file, and uses the new access control system:
So, the above allows the user thatch to execute functions in the test and network modules on the minions that match the web* target. User steve is given unrestricted access to minion commands. NOTE:
To allow access to wheel modules or runner modules the following @ syntax must be used:
The external authentication system can then be used from the command line by any user on the same system as the master with the -a option:
The system will ask the user for the credentials required by the authentication system and then publish the command.

Tokens¶

With external authentication alone the authentication credentials will be required with every call to Salt. This can be alleviated with Salt tokens. The tokens are short term authorizations and can be easily created by just adding a -T option when authenticating:
Now a token will be created that has a expiration of, by default, 12 hours. This token is stored in a file named .salt_token in the active user's home directory. Once the token is created, it is sent with all subsequent communications. The user authentication does not need to be entered again until the token expires. The token expiration time can be set in the Salt master config file.

PILLAR OF SALT¶

Pillar is an interface for Salt designed to offer global values that can be distributed to all minions. Pillar data is managed in a similar way as the Salt State Tree. Pillar was added to Salt in version 0.9.8 NOTE:

Declaring the Master Pillar¶

The Salt Master server maintains a pillar_roots setup that matches the structure of the file_roots used in the Salt file server. Like the Salt file server the pillar_roots option in the master config is based on environments mapping to directories. The pillar data is then mapped to minions based on matchers in a top file which is laid out in the same way as the state top file. Salt pillars can use the same matcher types as the standard top file. The configuration for the pillar_roots in the master config file is identical in behavior and function as file_roots:
This example configuration declares that the base environment will be located in the /srv/pillar directory. The top file used matches the name of the top file used for States, and has the same structure: /srv/pillar/top.sls
This further example shows how to use other standard top matching types (grain matching is used in this example) to deliver specific salt pillar data to minions with different os grains:
/srv/pillar/packages.sls
Now this data can be used from within modules, renderers, State SLS files, and more via the shared pillar dict:

Note that you cannot just list key/value-information in top.sls.

Pillar namespace flattened¶

The separate pillar files all share the same namespace. Given a top.sls of:
a packages.sls file of:
and a services.sls file of:
Then a request for the bind pillar will only return 'named'; the 'bind9' value is not available. It is better to structure your pillar files with more hierarchy. For example your package.sls file could look like:

Including Other Pillars¶

New in version 0.16.0. Pillar SLS files may include other pillar files, similar to State files. Two syntaxes are available for this purpose. The simple form simply includes the additional pillar as if it were part of the same file:
The full include form allows two additional options -- passing default values to the templating engine for the included pillar file as well as an optional key under which to nest the results of the included pillar:
With this form, the included file (users.sls) will be nested within the 'users' key of the compiled pillar. Additionally, the 'sudo' value will be available as a template variable to users.sls.

Viewing Minion Pillar¶

Once the pillar is set up the data can be viewed on the minion via the pillar module, the pillar module comes with two functions, pillar.items and and pillar.raw. pillar.items will return a freshly reloaded pillar and pillar.raw will return the current pillar without a refresh:
NOTE:

Pillar get Function¶

New in version 0.14.0. The pillar.get function works much in the same way as the get method in a python dict, but with an enhancement: nested dict components can be extracted using a : delimiter. If a structure like this is in pillar:
Extracting it from the raw pillar in an sls formula or file template is done this way:
Now, with the new pillar.get function the data can be safely gathered and a default can be set, allowing the template to fall back if the value is not available:
This makes handling nested structures much easier. NOTE:

Refreshing Pillar Data¶

When pillar data is changed on the master the minions need to refresh the data locally. This is done with the saltutil.refresh_pillar function.
This function triggers the minion to asynchronously refresh the pillar and will always return None.

Targeting with Pillar¶

Pillar data can be used when targeting minions. This allows for ultimate control and flexibility when targeting minions.
Like with Grains, it is possible to use globbing as well as match nested values in Pillar, by adding colons for each level that is being traversed. The below example would match minions with a pillar named foo, which is a dict containing a key bar, with a value beginning with baz:

Master Config In Pillar¶

For convenience the data stored in the master configuration file is made available in all minion's pillars. This makes global configuration of services and systems very easy but may not be desired if sensitive data is stored in the master configuration. To disable the master config from being added to the pillar set pillar_opts to False:

MASTER TOPS SYSTEM¶

In 0.10.4 the external_nodes system was upgraded to allow for modular subsystems to be used to generate the top file data for a highstate run on the master. The old external_nodes option has been removed. The master tops system contains a number of subsystems that are loaded via the Salt loader interfaces like modules, states, returners, runners, etc. Using the new master_tops option is simple:
for Cobbler or:
for Reclass. It's also possible to create custom master_tops modules. These modules must go in a subdirectory called tops in the extension_modules directory. The extension_modules directory is not defined by default (the default /srv/salt/_modules will NOT work as of this release) Custom tops modules are written like any other execution module, see the source for the two modules above for examples of fully functional ones. Below is a degenerate example: /etc/salt/master:
/srv/salt/modules/tops/customtop.py: salt minion state.show_top should then display something like:

JOB MANAGEMENT¶

New in version 0.9.7. Since Salt executes jobs running on many systems, Salt needs to be able to manage jobs running on many systems. As of Salt 0.9.7, the capability was added for more advanced job management.

The Minion proc System¶

The Salt Minions now maintain a proc directory in the Salt cachedir, the proc directory maintains files named after the executed job ID. These files contain the information about the current running jobs on the minion and allow for jobs to be looked up. This is located in the proc directory under the cachedir, with a default configuration it is under /var/cache/salt/proc.

Functions in the saltutil Module¶

Salt 0.9.7 introduced a few new functions to the saltutil module for managing jobs. These functions are:
These functions make up the core of the back end used to manage jobs at the minion level.

The jobs Runner¶

A convenience runner front end and reporting system has been added as well. The jobs runner contains functions to make viewing data easier and cleaner. The jobs runner contains a number of functions...

active¶

The active function runs saltutil.running on all minions and formats the return data about all running jobs in a much more usable and compact format. The active function will also compare jobs that have returned and jobs that are still running, making it easier to see what systems have completed a job and what systems are still being waited on.

lookup_jid¶

When jobs are executed the return data is sent back to the master and cached. By default is is cached for 24 hours, but this can be configured via the keep_jobs option in the master configuration. Using the lookup_jid runner will display the same return data that the initial job invocation with the salt command would display.

list_jobs¶

Before finding a historic job, it may be required to find the job id. list_jobs will parse the cached execution data and display all of the job data for jobs that have already, or partially returned.

SALT SCHEDULING¶

In Salt versions greater than 0.12.0, the scheduling system allows incremental executions on minions or the master. The schedule system exposes the execution of any execution function on minions or any runner on the master. Scheduling is enabled via the schedule option on either the master or minion config files, or via a minion's pillar data. NOTE:
Specify maxrunning to ensure that there are no more than N copies of a particular routine running. Use this for jobs that may be long-running and could step on each other or otherwise double execute. The default for maxrunning is 1. States are executed on the minion, as all states are. You can pass positional arguments are provide a yaml dict of named arguments.

States¶

Highstates¶

To set up a highstate to run on a minion every 60 minutes set this in the minion config or pillar:
Time intervals can be specified as seconds, minutes, hours, or days.

Runners¶

Runner executions can also be specified on the master within the master configuration file:
The above configuration will execute the state.over runner every 3 hours, 30 minutes and 35 seconds, or every 12,635 seconds.

Scheduler With Returner¶

The scheduler is also useful for tasks like gathering monitoring data about a minion, this schedule option will gather status data and send it to a mysql returner database:
Since specifying the returner repeatedly can be tiresome, the schedule_returner option is available to specify one or a list of global returners to be used by the minions when scheduling.

RUNNING THE SALT MASTER/MINION AS AN UNPRIVILEGED USER¶

While the default setup runs the master and minion as the root user, it is generally wise to run the master as an unprivileged user. As of Salt 0.9.10 it is possible to run Salt as as a non-root user. This can be done by setting the user parameter in the master configuration file. and restarting the salt-master service. The minion has it's own user parameter as well, but running the minion as an unprivileged user will keep it from making changes to things like users, installed packages, etc. unless access controls (sudo, etc.) are setup on the minion to permit the non-root user to make the needed changes. In order to allow Salt to successfully run as a non-root user, ownership and permissions need to be set such that the desired user can read from and write to the following directories (and their subdirectories, where applicable):
Ownership can be easily changed with chown, like so:
WARNING:

TROUBLESHOOTING¶

The intent of the troubleshooting section is to introduce solutions to a number of common issues encountered by users and the tools that are available to aid in developing States and Salt code.

Troubleshooting the Salt Master¶

If your Salt master is having issues such as minions not returning data, slow execution times, or a variety of other issues the Salt master troubleshooting page contains details on troubleshooting the most common issues encountered.

Troubleshooting the Salt Minion¶

In the event that your Salt minion is having issues a variety of solutions and suggestions are available at the Salt minion troubleshooting page.

Running in the Foreground¶

A great deal of information is available via the debug logging system, if you are having issues with minions connecting or not starting run the minion and/or master in the foreground:
Anyone wanting to run Salt daemons via a process supervisor such as monit, runit, or supervisord, should omit the -d argument to the daemons and run them in the foreground.

What Ports do the Master and Minion Need Open?¶

No ports need to be opened up on each minion. For the master, TCP ports 4505 and 4506 need to be open. If you've put both your Salt master and minion in debug mode and don't see an acknowledgment that your minion has connected, it could very well be a firewall. You can check port connectivity from the minion with the nc command:
There is also a firewall configuration document that might help as well. If you've enabled the right TCP ports on your operating system or Linux distribution's firewall and still aren't seeing connections, check that no additional access control system such as SELinux or AppArmor is blocking Salt.

Using salt-call¶

The salt-call command was originally developed for aiding in the development of new Salt modules. Since then, many applications have been developed for running any Salt module locally on a minion. These range from the original intent of salt-call, development assistance, to gathering more verbose output from calls like state.highstate. When creating your state tree, it is generally recommended to invoke state.highstate with salt-call. This displays far more information about the highstate execution than calling it remotely. For even more verbosity, increase the loglevel with the same argument as salt-minion:
The main difference between using salt and using salt-call is that salt-call is run from the minion, and it only runs the selected function on that minion. By contrast, salt is run from the master, and requires you to specify the minions on which to run the command using salt's targeting system.

Too many open files¶

The salt-master needs at least 2 sockets per host that connects to it, one for the Publisher and one for response port. Thus, large installations may, upon scaling up the number of minions accessing a given master, encounter:
The solution to this would be to check the number of files allowed to be opened by the user running salt-master (root by default):
And modify that value to be at least equal to the number of minions x 2. This setting can be changed in limits.conf as the nofile value(s), and activated upon new a login of the specified user. So, an environment with 1800 minions, would need 1800 x 2 = 3600 as a minimum.

Salt Master Stops Responding¶

There are known bugs with ZeroMQ versions less than 2.1.11 which can cause the Salt master to not respond properly. If you're running a ZeroMQ version greater than or equal to 2.1.9, you can work around the bug by setting the sysctls net.core.rmem_max and net.core.wmem_max to 16777216. Next, set the third field in net.ipv4.tcp_rmem and net.ipv4.tcp_wmem to at least 16777216. You can do it manually with something like:
Or with the following Salt state:

Salt and SELinux¶

Currently there are no SELinux policies for Salt. For the most part Salt runs without issue when SELinux is running in Enforcing mode. This is because when the minion executes as a daemon the type context is changed to initrc_t. The problem with SELinux arises when using salt-call or running the minion in the foreground, since the type context stays unconfined_t. This problem is generally manifest in the rpm install scripts when using the pkg module. Until a full SELinux Policy is available for Salt the solution to this issue is to set the execution context of salt-call and salt-minion to rpm_exec_t:
This works well, because the rpm_exec_t context has very broad control over other types.

Red Hat Enterprise Linux 5¶

Salt requires Python 2.6 or 2.7. Red Hat Enterprise Linux 5 and its variants come with Python 2.4 installed by default. When installing on RHEL 5 from the EPEL repository this is handled for you. But, if you run Salt from git, be advised that its dependencies need to be installed from EPEL and that Salt needs to be run with the python26 executable.

Common YAML Gotchas¶

An extensive list of YAML idiosyncrasies has been compiled.

Live Python Debug Output¶

If the minion or master seems to be unresponsive, a SIGUSR1 can be passed to the processes to display where in the code they are running. If encountering a situation like this, this debug information can be invaluable. First make sure the master of minion are running in the foreground:
Then pass the signal to the master or minion when it seems to be unresponsive:
Also under BSD and Mac OS X in addition to SIGUSR1 signal, debug subroutine set up for SIGINFO which has an advantage of being sent by Ctrl+T shortcut. When filing an issue or sending questions to the mailing list for a problem with an unresponsive daemon this information can be invaluable.

Salt 0.16.x minions cannot communicate with a 0.17.x master¶

As of release 0.17.1 you can no longer run different versions of Salt on your Master and Minion servers. This is due to a protocol change for security purposes. The Salt team will continue to attempt to ensure versions are as backwards compatible as possible.

TROUBLESHOOTING THE SALT MASTER¶

Running in the Foreground¶

A great deal of information is available via the debug logging system, if you are having issues with minions connecting or not starting run the master in the foreground:
Anyone wanting to run Salt daemons via a process supervisor such as monit, runit, or supervisord, should omit the -d argument to the daemons and run them in the foreground.

What Ports does the Master Need Open?¶

For the master, TCP ports 4505 and 4506 need to be open. If you've put both your Salt master and minion in debug mode and don't see an acknowledgment that your minion has connected, it could very well be a firewall interfering with the connection. See our firewall configuration page for help opening the firewall on various platforms. If you've opened the correct TCP ports and still aren't seeing connections, check that no additional access control system such as SELinux or AppArmor is blocking Salt.

Too many open files¶

The salt-master needs at least 2 sockets per host that connects to it, one for the Publisher and one for response port. Thus, large installations may, upon scaling up the number of minions accessing a given master, encounter:
The solution to this would be to check the number of files allowed to be opened by the user running salt-master (root by default):
If this value is not equal to at least twice the number of minions, then it will need to be raised. For example, in an environment with 1800 minions, the nofile limit should be set to no less than 3600. This can be done by creating the file /etc/security/limits.d/99-salt.conf, with the following contents:
Replace root with the user under which the master runs, if different. If your master does not have an /etc/security/limits.d directory, the lines can simply be appended to /etc/security/limits.conf. As with any change to resource limits, it is best to stay logged into your current shell and open another shell to run ulimit -n again and verify that the changes were applied correctly. Additionally, if your master is running upstart, it may be necessary to specify the nofile limit in /etc/default/salt-master if upstart isn't respecting your resource limits:
NOTE:

Salt Master Stops Responding¶

There are known bugs with ZeroMQ versions less than 2.1.11 which can cause the Salt master to not respond properly. If you're running a ZeroMQ version greater than or equal to 2.1.9, you can work around the bug by setting the sysctls net.core.rmem_max and net.core.wmem_max to 16777216. Next, set the third field in net.ipv4.tcp_rmem and net.ipv4.tcp_wmem to at least 16777216. You can do it manually with something like:
Or with the following Salt state:

Live Python Debug Output¶

If the master seems to be unresponsive, a SIGUSR1 can be passed to the salt-master threads to display what piece of code is executing. This debug information can be invaluable in tracking down bugs. To pass a SIGUSR1 to the master, first make sure the minion is running in the foreground. Stop the service if it is running as a daemon, and start it in the foreground like so:
Then pass the signal to the master when it seems to be unresponsive:
When filing an issue or sending questions to the mailing list for a problem with an unresponsive daemon, be sure to include this information if possible.

Commands Time Out or Do Not Return Output¶

Depending on your OS (this is most common on Ubuntu due to apt-get) you may sometimes encounter times where your highstate, or other long running commands do not return output. This is most commonly due to the timeout being reached. By default the timeout is set to 5 seconds. The timeout value can easily be increased by modifying the timeout line within your /etc/salt/master configuration file.

Passing the -c Option to Salt Returns a Permissions Error¶

Using the -c option with the Salt command modifies the configuration directory. When the configuratio file is read it will still base data off of the root_dir setting. This can result in unintended behavior if you are expecting files such as /etc/salt/pki to be pulled from the location specified with -c. Modify the root_dir setting to address this behavior.

TROUBLESHOOTING THE SALT MINION¶

Running in the Foreground¶

A great deal of information is available via the debug logging system, if you are having issues with minions connecting or not starting run the minion in the foreground:
Anyone wanting to run Salt daemons via a process supervisor such as monit, runit, or supervisord, should omit the -d argument to the daemons and run them in the foreground.

What Ports does the Minion Need Open?¶

No ports need to be opened on the minion, as it makes outbound connections to the master. If you've put both your Salt master and minion in debug mode and don't see an acknowledgment that your minion has connected, it could very well be a firewall interfering with the connection. See our firewall configuration page for help opening the firewall on various platforms. If you have netcat installed, you can check port connectivity from the minion with the nc command:
The Nmap utility can also be used to check if these ports are open:
If you've opened the correct TCP ports and still aren't seeing connections, check that no additional access control system such as SELinux or AppArmor is blocking Salt.

Using salt-call¶

The salt-call command was originally developed for aiding in the development of new Salt modules. Since then, many applications have been developed for running any Salt module locally on a minion. These range from the original intent of salt-call, development assistance, to gathering more verbose output from calls like state.highstate. When initially creating your state tree, it is generally recommended to invoke state.highstate from the minion with salt-call. This displays far more information about the highstate execution than calling it remotely. For even more verbosity, increase the loglevel with the same argument as salt-minion:
The main difference between using salt and using salt-call is that salt-call is run from the minion, and it only runs the selected function on that minion. By contrast, salt is run from the master, and requires you to specify the minions on which to run the command using salt's targeting system.

Live Python Debug Output¶

If the minion seems to be unresponsive, a SIGUSR1 can be passed to the process to display what piece of code is executing. This debug information can be invaluable in tracking down bugs. To pass a SIGUSR1 to the minion, first make sure the minion is running in the foreground. Stop the service if it is running as a daemon, and start it in the foreground like so:
Then pass the signal to the minion when it seems to be unresponsive:
When filing an issue or sending questions to the mailing list for a problem with an unresponsive daemon, be sure to include this information if possible.

YAML IDIOSYNCRASIES¶

One of Salt's strengths, the use of existing serialization systems for representing SLS data, can also backfire. YAML is a general purpose system and there are a number of things that would seem to make sense in an sls file that cause YAML issues. It is wise to be aware of these issues. While reports or running into them are generally rare they can still crop up at unexpected times.

Spaces vs Tabs¶

YAML uses spaces, period. Do not use tabs in your SLS files! If strange errors are coming up in rendering SLS files, make sure to check that no tabs have crept in! In Vim, after enabling search highlighting with: :set hlsearch, you can check with the following key sequence in normal mode(you can hit ESC twice to be sure): /, Ctrl-v, Tab, then hit Enter. Also, you can convert tabs to 2 spaces by these commands in Vim: :set tabstop=2 expandtab and then :retab.

Indentation¶

The suggested syntax for YAML files is to use 2 spaces for indentation, but YAML will follow whatever indentation system that the individual file uses. Indentation of two spaces works very well for SLS files given the fact that the data is uniform and not deeply nested.

Nested Dicts (key=value)¶

When dicts are more deeply nested, they no longer follow the same indentation logic. This is rarely something that comes up in Salt, since deeply nested options like these are discouraged when making State modules, but some do exist. A good example of this can be found in the context and default options from the file.managed state:
Notice that while the indentation is two spaces per level, for the values under the context and defaults options there is a four-space indent. If only two spaces are used to indent, then the information will not be loaded correctly. If using a double indent is not desirable, then a deeply-nested dict can be declared with curly braces:

True/False, Yes/No, On/Off¶

PyYAML will load these values as boolean True or False. Un-capitalized versions will also be loaded as booleans ( true, false, yes, no, on, and off). This can be especially problematic when constructing Pillar data. Make sure that your Pillars which need to use the string versions of these values are enclosed in quotes.

Integers are Parsed as Integers¶

NOTE: This has been fixed in salt 0.10.0, as of this release passing an integer that is preceded by a 0 will be correctly parsed When passing integers into an SLS file, they are passed as integers. This means that if a state accepts a string value and an integer is passed, that an integer will be sent. The solution here is to send the integer as a string. This is best explained when setting the mode for a file:
Salt manages this well, since the mode is passed as 644, but if the mode is zero padded as 0644, then it is read by YAML as an integer and evaluated as an octal value, 0644 becomes 420. Therefore, if the file mode is preceded by a 0 then it needs to be passed as a string:

YAML does not like Double Short Decs¶

If I can find a way to make YAML accept "Double Short Decs" then I will, since I think that double short decs would be awesome. So what is a "Double Short Dec"? It is when you declare a multiple short decs in one ID. Here is a standard short dec, it works great:
The short dec means that there are no arguments to pass, so it is not required to add any arguments, and it can save space. YAML though, gets upset when declaring multiple short decs, for the record... THIS DOES NOT WORK:
Similarly declaring a short dec in the same ID dec as a standard dec does not work either... ALSO DOES NOT WORK:
The correct way is to define them like this:
Alternatively, they can be defined the "old way", or with multiple "full decs":

YAML support only plain ASCII¶

According to YAML specification, only ASCII characters can be used. Within double-quotes, special characters may be represented with C-style escape sequences starting with a backslash ( \ ). Examples:
List of usable Unicode characters will help you to identify correct numbers. Python can also be used to discover the Unicode number for a character:
This shell command can find wrong characters in your SLS files:

Underscores stripped in Integer Definitions¶

If a definition only includes numbers and underscores, it is parsed by YAML as an integer and all underscores are stripped. To ensure the object becomes a string, it should be surrounded by quotes. More information here. Here's an example:

Automatic datetime conversion¶

If there is a value in a YAML file formatted 2014-01-20 14:23:23 or similar, YAML will automatically convert this to a Python datetime object. These objects are not msgpack serializable, and so may break core salt functionality. If values such as these are needed in a salt YAML file (specifically a configuration file), they should be formatted with surrounding strings to force YAML to serialize them as strings:

COMMUNITY¶

Join the Salt! There are many ways to participate in and communicate with the Salt community. Salt has an active IRC channel and a mailing list.

Mailing List¶

Join the salt-users mailing list. It is the best place to ask questions about Salt and see whats going on with Salt development! The Salt mailing list is hosted by Google Groups. It is open to new members. https://groups.google.com/forum/#!forum/salt-users

IRC¶

The #salt IRC channel is hosted on the popular Freenode network. You can use the Freenode webchat client right from your browser. Logs of the IRC channel activity are being collected courtesy of Moritz Lenz. If you wish to discuss the development of Salt itself join us in #salt-devel.

Follow on Github¶

The Salt code is developed via Github. Follow Salt for constant updates on what is happening in Salt development: https://github.com/saltstack/salt

Blogs¶

SaltStack Inc. keeps a blog with recent news and advancements: http://www.saltstack.com/blog/ Thomas Hatch also shares news and thoughts on Salt and related projects in his personal blog The Red45: http://red45.wordpress.com/

Example Salt States¶

The official salt-states repository is: https://github.com/saltstack/salt-states A few examples of salt states from the community:

Follow on ohloh¶

https://www.ohloh.net/p/salt

Other community links¶

Hack the Source¶

If you want to get involved with the development of source code or the documentation efforts, please review the hacking section!

SALT BASED PROJECTS¶

A number of unofficial open source projects, based on Salt, or written to enhance Salt have been created.

Salt Sandbox¶

Created by Aaron Bull Schaefer, aka "elasticdog". https://github.com/elasticdog/salt-sandbox Salt Sandbox is a multi-VM Vagrant-based Salt development environment used for creating and testing new Salt state modules outside of your production environment. It's also a great way to learn firsthand about Salt and its remote execution capabilities. Salt Sandbox will set up three separate virtual machines:
These VMs can be used in conjunction to segregate and test your modules based on node groups, top file environments, grain values, etc. You can even test modules on different Linux distributions or release versions to better match your production infrastructure.

SALT EVENT SYSTEM¶

Salt 0.9.10 introduced the Salt Event System. This system is used to fire off events enabling third party applications or external processes to react to behavior within Salt. The event system is comprised of a few components, the event sockets which publish events, and the event library which can listen to events and send events into the salt system.

Listening for Events¶

The event system is accessed via the event library and can only be accessed by the same system user that Salt is running as. To listen to events a SaltEvent object needs to be created and then the get_event function needs to be run. The SaltEvent object needs to know the location that the Salt Unix sockets are kept. In the configuration this is the sock_dir option. The sock_dir option defaults to "/var/run/salt/master" on most systems. The following code will check for a single event:
Events will also use a "tag". A "tag" allows for events to be filtered. By default all events will be returned, but if only authentication events are desired, then pass the tag "auth". Also, the get_event method has a default poll time assigned of 5 seconds, to change this time set the "wait" option. This example will only listen for auth events and will wait for 10 seconds instead of the default 5.
Instead of looking for a single event, the iter_events method can be used to make a generator which will continually yield salt events. The iter_events method also accepts a tag, but not a wait time:

Firing Events¶

It is possible to fire events on either the minion's local bus, or to fire events intended for the master. To fire a local event from the minion, on the command line:
To fire an event to be sent to the master, from the minion:
If a process is listening on the minion, it may be useful for a user on the master to fire an event to it:

Firing Events From Code¶

Events can be very useful when writing execution modules, in order to inform various processes on the master when a certain task has taken place. In Salt versions previous to 0.17.0, the basic code looks like:
In Salt version 0.17.0, the ability to send a payload with a more complex data structure than a string was added. When using this interface, a Python dictionary should be sent instead.
It should be noted that this code can be used in 3rd party applications as well. So long as the salt-minion process is running, the minion socket can be used:
So long as the salt-master process is running, the master socket can be used:
This allows 3rd party applications to harness the power of the Salt event bus programmatically, without having to make other calls to Salt. A 3rd party process can listen to the event bus on the master, and another 3rd party process can fire events to the process on the master, which Salt will happily pass along.

THE SALT MINE¶

Granted, it took a while for this name to be used in Salt, but version 0.15.0 introduces a new system to Salt called the Salt Mine. The Salt Mine is used to bridge the gap between setting static variables and gathering live data. The Salt mine is used to collect arbitrary data from minions and store it on the master. This data is then made available to all minions via the mine module. The data is gathered on the minion and sent back to the master where only the most recent data is maintained (if long term data is required use returners or the external job cache).

Mine Functions¶

To enable the Salt Mine the mine_functions option needs to be applied to a minion. This option can be applied via the minion's configuration file, or the minion's pillar. The mine_functions option dictates what functions are being executed and allows for arguments to be passed in:

Mine Interval¶

The Salt Mine functions are executed when the minion starts and at a given interval by the scheduler. The default interval is every 60 minutes and can be adjusted for the minion via the mine_interval option:

SALT CLOUD DOCUMENTATION¶

Cloud Actions¶

Once a VM has been created, there are a number of actions that can be performed on it. The "reboot" action can be used across all providers, but all other actions are specific to the cloud provider. In order to perform an action, you may specify it from the command line, including the name(s) of the VM to perform the action on:
Or you may specify a map which includes all VMs to perform the action on:
The following is a list of actions currently supported by salt-cloud:

Getting Started With AWS EC2¶

Amazon EC2 is a very widely used public cloud platform and one of the core platforms Salt Cloud has been built to support. Previously, the suggested provider for AWS EC2 was the aws provider. This has been deprecated in favor of the ec2 provider. Configuration using the old aws provider will still function, but that driver is no longer in active development.

Access Credentials¶

The id and key settings may be found in the Security Credentials area of the AWS Account page: https://portal.aws.amazon.com/gp/aws/securityCredentials Both are located in the Access Credentials area of the page, under the Access Keys tab. The id setting is labeled Access Key ID, and the key setting is labeled Secret Access Key.

Key Pairs¶

In order to create an instance with Salt installed and configured, a key pair will need to be created. This can be done in the EC2 Management Console, in the Key Pairs area. These key pairs are unique to a specific region. Keys in the us-east-1 region can be configured at: https://console.aws.amazon.com/ec2/home?region=us-east-1#s=KeyPairs Keys in the us-west-1 region can be configured at https://console.aws.amazon.com/ec2/home?region=us-west-1#s=KeyPairs ...and so on. When creating a key pair, the browser will prompt to download a pem file. This file must be placed in a directory accessable by Salt Cloud, with permissions set to either 0400 or 0600.

Security Groups¶

An instance on EC2 needs to belong to a security group. Like key pairs, these are unique to a specific region. These are also configured in the EC2 Management Console. Security groups for the us-east-1 region can be configured at: https://console.aws.amazon.com/ec2/home?region=us-east-1#s=SecurityGroups ...and so on. A security group defines firewall rules which an instance will adhere to. If the salt-master is configured outside of EC2, the security group must open the SSH port (usually port 22) in order for Salt Cloud to install Salt.

IAM Profile¶

Amazon EC2 instances support the concept of an instance profile, which is a logical container for the IAM role. At the time that you launch an EC2 instance, you can associate the instance with an instance profile, which in turn corresponds to the IAM role. Any software that runs on the EC2 instance is able to access AWS using the permissions associated with the IAM role. Scaffolding the profile is a 2 steps configurations:
Once the profile is created, you can use the PROFILE_NAME to configure your cloud profiles.

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles:
The profile can be realized now with a salt command:
This will create an instance named ami.example.com in EC2. The minion that is installed on this instance will have an id of ami.example.com. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:

Required Settings¶

The following settings are always required for EC2:

Optional Settings¶

EC2 allows a location to be set for servers to be deployed in. Availability zones exist inside regions, and may be added to increase specificity.
EC2 instances can have a public or private IP, or both. When an instance is deployed, Salt Cloud needs to log into it via SSH to run the deploy script. By default, the public IP will be used for this. If the salt-cloud command is run from another EC2 instance, the private IP should be used.
Many EC2 instances do not allow remote access to the root user by default. Instead, another user must be used to run the deploy script using sudo. Some common usernames include ec2-user (for Amazon Linux), ubuntu (for Ubuntu instances), admin (official Debian) and bitnami (for images provided by Bitnami).
Multiple usernames can be provided, in which case Salt Cloud will attempt to guess the correct username. This is mostly useful in the main configuration file:
Multiple security groups can also be specified in the same fashion:
Block device mappings enable you to specify additional EBS volumes or instance store volumes when the instance is launched. This setting is also available on each cloud profile. Note that the number of instance stores varies by instance type. If more mappings are provided than are supported by the instance type, mappings will be created in the order provided and additional mappings will be ignored. Consult the AWS documentation for a listing of the available instance stores, device names, and mount points.
You can also use block device mappings to change the size of the root device at the provisioing time. For example, assuming the root device is '/dev/sda', you can set its size to 100G by using the following configuration.
Tags can be set once an instance has been launched.

Modify EC2 Tags¶

One of the features of EC2 is the ability to tag resources. In fact, under the hood, the names given to EC2 instances by salt-cloud are actually just stored as a tag called Name. Salt Cloud has the ability to manage these tags:

Rename EC2 Instances¶

As mentioned above, EC2 instances are named via a tag. However, renaming an instance by renaming its tag will cause the salt keys to mismatch. A rename function exists which renames both the instance, and the salt keys.

EC2 Termination Protection¶

EC2 allows the user to enable and disable termination protection on a specific instance. An instance with this protection enabled cannot be destroyed.

Rename on Destroy¶

When instances on EC2 are destroyed, there will be a lag between the time that the action is sent, and the time that Amazon cleans up the instance. During this time, the instance still retails a Name tag, which will cause a collision if the creation of an instance with the same name is attempted before the cleanup occurs. In order to avoid such collisions, Salt Cloud can be configured to rename instances when they are destroyed. The new name will look something like:
In order to enable this, add rename_on_destroy line to the main configuration file:

Listing Images¶

Normally, images can be queried on a cloud provider by passing the --list-images argument to Salt Cloud. This still holds true for EC2:
However, the full list of images on EC2 is extremely large, and querying all of the available images may cause Salt Cloud to behave as if frozen. Therefore, the default behavior of this option may be modified, by adding an owner argument to the provider configuration:
The possible values for this setting are amazon, aws-marketplace, self, <AWS account ID> or all. The default setting is amazon. Take note that all and aws-marketplace may cause Salt Cloud to appear as if it is freezing, as it tries to handle the large amount of data. It is also possible to perform this query using different settings without modifying the configuration files. To do this, call the avail_images function directly:

EC2 Images¶

The following are lists of available AMI images, generally sorted by OS. These lists are on 3rd-party websites, are not managed by Salt Stack in any way. They are provided here as a reference for those who are interested, and contain no warranty (express or implied) from anyone affiliated with Salt Stack. Most of them have never been used, much less tested, by the Salt Stack team.

show_image¶

This is a function that describes an AMI on EC2. This will give insight as to the defaults that will be applied to an instance using a particular AMI.

show_instance¶

This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance.

ebs_optimized¶

This argument enables switching of the EbsOptimized setting which default to 'false'. Indicates whether the instance is optimized for EBS I/O. This optimization provides dedicated throughput to Amazon EBS and an optimized configuration stack to provide optimal Amazon EBS I/O performance. This optimization isn't available with all instance types. Additional usage charges apply when using an EBS-optimized instance. This setting can be added to the profile or map file for an instance. If set to True, this setting will enable an instance to be EbsOptimized
This can also be set as a cloud provider setting in the EC2 cloud configuration:

del_root_vol_on_destroy¶

This argument overrides the default DeleteOnTermination setting in the AMI for the EBS root volumes for an instance. Many AMIs contain 'false' as a default, resulting in orphaned volumes in the EC2 account, which may unknowingly be charged to the account. This setting can be added to the profile or map file for an instance. If set, this setting will apply to the root EBS volume
This can also be set as a cloud provider setting in the EC2 cloud configuration:

del_all_vols_on_destroy¶

This argument overrides the default DeleteOnTermination setting in the AMI for the not-root EBS volumes for an instance. Many AMIs contain 'false' as a default, resulting in orphaned volumes in the EC2 account, which may unknowingly be charged to the account. This setting can be added to the profile or map file for an instance. If set, this setting will apply to any (non-root) volumes that were created by salt-cloud using the 'volumes' setting. The volumes will not be deleted under the following conditions * If a volume is detached before terminating the instance * If a volume is created without this setting and attached to the instance
This can also be set as a cloud provider setting in the EC2 cloud configuration:
The setting for this may be changed on all volumes of an existing instance using one of the following commands:
The setting for this may be changed on a volume on an existing instance using one of the following commands:

EC2 Termination Protection¶

EC2 allows the user to enable and disable termination protection on a specific instance. An instance with this protection enabled cannot be destroyed. The EC2 driver adds a show_term_protect action to the regular EC2 functionality.

Alternate Endpoint¶

Normally, EC2 endpoints are build using the region and the service_url. The resulting endpoint would follow this pattern:
This results in an endpoint that looks like:
There are other projects that support an EC2 compatibility layer, which this scheme does not account for. This can be overridden by specifying the endpoint directly in the main cloud configuration file:

Volume Management¶

The EC2 driver has several functions and actions for management of EBS volumes.

Creating Volumes¶

A volume may be created, independent of an instance. A zone must be specified. A size or a snapshot may be specified (in GiB). If neither is given, a default size of 10 GiB will be used. If a snapshot is given, the size of the snapshot will be used.

Attaching Volumes¶

Unattached volumes may be attached to an instance. The following values are required; name or instance_id, volume_id and device.

Show a Volume¶

The details about an existing volume may be retrieved.

Detaching Volumes¶

An existing volume may be detached from an instance.

Deleting Volumes¶

A volume that is not attached to an instance may be deleted.

Managing Key Pairs¶

The EC2 driver has the ability to manage key pairs.

Creating a Key Pair¶

A key pair is required in order to create an instance. When creating a key pair with this function, the return data will contain a copy of the private key. This private key is not stored by Amazon, and will not be obtainable past this point, and should be stored immediately.

Show a Key Pair¶

This function will show the details related to a key pair, not including the private key itself (which is not stored by Amazon).

Delete a Key Pair¶

This function removes the key pair from Amazon.

Getting Started With Azure¶

New in version 2014.1.0. Azure is a cloud service by Microsoft providing virtual machines, SQL services, media services, and more. This document describes how to use Salt Cloud to create a virtual machine on Azure, with Salt installed. You can find more information about Azure at http://www.windowsazure.com/.

Dependencies¶

Configuration¶

Set up the provider config at /etc/salt/cloud.providers.d/azure.conf:
The certificate used must be generated by the user. OpenSSL can be used to create the management certificates. Two certificates are needed: a .cer file, which is uploaded to Azure, and a .pem file, which is stored locally. To create the .pem file, execute the following command:
To create the .cer file, execute the following command:
After you creating these files, the .cer file will need to be uploaded to Azure via the "Upload" action of the "Settings" tab of the management portal.

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles:
These options are described in more detail below. Once configured, the profile can be realized with a salt command:
This will create an salt minion instance named newinstance in Azure. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:

Profile Options¶

The following options are currently available for Azure.

provider¶

The name of the provider as configured in /etc/salt/cloud.providers.d/azure.conf.

image¶

The name of the image to use to create a VM. Available images can be viewed using the following command:

size¶

The name of the size to use to create a VM. Available sizes can be viewed using the following command:

location¶

The name of the location to create a VM in. Available locations can be viewed using the following command:

ssh_username¶

The user to use to log into the newly-created VM to install Salt.

ssh_password¶

The password to use to log into the newly-created VM to install Salt.

slot¶

The environment to which the hosted service is deployed. Valid values are staging or production. When set to production, the resulting URL of the new VM will be <vm_name>.cloudapp.net. When set to staging, the resulting URL will contain a generated hash instead.

media_link¶

This is the URL of the container that will store the disk that this VM uses. Currently, this container must already exist. If a VM has previously been created in the associated account, a container should already exist. In the web interface, go into the Storage area and click one of the available storage selections. Click the Containers link, and then copy the URL from the container that will be used. It generally looks like:

Show Instance¶

This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance.

Writing Cloud Provider Modules¶

Salt Cloud runs on a module system similar to the main Salt project. The modules inside saltcloud exist in the salt/cloud/clouds directory of the salt source. There are two basic types of cloud modules. If a cloud provider is supported by libcloud, then using it is the fastest route to getting a module written. The Apache Libcloud project is located at: http://libcloud.apache.org/ Not every cloud provider is supported by libcloud. Additionally, not every feature in a supported cloud provider is necessary supported by libcloud. In either of these cases, a module can be created which does not rely on libcloud.

All Modules¶

The following functions are required by all modules, whether or not they are based on libcloud.

The __virtual__() Function¶

This function determines whether or not to make this cloud module available upon execution. Most often, it uses get_configured_provider() to determine if the necessary configuration has been set up. It may also check for necessary imports, to decide whether to load the module. In most cases, it will return a True or False value. If the name of the driver used does not match the filename, then that name should be returned instead of True. An example of this may be seen in the Azure module: https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/msazure.py

The get_configured_provider() Function¶

This function uses config.is_provider_configured() to determine wither all required information for this driver has been configured. The last value in the list of required settings should be followed by a comma.

Libcloud Based Modules¶

Writing a cloud module based on libcloud has two major advantages. First of all, much of the work has already been done by the libcloud project. Second, most of the functions necessary to Salt have already been added to the Salt Cloud project.

The create() Function¶

The most important function that does need to be manually written is the create() function. This is what is used to request a virtual machine to be created by the cloud provider, wait for it to become available, and then (optionally) log in and install Salt on it. A good example to follow for writing a cloud provider module based on libcloud is the module provided for Linode: https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/linode.py The basic flow of a create() function is as follows:
At various points throughout this function, events may be fired on the Salt event bus. Four of these events, which are described below, are required. Other events may be added by the user, where appropriate. When the create() function is called, it is passed a data structure called vm_. This dict contains a composite of information describing the virtual machine to be created. A dict called __opts__ is also provided by Salt, which contains the options used to run Salt Cloud, as well as a set of configuration and environment variables. The first thing the create() function must do is fire an event stating that it has started the create process. This event is tagged salt/cloud/<vm name>/creating. The payload contains the names of the VM, profile and provider. A set of kwargs is then usually created, to describe the parameters required by the cloud provider to request the virtual machine. An event is then fired to state that a virtual machine is about to be requested. It is tagged as salt/cloud/<vm name>/requesting. The payload contains most or all of the parameters that will be sent to the cloud provider. Any private information (such as passwords) should not be sent in the event. After a request is made, a set of deploy kwargs will be generated. These will be used to install Salt on the target machine. Windows options are supported at this point, and should be generated, even if the cloud provider does not currently support Windows. This will save time in the future if the provider does eventually decide to support Windows. An event is then fired to state that the deploy process is about to begin. This event is tagged salt/cloud/<vm name>/deploying. The payload for the event will contain a set of deploy kwargs, useful for debugging purposed. Any private data, including passwords and keys (including public keys) should be stripped from the deploy kwargs before the event is fired. If any Windows options have been passed in, the salt.utils.cloud.deploy_windows() function will be called. Otherwise, it will be assumed that the target is a Linux or Unix machine, and the salt.utils.cloud.deploy_script() will be called. Both of these functions will wait for the target machine to become available, then the necessary port to log in, then a successful login that can be used to install Salt. Minion configuration and keys will then be uploaded to a temporary directory on the target by the appropriate function. On a Windows target, the Windows Minion Installer will be run in silent mode. On a Linux/Unix target, a deploy script (bootstrap-salt.sh, by default) will be run, which will auto-detect the operating system, and install Salt using its native package manager. These do not need to be handled by the developer in the cloud module. After the appropriate deploy function completes, a final event is fired which describes the virtual machine that has just been created. This event is tagged salt/cloud/<vm name>/created. The payload contains the names of the VM, profile and provider. Finally, a dict (queried from the provider) which describes the new virtual machine is returned to the user. Because this data is not fired on the event bus it can, and should, return any passwords that were returned by the cloud provider. In some cases (for example, Rackspace), this is the only time that the password can be queried by the user; post-creation queries may not contain password information (depending upon the provider).

The libcloudfuncs Functions¶

A number of other functions are required for all cloud providers. However, with libcloud-based modules, these are all provided for free by the libcloudfuncs library. The following two lines set up the imports:
And then a series of declarations will make the necessary functions available within the cloud module.
If necessary, these functions may be replaced by removing the appropriate declaration line, and then adding the function as normal. These functions are required for all cloud modules, and are described in detail in the next section.

Non-Libcloud Based Modules¶

In some cases, using libcloud is not an option. This may be because libcloud has not yet included the necessary driver itself, or it may be that the driver that is included with libcloud does not contain all of the necessary features required by the developer. When this is the case, some or all of the functions in libcloudfuncs may be replaced. If they are all replaced, the libcloud imports should be absent from the Salt Cloud module. A good example of a non-libcloud provider is the Digital Ocean module: https://github.com/saltstack/salt/blob/develop/salt/cloud/clouds/digital_ocean.py

The create() Function¶

The create() function must be created as described in the libcloud-based module documentation.

The get_size() Function¶

This function is only necessary for libcloud-based modules, and does not need to exist otherwise.

The get_image() Function¶

This function is only necessary for libcloud-based modules, and does not need to exist otherwise.

The avail_locations() Function¶

This function returns a list of locations available, if the cloud provider uses multiple data centers. It is not necessary if the cloud provider only uses one data center. It is normally called using the --list-locations option.

The avail_images() Function¶

This function returns a list of images available for this cloud provider. There are not currently any known cloud providers that do not provide this functionality, though they may refer to images by a different name (for example, "templates"). It is normally called using the --list-images option.

The avail_sizes() Function¶

This function returns a list of sizes available for this cloud provider. Generally, this refers to a combination of RAM, CPU and/or disk space. This functionality may not be present on some cloud providers. For example, the Parallels module breaks down RAM, CPU and disk space into separate options, whereas in other providers, these options are baked into the image. It is normally called using the --list-sizes option.

The script() Function¶

This function builds the deploy script to be used on the remote machine. It is likely to be moved into the salt.utils.cloud library in the near future, as it is very generic and can usually be copied wholesale from another module. An excellent example is in the Azure driver.

The destroy() Function¶

This function irreversably destroys a virtual machine on the cloud provider. Before doing so, it should fire an event on the Salt event bus. The tag for this event is salt/cloud/<vm name>/destroying. Once the virtual machine has been destroyed, another event is fired. The tag for that event is salt/cloud/<vm name>/destroyed. This function is normally called with the -d options:

The list_nodes() Function¶

This function returns a list of nodes available on this cloud provider, using the following fields:
No other fields should be returned in this function, and all of these fields should be returned, even if empty. The private_ips and public_ips fields should always be of a list type, even if empty, and the other fields should always be of a str type. This function is normally called with the -Q option:

The list_nodes_full() Function¶

All information available about all nodes should be returned in this function. The fields in the list_nodes() function should also be returned, even if they would not normally be provided by the cloud provider. This is because some functions both within Salt and 3rd party will break if an expected field is not present. This function is normally called with the -F option:

The list_nodes_select() Function¶

This function returns only the fields specified in the query.selection option in /etc/salt/cloud. Because this function is so generic, all of the heavy lifting has been moved into the salt.utils.cloud library. A function to call list_nodes_select() still needs to be present. In general, the following code can be used as-is:
However, depending on the cloud provider, additional variables may be required. For instance, some modules use a conn object, or may need to pass other options into list_nodes_full(). In this case, be sure to update the function appropriately:
This function is normally called with the -S option:

The show_instance() Function¶

This function is used to display all of the information about a single node that is available from the cloud provider. The simplest way to provide this is usually to call list_nodes_full(), and return just the data for the requested node. It is normally called as an action:

Actions and Functions¶

Extra functionality may be added to a cloud provider in the form of an --action or a --function. Actions are performed against a cloud instance/virtual machine, and functions are performed against a cloud provider.

Actions¶

Actions are calls that are performed against a specific instance or virtual machine. The show_instance action should be available in all cloud modules. Actions are normally called with the -a option:
Actions must accept a name as a first argument, may optionally support any number of kwargs as appropriate, and must accept an argument of call, with a default of None. Before performing any other work, an action should normally verify that it has been called correctly. It may then perform the desired feature, and return useful information to the user. A basic action looks like:
Please note that generic kwargs, if used, are passed through to actions as kwargs and not **kwargs. An example of this is seen in the Functions section.

Functions¶

Functions are called that are performed against a specific cloud provider. An optional function that is often useful is show_image, which describes an image in detail. Functions are normally called with the -f option:
A function may accept any number of kwargs as appropriate, and must accept an argument of call with a default of None. Before performing any other work, a function should normally verify that it has been called correctly. It may then perform the desired feature, and return useful information to the user. A basic function looks like:
Take note that generic kwargs are passed through to functions as kwargs and not **kwargs.

Core Configuration¶

A number of core configuration options and some options that are global to the VM profiles can be set in the cloud configuration file. By default this file is located at /etc/salt/cloud.

Minion Configuration¶

The default minion configuration is set up in this file. This is where the minions that are created derive their configuration.
This is the location in particular to specify the location of the salt master.

New Cloud Configuration Syntax¶

The data specific to interacting with public clouds is set up here. ATTENTION: Since version 0.8.7 a new cloud provider configuration syntax was implemented. It will allow for multiple configurations of the same cloud provider where only minor details can change, for example, the region for an EC2 instance. While the old format is still supported and automatically migrated every time salt-cloud configuration is parsed, a choice was made to warn the user or even exit with an error if both formats are mixed.

Migrating Configurations¶

If you wish to migrate, there are several alternatives. Since the old syntax was mainly done on the main cloud configuration file, see the next before and after migration example.



Notice that it's not longer required to name a cloud provider's configuration after it's provider, it can be an alias, though, an additional configuration key is added, provider. This allows for multiple configuration for the same cloud provider to coexist. While moving towards an improved and extensible configuration handling regarding the cloud providers, --providers-config, which defaults to /etc/salt/cloud.providers, was added to the cli parser. It allows for the cloud providers configuration to be provided in a different file, and/or even any matching file on a sub-directory, cloud.providers.d/*.conf which is relative to the providers configuration file(with the above configuration file as an example, /etc/salt/cloud.providers.d/*.conf). So, using the example configuration above, after migration in /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/aws-migrated.conf:
Notice that on this last migrated example, it no longer includes the providers starting key. While migrating the cloud providers configuration, if the provider alias(from the above example my-aws-migrated-config) changes from what you had(from the above example aws), you will also need to change the provider configuration key in the defined profiles.



This new configuration syntax even allows you to have multiple cloud configurations under the same alias, for example:
Notice the dash and indentation on the above example. Having multiple entries for a configuration alias also makes the provider key on any defined profile to change, see the example:
Notice that because of the multiple entries, one has to be explicit about the provider alias and name, from the above example, production-config:aws. This new syntax also changes the interaction with the salt-cloud binary. --list-location, --list-images and --list-sizes which needs a cloud provider as an argument. Since 0.8.7 the argument used should be the configured cloud provider alias. If the provider alias only as a single entry, use <provider-alias>. If it has multiple entries, <provider-alias>:<provider-name> should be used.

Cloud Configurations¶

Rackspace¶

Rackspace cloud requires two configuration options:



NOTE: With the new providers configuration syntax you would have provider: rackspace-config instead of provider: rackspace on a profile configuration.

Amazon AWS¶

A number of configuration options are required for Amazon AWS:



NOTE: With the new providers configuration syntax you would have provider: my-aws-quick-start or provider: my-aws-default instead of provider: aws on a profile configuration.

Linode¶

Linode requires a single API key, but the default root password also needs to be set:



NOTE: With the new providers configuration syntax you would have provider: my-linode-config instead of provider: linode on a profile configuration. The password needs to be 8 characters and contain lowercase, uppercase and numbers.

Joyent Cloud¶

The Joyent cloud requires three configuration parameters. The user name and password that are used to log into the Joyent system, and the location of the private ssh key associated with the Joyent account. The ssh key is needed to send the provisioning commands up to the freshly created virtual machine,



NOTE: With the new providers configuration syntax you would have provider: my-joyent-config instead of provider: joyent on a profile configuration.

GoGrid¶

To use Salt Cloud with GoGrid log into the GoGrid web interface and create an API key. Do this by clicking on "My Account" and then going to the API Keys tab. The GOGRID.apikey and the GOGRID.sharedsecret configuration parameters need to be set in the configuration file to enable interfacing with GoGrid:



NOTE: With the new providers configuration syntax you would have provider: my-gogrid-config instead of provider: gogrid on a profile configuration.

OpenStack¶

OpenStack configuration differs between providers, and at the moment several options need to be specified. This module has been officially tested against the HP and the Rackspace implementations, and some examples are provided for both.

If you have an API key for your provider, it may be specified instead of a password:


If you have an API key for your provider, it may be specified instead of a password:
NOTE: With the new providers configuration syntax you would have provider: my-openstack-hp-config or provider: my-openstack-rackspace-config instead of provider: openstack on a profile configuration. You will certainly need to configure the user, tenant and either password or apikey. If your OpenStack instances only have private IP addresses and a CIDR range of private addresses are not reachable from the salt-master, you may set your preference to have Salt ignore it. Using the old could configurations syntax:
Using the new syntax:
For in-house Openstack Essex installation, libcloud needs the service_type :

Digital Ocean¶

Using Salt for Digital Ocean requires a client_key and an api_key. These can be found in the Digital Ocean web interface, in the "My Settings" section, under the API Access tab.



NOTE: With the new providers configuration syntax you would have provider: my-digitalocean-config instead of provider: digital_ocean on a profile configuration.

Parallels¶

Using Salt with Parallels requires a user, password and url. These can be obtained from your cloud provider.



NOTE: With the new providers configuration syntax you would have provider: my-parallels-config instead of provider: parallels on a profile configuration.

IBM SmartCloud Enterprise¶

In addition to a username and password, the IBM SCE module requires an SSH key, which is currently configured inside IBM's web interface. A location is also required to create instances, but not to query their cloud. This is important, because you need to use salt-cloud --list-locations (with the other options already set) in order to find the name of the location that you want to use.



NOTE: With the new providers configuration syntax you would have provider: my-imbsce-config instead of provider: ibmsce on a profile configuration.

Saltify¶

The Saltify driver is a new, experimental driver for installing Salt on existing machines (virtual or bare metal). Because it does not use an actual cloud provider, it needs no configuration in the main cloud config file. However, it does still require a profile to be set up, and is most useful when used inside a map file. The key parameters to be set are ssh_host, ssh_username and either ssh_keyfile or ssh_password. These may all be set in either the profile or the map. An example configuration might use the following in cloud.profiles:
And in the map file:

Extending Profiles and Cloud Providers Configuration¶

As of 0.8.7, the option to extend both the profiles and cloud providers configuration and avoid duplication was added. The extends feature works on the current profiles configuration, but, regarding the cloud providers configuration, only works in the new syntax and respective configuration files, ie, /etc/salt/salt/cloud.providers or /etc/salt/cloud.providers.d/*.conf.

Extending Profiles¶

Some example usage on how to use extends with profiles. Consider /etc/salt/salt/cloud.profiles containing:
The above configuration, once parsed would generate the following profiles data:
Pretty cool right?

Extending Providers¶

Some example usage on how to use extends within the cloud providers configuration. Consider /etc/salt/salt/cloud.providers containing:
The above configuration, once parsed would generate the following providers data:

OS Support for Cloud VMs¶

Salt Cloud works primarily by executing a script on the virtual machines as soon as they become available. The script that is executed is referenced in the cloud profile as the script. In older versions, this was the os argument. This was changed in 0.8.2. A number of legacy scripts exist in the deploy directory in the saltcloud source tree. The preferred method is currently to use the salt-bootstrap script. A stable version is included with each release tarball starting with 0.8.4. The most updated version can be found at: https://github.com/saltstack/salt-bootstrap If you do not specify a script argument, this script will be used at the default. If the Salt Bootstrap script does not meet your needs, you may write your own. The script should be written in bash and is a Jinja template. Deploy scripts need to execute a number of functions to do a complete salt setup. These functions include:
A good, well commented, example of this process is the Fedora deployment script: https://github.com/saltstack/salt-cloud/blob/master/saltcloud/deploy/Fedora.sh A number of legacy deploy scripts are included with the release tarball. None of them are as functional or complete as Salt Bootstrap, and are still included for academic purposes.

Other Generic Deploy Scripts¶

If you want to be assured of always using the latest Salt Bootstrap script, there are a few generic templates available in the deploy directory of your saltcloud source tree:
These are example scripts which were designed to be customized, adapted, and refit to meet your needs. One important use of them is to pass options to the salt-bootstrap script, such as updating to specific git tags.

Post-Deploy Commands¶

Once a minion has been deployed, it has the option to run a salt command. Normally, this would be the state.highstate command, which would finish provisioning the VM. Another common option is state.sls, or for just testing, test.ping. This is configured in the main cloud config file:
This is currently considered to be experimental functionality, and may not work well with all providers. If you experience problems with Salt Cloud hanging after Salt is deployed, consider using Startup States instead: http://docs.saltstack.org/en/latest/ref/states/startup.html

Skipping the Deploy Script¶

For whatever reason, you may want to skip the deploy script altogether. This results in a VM being spun up much faster, with absolutely no configuration. This can be set from the command line:
Or it can be set from the main cloud config file:
Or it can be set from the provider's configuration:
Or even on the VM's profile settings:
The default for deploy is True. In the profile, you may also set the script option to None:
This is the slowest option, since it still uploads the None deploy script and executes it.

Updating Salt Bootstrap¶

Salt Bootstrap can be updated automatically with salt-cloud:
Bear in mind that this updates to the latest (unstable) version, so use with caution.

Keeping /tmp/ Files¶

When Salt Cloud deploys an instance, it uploads temporary files to /tmp/ for salt-bootstrap to put in place. After the script has run, they are deleted. To keep these files around (mostly for debugging purposes), the --keep-tmp option can be added:
For those wondering why /tmp/ was used instead of /root/, this had to be done for images which require the use of sudo, and therefore do not allow remote root logins, even for file transfers (which makes /root/ unavailable).

Deploy Script Arguments¶

Custom deploy scripts are unlikely to need custom arguments to be passed to them, but salt-bootstrap has been extended quite a bit, and this may be necessary. script_args can be specified in either the profile or the map file, to pass arguments to the deploy script:
This has also been tested to work with pipes, if needed:

Getting Started With Digital Ocean¶

Digital Ocean is a public cloud provider that specializes in Linux instances.

Dependencies¶

The Digital Ocean driver requires no special dependencies outside of Salt.

Configuration¶

Using Salt for Digital Ocean requires a client_key and an api_key. These can be found in the Digital Ocean web interface, in the "My Settings" section, under the API Access tab.

Profiles¶

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory:
Sizes can be obtained using the --list-sizes option for the salt-cloud command:
Images can be obtained using the --list-images option for the salt-cloud command:
NOTE:
NOTE:

Feature Matrix¶

A number of features are available in most cloud providers, but not all are available everywhere. This may be because the feature isn't supported by the cloud provider itself, or it may only be that the feature has not yet been added to Salt Cloud. In a handful of cases, it is because the feature does not make sense for a particular cloud provider (Saltify, for instance). This matrix shows which features are available in which cloud providers, as far as Salt Cloud is concerned. This is not a comprehensive list of all features available in all cloud providers, and shoult not be used to make business decisions concerning choosing a cloud provider. In most cases, adding support for a feature to Salt Cloud requires only a little effort.

Legacy Drivers¶

Both AWS and Rackspace are listed as "Legacy". This is because those drivers have been replaced by other drivers, which are generally the prerferred method for working with those providers. The EC2 driver should be used instead of the AWS driver, when possible. The OpenStack driver should be used instead of the Rackspace driver, unless the user is dealing with instances in "the old cloud" in Rackspace.

Note for Developers¶

When adding new features to a particular cloud provider, please make sure to add the feature to this table. Additionally, if you notice a feature that is not properly listed here, pull requests to fix them is appreciated.

Standard Features¶

These are features that are available for almost every provider.

AWS (Legacy)

CloudStack

Digital Ocean

EC2

GoGrid

IBM SCE

JoyEnt

Linode

OpenStack

Parallels

Rackspace (Legacy)

Saltify

Softlayer

Softlayer Hardware

Query

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Full Query

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Selective Query

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

List Sizes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

List Images

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

List Locations

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

create

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

destroy

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Actions¶

These are features that are performed on a specific instance, and require an instance name to be passed in. For example:

Actions

AWS (Legacy)

CloudStack

Digital Ocean

EC2

GoGrid

IBM SCE

JoyEnt

Linode

OpenStack

Parallels

Rackspace (Legacy)

Saltify

Softlayer

Softlayer Hardware

attach_volume

Yes

create_attach_volumes

Yes

Yes

del_tags

Yes

Yes

delvol_on_destroy

Yes

detach_volume

Yes

disable_term_protect

Yes

Yes

enable_term_protect

Yes

Yes

get_tags

Yes

Yes

keepvol_on_destroy

Yes

list_keypairs

Yes

rename

Yes

Yes

set_tags

Yes

Yes

show_delvol_on_destroy

Yes

show_instance

Yes

Yes

Yes

Yes

Yes

show_term_protect

Yes

start

Yes

Yes

Yes

Yes

stop

Yes

Yes

Yes

Yes

take_action

Yes

Functions¶

These are features that are performed against a specific cloud provider, and require the name of the provider to be passed in. For example:

Functions

AWS (Legacy)

CloudStack

Digital Ocean

EC2

GoGrid

IBM SCE

JoyEnt

Linode

OpenStack

Parallels

Rackspace (Legacy)

Saltify

Softlayer

Softlayer Hardware

block_device_mappings

Yes

create_keypair

Yes

create_volume

Yes

delete_key

Yes

delete_keypair

Yes

delete_volume

Yes

get_image

Yes

Yes

Yes

get_ip

Yes

get_key

Yes

get_keyid

Yes

get_keypair

Yes

get_networkid

Yes

get_node

Yes

get_password

Yes

get_size

Yes

Yes

get_spot_config

Yes

get_subnetid

Yes

iam_profile

Yes

Yes

import_key

Yes

key_list

Yes

keyname

Yes

Yes

list_availability_zones

Yes

list_custom_images

Yes

list_keys

Yes

list_vlans

Yes

Yes

rackconnect

Yes

reboot

Yes

Yes

reformat_node

Yes

securitygroup

Yes

Yes

securitygroupid

Yes

show_image

Yes

Yes

show_key

Yes

show_keypair

Yes

Yes

show_volume

Yes

Cloud Functions¶

Cloud functions work much the same way as cloud actions, except that they don't perform an operation on a specific instance, and so do not need a machine name to be specified. However, since they perform an operation on a specific cloud provider, that provider must be specified.

Getting Started With Google Compute Engine¶

Google Compute Engine (GCE) is Google-infrastructure as a service that lets you run your large-scale computing workloads on virtual machines. This document covers how to use Salt Cloud to provision and manage your virtual machines hosted within Google's infrastructure. You can find out more about GCE and other Google Cloud Platform services at https://cloud.google.com.

Dependencies¶

Google Compute Engine Setup¶

Configuration¶

Set up the cloud config at /etc/salt/cloud:

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles:
The profile can be realized now with a salt command:
This will create an salt minion instance named gce-instance in GCE. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:

GCE Specific Settings¶

Consult the sample profile below for more information about GCE specific settings. Some of them are mandatory and are properly labeled below but typically also include a hard-coded default.
GCE instances do not allow remote access to the root user by default. Instead, another user must be used to run the deploy script using sudo.

Single instance details¶

This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance.

Destroy, persistent disks, and metadata¶

As noted in the provider configuration, it's possible to force the boot persistent disk to be deleted when you destroy the instance. The way that this has been implemented is to use the instance metadata to record the cloud profile used when creating the instance. When destroy is called, if the instance contains a salt-cloud-profile key, it's value is used to reference the matching profile to determine if delete_boot_pd is set to True. Be aware that any GCE instances created with salt cloud will contain this custom salt-cloud-profile metadata entry.

List various resources¶

It's also possible to list several GCE resources similar to what can be done with other providers. The following commands can be used to list GCE zones (locations), machine types (sizes), and images.

Getting Started With GoGrid¶

GoGrid is a public cloud provider supporting Linux and Windows.

Dependencies¶

The GoGrid driver for Salt Cloud requires Libcloud 0.13.2 or higher to be installed.

Configuration¶

To use Salt Cloud with GoGrid log into the GoGrid web interface and create an API key. Do this by clicking on "My Account" and then going to the API Keys tab. The apikey and the sharedsecret configuration parameters need to be set in the configuration file to enable interfacing with GoGrid:

Profiles¶

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory:
Sizes can be obtained using the --list-sizes option for the salt-cloud command:
Images can be obtained using the --list-images option for the salt-cloud command:

Getting Started With Joyent¶

Joyent is a public cloud provider supporting SmartOS, Linux, FreeBSD and Windows.

Dependencies¶

The Joyent driver for Salt Cloud requires Libcloud 0.13.2 or higher to be installed.

Configuration¶

The Joyent cloud requires three configuration parameters. The user name and password that are used to log into the Joyent system, and the location of the private ssh key associated with the Joyent account. The ssh key is needed to send the provisioning commands up to the freshly created virtual machine.

Profiles¶

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory:
Sizes can be obtained using the --list-sizes option for the salt-cloud command:
Images can be obtained using the --list-images option for the salt-cloud command:

Getting Started With Linode¶

Linode is a public cloud provider with a focus on Linux instances.

Dependencies¶

The Linode driver for Salt Cloud requires Libcloud 0.13.2 or higher to be installed.

Configuration¶

Linode requires a single API key, but the default root password for new instances also needs to be set:
The password needs to be 8 characters and contain lowercase, uppercase and numbers.

Profiles¶

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles or in the /etc/salt/cloud.profiles.d/ directory:
Sizes can be obtained using the --list-sizes option for the salt-cloud command:
Images can be obtained using the --list-images option for the salt-cloud command:

Cloud Map File¶

A number of options exist when creating virtual machines. They can be managed directly from profiles and the command line execution, or a more complex map file can be created. The map file allows for a number of virtual machines to be created and associated with specific profiles. Map files have a simple format, specify a profile and then a list of virtual machines to make from said profile:
This map file can then be called to roll out all of these virtual machines. Map files are called from the salt-cloud command with the -m option:
Remember, that as with direct profile provisioning the -P option can be passed to create the virtual machines in parallel:
A map file can also be enforced to represent the total state of a cloud deployment by using the --hard option. When using the hard option any vms that exist but are not specified in the map file will be destroyed:
Be careful with this argument, it is very dangerous! In fact, it is so dangerous that in order to use it, you must explicitly enable it in the main configuration file.
A map file can include grains and minion configuration options:
A map file may also be used with the various query options:
...or with the delete option:

Miscellaneous Salt Cloud Options¶

This page describes various miscellaneous options available in Salt Cloud

Deploy Script Arguments¶

Custom deploy scripts are unlikely to need custom arguments to be passed to them, but salt-bootstrap has been extended quite a bit, and this may be necessary. script_args can be specified in either the profile or the map file, to pass arguments to the deploy script:
This has also been tested to work with pipes, if needed:

Sync After Install¶

Salt allows users to create custom modules, grains and states which can be synchronised to minions to extend Salt with further functionality. This option will inform Salt Cloud to synchronise your custom modules, grains, states or all these to the minion just after it has been created. For this to happen, the following line needs to be added to the main cloud configuration file:
The available options for this setting are:

Setting up New Salt Masters¶

It has become increasingly common for users to set up multi-hierarchal infrastructures using Salt Cloud. This sometimes involves setting up an instance to be a master in addition to a minion. With that in mind, you can now lay down master configuration on a machine by specifying master options in the profile or map file.
This will cause Salt Cloud to generate master keys for the instance, and tell salt-bootstrap to install the salt-master package, in addition to the salt-minion package. The default master configuration is usually appropriate for most users, and will not be changed unless specific master configuration has been added to the profile or map:

Delete SSH Keys¶

When Salt Cloud deploys an instance, the SSH pub key for the instance is added to the known_hosts file for the user that ran the salt-cloud command. When an instance is deployed, a cloud provider generally recycles the IP address for the instance. When Salt Cloud attempts to deploy an instance using a recycled IP address that has previously been accessed from the same machine, the old key in the known_hosts file will cause a conflict. In order to mitigate this issue, Salt Cloud can be configured to remove old keys from the known_hosts file when destroying the node. In order to do this, the following line needs to be added to the main cloud configuration file:

Keeping /tmp/ Files¶

When Salt Cloud deploys an instance, it uploads temporary files to /tmp/ for salt-bootstrap to put in place. After the script has run, they are deleted. To keep these files around (mostly for debugging purposes), the --keep-tmp option can be added:
For those wondering why /tmp/ was used instead of /root/, this had to be done for images which require the use of sudo, and therefore do not allow remote root logins, even for file transfers (which makes /root/ unavailable).

Hide Output From Minion Install¶

By default Salt Cloud will stream the output from the minion deploy script directly to STDOUT. Although this can been very useful, in certain cases you may wish to switch this off. The following config option is there to enable or disable this output:

Connection Timeout¶

There are several stages when deploying Salt where Salt Cloud needs to wait for something to happen. The VM getting it's IP address, the VM's SSH port is available, etc. If you find that the Salt Cloud defaults are not enough and your deployment fails because Salt Cloud did not wait log enough, there are some settings you can tweak.
You can tweak these settings globally, per cloud provider, or event per profile definition.

wait_for_ip_timeout¶

The amount of time Salt Cloud should wait for a VM to start and get an IP back from the cloud provider. Default: 5 minutes.

wait_for_ip_interval¶

The amount of time Salt Cloud should sleep while querying for the VM's IP. Default: 5 seconds.

ssh_connect_timeout¶

The amount of time Salt Cloud should wait for a successful SSH connection to the VM. Default: 5 minutes.

wait_for_passwd_timeout¶

The amount of time until an ssh connection can be established via password or ssh key. Default 15 seconds.

wait_for_fun_timeout¶

Some cloud drivers check for an available IP or a successful SSH connection using a function, namely, SoftLayer and SoftLayer-HW. So, the amount of time Salt Cloud should retry such functions before failing. Default: 5 minutes.

wait_for_spot_timeout¶

The amount of time Salt Cloud should wait before an EC2 Spot instance is available. This setting is only available for the EC2 cloud driver.

Getting Started With OpenStack¶

OpenStack is one the most popular cloud projects. It's an open source project to build public and/or private clouds. You can use Salt Cloud to launch OpenStack instances.

Using nova client to get information from OpenStack¶

One of the best ways to get information about OpenStack is using the novaclient python package (available in pypi as python-novaclient). The client configuration is a set of environment variables that you can get from the Dashboard. Log in and then go to Project -> Access & security -> API Access and download the "OpenStack RC file". Then:
In the nova endpoints output you can see the information about compute_region and compute_name.

Compute Region¶

It depends on the OpenStack cluster that you are using. Please, have a look at the previous sections.

Authentication¶

The user and password is the same user as is used to log into the OpenStack Dashboard.

Profiles¶

Here is an example of a profile:
size can be one of the options listed in the output of nova flavor-list. image can be one of the options listed in the output of nova image-list.

Getting Started With Parallels¶

Parallels Cloud Server is a product by Parallels that delivers a cloud hosting solution. The PARALLELS module for Salt Cloud enables you to manage instances hosted by a provider using PCS. Further information can be found at: http://www.parallels.com/products/pcs/

Access Credentials¶

The user, password and url will be provided to you by your cloud provider. These are all required in order for the PARALLELS driver to work.

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/parallels.conf:



The profile can be realized now with a salt command:
This will create an instance named myubuntu on the cloud provider. The minion that is installed on this instance will have an id of myubuntu. If the command was executed on the salt-master, its Salt key will automatically be signed on the master. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:

Required Settings¶

The following settings are always required for PARALLELS:

Optional Settings¶

Unlike other cloud providers in Salt Cloud, Parallels does not utilize a size setting. This is because Parallels allows the end-user to specify a more detailed configuration for their instances, than is allowed by many other cloud providers. The following options are available to be used in a profile, with their default settings listed.

VM Profiles¶

Salt cloud designates virtual machines inside the profile configuration file. The profile configuration file defaults to /etc/salt/cloud.profiles and is a yaml configuration. The syntax for declaring profiles is simple:
A few key pieces of information need to be declared and can change based on the public cloud provider. A number of additional parameters can also be inserted:
The image must be selected from available images. Similarly, sizes must be selected from the list of sizes. To get a list of available images and sizes use the following command:
Some parameters can be specified in the main Salt cloud configuration file and then are applied to all cloud profiles. For instance if only a single cloud provider is being used then the provider option can be declared in the Salt cloud configuration file.

Multiple Configuration Files¶

In addition to /etc/salt/cloud.profiles, profiles can also be specified in any file matching cloud.profiles.d/*conf which is a sub-directory relative to the profiles configuration file(with the above configuration file as an example, /etc/salt/cloud.profiles.d/*.conf). This allows for more extensible configuration, and plays nicely with various configuration management tools as well as version control systems.

Larger Example¶

Getting Started With Rackspace¶

Rackspace is a major public cloud platform which may be configured using either the rackspace or the openstack driver, depending on your needs. Please note that the rackspace driver is only intended for 1st gen instances, aka, "the old cloud" at Rackspace. It is required for 1st gen instances, but will not work with OpenStack-based instances. Unless you explicitly have a reason to use it, it is highly recommended that you use the openstack driver instead.



The settings that follow are for using Rackspace with the openstack driver, and will not work with the rackspace driver.

Compute Region¶

Rackspace currently has six compute regions which may be used:
Note: Currently the LON region is only avaiable with a UK account, and UK accounts cannot access other regions

Authentication¶

The user is the same user as is used to log into the Rackspace Control Panel. The tenant and apikey can be found in the API Keys area of the Control Panel. The apikey will be labeled as API Key (and may need to be generated), and tenant will be labeled as Cloud Account Number. An initial profile can be configured in /etc/salt/cloud.profiles or /etc/salt/cloud.profiles.d/rackspace.conf:
To instantiate a machine based on this profile:
This will create a virtual machine at Rackspace with the name myinstance. This operation may take several minutes to complete, depending on the current load at the Rackspace data center. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:

RackConnect Environments¶

Rackspace offers a hybrid hosting configuration option called RackConnect that allows you to use a physical firewall appliance with your cloud servers. When this service is in use the public_ip assigned by nova will be replaced by a NAT ip on the firewall. For salt-cloud to work properly it must use the newly assigned "access ip" instead of the Nova assigned public ip. You can enable that capability by adding this to your profiles:

Managed Cloud Environments¶

Rackspace offers a managed service level of hosting. As part of the managed service level you have the ability to choose from base of lamp installations on cloud server images. The post build process for both the base and the lamp installations used Chef to install things such as the cloud monitoring agent and the cloud backup agent. It also takes care of installing the lamp stack if selected. In order to prevent the post installation process from stomping over the bootstrapping you can add the below to your profiles.

First and Next Generation Images¶

Rackspace provides two sets of virtual machine images, first and next generation. As of 0.8.9 salt-cloud will default to using the next generation images. To force the use of first generation images, on the profile configuration please add:

Using the Salt Modules for Cloud¶

In addition to the salt-cloud command, Salt Cloud can be called from Salt, in a variety of different ways. Most users will be interested in either the execution module or the state module, but it is also possible to call Salt Cloud as a runner. Because the actual work will be performed on a remote minion, the normal Salt Cloud configuration must exist on any target minion that needs to execute a Salt Cloud command. Because Salt Cloud now supports breaking out configuration into individual files, the configuration is easily managed using Salt's own file.managed state function. For example, the following directories allow this configuration to be managed easily:

Minion Keys¶

Keep in mind that when creating minions, Salt Cloud will create public and private minion keys, upload them to the minion, and place the public key on the machine that created the minion. It will not attempt to place any public minion keys on the master, unless the minion which was used to create the instance is also the Salt Master. This is because granting arbitrary minions access to modify keys on the master is a serious security risk, and must be avoided.

Execution Module¶

The cloud module is available to use from the command line. At the moment, almost every standard Salt Cloud feature is available to use. The following commands are available:

list_images¶

This command is designed to show images that are available to be used to create an instance using Salt Cloud. In general they are used in the creation of profiles, but may also be used to create an instance directly (see below). Listing images requires a provider to be configured, and specified:

list_sizes¶

This command is designed to show sizes that are available to be used to create an instance using Salt Cloud. In general they are used in the creation of profiles, but may also be used to create an instance directly (see below). This command is not available for all cloud providers; see the provider-specific documentation for details. Listing sizes requires a provider to be configured, and specified:

list_locations¶

This command is designed to show locations that are available to be used to create an instance using Salt Cloud. In general they are used in the creation of profiles, but may also be used to create an instance directly (see below). This command is not available for all cloud providers; see the provider-specific documentation for details. Listing locations requires a provider to be configured, and specified:

query¶

This command is used to query all configured cloud providers, and display all instances associated with those accounts. By default, it will run a standard query, returning the following fields:
This command may also be used to perform a full query or a select query, as described below. The following usages are available:

full_query¶

This command behaves like the query command, but lists all information concerning each instance as provided by the cloud provider, in addition to the fields returned by the query command.

select_query¶

This command behaves like the query command, but only returned select fields as defined in the /etc/salt/cloud configuration file. A sample configuration for this section of the file might look like:
This configuration would only return the id and key_name fields, for those cloud providers that support those two fields. This would be called using the following command:

profile¶

This command is used to create an instance using a profile that is configured on the target minion. Please note that the profile must be configured before this command can be used with it.
Please note that the execution module does not run in parallel mode. Using multiple minions to create instances can effectively perform parallel instance creation.

create¶

This command is similar to the profile command, in that it is used to create a new instance. However, it does not require a profile to be pre-configured. Instead, all of the options that are normally configured in a profile are passed directly to Salt Cloud to create the instance:
Please note that the execution module does not run in parallel mode. Using multiple minions to create instances can effectively perform parallel instance creation.

destroy¶

This command is used to destroy an instance or instances. This command will search all configured providers and remove any instance(s) which matches the name(s) passed in here. The results of this command are non-reversable and should be used with caution.

action¶

This command implements both the action and the function commands used in the standard salt-cloud command. If one of the standard action commands is used, an instance name must be provided. If one of the standard function commands is used, a provider configuration must be named.
The actions available are largely dependant upon the module for the specific cloud provider. The following actions are available for all cloud providers:

State Module¶

A subset of the execution module is available through the cloud state module. Not all functions are currently included, because there is currently insufficient code for them to perform statefully. For example, a command to create an istance may be issued with a series of options, but those options cannot currently be statefully managed. Additional states to manage these options will be released at a later time.

cloud.present¶

This state will ensure that an instance is present inside a particular cloud provider. Any option that is normally specified in the cloud.create execution module and function may be declared here, but only the actual presence of the instance will be managed statefully.

cloud.profile¶

This state will ensure that an instance is present inside a particular cloud provider. This function calls the cloud.profile execution module and function, but as with cloud.present, only the actual presence of the instance will be managed statefully.

cloud.absent¶

This state will ensure that an instance (identified by name) does not exist in any of the cloud providers configured on the target minion. Please note that this state is non-reversable and may be considered especially destructive when issued as a cloud state.

Runner Module¶

The cloud runner module is executed on the master, and performs actions using the configuration and Salt modules on the master itself. This means that any public minion keys will also be properly accepted by the master. Using the functions in the runner module is no different than using those in the execution module, outside of the behavior described in the above paragraph. The following functions are available inside the runner:
Outside of the standard usage of salt-run itself, commands are executed as usual:

CloudClient¶

The execution, state and runner modules ultimately all use the CloudClient library that ships with Salt. To use the CloudClient library locally (either on the master or a minion), create a client object and issue a command against it:

Getting Started With SoftLayer¶

SoftLayer is a public cloud provider, and baremetal hardware hosting provider.

Dependencies¶

The SoftLayer driver for Salt Cloud requires the softlayer package, which is available at PyPi: https://pypi.python.org/pypi/SoftLayer This package can be installed using pip or easy_install:

Configuration¶

Set up the cloud config at /etc/salt/cloud.providers:

Access Credentials¶

The user setting is the same user as is used to log into the SoftLayer Administration area. The apikey setting is found inside the Admin area after logging in:

Profiles¶

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles:
Most of the above items are required; optional items are specified below.

image¶

Images to build an instance can be found using the --list-images option:
The setting used will be labeled as template.

cpu_number¶

This is the number of CPU cores that will be used for this instance. This number may be dependent upon the image that is used. For instance:
Note that the template (meaning, the image option) for both of these is the same, but the names suggests how many CPU cores are supported.

ram¶

This is the amount of memory, in megabytes, that will be allocated to this instance.

disk_size¶

The amount of disk space that will be allocated to this image, in megabytes.

local_disk¶

When true the disks for the computing instance will be provisioned on the host which it runs, otherwise SAN disks will be provisioned.

hourly_billing¶

When true the computing instance will be billed on hourly usage, otherwise it will be billed on a monthly basis.

domain¶

The domain name that will be used in the FQDN (Fully Qualified Domain Name) for this instance. The domain setting will be used in conjunction with the instance name to form the FQDN.

location¶

Images to build an instance can be found using the --list-locations option:

max_net_speed¶

Specifies the connection speed for the instance's network components. This setting is optional. By default, this is set to 10.

public_vlan¶

If it is necessary for an instance to be created within a specific frontend VLAN, the ID for that VLAN can be specified in either the provider or profile configuration. This ID can be queried using the list_vlans function, as described below. This setting is optional.

private_vlan¶

If it is necessary for an instance to be created within a specific backend VLAN, the ID for that VLAN can be specified in either the provider or profile configuration. This ID can be queried using the list_vlans function, as described below. This setting is optional.

private_network¶

If a server is to only be used internally, meaning it does not have a public VLAN associated with it, this value would be set to True. This setting is optional. The default is False.

private_ssh¶

Whether to run the deploy script on the server using the public IP address or the private IP address. If set to True, Salt Cloud will attempt to SSH into the new server using the private IP address. The default is False. This settiong is optional.

global_identifier¶

When creating an instance using a custom template, this option is set to the corresponding value obtained using the list_custom_images function. This option will not be used if an image is set, and if an image is not set, it is required. The profile can be realized now with a salt command:
Using the above configuration, this will create myserver.example.com. Once the instance has been created with salt-minion installed, connectivity to it can be verified with Salt:

Cloud Profiles¶

Set up an initial profile at /etc/salt/cloud.profiles:
Most of the above items are required; optional items are specified below.

image¶

Images to build an instance can be found using the --list-images option:
A list of id`s and names will be provided. The `name will describe the operating system and architecture. The id will be the setting to be used in the profile.

size¶

Sizes to build an instance can be found using the --list-sizes option:
A list of id`s and names will be provided. The `name will describe the speed and quantity of CPU cores, and the amount of memory that the hardware will contain. The id will be the setting to be used in the profile.

hdd¶

There are currently two sizes of hard disk drive (HDD) that are available for hardware instances on SoftLayer:
The hdd setting in the profile will be either 19 or 1267. Other sizes may be added in the future.

location¶

Locations to build an instance can be found using the --list-images option:
A list of IDs and names will be provided. The location will describe the location in human terms. The id will be the setting to be used in the profile.

domain¶

The domain name that will be used in the FQDN (Fully Qualified Domain Name) for this instance. The domain setting will be used in conjunction with the instance name to form the FQDN.

vlan¶

If it is necessary for an instance to be created within a specific VLAN, the ID for that VLAN can be specified in either the provider or profile configuration. This ID can be queried using the list_vlans function, as described below.

port_speed¶

Specifies the speed for the instance's network port. This setting refers to an ID within the SoftLayer API, which sets the port speed. This setting is optional. The default is 273, or, 100 Mbps Public & Private Networks. The following settings are available:

bandwidth¶

Specifies the network bandwidth available for the instance. This setting refers to an ID within the SoftLayer API, which sets the bandwidth. This setting is optional. The default is 248, or, 5000 GB Bandwidth. The following settings are available:

Actions¶

The following actions are currently supported by the SoftLayer Salt Cloud driver.

show_instance¶

This action is a thin wrapper around --full-query, which displays details on a single instance only. In an environment with several machines, this will save a user from having to sort through all instance data, just to examine a single instance.

Functions¶

The following functions are currently supported by the SoftLayer Salt Cloud driver.

list_vlans¶

This function lists all VLANs associated with the account, and all known data from the SoftLayer API concerning those VLANs.
The id returned in this list is necessary for the vlan option when creating an instance.

list_custom_images¶

This function lists any custom templates associated with the account, that can be used to create a new instance.
The globalIdentifier returned in this list is necessary for the global_identifier option when creating an image using a custom template.

Optional Products for SoftLayer HW¶

The softlayer_hw provider supports the ability to add optional products, which are supported by SoftLayer's API. These products each have an ID associated with them, that can be passed into Salt Cloud with the optional_products option:
These values can be manually obtained by looking at the source of an order page on the SoftLayer web interface. For convenience, many of these values are listed here:

Public Secondary IP Addresses¶

Primary IPv6 Addresses¶

Public Static IPv6 Addresses¶

OS-Specific Addon¶

Control Panel Software¶

Database Software¶

Anti-Virus & Spyware Protection¶

Insurance¶

Monitoring¶

Notification¶

Advanced Monitoring¶

Response¶

Intrusion Detection & Protection¶

Hardware & Software Firewalls¶

Troubleshooting Salt Cloud¶

This page describes various steps for troubleshooting problems that may arise while using Salt Cloud.

Generic Troubleshooting Steps¶

This section describes a set of instructions that are useful to a large number of situations, and are likely to solve most issues that arise.

Debug Mode¶

Frequently, running Salt Cloud in debug mode will reveal information about a deployment which would otherwise not be obvious:
Keep in mind that a number of messages will appear that look at first like errors, but are in fact intended to give developers factual information to assist in debugging. A number of messages that appear will be for cloud providers that you do not have configured; in these cases, the message usually is intended to confirm that they are not configured.

Salt Bootstrap¶

By default, Salt Cloud uses the Salt Bootstrap script to provision instances: This script is packaged with Salt Cloud, but may be updated without updating the Salt package:

The Bootstrap Log¶

If the default deploy script was used, there should be a file in the /tmp/ directory called bootstrap-salt.log. This file contains the full output from the deployment, including any errors that may have occurred.

Keeping Temp Files¶

Salt Cloud uploads minion-specific files to instances once they are available via SSH, and then executes a deploy script to put them into the correct place and install Salt. The --keep-tmp option will instruct Salt Cloud not to remove those files when finished with them, so that the user may inspect them for problems:
By default, Salt Cloud will create a directory on the target instance called /tmp/.saltcloud/. This directory should be owned by the user that is to execute the deploy script, and should have permissions of 0700. Most cloud providers are configured to use root as the default initial user for deployment, and as such, this directory and all files in it should be owned by the root user. The /tmp/.saltcloud/ directory should the following files:

Unprivileged Primary Users¶

Some providers, most notably EC2, are configured with a different primary user. Some common examples are ec2-user, ubuntu, fedora and bitnami. In these cases, the /tmp/.saltcloud/ directory and all files in it should be owned by this user. Some providers, such as EC2, are configured to not require these users to provide a password when using the sudo command. Because it is more secure to require sudo users to provide a password, other providers are configured that way. If this instance is required to provide a password, it needs to be configured in Salt Cloud. A password for sudo to use may be added to either the provider configuration or the profile configuration:

/tmp/ is Mounted as noexec¶

It is more secure to mount the /tmp/ directory with a noexec option. This is uncommon on most cloud providers, but very common in private environments. To see if the /tmp/ directory is mounted this way, run the following command:
The if the output of this command includes a line that looks like this, then the /tmp/ directory is mounted as noexec:
If this is the case, then the deploy_command will need to be changed in order to run the deploy script through the sh command, rather than trying to execute it directly. This may be specified in either the provider or the profile config:
Please note that by default, Salt Cloud will place its files in a directory called /tmp/.saltcloud/. This may be also be changed in the provider or profile configuration:
If this directory is changed, then the deploy_command need to be changed in order to reflect the tmp_dir configuration.

Executing the Deploy Script Manually¶

If all of the files needed for deployment were successfully uploaded to the correct locations, and contain the correct permissions and ownerships, the deploy script may be executed manually in order to check for other issues:

Spinning up Windows Minions¶

It is possible to use Salt Cloud to spin up Windows instances, and then install Salt on them. This functionality is available on all cloud providers that are supported by Salt Cloud. However, it may not necessarily be available on all Windows images.

Requirements¶

Salt Cloud makes use of smbclient and winexe to set up the Windows Salt Minion installer. smbclient may be part of either the samba package, or its own smbclient package, depending on the distribution. winexe is less commonly available in distribution-specific repositories. However, it is currently being built for various distributions in 3rd party channels:
Additionally, a copy of the Salt Minion Windows installer must be present on the system on which Salt Cloud is running. This installer may be downloaded from saltstack.com:

Firewall Settings¶

Because Salt Cloud makes use of smbclient and winexe, port 445 must be open on the target image. This port is not generally open by default on a standard Windows distribution, and care must be taken to use an image in which this port is open, or the Windows firewall is disabled.

Configuration¶

Configuration is set as usual, with some extra configuration settings. The location of the Windows installer on the machine that Salt Cloud is running on must be specified. This may be done in any of the regular configuration files (main, providers, profiles, maps). For example: Setting the installer in /etc/salt/cloud.providers:
The default Windows user is Administrator, and the default Windows password is blank.

Install Salt Cloud¶

Salt Cloud is now part of Salt proper. It was merged in as of Salt version 2014.1.0. Salt Cloud depends on apache-libcloud. Libcloud can be installed via pip with pip install apache-libcloud.

Installing Salt Cloud for development¶

Installing Salt for development enables Salt Cloud development as well, just make sure apache-libcloud is installed as per above paragraph. See these instructions: Installing Salt for development. Salt cloud is a public cloud provisioning tool. Salt cloud is made to integrate Salt into cloud providers in a clean way so that minions on public cloud systems can be quickly and easily modeled and provisioned. Salt cloud allows for cloud based minions to be managed via virtual machine maps and profiles. This means that individual cloud VMs can be created, or large groups of cloud VMs can be created at once or managed. Virtual machines created with Salt cloud install salt on the target virtual machine and assign it to the specified master. This means that virtual machines can be provisioned and then potentially never logged into. While Salt Cloud has been made to work with Salt, it is also a generic cloud management platform and can be used to manage non Salt centric clouds.

GETTING STARTED¶

Some quick guides covering getting started with each of the various cloud providers.

CORE CONFIGURATION¶

The core configuration of Salt cloud is handled in the cloud configuration file. This file is comprised of global configurations for interfacing with cloud providers.

WINDOWS CONFIGURATION¶

Salt Cloud may be used to spin up a Windows minion, and then install the Salt Minion client on that instance. At this time, Salt Cloud itself still needs to be run from a Linux or Unix machine.

USING SALT CLOUD¶

Salt cloud works via profiles and maps. Simple profiles for cloud VMs are defined and can be used directly, or a map can be defined specifying a large group of virtual machines to create.
Once a VM has been deployed, a number of actions may be available to perform on it, depending on the specific cloud provider.
Depending on your cloud provider, a number of functions may also be available which do not require a VM to be specified.

MISCELLANEOUS OPTIONS¶

TROUBLESHOOTING STEPS¶

EXTENDING SALT CLOUD¶

Salt Cloud extensions work in a way similar to Salt modules. Therefore extending Salt cloud to manage more public cloud providers and operating systems is easy.

USING SALT CLOUD FROM SALT¶

Several Salt Cloud modules exist within Salt itself in order to manage cloud instances using Salt's own powerful feature set.

FEATURE COMPARISON¶

A table is available which compares various features available across all supported cloud providers.

LEGACY RELEASES¶

Changed in version 2014.1.0: (Hydrogen) Release notes will be part of Salt's main release notes starting with Salt's 2014.1.0 (Hydrogen) release.

REFERENCE¶

VIRTUAL MACHINE DISK PROFILES¶

Salt Virt allows for the disks created for deployed virtual machines to be finely configured. The configuration is a simple data structure which is read from the config.option function, meaning that the configuration can be stored in the minion config file, the master config file, or the minion's pillar. This configuration option is called virt.disk. The default virt.disk data structure looks like this:
NOTE:
This configuration sets up a disk profile called default. The default profile creates a single system disk on the virtual machine.

Define More Profiles¶

Many environments will require more complex disk profiles and may require more than one profile, this can be easily accomplished:
This configuration allows for one of three profiles to be selected, allowing virtual machines to be created with different storage needs of the deployed vm.

SALT VIRT - THE SALTSTACK CLOUD CONTROLLER¶

The Salt Virt cloud controller capability was initial added to Salt in version 0.14.0 as an alpha technology. The initial Salt Virt system supports core cloud operations:
Many features are currently under development to enhance the capabilities of the Salt Virt systems. NOTE:

Salt Virt Tutorial¶

A tutorial about how to get Salt Virt up and running has been added to the tutorial section: Cloud Controller Tutorial

The Salt Virt Runner¶

The point of interaction with the cloud controller is the virt runner. The virt runner comes with routines to execute specific virtual machine routines. Reference documentation for the virt runner is available with the runner module documentation: Virt Runner Reference

Based on Live State Data¶

The Salt Virt system is based on using Salt to query live data about hypervisors and then using the data gathered to make decisions about cloud operations. This means that no external resources are required to run Salt Virt, and that the information gathered about the cloud is live and accurate.

VIRTUAL MACHINE NETWORK PROFILES¶

Salt Virt allows for the network devices created for deployed virtual machines to be finely configured. The configuration is a simple data structure which is read from the config.option function, meaning that the configuration can be stored in the minion config file, the master config file, or the minion's pillar. This configuration option is called virt.nic. By default the virt.nic option is empty but defaults to a data structure which looks like this:
NOTE:
This configuration sets up a network profile called default. The default profile creates a single Ethernet device on the virtual machine that is bridged to the hypervisor's br0 interface. This default setup does not require setting up the virt.nic configuration, and is the reason why a default install only requires setting up the br0 bridge device on the hypervisor.

Define More Profiles¶

Many environments will require more complex network profiles and may require more than one profile, this can be easily accomplished:
This configuration allows for one of six profiles to be selected, allowing virtual machines to be created which attach to different network depending on the needs of the deployed vm.

SALT SSH¶

NOTE:
NOTE:
In version 0.17.0 of Salt a new transport system was introduced, the ability to use SSH for Salt communication. This addition allows for Salt routines to be executed on remote systems entirely through ssh, bypassing the need for a Salt Minion to be running on the remote systems and the need for a Salt Master. NOTE:
Salt SSH is very easy to use, simply set up a basic roster file of the systems to connect to and run salt-ssh commands in a similar way as standard salt commands.

Salt SSH Roster¶

The roster system in Salt allows for remote minions to be easily defined. NOTE:
Simply create the roster file, the default location is /etc/salt/roster:
This is a very basic roster file where a Salt ID is being assigned to an IP address. A more elaborate roster can be created:
NOTE:

Calling Salt SSH¶

The salt-ssh command can be easily executed in the same was as a salt command:
Commands with salt-ssh follow the same syntax as the salt command. The standard salt functions are available! The output is the same as salt and many of the same flags are available. Please see http://docs.saltstack.com/ref/cli/salt-ssh.html for all of the available options.

Raw Shell Calls¶

By default salt-ssh runs Salt execution modules on the remote system, but salt-ssh can also execute raw shell commands:

States Via Salt SSH¶

The Salt State system can also be used with salt-ssh. The state system abstracts the same interface to the user in salt-ssh as it does when using standard salt. The intent is that Salt Formulas defined for standard salt will work seamlessly with salt-ssh and vice-versa. The standard Salt States walkthroughs function by simply replacing salt commands with salt-ssh.

Targeting with Salt SSH¶

Due to the fact that the targeting approach differs in salt-ssh, only glob and regex targets are supported as of this writing, the remaining target systems still need to be implemented.

Configuring Salt SSH¶

Salt SSH takes its configuration from a master configuration file. Normally, this file is in /etc/salt/master. If one wishes to use a customized configuration file, the -c option to Salt SSH facilitates passing in a directory to look inside for a configuration file named master.

Running Salt SSH as non-root user¶

By default, Salt read all the configuration from /etc/salt/. If you are running Salt SSH with a regular user you have to modify some paths or you will get "Permission denied" messages. You have to modify two parameters: pki_dir and cachedir. Those should point to a full path writable for the user. It's recommed not to modify /etc/salt for this purpose. Create a private copy of /etc/salt for the user and run the command with -c /new/config/path.

SALT ROSTERS¶

Salt rosters are plugable systems added in Salt 0.17.0 to facilitate the salt-ssh system. The roster system was created because salt-ssh needs a means to identify which systems need to be targeted for execution. NOTE:
Since the roster system is pluggable, it can be easily augmented to attach to any existing systems to gather information about what servers are presently available and should be attached to by salt-ssh. By default the roster file is located at /etc/salt/roster.

How Rosters Work¶

The roster system compiles a data structure internally refered to as targets. The targets is a list of target systems and attributes about how to connect to said systems. The only requirement for a roster module in Salt is to return the targets data structure.

Targets Data¶

The information which can be stored in a roster target is the following:

RUNNING THE TESTS¶

There are requirements, in addition to Salt's requirements, which needs to be installed in order to run the test suite. Install one of the lines below, depending on the relevant Python version:
NOTE:
Once all require requirements are set, use tests/runtests.py to run the tests, see --help for more info. And alternative way of invoking the tests is available in setup.py, run the tests with the following command:
Examples:

Running The Tests In A Docker Container¶

If the runtests.py binary supports the --docked option flag, you can choose to execute the tests suite under the provided docker container. You need to have your docker properly configured on your system and the containers need to have access to the internet. Here's a simple usage example:
You can also provide the full docker container repository:
The SaltStack team is creating some containers which will have the necessary dependencies pre-installed allowing you, for example, to run the destructive tests without making a single destructive change to your system, or, to run the tests suite under a different distribution than the one you're currently using. You can see the current list of test suite images on our docker repository. If you wish to provide your own docker container, you can submit pull requests against our docker salt test containers repository.

WRITING TESTS¶

Salt uses a test platform to verify functionality of components in a simple way. Two testing systems exist to enable testing salt functions in somewhat real environments. The two subsystems available are integration tests and unit tests. Salt uses the python standard library unittest2 system for testing.

Integration Tests¶

The integration tests start up a number of salt daemons to test functionality in a live environment. These daemons include 2 salt masters, 1 syndic and 2 minions. This allows for the syndic interface to be tested and master/minion communication to be verified. All of the integration tests are executed as live salt commands sent through the started daemons.
Integration tests are particularly good at testing modules, states and shell commands.

Unit Tests¶

Direct unit tests are also available, these tests are good for internal functions.

INTEGRATION TESTS¶

The Salt integration tests come with a number of classes and methods which allow for components to be easily tested. These classes are generally inherited from and provide specific methods for hooking into the running integration test environment created by the integration tests. It is noteworthy that since integration tests validate against a running environment that they are generally the preferred means to write tests. The integration system is all located under tests/integration in the Salt source tree.

Integration Classes¶

The integration classes are located in tests/integration/__init__.py and can be extended therein. There are three classes available to extend:

ModuleCase¶

Used to define executions run via the master to minions and to call single modules and states. The available methods are as follows:

SyndicCase¶

Used to execute remote commands via a syndic, only used to verify the capabilities of the Syndic. The available methods are as follows:

ShellCase¶

Shell out to the scripts which ship with Salt. The available methods are as follows:

Examples¶

Module Example via ModuleCase Class¶

Import the integration module, this module is already added to the python path by the test execution. Inherit from the integration.ModuleCase class. The tests that execute against salt modules should be placed in the tests/integration/modules directory so that they will be detected by the test system. Now the workhorse method run_function can be used to test a module:
ModuleCase can also be used to test states, when testing states place the test module in the tests/integration/states directory. The state_result and the run_state methods are the workhorse here:
The above example also demonstrates using the integration files and the integration state tree. The variable integration.FILES will point to the directory used to store files that can be used or added to to help enable tests that require files. The location integration.TMP can also be used to store temporary files that the test system will clean up when the execution finishes. The integration state tree can be found at tests/integration/files/file/base. This is where the referenced host.present sls file resides.

Shell Example via ShellCase¶

Validating the shell commands can be done via shell tests. Here are some examples:
This example verifies that the salt-key command executes and returns as expected by making use of the run_key method. All shell tests should be placed in the tests/integraion/shell directory.

WRITING UNIT TESTS¶

Introduction¶

Like many software projects, Salt has two broad-based testing approaches -- integration testing and unit testing. While integration testing focuses on the interaction between components in a sandboxed environment, unit testing focuses on the singular implementation of individual functions.

Preparing to Write a Unit Test¶

Unit tests live in: tests/unit/. Most commonly, the following imports are necessary to create a unit test:
If you need mock support to your tests, please also import:

A Simple Example¶

Let's assume that we're testing a very basic function in an imaginary Salt execution module. Given a module called fib.py that has a function called 'calculate(num_of_results)', which given a 'num_of_results', produces a list of sequential Fibonacci numbers of that length. A unit test to test this function might be commonly placed in a file called tests/unit/modules/fib_test.py. The convention is to place unit tests for Salt execution modules in test/unit/modules/ and to name the tests module suffixed with _test.py. Tests are grouped around test cases, which are logically grouped sets of tests against a piece of functionality in the tested software. Test cases are created as Python classes in the unit test module. To return to our example, here's how we might write the skeleton for testing fib.py:
At this point, the test can now be run, either individually or as a part of a full run of the test runner. To ease development, a single test can be executed:
This will produce output indicating the success or failure of the tests in given test case. For more detailed results, one can also include a flag to increase verbosity:
To review the results of a particular run, take a note of the log location given in the output for each test:

Evaluating Truth¶

A longer discussion on the types of assertions one can make can be found by reading Python's documentation on unit testing.

Tests Using Mock Objects¶

In many cases, the very purpose of a Salt module is to interact with some external system, whether it be to control a database, manipulate files on a filesystem or many other examples. In these varied cases, it's necessary to design a unit test which can test the function whilst replacing functions which might actually call out to external systems. One might think of this as "blocking the exits" for code under tests and redirecting the calls to external systems with our own code which produces known results during the duration of the test. To achieve this behavior, Salt makes heavy use of the MagicMock package. To understand how one might integrate Mock into writing a unit test for Salt, let's imagine a scenario in which we're testing an execution module that's designed to operate on a database. Furthermore, let's imagine two separate methods, here presented in pseduo-code in an imaginary execution module called 'db.py.
Here, let's imagine that we want to create a unit test for the create_user function. In doing so, we want to avoid any calls out to an external system and so while we are running our unit tests, we want to replace the actual interaction with a database with a function that can capture the parameters sent to it and return pre-defined values. Therefore, our task is clear -- to write a unit test which tests the functionality of create_user while also replacing 'execute_query' with a mocked function. To begin, we set up the skeleton of our class much like we did before, but with additional imports for MagicMock:

Modifying __salt__ In Place¶

At times, it becomes necessary to make modifications to a module's view of functions in its own __salt__ dictionary. Luckily, this process is quite easy. Below is an example that uses MagicMock's patch functionality to insert a function into __salt__ that's actually a MagicMock instance.

REACTOR SYSTEM¶

Salt version 0.11.0 introduced the reactor system. The premise behind the reactor system is that with Salt's events and the ability to execute commands, a logic engine could be put in place to allow events to trigger actions, or more accurately, reactions. This system binds sls files to event tags on the master. These sls files then define reactions. This means that the reactor system has two parts. First, the reactor option needs to be set in the master configuration file. The reactor option allows for event tags to be associated with sls reaction files. Second, these reaction files use highdata (like the state system) to define reactions to be executed.

Event System¶

A basic understanding of the event system is required to understand reactors. The event system is a local ZeroMQ PUB interface which fires salt events. This event bus is an open system used for sending information notifying Salt and other systems about operations. The event system fires events with a very specific criteria. Every event has a tag. Event tags allow for fast top level filtering of events. In addition to the tag, each event has a data structure. This data structure is a dict, which contains information about the event.

Mapping Events to Reactor SLS Files¶

Reactor SLS files and event tags are associated in the master config file. By default this is /etc/salt/master, or /etc/salt/master.d/reactor.conf. In the master config section 'reactor:' is a list of event tags to be matched and each event tag has a list of reactor SLS files to be run.
Reactor sls files are similar to state and pillar sls files. They are by default yaml + Jinja templates and are passed familar context variables. They differ because of the addtion of the tag and data variables.
Here is a simple reactor sls:
This simple reactor file uses Jinja to further refine the reaction to be made. If the id in the event data is mysql1 (in other words, if the name of the minion is mysql1) then the following reaction is defined. The same data structure and compiler used for the state system is used for the reactor system. The only difference is that the data is matched up to the salt command API and the runner system. In this example, a command is published to the mysql1 minion with a function of state.highstate. Similarly, a runner can be called:
This example will execute the state.overstate runner and initiate an overstate execution.

Fire an event¶

To fire an event from a minion call event.fire_master
After this is called, any reactor sls files matching event tag foo will execute with {{ data['data']['overstate'] }} equal to 'refresh'. See salt.modules.event for more information.

Knowing what event is being fired¶

Knowing exactly which event is being fired and what data is has for use in the sls files can be challenging. The easiest way to see exactly what's going on is to use the eventlisten.py script. This script is not part of packages but is part of the source. If the master process is using the default socket, no additional options will be required. Otherwise, you will need to specify the socket location. Example usage:
Example output:

Understanding the Structure of Reactor Formulas¶

While the reactor system uses the same data structure as the state system, this data does not translate the same way to operations. In state files formula information is mapped to the state functions, but in the reactor system information is mapped to a number of available subsystems on the master. These systems are the LocalClient and the Runners. The state declaration field takes a reference to the function to call in each interface. So to trigger a salt-run call the state declaration field will start with runner, followed by the runner function to call. This means that a call to what would be on the command line salt-run manage.up will be runner.manage.up. An example of this in a reactor formula would look like this:
If the runner takes arguments then they can be specified as well:
Executing remote commands maps to the LocalClient interface which is used by the salt command. This interface more specifically maps to the cmd_async method inside of the LocalClient class. This means that the arguments passed are being passed to the cmd_async method, not the remote method. A field starts with cmd to use the LocalClient subsystem. The result is, to execute a remote command, a reactor fomular would look like this:
The arg option takes a list of arguments as they would be presented on the command line, so the above declaration is the same as running this salt command:
Use the expr_form argument to specify a matcher:
An interesting trick to pass data from the Reactor script to state.highstate or state.sls is to pass it as inline Pillar data since both functions take a keyword argument named pillar. The following example uses Salt's Reactor to listen for the event that is fired when the key for a new minion is accepted on the master using salt-key. /etc/salt/master.d/reactor.conf:
The Reactor then fires a state.sls command targeted to the HAProxy servers and passes the ID of the new minion from the event to the state file via inline Pillar. Note, the Pillar data will need to be passed as a string since that is how it is passed at the CLI. That string will be parsed as YAML on the minion (same as how it works at the CLI). /srv/salt/haproxy/react_new_minion.sls:
The above command is equivalent to the following command at the CLI:
Finally, that data is available in the state file using the normal Pillar lookup syntax. The following example is grabbing web server names and IP addresses from Salt Mine. If this state is invoked from the Reactor then the custom Pillar value from above will be available and the new minion will be added to the pool but with the disabled flag so that HAProxy won't yet direct traffic to it. /srv/salt/haproxy/refresh_pool.sls:

A complete example¶

In this example, we're going to assume that we have a group of servers that will come online at random and need to have keys automatically accepted. We'll also add that we don't want all servers being automatically accepted. For this example, we'll assume that all hosts that have an id that starts with 'ink' will be automatically accepted and have state.highstate executed. On top of thise, we're going to add that a host coming up that was replaced (meaning a new key) will also be accepted. Our master configuration will be rather simple. All minions that attempte to authenticate will match the tag of salt/auth. When it comes to the minion key being accepted, we get a more refined tag that includes the minion id, which we can use for matching. /etc/salt/master.d/reactor.conf:
In this sls file, we say that if the key was rejected we will delete the key on the master and then also tell the master to ssh in to the minion and tell it to restart the minion, since a minion process will die if the key is rejected. We also say that if the key is pending and the id starts with ink we will accept the key. A minion that is waiting on a pending key will retry authentication authentication every ten second by default. /srv/reactor/auth-pending.sls:
No if statements are needed here because we already limited this action to just Ink servers in the master configuration. /srv/reactor/auth-complete.sls:

SALT FORMULAS¶

Formulas are pre-written Salt States. They are as open-ended as Salt States themselves and can be used for tasks such as installing a package, configuring and starting a service, setting up users or permissions, and many other common tasks. NOTE:
All official Salt Formulas are found as separate Git repositories in the "saltstack-formulas" organization on GitHub: https://github.com/saltstack-formulas As an example, quickly install and configure the popular memcached server using sane defaults simply by including the memcached-formula repository into an existing Salt States tree.

Installation¶

Each Salt Formula is an individual Git repository designed as a drop-in addition to an existing Salt State tree. Formulas can be installed in the following ways.

Adding a Formula as a GitFS remote¶

One design goal of Salt's GitFS fileserver backend was to facilitate reusable States so this is a quick and natural way to use Formulas. SEE ALSO:

Adding a Formula directory manually¶

Since Formulas are simply directories they can be copied onto the local file system by using Git to clone the repository or by downloading and expanding a tarball or zip file of the directory.

Usage¶

Each Formula is intended to be immediately usable with sane defaults without any additional configuration. Many formulas are also configurable by including data in Pillar; see the pillar.example file in each Formula repository for available options.

Including a Formula in an existing State tree¶

Formula may be included in an existing sls file. This is often useful when a state you are writing needs to require or extend a state defined in the formula. Here is an example of a state that uses the epel-formula in a require declaration which directs Salt to not install the python26 package until after the EPEL repository has also been installed:

Including a Formula from a Top File¶

Some Formula perform completely standalone installations that are not referenced from other state files. It is usually cleanest to include these Formula directly from a Top File. For example the easiest way to set up an OpenStack deployment on a single machine is to include the openstack-standalone-formula directly from a top.sls file:
Quickly deploying OpenStack across several dedicated machines could also be done directly from a Top File and may look something like this:

Configuring Formula using Pillar¶

Salt Formulas are designed to work out of the box with no additional configuration. However, many Formula support additional configuration and customization through Pillar. Examples of available options can be found in a file named pillar.example in the root directory of each Formula repository.

Modifying default Formula behavior¶

Remember that Formula are regular Salt States and can be used with all Salt's normal mechanisms for determining execution order. Formula can be required from other States with require declarations, they can be modified using extend, they can made to watch other states with watch_in, they can be used as templates for other States with use. Don't be shy to read through the source for each Formula!

Reporting problems & making additions¶

Each Formula is a separate repository on GitHub. If you encounter a bug with a Formula please file an issue in the respective repository! Send fixes and additions as a pull request. Add tips and tricks to the repository wiki.

Writing Formulas¶

Each Formula is a separate repository in the saltstack-formulas organization on GitHub. NOTE:

Repository structure¶

A basic Formula repository should have the following layout:
SEE ALSO:

README.rst¶

The README should detail each available .sls file by explaining what it does, whether it has any dependencies on other formulas, whether it has a target platform, and any other installation or usage instructions or tips. A sample skeleton for the README.rst file:

CHANGELOG.rst¶

The CHANGELOG.rst file should detail the individual versions, their release date and a set of bullet points for each version highlighting the overall changes in a given version of the formula. A sample skeleton for the CHANGELOG.rst file: CHANGELOG.rst:

map.jinja¶

It is useful to have a single source for platform-specific or other parameterized information that can be reused throughout a Formula. See " conventions-formula-parameterization" below for more information. Such a file should be named map.jinja and live alongside the state files. The following is an example from the MySQL Formula that has been slightly modified to be more readable and less terse. In essence, it is a simple dictionary that serves as a lookup table. The grains.filter_by function then does a lookup on that table using the os_family grain (by default) and sets the result to a variable that can be used throughout the formula. SEE ALSO:
map.jinja:
The above example is used to help explain how the mapping works. In most map files you will see the following structure:
The merge keyword specifies the location of a dictionary in Pillar that can be used to override values returned from the lookup table. If the value exists in Pillar it will take precedence, otherwise merge will be ignored. This is useful when software or configuration files is installed to non-standard locations. For example, the following Pillar would replace the config value from the call above.
Any of the values defined above can be fetched for the current platform in any state file using the following syntax:

SLS files¶

Each state in a Formula should use sane defaults (as much as is possible) and use Pillar to allow for customization. The root state, in particular, and most states in general, should strive to do no more than the basic expected thing and advanced configuration should be put in child states build on top of the basic states. For example, the root Apache should only install the Apache httpd server and make sure the httpd service is running. It can then be used by more advanced states:

Platform agnostic¶

Each Salt Formula must be able to be run without error on any platform. If the formula is not applicable to a platform it should do nothing. See the epel-formula for an example. Any platform-specific states must be wrapped in conditional statements:
A handy method for using platform-specific values is to create a lookup table using the filter_by() function:

Configuration and parameterization¶

Each Formula should strive for sane defaults that can then be customized using Pillar. Pillar lookups must use the safe get() and must provide a default value:
Any default values used in the Formula must also be documented in the pillar.example file in the root of the repository. Comments should be used liberally to explain the intent of each configuration value. In addition, users should be able copy-and-paste the contents of this file into their own Pillar to make any desired changes.

Scripting¶

Remember that both State files and Pillar files can easily call out to Salt execution modules and have access to all the system grains as well.
Jinja macros are generally discouraged in favor of adding functions to existing Salt modules or adding new modules. An example of this is the filter_by() function.

Versioning¶

Formula are versioned according to Semantic Versioning, http://semver.org/.
Formula versions are tracked using Git tags as well as the VERSION file in the formula repository. The VERSION file should contain the currently released version of the particular formula.

Testing Formulas¶

Salt Formulas are tested by running each .sls file via state.sls and checking the output for success or failure. This is done for each supported platform.

SALT CONVENTIONS¶

Salt Formulas¶

Formulas are pre-written Salt States. They are as open-ended as Salt States themselves and can be used for tasks such as installing a package, configuring and starting a service, setting up users or permissions, and many other common tasks. NOTE:
All official Salt Formulas are found as separate Git repositories in the "saltstack-formulas" organization on GitHub: https://github.com/saltstack-formulas As an example, quickly install and configure the popular memcached server using sane defaults simply by including the memcached-formula repository into an existing Salt States tree.

Installation¶

Each Salt Formula is an individual Git repository designed as a drop-in addition to an existing Salt State tree. Formulas can be installed in the following ways.

Adding a Formula as a GitFS remote¶

One design goal of Salt's GitFS fileserver backend was to facilitate reusable States so this is a quick and natural way to use Formulas. SEE ALSO:

Adding a Formula directory manually¶

Since Formulas are simply directories they can be copied onto the local file system by using Git to clone the repository or by downloading and expanding a tarball or zip file of the directory.

Usage¶

Each Formula is intended to be immediately usable with sane defaults without any additional configuration. Many formulas are also configurable by including data in Pillar; see the pillar.example file in each Formula repository for available options.

Including a Formula in an existing State tree¶

Formula may be included in an existing sls file. This is often useful when a state you are writing needs to require or extend a state defined in the formula. Here is an example of a state that uses the epel-formula in a require declaration which directs Salt to not install the python26 package until after the EPEL repository has also been installed:

Including a Formula from a Top File¶

Some Formula perform completely standalone installations that are not referenced from other state files. It is usually cleanest to include these Formula directly from a Top File. For example the easiest way to set up an OpenStack deployment on a single machine is to include the openstack-standalone-formula directly from a top.sls file:
Quickly deploying OpenStack across several dedicated machines could also be done directly from a Top File and may look something like this:

Configuring Formula using Pillar¶

Salt Formulas are designed to work out of the box with no additional configuration. However, many Formula support additional configuration and customization through Pillar. Examples of available options can be found in a file named pillar.example in the root directory of each Formula repository.

Modifying default Formula behavior¶

Remember that Formula are regular Salt States and can be used with all Salt's normal mechanisms for determining execution order. Formula can be required from other States with require declarations, they can be modified using extend, they can made to watch other states with watch_in, they can be used as templates for other States with use. Don't be shy to read through the source for each Formula!

Reporting problems & making additions¶

Each Formula is a separate repository on GitHub. If you encounter a bug with a Formula please file an issue in the respective repository! Send fixes and additions as a pull request. Add tips and tricks to the repository wiki.

Writing Formulas¶

Each Formula is a separate repository in the saltstack-formulas organization on GitHub. NOTE:

Repository structure¶

A basic Formula repository should have the following layout:
SEE ALSO:

README.rst¶

The README should detail each available .sls file by explaining what it does, whether it has any dependencies on other formulas, whether it has a target platform, and any other installation or usage instructions or tips. A sample skeleton for the README.rst file:

CHANGELOG.rst¶

The CHANGELOG.rst file should detail the individual versions, their release date and a set of bullet points for each version highlighting the overall changes in a given version of the formula. A sample skeleton for the CHANGELOG.rst file: CHANGELOG.rst:

map.jinja¶

It is useful to have a single source for platform-specific or other parameterized information that can be reused throughout a Formula. See " conventions-formula-parameterization" below for more information. Such a file should be named map.jinja and live alongside the state files. The following is an example from the MySQL Formula that has been slightly modified to be more readable and less terse. In essence, it is a simple dictionary that serves as a lookup table. The grains.filter_by function then does a lookup on that table using the os_family grain (by default) and sets the result to a variable that can be used throughout the formula. SEE ALSO:
map.jinja:
The above example is used to help explain how the mapping works. In most map files you will see the following structure:
The merge keyword specifies the location of a dictionary in Pillar that can be used to override values returned from the lookup table. If the value exists in Pillar it will take precedence, otherwise merge will be ignored. This is useful when software or configuration files is installed to non-standard locations. For example, the following Pillar would replace the config value from the call above.
Any of the values defined above can be fetched for the current platform in any state file using the following syntax:

SLS files¶

Each state in a Formula should use sane defaults (as much as is possible) and use Pillar to allow for customization. The root state, in particular, and most states in general, should strive to do no more than the basic expected thing and advanced configuration should be put in child states build on top of the basic states. For example, the root Apache should only install the Apache httpd server and make sure the httpd service is running. It can then be used by more advanced states:

Platform agnostic¶

Each Salt Formula must be able to be run without error on any platform. If the formula is not applicable to a platform it should do nothing. See the epel-formula for an example. Any platform-specific states must be wrapped in conditional statements:
A handy method for using platform-specific values is to create a lookup table using the filter_by() function:

Configuration and parameterization¶

Each Formula should strive for sane defaults that can then be customized using Pillar. Pillar lookups must use the safe get() and must provide a default value:
Any default values used in the Formula must also be documented in the pillar.example file in the root of the repository. Comments should be used liberally to explain the intent of each configuration value. In addition, users should be able copy-and-paste the contents of this file into their own Pillar to make any desired changes.

Scripting¶

Remember that both State files and Pillar files can easily call out to Salt execution modules and have access to all the system grains as well.
Jinja macros are generally discouraged in favor of adding functions to existing Salt modules or adding new modules. An example of this is the filter_by() function.

Versioning¶

Formula are versioned according to Semantic Versioning, http://semver.org/.
Formula versions are tracked using Git tags as well as the VERSION file in the formula repository. The VERSION file should contain the currently released version of the particular formula.

Testing Formulas¶

Salt Formulas are tested by running each .sls file via state.sls and checking the output for success or failure. This is done for each supported platform.

SaltStack Packaging Guide¶

Since Salt provides a powerful toolkit for system management and automation, the package can be spit into a number of sub-tools. While packaging Salt as a single package containing all components is perfectly acceptable, the split packages should follow this convention.

Source Files¶

Release packages should always be built from the source tarball distributed via pypi. Release packages should NEVER use a git checkout as the source for distribution.

Single Package¶

Shipping Salt as a single package, where the minion, master and all tools are together is perfectly acceptable and practiced by distributions such as FreeBSD.

Split Package¶

Salt Should always be split in a standard way, with standard dependencies, this lowers cross distribution confusion about what components are going to be shipped with specific packages. These packages can be defined from the Salt Source as of Salt 0.17.0:

Salt Common¶

The salt-common or salt package should contain the files provided by the salt python package, or all files distributed from the salt/ directory in the source distribution packages. The documentation contained under the doc/ directory can be a part of this package but splitting out a doc package is preferred. Since salt-call is the entry point to utilize the libs and is useful for all salt packages it is included in the salt-common package.

Name¶

Files¶

Depends¶

Salt Master¶

The salt-master package contains the applicable scripts, related man pages and init information for the given platform.

Name¶

Files¶

Depends¶

Salt Syndic¶

The Salt Syndic package can be rolled completely into the Salt Master package. Platforms which start services as part of the package deployment need to maintain a separate salt-syndic package (primarily Debian based platforms). The Syndic may optionally not depend on the anything more than the Salt Master since the master will bring in all needed dependencies, but fall back to the platform specific packaging guidelines.

Name¶

Files¶

Depends¶

Salt Minion¶

The Minion is a standalone package and should not be split beyond the salt-minion and salt-common packages.

Name¶

Files¶

Depends¶

Salt SSH¶

Since Salt SSH does not require the same dependencies as the minion and master, it should be split out.

Name¶

Files¶

Depends¶

Salt Doc¶

The documentation package is very distribution optional. A completely split package will split out the documentation, but some platform conventions do not prefer this. If the documentation is not split out, it should be included with the Salt Common package.

Name¶

Files¶

Optional Depends¶

Salt Release Process¶

The goal for Salt projects is to cut a new feature release every four to six weeks. This document outlines the process for these releases, and the subsequent bug fix releases which follow.

Feature Release Process¶

When a new release is ready to be cut, the person responsible for cutting the release will follow the following steps (written using the 0.16 release as an example):

Maintenance and Bugfix Releases¶

Once a release has been cut, regular cherry-picking sessions should begin to cherry-pick any bugfixes from the develop branch to the release branch (e.g. 0.16). Once major bugs have been fixes and cherry-picked, a bugfix release can be cut:

Salt Coding Style¶

Salt is developed with a certain coding style, while the style is dominantly PEP 8 it is not completely PEP 8. It is also noteworthy that a few development techniques are also employed which should be adhered to. In the end, the code is made to be "Salty". Most importantly though, we will accept code that violates the coding style and KINDLY ask the contributor to fix it, or go ahead and fix the code on behalf of the contributor. Coding style is NEVER grounds to reject code contributions, and is never grounds to talk down to another member of the community (There are no grounds to treat others without respect, especially people working to improve Salt)!!

Linting¶

Most Salt style conventions are codified in Salt's .pylintrc file. This file is found in the root of the Salt project and can be passed as an argument to the pylint program as follows: pylint --rcfile=/path/to/salt/.pylintrc salt/dir/to/lint

Strings¶

Salt follows a few rules when formatting strings:

Single Quotes¶

In Salt, all strings use single quotes unless there is a good reason not to. This means that docstrings use single quotes, standard strings use single quotes etc.:

Formatting Strings¶

All strings which require formatting should use the .format string method:
Make sure to use indices or identifiers in the format brackets, since empty brackets are not supported by python 2.6. Please do NOT use printf formatting.

Docstring Conventions¶

Docstrings should always add a newline, docutils takes care of the new line and it makes the code cleaner and more vertical: GOOD:
BAD:
When adding a new function or state, where possible try to use a versionadded directive to denote when the function or state was added.
If you are uncertain what version should be used, either consult a core developer in IRC or bring this up when opening your pull request and a core developer will add the proper version once your pull request has been merged. Bugfixes will be available in a bugfix release (i.e. 0.17.1, the first bugfix release for 0.17.0), while new features are held for feature releases, and this will affect what version number should be used in the versionadded directive. Similar to the above, when an existing function or state is modified (for example, when an argument is added), then under the explanation of that new argument a versionadded directive should be used to note the version in which the new argument was added. If an argument's function changes significantly, the versionchanged directive can be used to clarify this:

Imports¶

Salt code prefers importing modules and not explicit functions. This is both a style and functional preference. The functional preference originates around the fact that the module import system used by pluggable modules will include callable objects (functions) that exist in the direct module namespace. This is not only messy, but may unintentionally expose code python libs to the Salt interface and pose a security problem. To say this more directly with an example, this is GOOD:
This on the other hand is DISCOURAGED:
The time when this is changed is for importing exceptions, generally directly importing exceptions is preferred: This is a good way to import exceptions:

Absolute Imports¶

Although absolute imports seems like an awesome idea, please do not use it. Extra care would be necessary all over salt's code in order for absolute imports to work as supposed. Believe it, it has been tried before and, as a tried example, by renaming salt.modules.sysmod to salt.modules.sys, all other salt modules which needed to import sys would have to also import absolute_import, which should be avoided.

Vertical is Better¶

When writing Salt code, vertical code is generally preferred. This is not a hard rule but more of a guideline. As PEP 8 specifies, Salt code should not exceed 79 characters on a line, but it is preferred to separate code out into more newlines in some cases for better readability:
Where there are more line breaks, this is also apparent when constructing a function with many arguments, something very common in state functions for instance:
NOTE:

Indenting¶

Some confusion exists in the python world about indenting things like function calls, the above examples use 8 spaces when indenting comma-delimited constructs. The confusion arises because the pep8 program INCORRECTLY flags this as wrong, where PEP 8, the document, cites only using 4 spaces here as wrong, as it doesn't differentiate from a new indent level. Right:
WRONG:
Lining up the indent is also correct:
This also applies to function calls and other hanging indents. pep8 and Flake8 (and, by extension, the vim plugin Syntastic) will complain about the double indent for hanging indents. This is a known conflict between pep8 (the script) and the actual PEP 8 standard. It is recommended that this particular warning be ignored with the following lines in ~/.config/flake8:
Make sure your Flake8/pep8 are up to date. The first three errors are ignored by default and are present here to keep the behavior the same. This will also work for pep8 without the Flake8 wrapper -- just replace all instances of 'flake8' with 'pep8', including the filename.

Code Churn¶

Many pull requests have been submitted that only churn code in the name of PEP 8. Code churn is a leading source of bugs and is strongly discouraged. While style fixes are encouraged they should be isolated to a single file per commit, and the changes should be legitimate, if there are any questions about whether a style change is legitimate please reference this document and the official PEP 8 ( http://www.python.org/dev/peps/pep-0008/) document before changing code. Many claims that a change is PEP 8 have been invalid, please double check before committing fixes.

SALTSTACK PACKAGING GUIDE¶

Since Salt provides a powerful toolkit for system management and automation, the package can be spit into a number of sub-tools. While packaging Salt as a single package containing all components is perfectly acceptable, the split packages should follow this convention.

Source Files¶

Release packages should always be built from the source tarball distributed via pypi. Release packages should NEVER use a git checkout as the source for distribution.

Single Package¶

Shipping Salt as a single package, where the minion, master and all tools are together is perfectly acceptable and practiced by distributions such as FreeBSD.

Split Package¶

Salt Should always be split in a standard way, with standard dependencies, this lowers cross distribution confusion about what components are going to be shipped with specific packages. These packages can be defined from the Salt Source as of Salt 0.17.0:

Salt Common¶

The salt-common or salt package should contain the files provided by the salt python package, or all files distributed from the salt/ directory in the source distribution packages. The documentation contained under the doc/ directory can be a part of this package but splitting out a doc package is preferred. Since salt-call is the entry point to utilize the libs and is useful for all salt packages it is included in the salt-common package.

Name¶

Files¶

Depends¶

Salt Master¶

The salt-master package contains the applicable scripts, related man pages and init information for the given platform.

Name¶

Files¶

Depends¶

Salt Syndic¶

The Salt Syndic package can be rolled completely into the Salt Master package. Platforms which start services as part of the package deployment need to maintain a separate salt-syndic package (primarily Debian based platforms). The Syndic may optionally not depend on the anything more than the Salt Master since the master will bring in all needed dependencies, but fall back to the platform specific packaging guidelines.

Name¶

Files¶

Depends¶

Salt Minion¶

The Minion is a standalone package and should not be split beyond the salt-minion and salt-common packages.

Name¶

Files¶

Depends¶

Salt SSH¶

Since Salt SSH does not require the same dependencies as the minion and master, it should be split out.

Name¶

Files¶

Depends¶

Salt Doc¶

The documentation package is very distribution optional. A completely split package will split out the documentation, but some platform conventions do not prefer this. If the documentation is not split out, it should be included with the Salt Common package.

Name¶

Files¶

Optional Depends¶

SALT RELEASE PROCESS¶

The goal for Salt projects is to cut a new feature release every four to six weeks. This document outlines the process for these releases, and the subsequent bug fix releases which follow.

Feature Release Process¶

When a new release is ready to be cut, the person responsible for cutting the release will follow the following steps (written using the 0.16 release as an example):

Maintenance and Bugfix Releases¶

Once a release has been cut, regular cherry-picking sessions should begin to cherry-pick any bugfixes from the develop branch to the release branch (e.g. 0.16). Once major bugs have been fixes and cherry-picked, a bugfix release can be cut:

SALT CODING STYLE¶

Salt is developed with a certain coding style, while the style is dominantly PEP 8 it is not completely PEP 8. It is also noteworthy that a few development techniques are also employed which should be adhered to. In the end, the code is made to be "Salty". Most importantly though, we will accept code that violates the coding style and KINDLY ask the contributor to fix it, or go ahead and fix the code on behalf of the contributor. Coding style is NEVER grounds to reject code contributions, and is never grounds to talk down to another member of the community (There are no grounds to treat others without respect, especially people working to improve Salt)!!

Linting¶

Most Salt style conventions are codified in Salt's .pylintrc file. This file is found in the root of the Salt project and can be passed as an argument to the pylint program as follows: pylint --rcfile=/path/to/salt/.pylintrc salt/dir/to/lint

Strings¶

Salt follows a few rules when formatting strings:

Single Quotes¶

In Salt, all strings use single quotes unless there is a good reason not to. This means that docstrings use single quotes, standard strings use single quotes etc.:

Formatting Strings¶

All strings which require formatting should use the .format string method:
Make sure to use indices or identifiers in the format brackets, since empty brackets are not supported by python 2.6. Please do NOT use printf formatting.

Docstring Conventions¶

Docstrings should always add a newline, docutils takes care of the new line and it makes the code cleaner and more vertical: GOOD:
BAD:
When adding a new function or state, where possible try to use a versionadded directive to denote when the function or state was added.
If you are uncertain what version should be used, either consult a core developer in IRC or bring this up when opening your pull request and a core developer will add the proper version once your pull request has been merged. Bugfixes will be available in a bugfix release (i.e. 0.17.1, the first bugfix release for 0.17.0), while new features are held for feature releases, and this will affect what version number should be used in the versionadded directive. Similar to the above, when an existing function or state is modified (for example, when an argument is added), then under the explanation of that new argument a versionadded directive should be used to note the version in which the new argument was added. If an argument's function changes significantly, the versionchanged directive can be used to clarify this:

Imports¶

Salt code prefers importing modules and not explicit functions. This is both a style and functional preference. The functional preference originates around the fact that the module import system used by pluggable modules will include callable objects (functions) that exist in the direct module namespace. This is not only messy, but may unintentionally expose code python libs to the Salt interface and pose a security problem. To say this more directly with an example, this is GOOD:
This on the other hand is DISCOURAGED:
The time when this is changed is for importing exceptions, generally directly importing exceptions is preferred: This is a good way to import exceptions:

Absolute Imports¶

Although absolute imports seems like an awesome idea, please do not use it. Extra care would be necessary all over salt's code in order for absolute imports to work as supposed. Believe it, it has been tried before and, as a tried example, by renaming salt.modules.sysmod to salt.modules.sys, all other salt modules which needed to import sys would have to also import absolute_import, which should be avoided.

Vertical is Better¶

When writing Salt code, vertical code is generally preferred. This is not a hard rule but more of a guideline. As PEP 8 specifies, Salt code should not exceed 79 characters on a line, but it is preferred to separate code out into more newlines in some cases for better readability:
Where there are more line breaks, this is also apparent when constructing a function with many arguments, something very common in state functions for instance:
NOTE:

Indenting¶

Some confusion exists in the python world about indenting things like function calls, the above examples use 8 spaces when indenting comma-delimited constructs. The confusion arises because the pep8 program INCORRECTLY flags this as wrong, where PEP 8, the document, cites only using 4 spaces here as wrong, as it doesn't differentiate from a new indent level. Right:
WRONG:
Lining up the indent is also correct:
This also applies to function calls and other hanging indents. pep8 and Flake8 (and, by extension, the vim plugin Syntastic) will complain about the double indent for hanging indents. This is a known conflict between pep8 (the script) and the actual PEP 8 standard. It is recommended that this particular warning be ignored with the following lines in ~/.config/flake8:
Make sure your Flake8/pep8 are up to date. The first three errors are ignored by default and are present here to keep the behavior the same. This will also work for pep8 without the Flake8 wrapper -- just replace all instances of 'flake8' with 'pep8', including the filename.

Code Churn¶

Many pull requests have been submitted that only churn code in the name of PEP 8. Code churn is a leading source of bugs and is strongly discouraged. While style fixes are encouraged they should be isolated to a single file per commit, and the changes should be legitimate, if there are any questions about whether a style change is legitimate please reference this document and the official PEP 8 ( http://www.python.org/dev/peps/pep-0008/) document before changing code. Many claims that a change is PEP 8 have been invalid, please double check before committing fixes.

SALTSTACK GIT POLICY¶

The SaltStack team follows a git policy to maintain stability and consistency with the repository. The git policy has been developed to encourage contributions and make contributing to Salt as easy as possible. Code contributors to SaltStack projects DO NOT NEED TO READ THIS DOCUMENT, because all contributions come into SaltStack via a single gateway to make it as easy as possible for contributors to give us code. The primary rule of git management in SaltStack is to make life easy on contributors and developers to send in code. Simplicity is always a goal!

New Code Entry¶

All new SaltStack code is posted to the develop branch, this is the single point of entry. The only exception here is when a bugfix to develop cannot be cleanly merged into a release branch and the bugfix needs to be rewritten for the release branch.

Release Branching¶

SaltStack maintains two types of releases, Feature Releases and Point Releases. A feature release is managed by incrementing the first or second release point number, so 0.10.5 -> 0.11.0 signifies a feature release and 0.11.0 -> 0.11.1 signifies a point release, also a hypothetical 0.42.7 -> 1.0.0 would also signify a feature release.

Feature Release Branching¶

Each feature release is maintained in a dedicated git branch derived from the last applicable release commit on develop. All file changes relevant to the feature release will be completed in the develop branch prior to the creation of the feature release branch. The feature release branch will be named after the relevant numbers to the feature release, which constitute the first two numbers. This means that the release branch for the 0.11.0 series is named 0.11. A feature release branch is created with the following command:

Point Releases¶

Each point release is derived from its parent release branch. Constructing point releases is a critical aspect of Salt development and is managed by members of the core development team. Point releases comprise bug and security fixes which are cherry picked from develop onto the aforementioned release branch. At the time when a core developer accepts a pull request a determination needs to be made if the commits in the pull request need to be backported to the release branch. Some simple criteria are used to make this determination:
Determining when a point release is going to be made is up to the project leader (Thomas Hatch). Generally point releases are made every 1-2 weeks or if there is a security fix they can be made sooner. The point release is only designated by tagging the commit on the release branch with release number using the existing convention (version 0.11.1 is tagged with v0.11.1). From the tag point a new source tarball is generated and published to PyPI, and a release announcement is made.

SALT DEVELOPMENT GUIDELINES¶

Deprecating Code¶

Salt should remain backwards compatible, though sometimes, this backwards compatibility needs to be broken because a specific feature and/or solution is no longer necessary or required. At first one might think, let me change this code, it seems that it's not used anywhere else so it should be safe to remove. Then, once there's a new release, users complain about functionality which was removed and they where using it, etc. This should, at all costs, be avoided, and, in these cases, that specific code should be deprecated. Depending on the complexity and usage of a specific piece of code, the deprecation time frame should be properly evaluated. As an example, a deprecation warning which is shown for 2 major releases, for example 0.17.0 and 2014.1.0, gives users enough time to stop using the deprecated code and adapt to the new one. For example, if you're deprecating the usage of a keyword argument to a function, that specific keyword argument should remain in place for the full deprecation time frame and if that keyword argument is used, a deprecation warning should be shown to the user. To help in this deprecation task, salt provides salt.utils.warn_until. The idea behind this helper function is to show the deprecation warning until salt reaches the provided version. Once that provided version is equaled salt.utils.warn_until will raise a RuntimeError making salt stop its execution. This stoppage is unpleasant and will remind the developer that the deprecation limit has been reached and that the code can then be safely removed. Consider the following example:
Consider that the current salt release is 0.16.0. Whenever foo is passed a value different from None that warning will be shown to the user. This will happen in versions 0.16.2 to 2014.1.0, after which a RuntimeError will be raised making us aware that the deprecated code should now be removed.

Dunder Dictionaries¶

Salt provides several special "dunder" dictionaries as a convenience for Salt development. These include __opts__, __context__, __salt__, and others. This document will describe each dictionary and detail where they exist and what information and/or functionality they provide.

__opts__¶

Available in¶

The __opts__ dictionary contains all of the options passed in the configuration file for the master or minion. NOTE:
The configuration file data made available in the __opts__ dictionary is the configuration data relative to the running daemon. If the modules are loaded and executed by the master, then the master configuration data is available, if the modules are executed by the minion, then the minion configuration is available. Any additional information passed into the respective configuration files is made available

__salt__¶

Available in¶

__salt__ contains the execution module functions. This allows for all functions to be called as they have been set up by the salt loader.

__grains__¶

Available in¶

The __grains__ dictionary contains the grains data generated by the minion that is currently being worked with. In execution modules, state modules and returners this is the grains of the minion running the calls, when generating the external pillar the __grains__ is the grains data from the minion that the pillar is being generated for.

__pillar__¶

Available in¶

The __pillar__ dictionary contains the pillar for the respective minion.

__context__¶

__context__ exists in state modules and execution modules. During a state run the __context__ dictionary persists across all states that are run and then is destroyed when the state ends. When running an execution module __context__ persists across all module executions until the modules are refreshed; such as when saltutils.sync_all or state.highstate are executed. A great place to see how to use __context__ is in the cp.py module in salt/modules/cp.py. The fileclient authenticates with the master when it is instantiated and then is used to copy files to the minion. Rather than create a new fileclient for each file that is to be copied down, one instance of the fileclient is instantiated in the __context__ dictionary and is reused for each file. Here is an example from salt/modules/cp.py:
NOTE:

External Pillars¶

Salt provides a mechanism for generating pillar data by calling external pillar interfaces. This document will describe an outline of an ext_pillar module.

Location¶

Salt expects to find your ext_pillar module in the same location where it looks for other python modules. If the extension_modules option in your Salt master configuration is set, Salt will look for a pillar directory under there and load all the modules it finds. Otherwise, it will look in your Python site-packages salt/pillar directory.

Configuration¶

The external pillars that are called when a minion refreshes its pillars is controlled by the ext_pillar option in the Salt master configuration. You can pass a single argument, a list of arguments or a dictionary of arguments to your pillar:

The Module¶

Imports and Logging¶

Import modules your external pillar module needs. You should first include generic modules that come with stock Python:
And then start logging. This is an idiomatic way of setting up logging in Salt:
Finally, load modules that are specific to what you are doing. You should catch import errors and set a flag that the the __virtual__ function can use later.

Options¶

If you define an __opts__ dictionary, it will be merged into the __opts__ dictionary handed to the ext_pillar function later. This is a good place to put default configuration items. The convention is to name things modulename.option.

Initialization¶

If you define an __init__ function, it will be called with the following signature:
Note: The __init__ function is ran every time a particular minion causes the external pillar to be called, so don't put heavy initialization code here. The __init__ functionality is a side-effect of the Salt loader, so it may not be as useful in pillars as it is in other Salt items.

__virtual__¶

If you define a __virtual__ function, you can control whether or not this module is visible. If it returns False then Salt ignores this module. If it returns a string, then that string will be how Salt identifies this external pillar in its ext_pillar configuration. If this function does not exist, then the name Salt's ext_pillar will use to identify this module is its conventional name in Python. This is useful to write modules that can be installed on all Salt masters, but will only be visible if a particular piece of software your module requires is installed.

ext_pillar¶

This is where the real work of an external pillar is done. If this module is active and has a function called ext_pillar, whenever a minion updates its pillar this function is called. How it is called depends on how it is configured in the Salt master configuration. The first argument is always the current pillar dictionary, this contains pillar items that have already been added, starting with the data from pillar_roots, and then from any already-ran external pillars. Using our example above:
In the example_a case, pillar will contain the items from the pillar_roots, in example_b pillar will contain that plus the items added by example_a, and in example_c pillar will contain that plus the items added by example_b. In all three cases, id will contain the ID of the minion making the pillar request. This function should return a dictionary, the contents of which are merged in with all of the other pillars and returned to the minion. Note: this function is called once for each minion that fetches its pillar data.
You shouldn't just add items to pillar and return that, since that will cause Salt to merge data that already exists. Rather, just return the items you are adding or changing. You could, however, use pillar in your module to make some decision based on pillar data that already exists. This function has access to some useful globals:

Example configuration¶

As an example, if you wanted to add external pillar via the cmd_json external pillar, add something like this to your master config:

Logging Internals¶

TODO

Modular Systems¶

When first working with Salt, it is not always clear where all of the modular components are and what they do. Salt comes loaded with more modular systems than many users are aware of, making Salt very easy to extend in many places. The most commonly used modular systems are execution modules and states. But the modular systems extend well beyond the more easily exposed components and are often added to Salt to make the complete system more flexible.

Execution Modules¶

Execution modules make up the core of the functionality used by Salt to interact with client systems. The execution modules create the core system management library used by all Salt systems, including states, which interact with minion systems. Execution modules are completely open ended in their execution. They can be used to do anything required on a minion, from installing packages to detecting information about the system. The only restraint in execution modules is that the defined functions always return a JSON serializable object. For a list of all built in execution modules, click here For information on writing execution modules, see this page.

State Modules¶

State modules are used to define the state interfaces used by Salt States. These modules are restrictive in that they must follow a number of rules to function properly. NOTE:

Auth¶

The auth module system allows for external authentication routines to be easily added into Salt. The auth function needs to be implemented to satisfy the requirements of an auth module. Use the pam module as an example.

Fileserver¶

The fileserver module system is used to create fileserver backends used by the Salt Master. These modules need to implement the functions used in the fileserver subsystem. Use the gitfs module as an example.

Grains¶

Grain modules define extra routines to populate grains data. All defined public functions will be executed and MUST return a Python dict object. The dict keys will be added to the grains made available to the minion.

Output¶

The output modules supply the outputter system with routines to display data in the terminal. These modules are very simple and only require the output function to execute. The default system outputter is the nested module.

Pillar¶

Used to define optional external pillar systems. The pillar generated via the filesystem pillar is passed into external pillars. This is commonly used as a bridge to database data for pillar, but is also the backend to the libvirt state used to generate and sign libvirt certificates on the fly.

Renderers¶

Renderers are the system used to render sls files into salt highdata for the state compiler. They can be as simple as the py renderer and as complex as stateconf and pydsl.

Returners¶

Returners are used to send data from minions to external sources, commonly databases. A full returner will implement all routines to be supported as an external job cache. Use the redis returner as an example.

Runners¶

Runners are purely master-side execution sequences. These range from simple reporting to orchestration engines like the overstate.

Tops¶

Tops modules are used to convert external data sources into top file data for the state system.

Wheel¶

The wheel system is used to manage master side management routines. These routines are primarily intended for the API to enable master configuration.

Package Providers¶

This page contains guidelines for writing package providers.

Package Functions¶

One of the most important features of Salt is package management. There is no shortage of package managers, so in the interest of providing a consistent experience in pkg states, there are certain functions that should be present in a package provider. Note that these are subject to change as new features are added or existing features are enhanced.

list_pkgs¶

This function should declare an empty dict, and then add packages to it by calling pkg_resource.add_pkg, like so:
The last thing that should be done before returning is to execute pkg_resource.sort_pkglist. This function does not presently do anything to the return dict, but will be used in future versions of Salt.
list_pkgs returns a dictionary of installed packages, with the keys being the package names and the values being the version installed. Example return data:

latest_version¶

Accepts an arbitrary number of arguments. Each argument is a package name. The return value for a package will be an empty string if the package is not found or if the package is up-to-date. The only case in which a non-empty string is returned is if the package is available for new installation (i.e. not already installed) or if there is an upgrade available. If only one argument was passed, this function return a string, otherwise a dict of name/version pairs is returned. This function must also accept **kwargs, in order to receive the fromrepo and repo keyword arguments from pkg states. Where supported, these arguments should be used to find the install/upgrade candidate in the specified repository. The fromrepo kwarg takes precedence over repo, so if both of those kwargs are present, the repository specified in fromrepo should be used. However, if repo is used instead of fromrepo, it should still work, to preserve backwards compatibility with older versions of Salt.

version¶

Like latest_version, accepts an arbitrary number of arguments and returns a string if a single package name was passed, or a dict of name/value pairs if more than one was passed. The only difference is that the return values are the currently-installed versions of whatever packages are passed. If the package is not installed, an empty string is returned for that package.

upgrade_available¶

Deprecated and destined to be removed. For now, should just do the following:

install¶

The following arguments are required and should default to None:
The first thing that this function should do is call pkg_resource.parse_targets (see below). This function will convert the SLS input into a more easily parsed data structure. pkg_resource.parse_targets may need to be modified to support your new package provider, as it does things like parsing package metadata which cannot be done for every package management system.
Two values will be returned to the install function. The first of them will be a dictionary. The keys of this dictionary will be package names, though the values will differ depending on what kind of installation is being done:
The second return value will be a string with two possible values: repository or file. The install function can use this value (if necessary) to build the proper command to install the targeted package(s). Both before and after the installing the target(s), you should run list_pkgs to obtain a list of the installed packages. You should then return the output of salt.utils.compare_dicts()

remove¶

Removes the passed package and return a list of the packages removed.

Package Repo Functions¶

There are some functions provided by pkg which are specific to package repositories, and not to packages themselves. When writing modules for new package managers, these functions should be made available as stated below, in order to provide compatibility with the pkgrepo state. All repo functions should accept a basedir option, which defines which directory repository configuration should be found in. The default for this is dictated by the repo manager that is being used, and rarely needs to be changed.

list_repos¶

Lists the repositories that are currently configured on this system.
Returns a dictionary, in the following format:

get_repo¶

Displays all local configuration for a specific repository.
The information is formatted in much the same way as list_repos, but is specific to only one repo.

del_repo¶

Removes the local configuration for a specific repository. Requires a repo argument, which must match the locally configured name. This function returns a string, which informs the user as to whether or not the operation was a success.

mod_repo¶

Modify the local configuration for one or more option for a configured repo. This is also the way to create new repository configuration on the local system; if a repo is specified which does not yet exist, it will be created. The options specified for this function are specific to the system; please refer to the documentation for your specific repo manager for specifics.

Low-Package Functions¶

In general, the standard package functions as describes above will meet your needs. These functions use the system's native repo manager (for instance, yum or the apt tools). In most cases, the repo manager is actually separate from the package manager. For instance, yum is usually a front-end for rpm, and apt is usually a front-end for dpkg. When possible, the package functions that use those package managers directly should do so through the low package functions. It is normal and sane for pkg to make calls to lowpkgs, but lowpkg must never make calls to pkg. This is affects functions which are required by both pkg and lowpkg, but the technique in pkg is more performant than what is available to lowpkg. When this is the case, the lowpkg function that requires that technique must still use the lowpkg version.

list_pkgs¶

Returns a dict of packages installed, including the package name and version. Can accept a list of packages; if none are specified, then all installed packages will be listed.
Example output:

verify¶

Many (but not all) package management systems provide a way to verify that the files installed by the package manager have or have not changed. This function accepts a list of packages; if none are specified, all packages will be included.
Example output:

file_list¶

Lists all of the files installed by all packages specified. If not packages are specified, then all files for all known packages are returned.
This function does not return which files belong to which packages; all files are returned as one giant list (hence the file_list function name. However, This information is still returned inside of a dict, so that it can provide any errors to the user in a sane manner.

file_dict¶

Lists all of the files installed by all packages specified. If not packages are specified, then all files for all known packages are returned.
Unlike file_list, this function will break down which files belong to which packages. It will also return errors in the same manner as file_list.

TRANSLATING DOCUMENTATION¶

If you wish to help translate the Salt documentation to your language, please head over to the Transifex website and signup for an account. Once registered, head over to the Salt Translation Project, and either click on Request Language if you can't find yours, or, select the language for which you wish to contribute and click Join Team. Transifex provides some useful reading resources on their support domain, namely, some useful articles directed to translators.

Building A Localized Version of the Documentation¶

While you're working on your translation on Transifex, you might want to have a look at how it's rendering.

Install The Transifex Client¶

To interact with the Transifex web service you will need to install the transifex-client:

Configure The Transifex Client¶

Once installed, you will need to set it up on your computer. We created a script to help you with that:

Download Remote Translations¶

There's a little script which simplifies the download process of the translations(which isn't that complicated in the first place). So, let's assume you're translating pt_PT, Portuguese(Portugal). To download the translations, execute from the doc/ directory of your Salt checkout:
To download pt_PT, Portuguese(Portugal) and nl, Dutch, you can use the helper script directly:

Build Localized Documentation¶

After the download process finishes, which might take a while, the next step is to build a localized version of the documentation. Following the pt_PT example above:

View Localized Documentation¶

Open your browser, point it to the local documentation path and check the localized output you've just build.

COMMUNITY PROJECTS THAT USE SALT¶

Below is a list of repositories that show real world Salt applications that you can use to get started. Please note that these projects do not adhere to any standards and express a wide variety of ideas and opinions on how an action can be completed with Salt. https://github.com/terminalmage/djangocon2013-sls https://github.com/jesusaurus/hpcs-salt-state https://github.com/gravyboat/hungryadmin-sls

SALT PROXY MINION DOCUMENTATION¶

Proxy minions are a developing Salt feature that enables controlling devices that, for whatever reason, cannot run a standard salt-minion. Examples include network gear that has an API but runs a proprietary OS, devices with limited CPU or memory, or devices that could run a minion, but for security reasons, will not. Proxy minions are not an "out of the box" feature. Because there are an infinite number of controllable devices, you will most likely have to write the interface yourself. Fortunately, this is only as difficult as the actual interface to the proxied device. Devices that have an existing Python module (PyUSB for example) would be relatively simple to interface. Code to control a device that has an HTML REST-based interface should be easy. Code to control your typical housecat would be excellent source material for a PhD thesis. Salt proxy-minions provide the 'plumbing' that allows device enumeration and discovery, control, status, remote execution, and state management.

Getting Started¶

The following diagram may be helpful in understanding the structure of a Salt installation that includes proxy-minions: [image] The key thing to remember is the left-most section of the diagram. Salt's nature is to have a minion connect to a master, then the master may control the minion. However, for proxy minions, the target device cannot run a minion, and thus must rely on a separate minion to fire up the proxy-minion and make the initial and persistent connection. After the proxy minion is started and initiates its connection to the 'dumb' device, it connects back to the salt-master and ceases to be affiliated in any way with the minion that started it. To create support for a proxied device one needs to create four things:

Configuration parameters on the master¶

Proxy minions require no configuration parameters in /etc/salt/master. Salt's Pillar system is ideally suited for configuring proxy-minions. Proxies can either be designated via a pillar file in pillar_roots, or through an external pillar. External pillars afford the opportunity for interfacing with a configuration management system, database, or other knowledgeable system that that may already contain all the details of proxy targets. To use static files in pillar_roots, pattern your files after the following examples, which are based on the diagram above: /srv/salt/pillar/top.sls
/srv/salt/pillar/networkswitches.sls
/srv/salt/pillar/reallydumbdevices.sls
/srv/salt/pillar/smsgateway.sls
Note the contents of each minioncontroller key may differ widely based on the type of device that the proxy-minion is managing. In the above example
Because of the way pillar works, each of the salt-minions that fork off the proxy minions will only see the keys specific to the proxies it will be handling. In other words, from the above example, only minioncontroller1 will see the connection information for dumbdevices 1, 2, and 3. Minioncontroller2 will see configuration data for dumbdevices 4, 5, and 6, and minioncontroller3 will be privy to dumbdevice7. Also, in general, proxy-minions are lightweight, so the machines that run them could conceivably control a large number of devices. The example above is just to illustrate that it is possible for the proxy services to be spread across many machines if necessary, or intentionally run on machines that need to control devices because of some physical interface (e.g. i2c and serial above). Another reason to divide proxy services might be security. In more secure environments only certain machines may have a network path to certain devices. Now our salt-minions know if they are supposed to spawn a proxy-minion process to control a particular device. That proxy-minion process will initiate a connection back to the master to enable control.

Proxytypes¶

A proxytype is a Python class called 'Proxyconn' that encapsulates all the code necessary to interface with a device. Proxytypes are located inside the salt.proxy module. At a minimum a proxytype object must implement the following methods: proxytype(self): Returns a string with the name of the proxy type. proxyconn(self, **kwargs): Provides the primary way to connect and communicate with the device. Some proxyconns instantiate a particular object that opens a network connection to a device and leaves the connection open for communication. Others simply abstract a serial connection or even implement endpoints to communicate via REST over HTTP. id(self, opts): Returns a unique, unchanging id for the controlled device. This is the "name" of the device, and is used by the salt-master for targeting and key authentication. Optionally, the class may define a shutdown(self, opts) method if the controlled device should be informed when the minion goes away cleanly. It is highly recommended that the test.ping execution module also be defined for a proxytype. The code for ping should contact the controlled device and make sure it is really available. Here is an example proxytype used to interface to Juniper Networks devices that run the Junos operating system. Note the additional library requirements--most of the "hard part" of talking to these devices is handled by the jnpr.junos, jnpr.junos.utils and jnpr.junos.cfg modules.
Grains are data about minions. Most proxied devices will have a paltry amount of data as compared to a typical Linux server. Because proxy-minions are started by a regular minion, they inherit a sizeable number of grain settings which can be useful, especially when targeting (PYTHONPATH, for example). All proxy minions set a grain called 'proxy'. If it is present, you know the minion is controlling another device. To add more grains to your proxy minion for a particular device, create a file in salt/grains named [proxytype].py and place inside it the different functions that need to be run to collect the data you are interested in. Here's an example:

The __proxyenabled__ directive¶

Salt states and execution modules, by and large, cannot "automatically" work with proxied devices. Execution modules like pkg or sqlite3 have no meaning on a network switch or a housecat. For a state/execution module to be available to a proxy-minion, the __proxyenabled__ variable must be defined in the module as an array containing the names of all the proxytypes that this module can support. The array can contain the special value * to indicate that the module supports all proxies. If no __proxyenabled__ variable is defined, then by default, the state/execution module is unavailable to any proxy. Here is an excerpt from a module that was modified to support proxy-minions:
And then in salt.proxy.junos we find
The Junos API layer lacks the ability to do a traditional 'ping', so the example simply checks the connection object field that indicates if the ssh connection was successfully made to the device.

LOGGING¶

The salt project tries to get the logging to work for you and help us solve any issues you might find along the way. If you want to get some more information on the nitty-gritty of salt's logging system, please head over to the logging development document, if all you're after is salt's logging configurations, please continue reading.

Available Configuration Settings¶

log_file¶

The log records can be sent to a regular file, local path name, or network location. Remote logging works best when configured to use rsyslogd(8) (e.g.: file:///dev/log), with rsyslogd(8) configured for network logging. The format for remote addresses is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>. Default: Dependent of the binary being executed, for example, for salt-master, /var/log/salt/master. Examples:

log_level¶

Default: warning The level of log record messages to send to the console. One of all, garbage, trace, debug, info, warning, error, critical, quiet.

log_level_logfile¶

Default: warning The level of messages to send to the log file. One of all, garbage, trace, debug, info, warning, error, critical, quiet.

log_datefmt¶

Default: %H:%M:%S The date and time format used in console log messages. Allowed date/time formatting can be seen on time.strftime.

log_datefmt_logfile¶

Default: %Y-%m-%d %H:%M:%S The date and time format used in log file messages. Allowed date/time formatting can be seen on time.strftime.

log_fmt_console¶

Default: [%(levelname)-8s] %(message)s The format of the console logging messages. Allowed formatting options can be seen on the LogRecord attributes.

log_fmt_logfile¶

Default: %(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s The format of the log file logging messages. Allowed formatting options can be seen on the LogRecord attributes.

log_granular_levels¶

Default: {} This can be used to control logging levels more specifically. The example sets the main salt library at the 'warning' level, but sets salt.modules to log at the debug level:

External Logging Handlers¶

Besides the internal logging handlers used by salt, there are some external which can be used, see the external logging handlers document.

EXTERNAL LOGGING HANDLERS¶

logstash_mod
sentry_mod

Logstash Logging Handler¶

New in version 0.17.0. This module provides some Logstash logging handlers.

UDP Logging Handler¶

In order to setup the datagram handler for Logstash, please define on the salt configuration file:
On the Logstash configuration file you need something like:
Please read the UDP input configuration page for additional information.

ZeroMQ Logging Handler¶

In order to setup the ZMQ handler for Logstash, please define on the salt configuration file:
On the Logstash configuration file you need something like:
Please read the ZeroMQ input configuration page for additional information.

Log Level¶

Both the logstash_udp_handler and the logstash_zmq_handler configuration sections accept an additional setting log_level. If not set, the logging level used will be the one defined for log_level in the global configuration file section.

HWM¶

The high water mark for the ZMQ socket setting. Only applicable for the logstash_zmq_handler.

Sentry Logging Handler¶

New in version 0.17.0. This module provides a Sentry logging handler.
Configuring the python Sentry client, Raven, should be done under the sentry_handler configuration key. At the bare minimum, you need to define the DSN. As an example:
More complex configurations can be achieved, for example:
All the client configuration keys are supported, please see the Raven client documentation. The default logging level for the sentry handler is ERROR. If you wish to define a different one, define log_level under the sentry_handler configuration key:
The available log levels are those also available for the salt cli tools and configuration; salt --help should give you the required information.

Threaded Transports¶

Raven's documents rightly suggest using its threaded transport for critical applications. However, don't forget that if you start having troubles with Salt after enabling the threaded transport, please try switching to a non-threaded transport to see if that fixes your problem.

LOGSTASH LOGGING HANDLER¶

New in version 0.17.0. This module provides some Logstash logging handlers.

UDP Logging Handler¶

In order to setup the datagram handler for Logstash, please define on the salt configuration file:
On the Logstash configuration file you need something like:
Please read the UDP input configuration page for additional information.

ZeroMQ Logging Handler¶

In order to setup the ZMQ handler for Logstash, please define on the salt configuration file:
On the Logstash configuration file you need something like:
Please read the ZeroMQ input configuration page for additional information.

Log Level¶

Both the logstash_udp_handler and the logstash_zmq_handler configuration sections accept an additional setting log_level. If not set, the logging level used will be the one defined for log_level in the global configuration file section.

HWM¶

The high water mark for the ZMQ socket setting. Only applicable for the logstash_zmq_handler.

SENTRY LOGGING HANDLER¶

New in version 0.17.0. This module provides a Sentry logging handler.
Configuring the python Sentry client, Raven, should be done under the sentry_handler configuration key. At the bare minimum, you need to define the DSN. As an example:
More complex configurations can be achieved, for example:
All the client configuration keys are supported, please see the Raven client documentation. The default logging level for the sentry handler is ERROR. If you wish to define a different one, define log_level under the sentry_handler configuration key:
The available log levels are those also available for the salt cli tools and configuration; salt --help should give you the required information.

Threaded Transports¶

Raven's documents rightly suggest using its threaded transport for critical applications. However, don't forget that if you start having troubles with Salt after enabling the threaded transport, please try switching to a non-threaded transport to see if that fixes your problem.

INTRODUCTION TO EXTENDING SALT¶

Salt is made to be used, and made to be extended. The primary goal of Salt is to provide a foundation which can be used to solve problems without assuming what those problems might be. One of the greatest benefit of developing Salt has been the vast array of ways in which people have wanted to use it, while the original intention was as a communication layer for a cloud controller Salt has been extended to facilitate so much more.

Client API¶

The primary interface used to extend Salt, is to simply use it. Salt executions can be called via the Salt client API, making programming master side solutions with Salt is easy. SEE ALSO:

Adding Loadable Plugins¶

Salt is comprised of a core platform that loads many types of easy to write plugins. The idea is to enable all of the breaking points in the Salt processes to have a point of pluggable interaction. This means that all of the main features of Salt can be extended, modified or used. The breaking points and helping interfaces span from convenience master side executions to manipulating the flow of how data is handled by Salt.

Minion Execution Modules¶

The minion execution modules or just modules are the core to what Salt is and does. These modules are found in: https://github.com/saltstack/salt/blob/develop/salt/modules These modules are what is called by the Salt command line and the salt client API. Adding modules is done by simply adding additional Python modules to the modules directory and restarting the minion.

Grains¶

Salt grains, or "grains of truth" are bits of static information that are generated when the minion starts. This information is useful when determining what package manager to default to, or where certain configuration files are stored on the minion. The Salt grains are the interface used for auto detection and dynamic assignment of execution modules and types to specific Salt minions. The code used to generate the Salt grains can be found here: https://github.com/saltstack/salt/blob/develop/salt/grains

States¶

Salt supports state enforcement, this makes Salt a high speed and very efficient solution for system configuration management. States can be easily added to Salt by dropping a new state module in: https://github.com/saltstack/salt/blob/develop/salt/states

Renderers¶

Salt states are controlled by simple data structures, these structures can be abstracted in a number of ways. While the default is to be in a YAML file wrapped in a jinja template, any abstraction can be used. This means that any format that can be dreamed is possible, so long as a renderer is written for it. The existing renderers can be found here: https://github.com/saltstack/salt/blob/develop/salt/renderers

Returners¶

The Salt commands all produce a return value, that return value is sent to the Salt master by default, but it can be sent anywhere. The returner interface makes it programmatically possible for the information to be sent to anything from an SQL or NoSQL database, to a custom application made to use Salt. The existing returners can be found here: https://github.com/saltstack/salt/blob/develop/salt/returners

Runners¶

Sometimes a certain application can be made to execute and run from the existing Salt command line. This is where the Salt runners come into play. The Salt Runners what is called by the Salt-run command and are meant to act as a generic interface for encapsulating master side executions. Existing Salt runners are located here: https://github.com/saltstack/salt/blob/develop/salt/runners

EXECUTION MODULES¶

Salt execution modules are the functions called by the salt command. NOTE:
SEE ALSO:

Modules Are Easy to Write!¶

Salt modules are amazingly simple to write. Just write a regular Python module or a regular Cython module and place it a directory called _modules/ within the file_roots specified by the master config file, and they will be synced to the minions when state.highstate is run, or by executing the saltutil.sync_modules or saltutil.sync_all functions. Any custom modules which have been synced to a minion, that are named the same as one of Salt's default set of modules, will take the place of the default module with the same name. Note that a module's default name is its filename (i.e. foo.py becomes module foo), but that its name can be overridden by using a __virtual__ function. Since Salt modules are just Python/Cython modules, there are no restraints on what you can put inside of a Salt module. If a Salt module has errors and cannot be imported, the Salt minion will continue to load without issue and the module with errors will simply be omitted. If adding a Cython module the file must be named <modulename>.pyx so that the loader knows that the module needs to be imported as a Cython module. The compilation of the Cython module is automatic and happens when the minion starts, so only the *.pyx file is required.

Cross Calling Modules¶

All of the Salt modules are available to each other, and can be "cross called". This means that, when creating a module, functions in modules that already exist can be called. The variable __salt__ is packed into the modules after they are loaded into the Salt minion. This variable is a Python dictionary of all of the Salt functions, laid out in the same way that they are made available to the Salt command. Salt modules can be cross called by accessing the value in the __salt__ dict:
This code will call the Salt cmd module's run function and pass the argument bar.

Preloaded Modules Data¶

When interacting with modules often it is nice to be able to read information dynamically about the minion, or load in configuration parameters for a module. Salt allows for different types of data to be loaded into the modules by the minion, as of this writing Salt loads information gathered from the Salt Grains system and from the minion configuration file.

Grains Data¶

The Salt minion detects information about the system when started. This allows for modules to be written dynamically with respect to the underlying hardware and operating system. This information is referred to as Salt Grains, or "grains of salt". The Grains system was introduced to replace Facter, since relying on a Ruby application from a Python application was both slow and inefficient. Grains support replaces Facter in all Salt releases after 0.8 The values detected by the Salt Grains on the minion are available in a dict named __grains__ and can be accessed from within callable objects in the Python modules. To see the contents of the grains dict for a given system in your deployment run the grains.items() function:
To use the __grains__ dict simply call it as a Python dict from within your code, an excellent example is available in the Grains module: salt.modules.grains.

Module Configuration¶

Since parameters for configuring a module may be desired, Salt allows for configuration information stored in the main minion config file to be passed to the modules. Since the minion configuration file is a YAML document, arbitrary configuration data can be passed in the minion config that is read by the modules. It is strongly recommended that the values passed in the configuration file match the module. This means that a value intended for the test module should be named test.<value>. Configuration also requires that default configuration parameters need to be loaded as well. This can be done simply by adding the __opts__ dict to the top level of the module. The test module contains usage of the module configuration, and the default configuration file for the minion contains the information and format used to pass data to the modules. salt.modules.test, conf/minion.

Printout Configuration¶

Since module functions can return different data, and the way the data is printed can greatly change the presentation, Salt has a printout configuration. When writing a module the __outputter__ dict can be declared in the module. The __outputter__ dict contains a mapping of function name to Salt Outputter.
This will ensure that the text outputter is used.

Virtual Modules¶

Sometimes a module should be presented in a generic way. A good example of this can be found in the package manager modules. The package manager changes from one operating system to another, but the Salt module that interfaces with the package manager can be presented in a generic way. The Salt modules for package managers all contain a __virtual__ function which is called to define what systems the module should be loaded on. The __virtual__ function is used to return either a string or False. If False is returned then the module is not loaded, if a string is returned then the module is loaded with the name of the string. This means that the package manager modules can be presented as the pkg module regardless of what the actual module is named. The package manager modules are the best example of using the __virtual__ function. Some examples:

Documentation¶

Salt modules are self documenting, the sys.doc() function will return the documentation for all available modules:
This function simply prints out the docstrings found in the modules; when writing Salt modules, please follow the formatting conventions for docstrings as they appear in the other modules.

Adding Documentation to Salt Modules¶

Since life is much better with documentation, it is strongly suggested that all Salt modules have documentation added. Any Salt modules submitted for inclusion in the main distribution of Salt will be required to have documentation. Documenting Salt modules is easy! Just add a Python docstring to the function.
Now when the sys.doc call is executed the docstring will be cleanly returned to the calling terminal.

Add Module metadata¶

Add information about the module using the following field lists:
The maintainer field is a comma-delimited list of developers who help maintain this module. The maturity field indicates the level of quality and testing for this module. Standard labels will be determined. The depends field is a comma-delimited list of modules that this module depends on. The platform field is a comma-delimited list of platforms that this module is known to run on.

How Functions are Read¶

In Salt, Python callable objects contained within a module are made available to the Salt minion for use. The only exception to this rule is a callable object with a name starting with an underscore _.

Objects Loaded Into the Salt Minion¶

Objects NOT Loaded into the Salt Minion¶

NOTE:

Useful Decorators for Modules¶

Sometimes when writing modules for large scale deployments you run into some small things that end up severely complicating the code. To alleviate some of this pain Salt has some useful decorators for use within modules!

Depends Decorator¶

When writing custom modules there are many times where some of the module will work on all hosts, but some functions require (for example) a service to be installed. Instead of trying to wrap much of the code in large try/except blocks you can use a simple decorator to do this. If the dependencies passed to the decorator don't exist, then the salt minion will remove those functions from the module on that host. If a "fallback_function" is defined, it will replace the function instead of removing it

Examples of Salt Modules¶

The existing Salt modules should be fairly easy to read and understand, the goal of the main distribution's Salt modules is not only to build a set of functions for Salt, but to stand as examples for building out more Salt modules. The existing modules can be found here: https://github.com/saltstack/salt/blob/develop/salt/modules The most simple module is the test module, it contains the simplest Salt function, test.ping:

FULL LIST OF BUILTIN EXECUTION MODULES¶

salt.modules.pkg¶

pkg is a virtual module that is fulfilled by one of the following modules:

aliases
alternatives
apache
aptpkg
archive
at
augeas_cfg
aws_sqs
bluez
brew
bridge
bsd_shadow
cassandra
chocolatey
cloud
cmdmod
composer
config
cp
cron
daemontools
darwin_sysctl
data
ddns
debconfmod
debian_ip
debian_service
dig
disk
djangomod
dnsmasq
dnsutil
dockerio
dpkg
ebuild
eix
eselect
event
extfs
file
freebsd_sysctl
freebsdjail
freebsdkmod
freebsdpkg
freebsdports
freebsdservice
gem
gentoo_service
gentoolkitmod
git
glance
gnomedesktop
grains
groupadd
grub_legacy
guestfs
hg
hosts
htpasswd
img
iptables
key
keyboard
keystone
kmod
launchctl
layman
ldapmod
linux_acl
linux_lvm
linux_sysctl
localemod
locate
logrotate
lvs
lxc
mac_group
mac_user
makeconf
match
mdadm
memcached
mine
modjk
mongodb
monit
moosefs
mount
munin
mysql
netbsd_sysctl
netbsdservice
network
nfs3
nginx
nova
npm
omapi
openbsdpkg
openbsdservice
openstack_config
osxdesktop
pacman
pagerduty
pam
parted
pecl
pillar
pip
pkg_resource
pkgin
pkgng
pkgutil	Utilities to support packages.
portage_config
postgres
poudriere
powerpath
ps
publish
puppet
pw_group
pw_user
qemu_img
qemu_nbd
quota
rabbitmq
rbenv
rdp
reg
ret
rh_ip
rh_service
riak
rpm	Mock out specified imports
rvm
s3
saltcloudmod
saltutil
seed
selinux
service
shadow
smartos_imgadm
smartos_vmadm
smf
solaris_group
solaris_shadow
solaris_user
solarispkg
solr
sqlite3
ssh
state
status
supervisord
svn
sysbench
sysmod
system
systemd
test
timezone
tls
tomcat
upstart
useradd
virt
virtualenv_mod
win_autoruns
win_disk
win_dns_client
win_file
win_firewall
win_groupadd
win_ip
win_network
win_ntp
win_path
win_pkg
win_repo
win_servermanager
win_service
win_shadow
win_status
win_system
win_timezone
win_useradd
xapi
xmpp
yumpkg
zcbuildout
zfs	Mock out specified imports
zpool
zypper

salt.modules.aliases¶

Manage the information in the aliases file

salt.modules.alternatives¶

Support for Alternatives system

salt.modules.apache¶

Support for Apache

salt.modules.aptpkg¶

Support for APT (Advanced Packaging Tool)

salt.modules.archive¶

A module to wrap archive calls

salt.modules.at¶

Wrapper module for at(1) Also, a 'tag' feature has been added to more easily tag jobs.

salt.modules.augeas_cfg¶

Manages configuration files via augeas This module requires the augeas Python module. WARNING:

salt.modules.aws_sqs¶

Support for the Amazon Simple Queue Service.

salt.modules.bluez¶

Support for Bluetooth (using BlueZ in Linux). The following packages are required packages for this module:

salt.modules.brew¶

Homebrew for Mac OS X

salt.modules.bridge¶

Module for gathering and managing bridging information

salt.modules.bsd_shadow¶

Manage the password database on BSD systems

salt.modules.cassandra¶

Cassandra NoSQL Database Module

salt.modules.chocolatey¶

A dead simple module wrapping calls to the Chocolatey package manager ( http://chocolatey.org) New in version 2014.1.0: (Hydrogen)

salt.modules.cloud¶

Salt-specific interface for calling Salt Cloud directly

salt.modules.cmdmod¶

A module for shelling out Keep in mind that this module is insecure, in that it can give whomever has access to the master root execution access to all salt minions

salt.modules.composer¶

Use composer to install PHP dependencies for a directory

salt.modules.config¶

Return config information

salt.modules.cp¶

Minion side functions for salt-cp

salt.modules.cron¶

Work with cron

salt.modules.daemontools¶

daemontools service module. This module will create daemontools type service watcher. This module is compatible with the service states, so it can be used to maintain services using the provider argument:

salt.modules.darwin_sysctl¶

Module for viewing and modifying sysctl parameters

salt.modules.data¶

Manage a local persistent data structure that can hold any arbitrary data specific to the minion

salt.modules.ddns¶

Support for RFC 2136 dynamic DNS updates.

salt.modules.debconfmod¶

Support for Debconf

salt.modules.debian_ip¶

The networking module for Debian based distros

salt.modules.debian_service¶

Service support for Debian systems (uses update-rc.d and /sbin/service)

salt.modules.dig¶

Compendium of generic DNS utilities

salt.modules.disk¶

Module for gathering disk information

salt.modules.djangomod¶

Manage Django sites

salt.modules.dnsmasq¶

Module for managing dnqmasq

salt.modules.dnsutil¶

Compendium of generic DNS utilities

salt.modules.dockerio¶

Management of dockers¶

New in version 2014.1.0. NOTE:

General notes¶

Installation prerequisites¶

Prerequisite pillar configuration for authentication¶

you can define multiple registries blocks for them to be aggregated, their id just must finish with -docker-registries:
Would be the equivalent to:

Registry dialog methods¶

Docker management¶

Image management¶

You have those methods:

Container management¶

You have those methods:

Runtime execution within a specific already existing and running container¶

You have those methods:

salt.modules.dpkg¶

Support for DEB packages

salt.modules.ebuild¶

Support for Portage
For now all package names MUST include the package category, i.e. 'vim' will not work, 'app-editors/vim' will.

salt.modules.eix¶

Support for Eix

salt.modules.eselect¶

Support for eselect, Gentoo's configuration and management tool.

salt.modules.event¶

Use the Salt Event System to fire events from the master to the minion and vice-versa.

salt.modules.extfs¶

Module for managing ext2/3/4 file systems

salt.modules.file¶

Manage information about regular files, directories, and special files on the minion, set/read user, group, mode, and data


















































Forward slashes and single quotes will be escaped automatically in the before and after patterns. CLI Example:

salt.modules.freebsd_sysctl¶

Module for viewing and modifying sysctl parameters

salt.modules.freebsdjail¶

The jail module for FreeBSD

salt.modules.freebsdkmod¶

Module to manage FreeBSD kernel modules

salt.modules.freebsdpkg¶

Remote package support using pkg_add(1) WARNING:
This module acts as the default package provider for FreeBSD 9 and older. If you need to use pkgng on a FreeBSD 9 system, you will need to override the pkg provider by setting the providers parameter in your Minion config file, in order to use pkgng.
More information on pkgng support can be found in the documentation for the pkgng module. This module will respect the PACKAGEROOT and PACKAGESITE environment variables, if set, but these values can also be overridden in several ways:

salt.modules.freebsdports¶

Install software from the FreeBSD ports(7) system New in version 2014.1.0: (Hydrogen) This module allows you to install ports using BATCH=yes to bypass configuration prompts. It is recommended to use the the ports state to install ports, but it it also possible to use this module exclusively from the command line.

salt.modules.freebsdservice¶

The service module for FreeBSD

salt.modules.gem¶

Manage ruby gems.

salt.modules.gentoo_service¶

Top level package command wrapper, used to translate the os detected by grains to the correct service manager

salt.modules.gentoolkitmod¶

Support for Gentoolkit

salt.modules.git¶

Support for the Git SCM

salt.modules.glance¶

Module for handling openstack glance calls.

salt.modules.gnomedesktop¶

GNOME implementations

salt.modules.grains¶

Return/control aspects of the grains data

salt.modules.groupadd¶

Manage groups on Linux and OpenBSD

salt.modules.grub_legacy¶

Support for GRUB Legacy

salt.modules.guestfs¶

Interact with virtual machine images via libguestfs

salt.modules.hg¶

Support for the Mercurial SCM

salt.modules.hosts¶

Manage the information in the hosts file

salt.modules.htpasswd¶

Support for htpasswd command The functions here will load inside the webutil module. This allows other functions that don't use htpasswd to use the webutil module name.

salt.modules.img¶

Virtual machine image management tools

salt.modules.iptables¶

Support for iptables

salt.modules.key¶

Functions to view the minion's public key information

salt.modules.keyboard¶

Module for managing keyboards on POSIX-like systems.

salt.modules.keystone¶

Module for handling openstack keystone calls.

salt.modules.kmod¶

Module to manage Linux kernel modules

salt.modules.launchctl¶

Module for the management of MacOS systems that use launchd/launchctl

salt.modules.layman¶

Support for Layman

salt.modules.ldapmod¶

Salt interface to LDAP commands
WARNING:

salt.modules.linux_acl¶

Support for Linux File Access Control Lists

salt.modules.linux_lvm¶

Support for Linux LVM2

salt.modules.linux_sysctl¶

Module for viewing and modifying sysctl parameters

salt.modules.localemod¶

Module for managing locales on POSIX-like systems.

salt.modules.locate¶

Module for using the locate utilities

salt.modules.logrotate¶

Module for managing logrotate.

salt.modules.lvs¶

Support for LVS (Linux Virtual Server)

salt.modules.lxc¶

Control Linux Containers via Salt

salt.modules.mac_group¶

Manage groups on Mac OS 10.7+

salt.modules.mac_user¶

Manage users on Mac OS 10.7+

salt.modules.makeconf¶

Support for modifying make.conf under Gentoo

salt.modules.match¶

The match module allows for match routines to be run and determine target specs

salt.modules.mdadm¶

Salt module to manage RAID arrays with mdadm

salt.modules.memcached¶

Module for Management of Memcached Keys¶

New in version 2014.1.0: (Hydrogen)

salt.modules.mine¶

The function cache system allows for data to be stored on the master so it can be easily read by other minions

salt.modules.modjk¶

Control Modjk via the Apache Tomcat "Status" worker ( http://tomcat.apache.org/connectors-doc/reference/status.html) Below is an example of the configuration needed for this module. This configuration data can be placed either in grains or pillar. If using grains, this can be accomplished statically or via a grain module. If using pillar, the yaml configuration can be placed directly into a pillar SLS file, making this both the easier and more dynamic method of configuring this module.

salt.modules.mongodb¶

Module to provide MongoDB functionality to Salt

salt.modules.monit¶

Monit service module. This module will create a monit type service watcher.

salt.modules.moosefs¶

Module for gathering and managing information about MooseFS

salt.modules.mount¶

Salt module to manage unix mounts and the fstab file

salt.modules.munin¶

Run munin plugins/checks from salt and format the output as data.

salt.modules.mysql¶

Module to provide MySQL compatibility to salt.
NOTE:

Changed in version 2014.1.0: (Hydrogen) charset connection argument added. This is a MySQL charset, not a python one Changed in version 0.16.2: Connection arguments from the minion config file can be overridden on the CLI by using the arguments defined here. Additionally, it is now possible to setup a user with no password.

salt.modules.netbsd_sysctl¶

Module for viewing and modifying sysctl parameters

salt.modules.netbsdservice¶

The service module for NetBSD

salt.modules.network¶

Module for gathering and managing network information

salt.modules.nfs3¶

Module for managing NFS version 3.

salt.modules.nginx¶

Support for nginx

salt.modules.nova¶

Module for handling OpenStack Nova calls.

salt.modules.npm¶

Manage and query NPM packages.

salt.modules.omapi¶

This module interacts with an ISC DHCP Server via OMAPI. server_ip and server_port params may be set in the minion config or pillar:

salt.modules.openbsdpkg¶

Package support for OpenBSD

salt.modules.openbsdservice¶

The service module for OpenBSD

salt.modules.openstack_config¶

Modify, retrieve, or delete values from OpenStack configuration files.

salt.modules.osxdesktop¶

Mac OS X implementations of various commands in the "desktop" interface

salt.modules.pacman¶

A module to wrap pacman calls, since Arch is the best ( https://wiki.archlinux.org/index.php/Arch_is_the_best)

salt.modules.pagerduty¶

Module for Firing Events via PagerDuty New in version 2014.1.0: (Hydrogen)

salt.modules.pam¶

Support for pam

salt.modules.parted¶

Module for managing partitions on POSIX-like systems. Some functions may not be available, depending on your version of parted. Check the manpage for parted(8) for more information, or the online docs at: http://www.gnu.org/software/parted/manual/html_chapter/parted_2.html In light of parted not directly supporting partition IDs, some of this module has been written to utilize sfdisk instead. For further information, please reference the man page for sfdisk(8).

salt.modules.pecl¶

Manage PHP pecl extensions.

salt.modules.pillar¶

Extract the pillar data for this minion

salt.modules.pip¶

Install Python packages with pip to either the system or a virtualenv

salt.modules.pkg_resource¶

Resources needed by pkg providers

salt.modules.pkgin¶

Package support for pkgin based systems, inspired from freebsdpkg module

salt.modules.pkgng¶

Support for pkgng, the new package manager for FreeBSD WARNING:
This module provides an interface to pkg(8). It acts as the default package provider for FreeBSD 10 and newer. For FreeBSD hosts which have been upgraded to use pkgng, you will need to override the pkg provider by setting the providers parameter in your Minion config file, in order to use this module to manage packages, like so:

salt.modules.pkgutil¶

Pkgutil support for Solaris

salt.modules.portage_config¶

Configure portage(5)

salt.modules.postgres¶

Module to provide Postgres compatibility to salt.

salt.modules.poudriere¶

Support for poudriere

salt.modules.powerpath¶

powerpath support. Assumes RedHat

salt.modules.ps¶

A salt interface to psutil, a system and process library. See http://code.google.com/p/psutil.

salt.modules.publish¶

Publish a command from a minion to a target

salt.modules.puppet¶

Execute puppet routines

salt.modules.pw_group¶

Manage groups on FreeBSD

salt.modules.pw_user¶

Manage users with the useradd command

salt.modules.qemu_img¶

Qemu-img Command Wrapper¶

The qemu img command is wrapped for specific functions

salt.modules.qemu_nbd¶

Qemu Command Wrapper¶

The qemu system comes with powerful tools, such as qemu-img and qemu-nbd which are used here to build up kvm images.

salt.modules.quota¶

Module for managing quotas on POSIX-like systems.

salt.modules.rabbitmq¶

Module to provide RabbitMQ compatibility to Salt. Todo: A lot, need to add cluster support, logging, and minion configuration data.

salt.modules.rbenv¶

Manage ruby installations with rbenv. New in version 0.16.0.

salt.modules.rdp¶

Manage RDP Service on Windows servers

salt.modules.reg¶

Manage the registry on Windows

salt.modules.ret¶

Module to integrate with the returner system and retrieve data sent to a salt returner

salt.modules.rh_ip¶

The networking module for RHEL/Fedora based distros

salt.modules.rh_service¶

Service support for RHEL-based systems, including support for both upstart and sysvinit

salt.modules.riak¶

Riak Salt Module¶

Author: David Boucha < boucha@gmail.com>

salt.modules.rpm¶

Support for rpm

salt.modules.rvm¶

Manage ruby installations and gemsets with RVM, the Ruby Version Manager.

salt.modules.s3¶

Connection module for Amazon S3

salt.modules.saltcloudmod¶

Control a salt cloud system

salt.modules.saltutil¶

The Saltutil module is used to manage the state of the salt minion itself. It is used to manage minion modules as well as automate updates to the salt minion.

salt.modules.seed¶

Virtual machine image management tools

salt.modules.selinux¶

Execute calls on selinux NOTE:

salt.modules.service¶

The default service module, if not otherwise specified salt will fall back to this basic module

salt.modules.shadow¶

Manage the shadow file

salt.modules.smartos_imgadm¶

Module for running imgadm command on SmartOS

salt.modules.smartos_vmadm¶

Module for managing VMs on SmartOS

salt.modules.smf¶

Service support for Solaris 10 and 11, should work with other systems that use SMF also. (e.g. SmartOS)

salt.modules.solaris_group¶

Manage groups on Solaris

salt.modules.solaris_shadow¶

Manage the password database on Solaris systems

salt.modules.solaris_user¶

Manage users with the useradd command

salt.modules.solarispkg¶

Package support for Solaris

salt.modules.solr¶

Apache Solr Salt Module¶

Author: Jed Glazner Version: 0.2.1 Modified: 12/09/2011 This module uses HTTP requests to talk to the apache solr request handlers to gather information and report errors. Because of this the minion doesn't necessarily need to reside on the actual slave. However if you want to use the signal function the minion must reside on the physical solr host. This module supports multi-core and standard setups. Certain methods are master/slave specific. Make sure you set the solr.type. If you have questions or want a feature request please ask.

Coming Features in 0.3¶

Override these in the minion config¶

Required Options for DIH¶

salt.modules.sqlite3¶

Support for SQLite3

salt.modules.ssh¶

Manage client ssh components

salt.modules.state¶

Control the state system on the minion

salt.modules.status¶

Module for returning various status data about a minion. These data can be useful for compiling into stats later.

salt.modules.supervisord¶

Provide the service module for system supervisord or supervisord in a virtualenv

salt.modules.svn¶

Subversion SCM

salt.modules.sysbench¶

The 'sysbench' module is used to analyse the performance of the minions, right from the master! It measures various system parameters such as CPU, Memory, FileI/O, Threads and Mutex.

salt.modules.sysmod¶

The sys module provides information about the available functions on the minion

salt.modules.system¶

Support for reboot, shutdown, etc

salt.modules.systemd¶

Provide the service module for systemd

salt.modules.test¶

Module for running arbitrary tests

salt.modules.timezone¶

Module for managing timezone on POSIX-like systems.

salt.modules.tls¶

A salt module for SSL/TLS. Can create a Certificate Authority (CA) or use Self-Signed certificates.

salt.modules.tomcat¶

Support for Tomcat This module uses the manager webapp to manage Apache tomcat webapps If the manager webapp is not configured some of the functions won't work The following grains/pillar should be set:
and also configure a user in the conf/tomcat-users.xml file:
Notes:

salt.modules.upstart¶

Module for the management of upstart systems. The Upstart system only supports service starting, stopping and restarting. Currently (as of Ubuntu 12.04) there is no tool available to disable Upstart services (like update-rc.d). This[1] is the recommended way to disable an Upstart service. So we assume that all Upstart services that have not been disabled in this manner are enabled. But this is broken because we do not check to see that the dependent services are enabled. Otherwise we would have to do something like parse the output of "initctl show-config" to determine if all service dependencies are enabled to start on boot. For example, see the "start on" condition for the lightdm service below[2]. And this would be too hard. So we wait until the upstart developers have solved this problem. :) This is to say that an Upstart service that is enabled may not really be enabled. Also, when an Upstart service is enabled, should the dependent services be enabled too? Probably not. But there should be a notice about this, at least. [1] http://upstart.ubuntu.com/cookbook/#disabling-a-job-from-automatically-starting [2] example upstart configuration file:
WARNING:

salt.modules.useradd¶

Manage users with the useradd command

salt.modules.virt¶

Work with virtual machines managed by libvirt

salt.modules.virtualenv¶

Create virtualenv environments

salt.modules.win_autoruns¶

Module for listing programs that automatically run on startup (very alpha...not tested on anything but my Win 7x64)

salt.modules.win_disk¶

Module for gathering disk information on Windows

salt.modules.win_dns_client¶

Module for configuring DNS Client on Windows systems

salt.modules.win_file¶

Manage information about files on the minion, set/read user, group data

salt.modules.win_firewall¶

Module for configuring Windows Firewall

salt.modules.win_groupadd¶

Manage groups on Windows

salt.modules.win_ip¶

The networking module for Windows based systems

salt.modules.win_network¶

Module for gathering and managing network information

salt.modules.win_ntp¶

Management of NTP servers on Windows New in version 2014.1.0: (Hydrogen)

salt.modules.win_path¶

Manage the Windows System PATH Note that not all Windows applications will rehash the PATH environment variable, Only the ones that listen to the WM_SETTINGCHANGE message http://support.microsoft.com/kb/104011

salt.modules.win_pkg¶

A module to manage software on Windows

salt.modules.win_repo¶

Module to manage Windows software repo on a Standalone Minion
Place all Windows package files in the 'win_repo' directory.

salt.modules.win_servermanager¶

Manage Windows features via the ServerManager powershell module

salt.modules.win_service¶

Windows Service module.

salt.modules.win_shadow¶

Manage the shadow file

salt.modules.win_status¶

Module for returning various status data about a minion. These data can be useful for compiling into stats later.

salt.modules.win_system¶

Support for reboot, shutdown, etc

salt.modules.win_timezone¶

Module for managing timezone on Windows systems.

salt.modules.win_useradd¶

Manage Windows users with the net user command NOTE: This currently only works with local user accounts, not domain accounts

salt.modules.xapi¶

This module (mostly) uses the XenAPI to manage Xen virtual machines. Big fat warning: the XenAPI used in this file is the one bundled with Xen Source, NOT XenServer nor Xen Cloud Platform. As a matter of fact it will fail under those platforms. From what I've read, little work is needed to adapt this code to XS/XCP, mostly playing with XenAPI version, but as XCP is not taking precedence on Xen Source on many platforms, please keep compatibility in mind. Useful documentation: . http://downloads.xen.org/Wiki/XenAPI/xenapi-1.0.6.pdf

salt.modules.xmpp¶

Module for Sending Messages via XMPP (a.k.a. Jabber) New in version 2014.1.0: (Hydrogen)

salt.modules.yumpkg¶

Support for YUM

salt.modules.zcbuildout¶

Management of zc.buildout¶

This module is inspired from minitage's buildout maker New in version Boron. NOTE:

General notes¶

You have those following methods:

salt.modules.zfs¶

Module for running ZFS command

salt.modules.zpool¶

Module for running ZFS zpool command

salt.modules.zypper¶

Package support for openSUSE via the zypper package manager

RETURNERS¶

By default the return values of the commands sent to the Salt minions are returned to the salt-master. But since the commands executed on the Salt minions are detached from the call on the Salt master, anything at all can be done with the results data. This is where the returner interface comes in. Returners are modules called in addition to returning the data to the Salt master. The returner interface allows the return data to be sent to any system that can receive data. This means that return data can be sent to a Redis server, a MongoDB server, a MySQL server, or any system! SEE ALSO:

Using Returners¶

All commands will return the command data back to the master. Adding more returners will ensure that the data is also sent to the specified returner interfaces. Specifying what returners to use is done when the command is invoked:
This command will ensure that the redis_return returner is used. It is also possible to specify multiple returners:
In this scenario all three returners will be called and the data from the test.ping command will be sent out to the three named returners.

Writing a Returner¶

A returner is a module which contains a returner function, the returner function must accept a single argument. this argument is the return data from the called minion function. So if the minion function test.ping is called the value of the argument will be True. A simple returner is implemented here:
This simple example of a returner set to send the data to a redis server serializes the data as json and sets it in redis. You can place your custom returners in a _returners directory within the file_roots specified by the master config file. These custom returners are distributed when state.highstate is run, or by executing the saltutil.sync_returners or saltutil.sync_all functions. Any custom returners which have been synced to a minion, that are named the same as one of Salt's default set of returners, will take the place of the default returner with the same name. Note that a returner's default name is its filename (i.e. foo.py becomes returner foo), but that its name can be overridden by using a __virtual__ function. A good example of this can be found in the redis returner, which is named redis_return.py but is loaded as simply redis:

Examples¶

The collection of built-in Salt returners can be found here: https://github.com/saltstack/salt/blob/develop/salt/returners

FULL LIST OF BUILTIN RETURNER MODULES¶

carbon_return
cassandra_return
couchdb_return
local
memcache_return
mongo_future_return
mongo_return
mysql
postgres
redis_return
sentry_return
smtp_return
sqlite3_return
syslog_return

salt.returners.carbon_return¶

Take data from salt and "return" it into a carbon receiver Add the following configuration to your minion configuration files:

salt.returners.cassandra_return¶

Return data to a Cassandra ColumnFamily Here's an example Keyspace / ColumnFamily setup that works with this returner:
Required python modules: pycassa

salt.returners.couchdb_return¶

Simple returner for CouchDB. Optional configuration settings are listed below, along with sane defaults. couchdb.db: 'salt' couchdb.url: ' http://salt:5984/'

salt.returners.local¶

The local returner is used to test the returner interface, it just prints the return data to the console to verify that it is being passed properly

salt.returners.memcache_return¶

Return data to a memcache server To enable this returner the minion will need the python client for memcache installed and the following values configured in the minion or master config, these are the defaults:
python2-memcache uses 'localhost' and '11211' as syntax on connection.

salt.returners.mongo_future_return¶

Return data to a mongodb server Required python modules: pymongo This returner will send data from the minions to a MongoDB server. To configure the settings for your MongoDB server, add the following lines to the minion config files:
This mongo returner is being developed to replace the default mongodb returner in the future and should not be considered API stable yet.

salt.returners.mongo_return¶

Return data to a mongodb server Required python modules: pymongo This returner will send data from the minions to a MongoDB server. To configure the settings for your MongoDB server, add the following lines to the minion config files:

salt.returners.mysql¶

Return data to a mysql server
To enable this returner the minion will need the python client for mysql installed and the following values configured in the minion or master config, these are the defaults:
Use the following mysql database schema:
Required python modules: MySQLdb

salt.returners.postgres¶

Return data to a postgresql server
To enable this returner the minion will need the psycopg2 installed and the following values configured in the minion or master config:
Running the following commands as the postgres user should create the database correctly:
Required python modules: psycopg2

salt.returners.redis_return¶

Return data to a redis server To enable this returner the minion will need the python client for redis installed and the following values configured in the minion or master config, these are the defaults:

salt.returners.sentry_return¶

Salt returner that report execution results back to sentry. The returner will inspect the payload to identify errors and flag them as such. Pillar need something like:
and http://pypi.python.org/pypi/raven installed The tags list (optional) specifies grains items that will be used as sentry tags, allowing tagging of events in the sentry ui.

salt.returners.smtp_return¶

Return salt data via email The following fields can be set in the minion conf file:
There are a few things to keep in mind:

salt.returners.sqlite3¶

Insert minion return data into a sqlite3 database
Sqlite3 is a serverless database that lives in a single file. In order to use this returner the database file must exist, have the appropriate schema defined, and be accessible to the user whom the minion process is running as. This returner requires the following values configured in the master or minion config:
Use the commands to create the sqlite3 database and tables:

salt.returners.syslog_return¶

Return data to the host operating system's syslog facility Required python modules: syslog, json The syslog returner simply reuses the operating system's syslog facility to log return data

FILE STATE BACKUPS¶

In 0.10.2 a new feature was added for backing up files that are replaced by the file.managed and file.recurse states. The new feature is called the backup mode. Setting the backup mode is easy, but it can be set in a number of places. The backup_mode can be set in the minion config file:
Or it can be set for each file:

Backed-up Files¶

The files will be saved in the minion cachedir under the directory named file_backup. The files will be in the location relative to where they were under the root filesystem and be appended with a timestamp. This should make them easy to browse.

Interacting with Backups¶

Starting with version 0.17.0, it will be possible to list, restore, and delete previously-created backups.

Listing¶

The backups for a given file can be listed using file.list_backups:

Restoring¶

Restoring is easy using file.restore_backup, just pass the path and the numeric id found with file.list_backups:
The existing file will be backed up, just in case, as can be seen if file.list_backups is run again:
NOTE:

Deleting¶

Deleting backups can be done using mod: file.delete_backup <salt.modules.file.delete_backup>:

EXTENDING EXTERNAL SLS DATA¶

Sometimes a state defined in one SLS file will need to be modified from a separate SLS file. A good example of this is when an argument needs to be overwritten or when a service needs to watch an additional state.

The Extend Declaration¶

The standard way to extend is via the extend declaration. The extend declaration is a top level declaration like include and encapsulates ID declaration data included from other SLS files. A standard extend looks like this:
A few critical things happened here, first off the SLS files that are going to be extended are included, then the extend dec is defined. Under the extend dec 2 IDs are extended, the apache ID's file state is overwritten with a new name and source. Than the ssh server is extended to watch the banner file in addition to anything it is already watching.

Extend is a Top Level Declaration¶

This means that extend can only be called once in an sls, if if is used twice then only one of the extend blocks will be read. So this is WRONG:

The Requisite in Statement¶

Since one of the most common things to do when extending another SLS is to add states for a service to watch, or anything for a watcher to watch, the requisite in statement was added to 0.9.8 to make extending the watch and require lists easier. The ssh-server extend statement above could be more cleanly defined like so:

Rules to Extend By¶

There are a few rules to remember when extending states:

FAILHARD GLOBAL OPTION¶

Normally, when a state fails Salt continues to execute the remainder of the defined states and will only refuse to execute states that require the failed state. But the situation may exist, where you would want all state execution to stop if a single state execution fails. The capability to do this is called failing hard.

State Level Failhard¶

A single state can have a failhard set, this means that if this individual state fails that all state execution will immediately stop. This is a great thing to do if there is a state that sets up a critical config file and setting a require for each state that reads the config would be cumbersome. A good example of this would be setting up a package manager early on:
In this situation, the yum repo is going to be configured before other states, and if it fails to lay down the config file, than no other states will be executed.

Global Failhard¶

It may be desired to have failhard be applied to every state that is executed, if this is the case, then failhard can be set in the master configuration file. Setting failhard in the master configuration file will result in failing hard when any minion gathering states from the master have a state fail. This is NOT the default behavior, normally Salt will only fail states that require a failed state. Using the global failhard is generally not recommended, since it can result in states not being executed or even checked. It can also be confusing to see states failhard if an admin is not actively aware that the failhard has been set. To use the global failhard set failhard: True in the master configuration file.

HIGHSTATE DATA STRUCTURE DEFINITIONS¶

The Salt State Tree¶

Include declaration¶

Example:

Module reference¶

ID declaration¶

NOTE:

Extend declaration¶

Extend declarations are useful for adding-to or overriding parts of a state declaration that is defined in another SLS file. In the following contrived example, the shown mywebsite.sls file is include -ing and extend -ing the apache.sls module in order to add a watch declaration that will restart Apache whenever the Apache configuration file, mywebsite changes.
SEE ALSO:

State declaration¶

Requisite declaration¶

Requisite reference¶

Function declaration¶

Function arg declaration¶

For example in the following state declaration user, group, and mode are passed as arguments to the managed function in the file state module:

Name declaration¶

Overriding name is useful for a variety of scenarios. For example, avoiding clashing ID declarations. The following two state declarations cannot both have /etc/motd as the ID declaration:
Another common reason to override name is if the ID declaration is long and needs to be referenced in multiple places. In the example below it is much easier to specify mywebsite than to specify /etc/apache2/sites-available/mywebsite.com multiple times:

Names declaration¶

For example, given the following state declaration:
Once converted into the lowstate data structure the above state declaration will be expanded into the following three state declarations:

Large example¶

Here is the layout in yaml using the names of the highdata structure components.

INCLUDE AND EXCLUDE¶

Salt sls files can include other sls files and exclude sls files that have been otherwise included. This allows for an sls file to easily extend or manipulate other sls files.

Include¶

When other sls files are included, everything defined in the included sls file will be added to the state run. When including define a list of sls formulas to include:
The include statement will include sls formulas from the same environment that the including sls formula is in. But the environment can be explicitly defined in the configuration to override the running environment, therefore if an sls formula needs to be included from an external environment named "dev" the following syntax is used:

Relative Include¶

In Salt 0.16.0 the capability to include sls formulas which are relative to the running sls formula was added, simply precede the formula name with a .:

Exclude¶

The exclude statement, added in Salt 0.10.3 allows an sls to hard exclude another sls file or a specific id. The component is excluded after the high data has been compiled, so nothing should be able to override an exclude. Since the exclude can remove an id or an sls the type of component to exclude needs to be defined. an exclude statement that verifies that the running highstate does not contain the http sls and the /etc/vimrc id would look like this:

STATE ENFORCEMENT¶

Salt offers an optional interface to manage the configuration or "state" of the Salt minions. This interface is a fully capable mechanism used to enforce the state of systems from a central manager. The Salt state system is made to be accurate, simple, and fast. And like the rest of the Salt system, Salt states are highly modular.

State management¶

State management, also frequently called software configuration management (SCM), is a program that puts and keeps a system into a predetermined state. It installs software packages, starts or restarts services, or puts configuration files in place and watches them for changes. Having a state management system in place allows you to easily and reliably configure and manage a few servers or a few thousand servers. It allows you to keep that configuration under version control. Salt States is an extension of the Salt Modules that we discussed in the previous remote execution tutorial. Instead of calling one-off executions the state of a system can be easily defined and then enforced.

Understanding the Salt State System Components¶

The Salt state system is comprised of a number of components. As a user, an understanding of the SLS and renderer systems are needed. But as a developer, an understanding of Salt states and how to write the states is needed as well. NOTE:

Salt SLS System¶

SLS File Layout¶

SLS files are laid out in the Salt file server. A simple layout can look like this:
This example shows the core concepts of file layout. The top file is a key component and is used with Salt matchers to match SLS states with minions. The .sls files are states. The rest of the files are seen by the Salt master as just files that can be downloaded. The states are translated into dot notation, so the ssh.sls file is seen as the ssh state, the users/admin.sls file is seen as the users.admin states. The init.sls files are translated to be the state name of the parent directory, so the salt/init.sls file translates to the Salt state. The plain files are visible to the minions, as well as the state files. In Salt, everything is a file; there is no "magic translation" of files and file types. This means that a state file can be distributed to minions just like a plain text or binary file.

SLS Files¶

The Salt state files are simple sets of data. Since the SLS files are just data they can be represented in a number of different ways. The default format is yaml generated from a Jinja template. This allows for the states files to have all the language constructs of Python and the simplicity of yaml. State files can then be complicated Jinja templates that translate down to yaml, or just plain and simple yaml files! The State files are constructed data structures in a simple format. The format allows for many real activates to be expressed in very little text, while maintaining the utmost in readability and usability. Here is an example of a Salt State:
This short stanza will ensure that vim is installed, Salt is installed and up to date, the salt-master and salt-minion daemons are running and the Salt minion configuration file is in place. It will also ensure everything is deployed in the right order and that the Salt services are restarted when the watched file updated.

The Top File¶

The top file is the mapping for the state system. The top file specifies which minions should have which modules applied and which environments they should draw the states from. The top file works by specifying the environment, containing matchers with lists of Salt states sent to the matching minions:
This simple example uses the base environment, which is built into the default Salt setup, and then all minions will have the modules salt, users and users.admin since '*' will match all minions. Then the regular expression matcher will match all minions' with an id matching saltmaster.* and add the salt.master state.

Renderer System¶

The Renderer system is a key component to the state system. SLS files are representations of Salt "high data" structures. All Salt cares about when reading an SLS file is the data structure that is produced from the file. This allows Salt states to be represented by multiple types of files. The Renderer system can be used to allow different formats to be used for SLS files. The available renderers can be found in the renderers directory in the Salt source code: https://github.com/saltstack/salt/blob/develop/salt/renderers By default SLS files are rendered using Jinja as a templating engine, and yaml as the serialization format. Since the rendering system can be extended simply by adding a new renderer to the renderers directory, it is possible that any structured file could be used to represent the SLS files. In the future XML will be added, as well as many other formats.

Reloading Modules¶

Some salt states require specific packages to be installed in order for the module to load, as an example the pip state module requires the pip package for proper name and version parsing. On most of the common cases, salt is clever enough to transparently reload the modules, for example, if you install a package, salt reloads modules because some other module or state might require just that package which was installed. On some edge-cases salt might need to be told to reload the modules. Consider the following state file which we'll call pep8.sls:
The above example installs pip using easy_install from setuptools and installs pep8 using pip, which, as told earlier, requires pip to be installed system-wide. Let's execute this state:
The execution output would be something like:
If we executed the state again the output would be:
Since we installed pip using cmd, salt has no way to know that a system-wide package was installed. On the second execution, since the required pip package was installed, the state executed perfectly. To those thinking, could not salt reload modules on every state step since it already does for some cases? It could, but it should not since it would greatly slow down state execution. So how do we solve this edge-case? reload_modules! reload_modules is a boolean option recognized by salt on all available states which, does exactly what it tells use, forces salt to reload it's modules once that specific state finishes. The fixed state file would now be:
Let's run it, once:
And it's output now is:

STATE SYSTEM LAYERS¶

The Salt state system is comprised of multiple layers. While using Salt does not require an understanding of the state layers, a deeper understanding of how Salt compiles and manages states can be very beneficial.

Function Call¶

The lowest layer of functionality in the state system is the direct state function call. State executions are executions of single state functions at the core. These individual functions are defined in state modules and can be called directly via the state.single command.

Low Chunk¶

The low chunk is the bottom of the Salt state compiler. This is a data representation of a single function call. The low chunk is sent to the state caller and used to execute a single state function. A single low chunk can be executed manually via the state.low command.
The passed data reflects what the state execution system gets after compiling the data down from sls formulas.

Low State¶

The Low State layer is the list of low chunks "evaluated" in order. To see what the low state looks like for a highstate, run:
This will display the raw lowstate in the order which each low chunk will be evaluated. The order of evaluation is not necessarily the order of execution, since requisites are evaluated at runtime. Requisite execution and evaluation is finite; this means that the order of execution can be ascertained with 100% certainty based on the order of the low state.

High Data¶

High data is the data structure represented in YAML via SLS files. The High data structure is created by merging the data components rendered inside sls files (or other render systems). The High data can be easily viewed by executing the state.show_highstate or state.show_sls functions. Since this data is a somewhat complex data structure, it may be easier to read using the json, yaml, or pprint outputters:

SLS¶

Above "High Data", the logical layers are no longer technically required to be executed, or to be executed in a hierarchy. This means that how the High data is generated is optional and very flexible. The SLS layer allows for many mechanisms to be used to render sls data from files or to use the fileserver backend to generate sls and file data from external systems. The SLS layer can be called directly to execute individual sls formulas. NOTE:
To call a single SLS formula named edit.vim, execute state.sls:

HighState¶

Calling SLS directly logically assigns what states should be executed from the context of the calling minion. The Highstate layer is used to allow for full contextual assignment of what is executed where to be tied to groups of, or individual, minions entirely from the master. This means that the environment of a minion, and all associated execution data pertinent to said minion, can be assigned from the master without needing to execute or configure anything on the target minion. This also means that the minion can independently retrieve information about its complete configuration from the master. To execute the High State call state.highstate:

OverState¶

The overstate layer expresses the highest functional layer of Salt's automated logic systems. The Overstate allows for stateful and functional orchestration of routines from the master. The overstate defines in data execution stages which minions should execute states, or functions, and in what order using requisite logic.

THE ORCHESTRATE RUNNER¶

NOTE:

ORDERING STATES¶

The way in which configuration management systems are executed is a hotly debated topic in the configuration management world. Two major philosophies exist on the subject, to either execute in an imperative fashion where things are executed in the order in which they are defined, or in a declarative fashion where dependencies need to be mapped between objects. Imperative ordering is finite and generally considered easier to write, but declarative ordering is much more powerful and flexible but generally considered more difficult to create. Salt has been created to get the best of both worlds. States are evaluated in a finite order, which guarantees that states are always executed in the same order, and the states runtime is declarative, making Salt fully aware of dependencies via the requisite system.

State Auto Ordering¶

Salt always executes states in a finite manner, meaning that they will always execute in the same order regardless of the system that is executing them. But in Salt 0.17.0, the state_auto_order option was added. This option makes states get evaluated in the order in which they are defined in sls files. The evaluation order makes it easy to know what order the states will be executed in, but it is important to note that the requisite system will override the ordering defined in the files, and the order option described below will also override the order in which states are defined in sls files. If the classic ordering is preferred (lexicographic), then set state_auto_order to False in the master configuration file.

Requisite Statements¶

NOTE:
Often when setting up states any single action will require or depend on another action. Salt allows for the building of relationships between states with requisite statements. A requisite statement ensures that the named state is evaluated before the state requiring it. There are three types of requisite statements in Salt, require, watch and prereq. These requisite statements are applied to a specific state declaration:
In this example, the require requisite is used to declare that the file /etc/httpd/conf/httpd.conf should only be set up if the pkg state executes successfully. The requisite system works by finding the states that are required and executing them before the state that requires them. Then the required states can be evaluated to see if they have executed correctly. Require statements can refer to the following requisite types: pkg, file, sls In addition to state declarations such as pkg, file, etc., sls type requisites are also recognized, and essentially allow 'chaining' of states. This provides a mechanism to ensure the proper sequence for complex state formulas, especially when the discrete states are split or groups into separate sls files:
In this example, the httpd sevice running state will not be applied (i.e., the httpd service will not be started) unless both the https package is installed AND the network state is satisfied. NOTE:

Multiple Requisites¶

The requisite statement is passed as a list, allowing for the easy addition of more requisites. Both requisite types can also be separately declared:
In this example, the httpd service is only going to be started if the package, user, group and file are executed successfully.

The Require Requisite¶

The foundation of the requisite system is the require requisite. The require requisite ensures that the required state(s) are executed before the requiring state. So, if a state is declared that sets down a vimrc, then it would be pertinent to make sure that the vimrc file would only be set down if the vim package has been installed:
In this case, the vimrc file will only be applied by Salt if and after the vim package is installed.

The Watch Requisite¶

The watch requisite is more advanced than the require requisite. The watch requisite executes the same logic as require (therefore if something is watched it does not need to also be required) with the addition of executing logic if the required states have changed in some way. The watch requisite checks to see if the watched states have returned any changes. If the watched state returns changes, and the watched states execute successfully, then the watching state will execute a function that reacts to the changes in the watched states. Perhaps an example can better explain the behavior:
In this example, the redis service will only be started if the file /etc/redis.conf is applied, and the file is only applied if the package is installed. This is normal require behavior, but if the watched file changes, or the watched package is installed or upgraded, then the redis service is restarted. NOTE:

Watch and the mod_watch Function¶

The watch requisite is based on the mod_watch function. Python state modules can include a function called mod_watch which is then called if the watch call is invoked. When mod_watch is called depends on the execution of the watched state, which:
When reacting, in the case of the service module the underlying service is restarted. In the case of the cmd state the command is executed. The mod_watch function for the service state looks like this:
The watch requisite only works if the state that is watching has a mod_watch function written. If watch is set on a state that does not have a mod_watch function (like pkg), then the listed states will behave only as if they were under a require statement. Also notice that a mod_watch may accept additional keyword arguments, which, in the sls file, will be taken from the same set of arguments specified for the state that includes the watch requisite. This means, for the earlier service.running example above, the service can be set to reload instead of restart like this:

The Order Option¶

Before using the order option, remember that the majority of state ordering should be done with a requisite declaration, and that a requisite declaration will override an order option, so a state with order option should not require or required by other states. The order option is used by adding an order number to a state declaration with the option order:
By adding the order option to 1 this ensures that the vim package will be installed in tandem with any other state declaration set to the order 1. Any state declared without an order option will be executed after all states with order options are executed. But this construct can only handle ordering states from the beginning. Certain circumstances will present a situation where it is desirable to send a state to the end of the line. To do this, set the order to last:

OVERSTATE SYSTEM¶

NOTE:

STATE PROVIDERS¶

New in version 0.9.8. Salt predetermines what modules should be mapped to what uses based on the properties of a system. These determinations are generally made for modules that provide things like package and service management. Sometimes in states, it may be necessary to use an alternative module to provide the needed functionality. For instance, an older Arch Linux system may not be running systemd, so instead of using the systemd service module, you can revert to the default service module:
In this instance, the basic service module (which manages sysvinit-based services) will replace the systemd module which is used by default on Arch Linux. However, if it is necessary to make this override for most or every service, it is better to just override the provider in the minion config file, as described in the section below.

Setting a Provider in the Minion Config File¶

Sometimes, when running Salt on custom Linux spins, or distribution that are derived from other distributions, Salt does not successfully detect providers. The providers which are most likely to be affected by this are:
When something like this happens, rather than specifying the provider manually in each state, it easier to use the providers parameter in the minion config file to set the provider. If you end up needing to override a provider because it was not detected, please let us know! File an issue on the issue tracker, and provide the output from the grains.items function, taking care to sanitize any sensitive information. Below are tables that should help with deciding which provider to use if one needs to be overridden.

Provider: pkg¶

Execution Module	Used for
apt	Debian/Ubuntu-based distros which use apt-get(8) for package management
brew	Mac OS software management using Homebrew
ebuild	Gentoo-based systems (utilizes the portage python module as well as emerge(1))
freebsdpkg	FreeBSD-based OSes using pkg_add(1)
openbsdpkg	OpenBSD-based OSes using pkg_add(1)
pacman	Arch Linux-based distros using pacman(8)
pkgin	NetBSD-based OSes using pkgin(1)
pkgng	FreeBSD-based OSes using pkg(8)
pkgutil	Solaris-based OSes using OpenCSW's pkgutil(1)
solarispkg	Solaris-based OSes using pkgadd(1M)
win_pkg	Windows
yumpkg	RedHat-based distros and derivatives (wraps yum(8))
zypper	SUSE-based distros using zypper(8)

Provider: service¶

Execution Module	Used for
debian_service	Debian (non-systemd)
freebsdservice	FreeBSD-based OSes using service(8)
gentoo_service	Gentoo Linux using sysvinit and rc-update(8)
launchctl	Mac OS hosts using launchctl(1)
netbsdservice	NetBSD-based OSes
openbsdservice	OpenBSD-based OSes
rh_service	RedHat-based distros and derivatives using service(8) and chkconfig(8). Supports both pure sysvinit and mixed sysvinit/upstart systems.
service	Fallback which simply wraps sysvinit scripts
smf	Solaris-based OSes which use SMF
systemd	Linux distros which use systemd
upstart	Ubuntu-based distros using upstart
win_service	Windows

Provider: user¶

Execution Module	Used for
useradd	Linux, NetBSD, and OpenBSD systems using useradd(8), userdel(8), and usermod(8)
pw_user	FreeBSD-based OSes using pw(8)
solaris_user	Solaris-based OSes using useradd(1M), userdel(1M), and usermod(1M)
win_useradd	Windows

Provider: group¶

Execution Module	Used for
groupadd	Linux, NetBSD, and OpenBSD systems using groupadd(8), groupdel(8), and groupmod(8)
pw_group	FreeBSD-based OSes using pw(8)
solaris_group	Solaris-based OSes using groupadd(1M), groupdel(1M), and groupmod(1M)
win_groupadd	Windows

Arbitrary Module Redirects¶

The provider statement can also be used for more powerful means, instead of overwriting or extending the module used for the named service an arbitrary module can be used to provide certain functionality.
In this example, the state is being instructed to use a custom module to invoke commands. Arbitrary module redirects can be used to dramatically change the behavior of a given state.

REQUISITES¶

The Salt requisite system is used to create relationships between states. The core idea being that, when one state is dependent somehow on another, that inter-dependency can be easily defined. Requisites come in two types. Direct requisites, and requisite_ins. The relationships are directional, so a requisite statement makes the requiring state declaration depend on the required state declaration:
So in this example, the file /etc/vimrc depends on the vim package. Requisite_in statements are the opposite, instead of saying "I depend on something", requisite_ins say "Someone depends on me":
So here, with a requisite_in, the same thing is accomplished, but just from the other way around. The vim package is saying "/etc/vimrc depends on me". In the end, a single dependency map is created and everything is executed in a finite and predictable order. NOTE:

Requisite and Requisite in types¶

There are three requisite statements that can be used in Salt. the require, watch and use requisites. Each requisite also has a corresponding requisite_in: require_in, watch_in and use_in. All of the requisites define specific relationships and always work with the dependency logic defined above.

Require¶

The most basic requisite statement is require. The behavior of require is simple. Make sure that the dependent state is executed before the depending state, and if the dependent state fails, don't run the depending state. So in the above examples the file /etc/vimrc will only be applied after the vim package is installed and only if the vim package is installed successfully.

Require an entire sls file¶

As of Salt 0.16.0, it is possible to require an entire sls file. Do this by first including the sls file and then setting a state to require the included sls file.

Watch¶

The watch statement does everything the require statement does, but with a little more. The watch statement looks into the state modules for a function called mod_watch. If this function is not available in the corresponding state module, then watch does the same thing as require. If the mod_watch function is in the state module, then the watched state is checked to see if it made any changes to the system, if it has, then mod_watch is called. Perhaps the best example of using watch is with a service.running state. When a service watches a state, then the service is reloaded/restarted when the watched state changes:

Prereq¶

The prereq requisite is a powerful requisite added in 0.16.0. This requisite allows for actions to be taken based on the expected results of a state that has not yet been executed. In more practical terms, a service can be shut down because the prereq knows that underlying code is going to be updated and the service should be off-line while the update occurs. The motivation to add this requisite was to allow for routines to remove a system from a load balancer while code is being updated. The prereq checks if the required state expects to have any changes by running the single state with test=True. If the pre-required state returns changes, then the state requiring it will execute.
In this case the apache server will only be shutdown if the site-code state expects to deploy fresh code via the file.recurse call, and the site-code deployment will only be executed if the graceful-down run completes successfully.

Use¶

The use requisite is used to inherit the arguments passed in another id declaration. This is useful when many files need to have the same defaults.
The use statement was developed primarily for the networking states but can be used on any states in Salt. This made sense for the networking state because it can define a long list of options that need to be applied to multiple network interfaces. The use statement does not inherit the requisites arguments of the targeted state. This means also a chain of use requisites would not inherit inherited options.

Require In¶

The require_in requisite is the literal reverse of require. If a state declaration needs to be required by another state declaration then require_in can accommodate it, so these two sls files would be the same in the end: Using require
Using require_in
The require_in statement is particularly useful when assigning a require in a separate sls file. For instance it may be common for httpd to require components used to set up PHP or mod_python, but the HTTP state does not need to be aware of the additional components that require it when it is set up: http.sls
php.sls
mod_python.sls
Now the httpd server will only start if php or mod_python are first verified to be installed. Thus allowing for a requisite to be defined "after the fact".

Watch In¶

Watch in functions the same as require in, but applies a watch statement rather than a require statement to the external state declaration.

Prereq In¶

The prereq_in requisite in follows the same assignment logic as the require_in requisite in. The prereq_in call simply assigns prereq to the state referenced. The above example for prereq can be modified to function in the same way using prereq_in:

STARTUP STATES¶

Sometimes it may be desired that the salt minion execute a state run when it is started. This alleviates the need for the master to initiate a state run on a new minion and can make provisioning much easier. As of Salt 0.10.3 the minion config reads options that allow for states to be executed at startup. The options are startup_states, sls_list and top_file. The startup_states option can be passed one of a number of arguments to define how to execute states. The available options are:

Examples:¶

Execute state.highstate when starting the minion:
Execute the sls files edit.vim and hyper:

STATE TESTING¶

Executing a Salt state run can potentially change many aspects of a system and it may be desirable to first see what a state run is going to change before applying the run. Salt has a test interface to report on exactly what will be changed, this interface can be invoked on any of the major state run functions:
The test run is mandated by adding the test=True option to the states. The return information will show states that will be applied in yellow and the result is reported as None.

Default Test¶

If the value test is set to True in the minion configuration file then states will default to being executed in test mode. If this value is set then states can still be run by calling test=False:

THE TOP FILE¶

The top file is used to map what SLS modules get loaded onto what minions via the state system. The top file creates a few general abstractions. First it maps what nodes should pull from which environments, next it defines which matches systems should draw from.

Environments¶

NOTE:
The environments in the top file corresponds with the environments defined in the file_roots variable. In a simple, single environment setup you only have the base environment, and therefore only one state tree. Here is a simple example of file_roots in the master configuration:
This means that the top file will only have one environment to pull from, here is a simple, single environment top file:
This also means that /srv/salt has a state tree. But if you want to use multiple environments, or partition the file server to serve more than just the state tree, then the file_roots option can be expanded:
Then our top file could reference the environments:
In this setup we have state trees in three of the four environments, and no state tree in the base environment. Notice that the targets for the minions specify environment data. In Salt the master determines who is in what environment, and many environments can be crossed together. For instance, a separate global state tree could be added to the base environment if it suits your deployment:
In this setup all systems will pull the global SLS from the base environment, as well as pull from their respective environments. If you assign only one SLS to a system, as in this example, a shorthand is also available:
NOTE:
Remember, that since everything is a file in Salt, the environments are primarily file server environments, this means that environments that have nothing to do with states can be defined and used to distribute other files. A clean and recommended setup for multiple environments would look like this:
Then only place state trees in the dev, qa and prod environments, leaving the base environment open for generic file transfers. Then the top.sls file would look something like this:

Other Ways of Targeting Minions¶

In addition to globs, minions can be specified in top files a few other ways. Some common ones are compound matches and node groups. Here is a slightly more complex top file example, showing the different types of matches you can perform:
In this example top.sls, all minions get the ldap-client, networking and salt.minion states. Any minion with an id matching the salt-master* glob will get the salt.master state. Any minion with ids matching the regular expression ^(memcache|web).(qa|prod).loc$ will get the nagios.mon.web and apache.server states. All Ubuntu minions will receive the repos.ubuntu state, while all RHEL and CentOS minions will receive the repos.epel state. The minions foo, bar, and baz will receive the database state. Any minion with a pillar named somekey, having a value of abc will receive the xyz state. Finally, minions with ids matching the nag1* glob or with a grain named role equal to monitoring will receive the nagios.server state.

How Top Files Are Compiled¶

As mentioned earlier, the top files in the different environments are compiled into a single set of data. The way in which this is done follows a few rules, which are important to understand when arranging top files in different environments. The examples below all assume that the file_roots are set as in the above multi-environment example.
/srv/salt/base/top.sls:
/srv/salt/dev/top.sls:
NOTE:

/srv/salt/dev/top.sls:
/srv/salt/qa/top.sls:

/srv/salt/dev/top.sls:
/srv/salt/qa/top.sls:
NOTE:

SLS TEMPLATE VARIABLE REFERENCE¶

The template engines available to sls files and file templates come loaded with a number of context variables. These variables contain information and functions to assist in the generation of templates. See each variable below for its availability -- not all variables are available in all templating contexts.

Salt¶

The salt variable is available to abstract the salt library functions. This variable is a python dictionary containing all of the functions available to the running salt minion. It is available in all salt templates.

Opts¶

The opts variable abstracts the contents of the minion's configuration file directly to the template. The opts variable is a dictionary. It is available in all templates.
The config.get function also searches for values in the opts dictionary.

Pillar¶

The pillar dictionary can be referenced directly, and is available in all templates:
Using the pillar.get function via the salt variable is generally recommended since a default can be safely set in the event that the value is not available in pillar and dictionaries can be traversed directly:

Grains¶

The grains dictionary makes the minion's grains directly available, and is available in all templates:
The grains.get function can be used to traverse deeper grains and set defaults:

env¶

The env variable is available in only in sls files when gathering the sls from an environment.

sls¶

The sls variable contains the sls reference value, and is only available in the actual SLS file (not in any files referenced in that SLS). The sls reference value is the value used to include the sls in top files or via the include option.

STATE MODULES¶

State Modules are the components that map to actual enforcement and management of Salt states.

States are Easy to Write!¶

State Modules should be easy to write and straightforward. The information passed to the SLS data structures will map directly to the states modules. Mapping the information from the SLS data is simple, this example should illustrate:
Therefore this SLS data can be directly linked to a module, function and arguments passed to that function. This does issue the burden, that function names, state names and function arguments should be very human readable inside state modules, since they directly define the user interface.

Using Custom State Modules¶

Place your custom state modules inside a _states directory within the file_roots specified by the master config file. These custom state modules can then be distributed in a number of ways. Custom state modules are distributed when state.highstate is run, or by executing the saltutil.sync_states or saltutil.sync_all functions. Any custom states which have been synced to a minion, that are named the same as one of Salt's default set of states, will take the place of the default state with the same name. Note that a state's default name is its filename (i.e. foo.py becomes state foo), but that its name can be overridden by using a __virtual__ function.

Cross Calling Modules¶

As with Execution Modules, State Modules can also make use of the __salt__ and __grains__ data. It is important to note that the real work of state management should not be done in the state module unless it is needed. A good example is the pkg state module. This module does not do any package management work, it just calls the pkg execution module. This makes the pkg state module completely generic, which is why there is only one pkg state module and many backend pkg execution modules. On the other hand some modules will require that the logic be placed in the state module, a good example of this is the file module. But in the vast majority of cases this is not the best approach, and writing specific execution modules to do the backend work will be the optimal solution.

Return Data¶

A State Module must return a dict containing the following keys/values:

Test State¶

All states should check for and support test being passed in the options. This will return data about what changes would occur if the state were actually run. An example of such a check could look like this:
Make sure to test and return before performing any real actions on the minion.

Watcher Function¶

If the state being written should support the watch requisite then a watcher function needs to be declared. The watcher function is called whenever the watch requisite is invoked and should be generic to the behavior of the state itself. The watcher function should accept all of the options that the normal state functions accept (as they will be passed into the watcher function). A watcher function typically is used to execute state specific reactive behavior, for instance, the watcher for the service module restarts the named service and makes it useful for the watcher to make the service react to changes in the environment. The watcher function also needs to return the same data that a normal state function returns.

Mod_init Interface¶

Some states need to execute something only once to ensure that an environment has been set up, or certain conditions global to the state behavior can be predefined. This is the realm of the mod_init interface. A state module can have a function called mod_init which executes when the first state of this type is called. This interface was created primarily to improve the pkg state. When packages are installed the package metadata needs to be refreshed, but refreshing the package metadata every time a package is installed is wasteful. The mod_init function for the pkg state sets a flag down so that the first, and only the first, package installation attempt will refresh the package database (the package database can of course be manually called to refresh via the refresh option in the pkg state). The mod_init function must accept the Low State Data for the given executing state as an argument. The low state data is a dict and can be seen by executing the state.show_lowstate function. Then the mod_init function must return a bool. If the return value is True, then the mod_init function will not be executed again, meaning that the needed behavior has been set up. Otherwise, if the mod_init function returns False, then the function will be called the next time. A good example of the mod_init function is found in the pkg state module:
The mod_init function in the pkg state accepts the low state data as low and then checks to see if the function being called is going to install packages, if the function is not going to install packages then there is no need to refresh the package database. Therefore if the package database is prepared to refresh, then return True and the mod_init will not be called the next time a pkg state is evaluated, otherwise return False and the mod_init will be called next time a pkg state is evaluated.

FULL LIST OF BUILTIN STATE MODULES¶

alias
alternatives
apt	High-Level Interface for working with apt.
archive
augeas
aws_sqs
cloud
cmd	A generic class to build line-oriented command interpreters.
composer
cron
ddns
debconfmod
disk
dockerio
eselect
file
gem
git
gnomedesktop
grains
group
hg
host
iptables
keyboard
keystone
kmod
layman
libvirt	Mock out specified imports
locale	Locale support.
lvm
lvs_server
lvs_service
makeconf
mdadm
memcached
modjk_worker
module
mongodb_database
mongodb_user
mount
mysql_database
mysql_grants
mysql_user
network
npm
ntp
openstack_config
pagerduty
pecl
pip_state
pkg
pkgng
pkgrepo
portage_config
ports
postgres_database
postgres_group
postgres_user
powerpath
process
quota
rabbitmq_cluster
rabbitmq_plugin
rabbitmq_policy
rabbitmq_user
rabbitmq_vhost
rbenv
rdp
reg
rvm
saltmod
selinux
service
ssh_auth
ssh_known_hosts
stateconf
status
supervisord
svn
sysctl
timezone
tomcat
user	Hook to allow user-specified customization code to run.
virtualenv_mod
win_dns_client
win_firewall
win_network
win_path
win_servermanager
win_system
xmpp
zcbuildout

salt.states.alias¶

Configuration of email aliases¶

The mail aliases file can be managed to contain definitions for specific email aliases:

salt.states.alternatives¶

Configuration of the alternatives system¶

Control the alternatives system

salt.states.apt¶

Package management operations specific to APT- and DEB-based systems¶

salt.states.archive¶

Archive states.

salt.states.augeas¶

Configuration management using Augeas¶

New in version 0.17.0. This state requires the augeas Python module. Augeas can be used to manage configuration files. Currently only the set command is supported via this state. The augeas module also has support for get, match, remove, etc. WARNING:
Usage examples:
A prefix can also be set, to avoid redundancy:

salt.states.aws_sqs¶

Manage SQS Queues¶

Create and destroy SQS queues. Be aware that this interacts with Amazon's services, and so may incur charges. This module uses the awscli tool provided by Amazon. This can be downloaded from pip. Also check the documentation for awscli for configuration information.

salt.states.cloud¶

Using states instead of maps to deploy clouds¶

New in version 2014.1.0: (Hydrogen) Use this minion to spin up a cloud instance:

salt.states.cmd¶

Execution of arbitrary commands¶

The cmd state module manages the enforcement of executed commands, this state can tell a command to run under certain circumstances. A simple example to execute a command:
Only run if another execution failed, in this case truncate syslog if there is no disk space:
Note that when executing a command or script, the state (i.e., changed or not) of the command is unknown to Salt's state system. Therefore, by default, the cmd state assumes that any command execution results in a changed state. This means that if a cmd state is watched by another state then the state that's watching will always be executed due to the changed state in the cmd state. Many state functions in this module now also accept a stateful argument. If stateful is specified to be true then it is assumed that the command or script will determine its own state and communicate it back by following a simple protocol described below:
cmd.wait is not restricted to watching only cmd states. For example it can also watch a git state for changes

Should I use cmd.run or cmd.wait?¶

These two states are often confused. The important thing to remember about them is that cmd.run states are run each time the SLS file that contains them is applied. If it is more desirable to have a command that only runs after some other state changes, then cmd.wait does just that. cmd.wait is designed to watch other states, and is executed when the state it is watching changes. Example:

How do I create a environment from a pillar map?¶

The map that comes from a pillar cannot be directly consumed by the env option. To use it one must convert it to a list. Example:

salt.states.composer¶

Installation of Composer Packages¶

These states manage the installed packages for composer for PHP. Note that either composer is installed and accessible via a bin directory or you can pass the location of composer in the state.

salt.states.cron¶

Management of cron, the Unix command scheduler¶

Cron declarations require a number of parameters. The following are the parameters used by Salt to define the various timing values for a cron job:
WARNING:
A long time ago (before 2014.2), when making changes to an existing cron job, the name declaration is the parameter used to uniquely identify the job, so if an existing cron that looks like this:
Is changed to this:
Then the existing cron will be updated, but if the cron command is changed, then a new cron job will be added to the user's crontab. The current behavior is still relying on that mechanism, but you can also specify an identifier to identify your crontabs:
And, some months later, you modify it:
The old date > /tmp/crontest will be replaced by superscript > /tmp/crontest. Additionally, Salt also supports running a cron every x minutes very similarly to the Unix convention of using */5 to have a job run every five minutes. In Salt, this looks like:
The job will now run every 5 minutes. Additionally, the temporal parameters (minute, hour, etc.) can be randomized by using random instead of using a specific value. For example, by using the random keyword in the minute parameter of a cron state, the same cron job can be pushed to hundreds or thousands of hosts, and they would each use a randomly-generated minute. This can be helpful when the cron job accesses a network resource, and it is not desirable for all hosts to run the job concurrently.
New in version 0.16.0. Since Salt assumes a value of * for unspecified temporal parameters, adding a parameter to the state and setting it to random will change that value from * to a randomized numeric value. However, if that field in the cron entry on the minion already contains a numeric value, then using the random keyword will not modify it.

salt.states.ddns¶

Dynamic DNS updates¶

Ensure a DNS record is present or absent utilizing RFC 2136 type dynamic updates. Requires dnspython module.

salt.states.debconfmod¶

Management of debconf selections¶

The debconfmod state module manages the enforcement of debconf selections, this state can set those selections prior to package installation.

Available Functions¶

The debconfmod state has two functions, the set and set_file functions

NOTE:

salt.states.disk¶

Disk monitoring state Monitor the state of disk resources

salt.states.dockerio¶

Manage Docker containers¶

Docker is a lightweight, portable, self-sufficient software container wrapper. The base supported wrapper type is LXC, cgroups, and the Linux Kernel. WARNING:
NOTE:

Available Functions¶

NOTE:

salt.states.eselect¶

Management of Gentoo configuration using eselect¶

A state module to manage Gentoo configuration via eselect

salt.states.file¶

Operations on regular files, special files, directories, and symlinks¶

Salt States can aggressively manipulate files on a system. There are a number of ways in which files can be managed. Regular files can be enforced with the managed function. This function downloads files from the salt master and places them on the target system. The downloaded files can be rendered as a jinja, mako, or wempy template, adding a dynamic component to file management. An example of file.managed which makes use of the jinja templating system would look like this:
NOTE:
If using a template, any user-defined template variables in the file defined in source must be passed in using the defaults and/or context arguments. The general best practice is to place default values in defaults, with conditional overrides going into context, as seen above. The source parameter can be specified as a list. If this is done, then the first file to be matched will be the one that is used. This allows you to have a default file on which to fall back if the desired file does not exist on the salt fileserver. Here's an example:
NOTE:
The source parameter can also specify a file in another Salt environment. In this example foo.conf in the dev environment will be used instead.
WARNING:
Special files can be managed via the mknod function. This function will create and enforce the permissions on a special file. The function supports the creation of character devices, block devices, and fifo pipes. The function will create the directory structure up to the special file if it is needed on the minion. The function will not overwrite or operate on (change major/minor numbers) existing special files with the exception of user, group, and permissions. In most cases the creation of some special files require root permisisons on the minion. This would require that the minion to be run as the root user. Here is an example of a character device:
Here is an example of a block device:
Here is an example of a fifo pipe:
Directories can be managed via the directory function. This function can create and enforce the permissions on a directory. A directory statement will look like this:
If you need to enforce user and/or group ownership or permissions recursively on the directory's contents, you can do so by adding a recurse directive:
As a default, mode will resolve to dir_mode and file_mode, to specify both directory and file permissions, use this form:
Symlinks can be easily created; the symlink function is very simple and only takes a few arguments:
Recursive directory management can also be set via the recurse function. Recursive directory management allows for a directory on the salt master to be recursively copied down to the minion. This is a great tool for deploying large code and configuration systems. A state using recurse would look something like this:
A more complex recurse example:

salt.states.gem¶

Installation of Ruby modules packaged as gems¶

A state module to manage rubygems. Gems can be set up to be installed or removed. This module will use RVM if it is installed. In that case, you can specify what ruby version and gemset to target.

salt.states.git¶

Interaction with Git repositories¶

Important: Before using git over ssh, make sure your remote host fingerprint exists in "~/.ssh/known_hosts" file. To avoid requiring password authentication, it is also possible to pass private keys to use explicitly.

salt.states.gnomedesktop¶

Configuration of the GNOME desktop¶

Control the GNOME settings

salt.states.grains¶

Manage grains on the minion¶

This state allows for grains to be set. Grains set or altered this way are stored in the 'grains' file on the minions, by default at: /etc/salt/grains Note: This does NOT override any grains set in the minion file.

salt.states.group¶

Management of user groups¶

The group module is used to create and manage unix group settings, groups can be either present or absent:

salt.states.hg¶

Interaction with Mercurial repositories¶

Before using hg over ssh, make sure the remote host fingerprint already exists in ~/.ssh/known_hosts, and the remote host has this host's public key.

salt.states.host¶

Management of addresses and names in hosts file¶

The /etc/hosts file can be managed to contain definitions for specific hosts:
Or using the "names:" directive, you can put several names for the same IP. (Do not try one name with space-separated values).
NOTE: changing the name(s) in the present() function does not cause an update to remove the old entry.

salt.states.iptables¶

Management of iptables¶

This is an iptables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.

salt.states.keyboard¶

Management of keyboard layouts¶

The keyboard layout can be managed for the system:
Or it can be managed for XOrg:

salt.states.keystone¶

Management of Keystone users¶

salt.states.kmod¶

Loading and unloading of kernel modules¶

The Kernel modules on a system can be managed cleanly with the kmod state module:

salt.states.layman¶

Management of Gentoo Overlays using layman¶

A state module to manage Gentoo package overlays via layman

salt.states.libvirt¶

Manage libvirt certificates¶

This state uses the external pillar in the master to call for the generation and signing of certificates for systems running libvirt:

salt.states.locale¶

Management of languages/locales ==============================+ The locale can be managed for the system:

salt.states.lvm¶

Management of Linux logical volumes¶

A state module to manage LVMs

salt.states.lvs_server¶

Management of LVS(Linux Virtual Server) Real Server.¶

This lvs_server module is used to add and manage LVS Real Server in the specified service. Server can be set as either absent or present.

salt.states.lvs_service¶

Management of LVS(Linux Virtual Server) Service.¶

This lvs_service module is used to create and manage LVS Service. Service can be set as either absent or present.

salt.states.makeconf¶

Management of Gentoo make.conf¶

A state module to manage Gentoo's make.conf file

salt.states.mdadm¶

Managing software RAID with mdadm¶

A state module for creating or destroying software RAID devices.

salt.states.memcached¶

States for Management of Memcached Keys¶

New in version 2014.1.0: (Hydrogen)

salt.states.modjk_worker¶

Manage modjk workers¶

Send commands to a modjk load balancer via the peer system. This module can be used with the prereq requisite to remove/add the worker from the load balancer before deploying/restarting service. Mandatory Settings:

salt.states.module¶

Execution of Salt modules from within states¶

These states allow individual execution module calls to be made via states. To call a single module function use a module.run state:
Note that this example is probably unnecessary to use in practice, since the mine_functions and mine_interval config parameters can be used to schedule updates for the mine (see here for more info). It is sometimes desirable to trigger a function call after a state is executed, for this the module.wait state can be used:
All arguments are passed through to the module function being executed. However, due to how the state system works, if a module function accepts an argument called, name, then m_name must be used to specify that argument, to avoid a collision with the name argument. For example:

salt.states.mongodb_database¶

Management of Mongodb databases Only deletion is supported, creation doesn't make sense and can be done using mongodb_user.present

salt.states.mongodb_user¶

Management of Mongodb users¶

salt.states.mount¶

Mounting of filesystems¶

Mount any type of mountable filesystem with the mounted function:

salt.states.mysql_database¶

Management of MySQL databases (schemas)¶

The mysql_database module is used to create and manage MySQL databases. Databases can be set as either absent or present.

salt.states.mysql_grants¶

Management of MySQL grants (user permissions)¶

The mysql_grants module is used to grant and revoke MySQL permissions. The name you pass in purely symbolic and does not have anything to do with the grant itself. The database parameter needs to specify a 'priv_level' in the same specification as defined in the MySQL documentation:

salt.states.mysql_user¶

Management of MySQL users¶

New in version 0.16.2: Authentication overrides have been added. The MySQL authentication information specified in the minion config file can be overidden in states using the following arguments: connection_host, connection_port, connection_user, connection_pass, connection_db, connection_unix_socket, connection_default_file and connection_charset.

salt.states.network¶

Configuration of network interfaces¶

The network module is used to create and manage network settings, interfaces can be set as either managed or ignored. By default all interfaces are ignored unless specified. Please note that only Redhat and Debian style networking is currently supported. This module will therefore only work on RH/CentOS/Fedora and Debian/Ubuntu.

salt.states.npm¶

Installation of NPM Packages¶

These states manage the installed packages for node.js using the Node Package Manager (npm). Note that npm must be installed for these states to be available, so npm states should include a requisite to a pkg.installed state for the package which provides npm (simply npm in most cases). Example:

salt.states.ntp¶

Management of NTP servers¶

New in version 2014.1.0: (Hydrogen) This state is used to manage NTP servers. Currently only Windows is supported.

salt.states.openstack_config¶

Manage OpenStack configuration file settings.

salt.states.pagerduty¶

Create an Event in PagerDuty¶

New in version 2014.1.0: (Hydrogen) This state is useful for creating events on the PagerDuty service during state runs.

salt.states.pecl¶

Installation of PHP Extensions Using pecl¶

These states manage the installed pecl extensions. Note that php-pear must be installed for these states to be available, so pecl states should include a requisite to a pkg.installed state for the package which provides pecl ( php-pear in most cases). Example:

salt.states.pip_state¶

Installation of Python Packages Using pip¶

These states manage system installed python packages. Note that pip must be installed for these states to be available, so pip states should include a requisite to a pkg.installed state for the package which provides pip ( python-pip in most cases). Example:

salt.states.pkg¶

Installation of packages using OS package managers such as yum or apt-get¶

Salt can manage software packages via the pkg state module, packages can be set up to be installed, latest, removed and purged. Package management declarations are typically rather simple:
A more involved example involves pulling from a custom repository. Note that the pkgrepo has a require_in clause. This is necessary and can not be replaced by a require clause in the pkg.

salt.states.pkgng¶

Manage package remote repo using FreeBSD pkgng¶

Salt can manage the URL pkgng pulls packages from. ATM the state and module are small so use cases are typically rather simple:

salt.states.pkgrepo¶

Management of package repos¶

Package repositories can be managed with the pkgrepo state:


NOTE:

salt.states.portage_config¶

Management of Portage package configuration on Gentoo¶

A state module to manage Portage configuration on Gentoo

salt.states.ports¶

Manage software from FreeBSD ports New in version 2014.1.0: (Hydrogen) NOTE:

salt.states.postgres_database¶

Management of PostgreSQL databases¶

The postgres_database module is used to create and manage Postgres databases. Databases can be set as either absent or present

salt.states.postgres_group¶

Management of PostgreSQL groups (roles)¶

The postgres_group module is used to create and manage Postgres groups.

salt.states.postgres_user¶

Management of PostgreSQL users (roles)¶

The postgres_users module is used to create and manage Postgres users.

salt.states.powerpath¶

Powerpath configuration support¶

Allows configuration of EMC Powerpath. Currently only addition/deletion of licenses is supported.

salt.states.process¶

Process Management¶

Ensure a process matching a given pattern is absent.

salt.states.quota¶

Management of POSIX Quotas¶

The quota can be managed for the system:

salt.states.rabbitmq_cluster¶

Manage RabbitMQ Clusters¶

Example:

salt.states.rabbitmq_plugin¶

Manage RabbitMQ Plugins¶

New in version 2014.1.0: (Hydrogen) Example:

salt.states.rabbitmq_policy¶

Manage RabbitMQ Policies¶

Example:

salt.states.rabbitmq_user¶

Manage RabbitMQ Users¶

Example:

salt.states.rabbitmq_vhost¶

Manage RabbitMQ Virtual Hosts¶

Example:

salt.states.rbenv¶

Managing Ruby installations with rbenv¶

This module is used to install and manage ruby installations with rbenv. Different versions of ruby can be installed, and uninstalled. Rbenv will be installed automatically the first time it is needed and can be updated later. This module will not automatically install packages which rbenv will need to compile the versions of ruby. If rbenv is run as the root user then it will be installed to /usr/local/rbenv, otherwise it will be installed to the users ~/.rbenv directory. To make rbenv available in the shell you may need to add the rbenv/shims and rbenv/bin directories to the users PATH. If you are installing as root and want other users to be able to access rbenv then you will need to add RBENV_ROOT to their environment. This is how a state configuration could look like:

salt.states.rdp¶

Manage RDP Service on Windows servers

salt.states.reg¶

Manage the registry on Windows

salt.states.rvm¶

Managing Ruby installations and gemsets with Ruby Version Manager (RVM)¶

This module is used to install and manage ruby installations and gemsets with RVM, the Ruby Version Manager. Different versions of ruby can be installed and gemsets created. RVM itself will be installed automatically if it's not present. This module will not automatically install packages that RVM depends on or ones that are needed to build ruby. If you want to run RVM as an unprivileged user (recommended) you will have to create this user yourself. This is how a state configuration could look like:

salt.states.saltmod¶

Control the Salt command interface¶

The Salt state is used to control the salt command interface. This state is intended for use primarily from the state runner from the master. The salt.state declaration can call out a highstate or a list of sls:

salt.states.selinux¶

Management of SELinux rules¶

If SELinux is available for the running system, the mode can be managed and booleans can be set.
NOTE:

salt.states.service¶

Starting or restarting of services and daemons¶

Services are defined as system daemons typically started with system init or rc scripts, services can be defined as running or dead.
The service can also be set to be started at runtime via the enable option:
By default if a service is triggered to refresh due to a watch statement the service is by default restarted. If the desired behaviour is to reload the service, then set the reload value to True:

salt.states.ssh_auth¶

Control of entries in SSH authorized_key files¶

The information stored in a user's SSH authorized key file can be easily controlled via the ssh_auth state. Defaults can be set by the enc, options, and comment keys. These defaults can be overridden by including them in the name. Since the YAML specification limits the length of simple keys to 1024 characters, and since SSH keys are often longer than that, you may have to use a YAML 'explicit key', as demonstrated in the second example below.

salt.states.ssh_known_hosts¶

Control of SSH known_hosts entries¶

Manage the information stored in the known_hosts files.

salt.states.stateconf¶

Stateconf System¶

The stateconf system is intended for use only with the stateconf renderer. This State module presents the set function. This function does not execute any functionality, but is used to interact with the stateconf renderer.

salt.states.status¶

Minion status monitoring Maps to the status execution module.

salt.states.supervisord¶

Interaction with the Supervisor daemon¶

salt.states.svn¶

Manage SVN repositories¶

Manage repositiry checkouts via the svn vcs system:

salt.states.sysctl¶

Configuration of the Linux kernel using sysctrl¶

Control the kernel sysctl system.

salt.states.timezone¶

Management of timezones¶

The timezone can be managed for the system:
The system and the hardware clock are not necessarily set to the same time. By default, the hardware clock is set to localtime, meaning it is set to the same time as the system clock. If utc is set to True, then the hardware clock will be set to UTC, and the system clock will be an offset of that.
The Ubuntu community documentation contains an explanation of this setting, as it applies to systems that dual-boot with Windows. This is explained in greater detail here.

salt.states.tomcat¶

This state uses the manager webapp to manage Apache tomcat webapps This state requires the manager webapp to be enabled The following grains/pillar should be set:
and also configure a user in the conf/tomcat-users.xml file:
Notes:

salt.states.user¶

Management of user accounts¶

The user module is used to create and manage user settings, users can be set as either absent or present

salt.states.virtualenv¶

Setup of Python virtualenv sandboxes¶

salt.states.win_dns_client¶

Module for configuring DNS Client on Windows systems

salt.states.win_firewall¶

State for configuring Windows Firewall

salt.states.win_network¶

Configuration of network interfaces on Windows hosts¶

New in version 2014.1.0: (Hydrogen) This module provides the network state(s) on Windows hosts. DNS servers, IP addresses and default gateways can currently be managed. Below is an example of the configuration for an interface that uses DHCP for both DNS servers and IP addresses:
NOTE:
Static DNS and IP addresses can be configured like so:
NOTE:
Optionally, if you are setting a static IP address, you can also specify the default gateway using the gateway parameter:

salt.states.win_path¶

Manage the Windows System PATH

salt.states.win_servermanager¶

Manage Windows features via the ServerManager powershell module

salt.states.win_system¶

Management of Windows system information¶

New in version 2014.1.0: (Hydrogen) This state is used to manage system information such as the computer name and description.

salt.states.xmpp¶

Sending Messages over XMPP¶

New in version 2014.1.0: (Hydrogen) This state is useful for firing messages during state runs, using the XMPP protocol

salt.states.zcbuildout¶

Management of zc.buildout¶

This module is inspired from minitage's buildout maker ( https://github.com/minitage/minitage/blob/master/src/minitage/core/makers/buildout.py) New in version Boron. NOTE:

Available Functions¶

RENDERERS¶

The Salt state system operates by gathering information from simple data structures. The state system was designed in this way to make interacting with it generic and simple. This also means that state files (SLS files) can be one of many formats. By default SLS files are rendered as Jinja templates and then parsed as YAML documents. But since the only thing the state system cares about is raw data, the SLS files can be any structured format that can be dreamed up. Currently there is support for Jinja + YAML, Mako + YAML, Wempy + YAML, Jinja + json Mako + json and Wempy + json. But renderers can be written to support anything. This means that the Salt states could be managed by XML files, HTML files, puppet files, or any format that can be translated into the data structure used by the state system.

Multiple Renderers¶

When deploying a state tree a default renderer is selected in the master configuration file with the renderer option. But multiple renderers can be used inside the same state tree. When rendering SLS files Salt checks for the presence of a Salt specific shebang line. The shebang line syntax was chosen because it is familiar to the target audience, the systems admin and systems engineer. The shebang line directly calls the name of the renderer as it is specified within Salt. One of the most common reasons to use multiple renderers in to use the Python or py renderer:
The first line is a shebang that references the py renderer.

Composing Renderers¶

A renderer can be composed from other renderers by connecting them in a series of pipes( |). In fact, the default Jinja + YAML renderer is implemented by combining a YAML renderer and a Jinja renderer. Such renderer configuration is specified as: jinja | yaml. Other renderer combinations are possible, here's a few examples:
And here's a contrived example sls file using the jinja | mako | yaml renderer:
For backward compatibility, jinja | yaml can also be written as yaml_jinja, and similarly, the yaml_mako, yaml_wempy, json_jinja, json_mako, and json_wempy renderers are all supported as well. Keep in mind that not all renderers can be used alone or with any other renderers. For example, the template renderers shouldn't be used alone as their outputs are just strings, which still need to be parsed by another renderer to turn them into highstate data structures. Also, for example, it doesn't make sense to specify yaml | jinja either, because the output of the yaml renderer is a highstate data structure(a dict in Python), which cannot be used as the input to a template renderer. Therefore, when combining renderers, you should know what each renderer accepts as input and what it returns as output.

Writing Renderers¶

Writing a renderer is easy, all that is required is that a Python module is placed in the rendered directory and that the module implements the render function. The render function will be passed the path of the SLS file. In the render function, parse the passed file and return the data structure derived from the file. You can place your custom renderers in a _renderers directory within the file_roots specified by the master config file. These custom renderers are distributed when state.highstate is run, or by executing the saltutil.sync_renderers or saltutil.sync_all functions. Any custom renderers which have been synced to a minion, that are named the same as one of Salt's default set of renderers, will take the place of the default renderer with the same name.

Examples¶

The best place to find examples of renderers is in the Salt source code. The renderers included with Salt can be found here: https://github.com/saltstack/salt/blob/develop/salt/renderers Here is a simple YAML renderer example:

FULL LIST OF BUILTIN RENDERER MODULES¶

jinja
json	JSON (JavaScript Object Notation) <http://json.org> is a subset of JavaScript syntax (ECMA-262 3rd edition) used as a lightweight data interchange format.
mako	Mock out specified imports
py
pydsl
stateconf
wempy
yaml	Mock out specified imports

salt.renderers.jinja¶

Jinja in States¶

The most basic usage of Jinja in state files is using control structures to wrap conditional or redundant state elements:
In this example, the first if block will only be evaluated on minions that aren't running FreeBSD, and the second block changes the file name based on the os grain. Writing if-else blocks can lead to very redundant state files however. In this case, using pillars, or using a previously defined variable might be easier:
Using a variable set by the template, the for loop will iterate over the list of MOTD files to update, adding a state block for each file.

Passing Variables¶

It is also possible to pass additional variable context directly into a template, using the defaults and context mappings of the file.managed state:
The template will receive a variable message, which would be accessed in the template using {{ message }}. If the operating system is FreeBSD, the value of the variable message would be Bar, otherwise it is the default Foo

Include and Import¶

Includes and imports can be used to share common, reusable state configuration between state files and between files.
This would import the test template variable or macro, not the test state element, from the file lib.sls. In the case that the included file performs checks again grains, or something else that requires context, passing the context into the included file is required:

Variable and block Serializers¶

Salt allows one to serialize any variable into json or yaml or python. For example this variable:
with this template:
will be rendered has:
Strings and variables can be deserialized with load_yaml and load_json tags and filters. It allows one to manipulate data directly in templates, easily:
will be rendered has:

Template Serializers¶

Salt implements import_yaml and import_json tags. They work like the import tag, except that the document is also deserialized. Imagine you have a generic state file in which you have the complete data of your infrastucture:
But you don't want to expose everything to a minion. This state file:
will be rendered has:

Macros¶

Macros are helpful for eliminating redundant code, however stripping whitespace from the template block, as well as contained blocks, may be necessary to emulate a variable return from the macro.

This would define a macro that would return a string of the full package name, depending on the packaging system's naming convention. The whitespace of the macro was eliminated, so that the macro would return a string without line breaks, using whitespace control.

Template Inheritance¶

Template inheritance works fine from state files and files. The search path starts at the root of the state tree or pillar.

Filters¶

Saltstack extends builtin filters with his custom filters:

Jinja in Files¶

Jinja can be used in the same way in managed files:


As an example, configuration was pulled from the file context and from an external template file. NOTE:

salt.renderers.json¶

salt.renderers.mako¶

salt.renderers.py¶

Pure python state renderer The sls file should contain a function called run which returns high state data In this module, a few objects are defined for you, including the usual (with``__`` added) __salt__ dictionary, __grains__, __pillar__, __opts__, __env__, and __sls__.

salt.renderers.pydsl¶

A Python-based DSL
The pydsl renderer allows one to author salt formulas(.sls files) in pure Python using a DSL that's easy to write and easy to read. Here's an example:
Notice that any Python code is allow in the file as it's really a Python module, so you have the full power of Python at your disposal. In this module, a few objects are defined for you, including the usual(with __ added) __salt__ dictionary, __grains__, __pillar__, __opts__, __env__, and __sls__, plus a few more:
A state ID declaration is created with a state(id) function call. Subsequent state(id) call with the same id returns the same object. This singleton access pattern applies to all declaration objects created with the DSL.
The id argument is optional. If omitted, an UUID will be generated and used as the id. state(id) returns an object under which you can create a state declaration object by accessing an attribute named after any state module available in Salt.
Then, a function declaration object can be created from a state declaration object by one of the following two ways:



With either way of creating a function declaration object, any function arg declaration's can be passed as keyword arguments to the call. Subsequent calls of a function declaration will update the arg declarations.
As a shortcut, the special name argument can also be passed as the first(second if calling using the first way) positional argument.
Finally, a requisite declaration object with its requisite reference's can be created by invoking one of the requisite methods( require, watch, use, require_in, watch_in, and use_in) on either a function declaration object or a state declaration object. The return value of a requisite call is also a function declaration object, so you can chain several requisite calls together. Arguments to a requisite call can be a list of state declaration objects and/or a set of keyword arguments whose names are state modules and values are IDs of ID declaration's or names of name declaration's.
include declaration objects can be created with the include function, while extend declaration objects can be created with the extend function, whose arguments are just function declaration objects.
The include function, by default, causes the included sls file to be rendered as soon as the include function is called. It returns a list of rendered module objects; sls files not rendered with the pydsl renderer return None's. This behavior creates no include declaration's in the resulting high state data structure.
Notice how you can define a reusable function in your pydsl sls module and then call it via the module returned by include. It's still possible to do late includes by passing the delayed=True keyword argument to include.
Above will just create a include declaration in the rendered result, and such call always returns None.

Special integration with the cmd state¶

Taking advantage of rendering a Python module, PyDSL allows you to declare a state that calls a pre-defined Python function when the state is executed.
The cmd.call state function takes care of calling our helper function with the arguments we specified in the states, and translates the return value of our function into a structure expected by the state system. See salt.states.cmd.call() for more information.

Implicit ordering of states¶

Salt states are explicitly ordered via requisite declaration's. However, with pydsl it's possible to let the renderer track the order of creation for function declaration objects, and implicitly add require requisites for your states to enforce the ordering. This feature is enabled by setting the ordered option on __pydsl__. NOTE:

Notice that the ordered option needs to be set after any extend calls. This is to prevent pydsl from tracking the creation of a state function that's passed to an extend call. Above example should create states from 0 to 9 that will output 0, one, two, 3, ... 9, in that order. It's important to know that pydsl tracks the creations of function declaration objects, and automatically adds a require requisite to a function declaration object that requires the last function declaration object created before it in the sls file. This means later calls(perhaps to update the function's function arg declaration) to a previously created function declaration will not change the order.

Render time state execution¶

When Salt processes a salt formula file( .sls), the file is rendered to salt's high state data representation by a renderer before the states can be executed. In the case of the pydsl renderer, the .sls file is executed as a python module as it is being rendered which makes it easy to execute a state at render time. In pydsl, executing one or more states at render time can be done by calling a configured ID declaration object.
Once an ID declaration is called at render time it is detached from the sls module as if it was never defined. NOTE:

Integration with the stateconf renderer¶

The salt.renderers.stateconf renderer offers a few interesting features that can be leveraged by the pydsl renderer. In particular, when using with the pydsl renderer, we are interested in stateconf's sls namespacing feature(via dot-prefixed id declarations), as well as, the automatic start and goal states generation. Now you can use pydsl with stateconf like this:
-s enables the generation of a stateconf start state, and -p lets us pipe high state data rendered by pydsl to stateconf. This example shows that by require-ing or require_in-ing the included sls' start or goal states, it's possible to ensure that the included sls files can be made to execute before or after a state in the including sls file.

salt.renderers.stateconf¶

This module provides a custom renderer that processes a salt file with a specified templating engine (e.g., Jinja) and a chosen data renderer (e.g., YAML), extracts arguments for any stateconf.set state, and provides the extracted arguments (including Salt-specific args, such as require, etc) as template context. The goal is to make writing reusable/configurable/parameterized salt files easier and cleaner. To use this renderer, either set it as the default renderer via the renderer option in master/minion's config, or use the shebang line in each individual sls file, like so: #!stateconf. Note, due to the way this renderer works, it must be specified as the first renderer in a render pipeline. That is, you cannot specify #!mako|yaml|stateconf, for example. Instead, you specify them as renderer arguments: #!stateconf mako . yaml. Here's a list of features enabled by this renderer.
When writing sls files with this renderer, you should avoid using what can be defined in a name argument of a state as the state's id. That is, avoid writing your states like this:
Instead, you should define the state id and the name argument separately for each state, and the id should be something meaningful and easy to reference within a requisite (which I think is a good habit anyway, and such extra indirection would also makes your sls file easier to modify later). Thus, the above states should be written like this:
Moreover, when referencing a state from a requisite, you should reference the state's id plus the state name rather than the state name plus its name argument. (Yes, in the above example, you can actually require the file: /path/to/some/file, instead of the file: add-some-file). The reason is that this renderer will re-write or rename state id's and their references for state id's prefixed with .. So, if you reference name then there's no way to reliably rewrite such reference.

salt.renderers.wempy¶

salt.renderers.yaml¶

PILLARS¶

Salt includes a number of built-in external pillars, listed at all-salt.pillars. You may also wish to look at the standard pillar documentation, at pillar-configuration The source for the built-in Salt pillars can be found here: https://github.com/saltstack/salt/blob/develop/salt/pillar

FULL LIST OF BUILTIN PILLAR MODULES¶

cmd_json
cmd_yaml
cobbler
django_orm
git_pillar
hiera
libvirt	Mock out specified imports
mongo
pillar_ldap
puppet
reclass_adapter
virtkey

salt.pillar.cmd_json¶

Execute a command and read the output as JSON. The JSON data is then directly overlaid onto the minion's Pillar data.

salt.pillar.cmd_yaml¶

Execute a command and read the output as YAML. The YAML data is then directly overlaid onto the minion's Pillar data

salt.pillar.cobbler¶

A module to pull data from Cobbler via its API into the Pillar dictionary

Configuring the Cobbler ext_pillar¶

The same cobbler.* parameters are used for both the Cobbler tops and Cobbler pillar modules.

Module Documentation¶

salt.pillar.django_orm¶

Generate Pillar data from Django models through the Django ORM

Configuring the django_orm ext_pillar¶

To use this module, your Django project must be on the salt master server with database access. This assumes you are using virtualenv with all the project's requirements installed.
This would return pillar data that would look like
As another example, data from multiple database tables can be fetched using Django's regular lookup syntax. Note, using ManyToManyFields will not currently work since the return from values() changes if a ManyToMany is present.

Module Documentation¶

salt.pillar.git_pillar¶

Clone a remote git repository and use the filesystem as a Pillar source This external Pillar source can be configured in the master config file like so:
Note that this is not the same thing as configuring pillar data using the pillar_roots parameter. The branch referenced in the ext_pillar entry above ( master), would evaluate to the base environment, so this branch needs to contain a top.sls with a base section in it, like this:
To use other environments from the same git repo as git_pillar sources, just add additional lines, like so:
In this case, the dev branch would need its own top.sls with a dev section in it, like this:

salt.pillar.hiera¶

Use hiera data as a Pillar source

salt.pillar.libvirt¶

Load up the libvirt keys into Pillar for a given minion if said keys have been generated using the libvirt key runner

salt.pillar.mongo¶

Read Pillar data from a mongodb collection This module will load a node-specific pillar dictionary from a mongo collection. It uses the node's id for lookups and can load either the whole document, or just a specific field from that document as the pillar dictionary.

Salt Master Mongo Configuration¶

The module shares the same base mongo connection variables as salt.returners.mongo_return. These variables go in your master config file.

Configuring the Mongo ext_pillar¶

The Mongo ext_pillar takes advantage of the fact that the Salt Master configuration file is yaml. It uses a sub-dictionary of values to adjust specific features of the pillar. This is the explicit single-line dictionary notation for yaml. One may be able to get the easier-to-read multine dict to work correctly with some experimentation.
In the example above, we've decided to use the vm collection in the database to store the data. Minion ids are stored in the name field on documents in that collection. And, since minion ids are FQDNs in most cases, we'll need to trim the domain name in order to find the minion by hostname in the collection. When we find a minion, return only the customer_id, software, and apache_vhosts fields, as that will contain the data we want for a given node. They will be available directly inside the pillar dict in your SLS templates.

Module Documentation¶

salt.pillar.pillar_ldap¶

Use LDAP data as a Pillar source This pillar module parses a config file (specified in the salt master config), and executes a series of LDAP searches based on that config. Data returned by these searches is aggregated, with data items found later in the LDAP search order overriding data found earlier on. The final result set is merged with the pillar data.

salt.pillar.puppet¶

Execute an unmodified puppet_node_classifier and read the output as YAML. The YAML data is then directly overlaid onto the minion's Pillar data.

salt.pillar.reclass_adapter¶

Use the "reclass" database as a Pillar source This ext_pillar plugin provides access to the reclass database, such that Pillar data for a specific minion are fetched using reclass. You can find more information about reclass at http://reclass.pantsfullofunix.net. To use the plugin, add it to the ext_pillar list in the Salt master config and tell reclass by way of a few options how and where to find the inventory:
This would cause reclass to read the inventory from YAML files in /srv/salt/nodes and /srv/salt/classes. If you are also using reclass as master_tops plugin, and you want to avoid having to specify the same information for both, use YAML anchors (take note of the differing data types for ext_pillar and master_tops):
If you want to run reclass from source, rather than installing it, you can either let the master know via the PYTHONPATH environment variable, or by setting the configuration option, like in the example above.

salt.pillar.virtkey¶

Accept a key from a hypervisor if the virt runner has already submitted an authorization request

MASTER TOPS¶

Salt includes a number of built-in subsystems to generate top file data, they are listed listed at all-salt.tops. The source for the built-in Salt master tops can be found here: https://github.com/saltstack/salt/blob/develop/salt/tops

FULL LIST OF BUILTIN MASTER TOPS MODULES¶

cobbler
ext_nodes
mongo
reclass_adapter

salt.tops.cobbler¶

Cobbler Tops¶

Cobbler Tops is a master tops subsystem used to look up mapping information from Cobbler via its API. The same cobbler.* parameters are used for both the Cobbler tops and Cobbler pillar modules.

Module Documentation¶

salt.tops.ext_nodes¶

External Nodes Classifier¶

The External Nodes Classifier is a master tops subsystem that retrieves mapping information from major configuration management systems. One of the most common external nodes classifiers system is provided by Cobbler and is called cobbler-ext-nodes. The cobbler-ext-nodes command can be used with this configuration:
It is noteworthy that the Salt system does not directly ingest the data sent from the cobbler-ext-nodes command, but converts the data into information that is used by a Salt top file. Any command can replace the call to 'cobbler-ext-nodes' above, but currently the data must be formatted in the same way that the standard 'cobbler-ext-nodes' does. See (admittedly degenerate and probably not complete) example:

``

` classes:

``

`

The above essentially is the same as a top.sls containing

``

` base:

salt.tops.mongo¶

Read tops data from a mongodb collection This module will load tops data from a mongo collection. It uses the node's id for lookups.

Salt Master Mongo Configuration¶

The module shares the same base mongo connection variables as salt.returners.mongo_return. These variables go in your master config file.

Configuring the Mongo Tops Subsystem¶

Module Documentation¶

salt.tops.reclass_adapter¶

Read tops data from a reclass database This master_tops plugin provides access to the reclass database, such that state information (top data) are retrieved from reclass. You can find more information about reclass at http://reclass.pantsfullofunix.net. To use the plugin, add it to the master_tops list in the Salt master config and tell reclass by way of a few options how and where to find the inventory:
This would cause reclass to read the inventory from YAML files in /srv/salt/nodes and /srv/salt/classes. If you are also using reclass as ext_pillar plugin, and you want to avoid having to specify the same information for both, use YAML anchors (take note of the differing data types for ext_pillar and master_tops):
If you want to run reclass from source, rather than installing it, you can either let the master know via the PYTHONPATH environment variable, or by setting the configuration option, like in the example above.

SALT RUNNERS¶

SEE ALSO:
Salt runners are convenience applications executed with the salt-run command. Where as salt modules are sent out to minions for execution, salt runners are executed on the salt master. A Salt runner can be a simple client call, or a complex application. The use for a Salt runner is to build a frontend hook for running sets of commands via Salt or creating special formatted output.

Writing Salt Runners¶

Salt runners can be easily written, the work in a similar way to Salt modules except they run on the server side. A runner is a Python module that contains functions, each public function is a runner that can be executed via the salt-run command. If a Python module named test.py is created in the runners directory and contains a function called foo then the function could be called with:

Examples¶

The best examples of runners can be found in the Salt source: https://github.com/saltstack/salt/blob/develop/salt/runners A simple runner that returns a well-formatted list of the minions that are responding to Salt calls would look like this:

FULL LIST OF RUNNER MODULES¶

cache
doc
fileserver
jobs
launchd
lxc
manage
network
search
state
thin
virt
winrepo

salt.runners.cache¶

Return cached data from minions

salt.runners.doc¶

A runner module to collect and display the inline documentation from the various module types

salt.runners.fileserver¶

Directly manage the salt fileserver plugins

salt.runners.jobs¶

A convenience system to manage jobs, both active and already run

salt.runners.launchd¶

salt.runners.lxc¶

Control Linux Containers via Salt

salt.runners.manage¶

General management functions for salt, tools like seeing what hosts are up and what hosts are down

salt.runners.network¶

Network tools to run from the Master

salt.runners.search¶

Runner frontend to search system

salt.runners.state¶

Execute overstate functions

salt.runners.thin¶

The thin runner is used to manage the salt thin systems. Salt Thin is a transport-less version of Salt that can be used to run rouitines in a standalone way. This runner has tools which generate the standalone salt system for easy consumption.

salt.runners.virt¶

Control virtual machines via Salt

salt.runners.winrepo¶

Runner to manage Windows software repo

FULL LIST OF BUILTIN WHEEL MODULES¶

config
file_roots
key
pillar_roots

salt.wheel.config¶

Manage the master configuration file

salt.wheel.file_roots¶

Read in files from the file_root and save files to the file root

salt.wheel.key¶

Wheel system wrapper for key system

salt.wheel.pillar_roots¶

The pillar_roots wheel module is used to manage files under the pillar roots directories on the master server.

FULL LIST OF BUILTIN AUTH MODULES¶

auto
keystone
ldap
pam
stormpath_mod

salt.auth.auto¶

An "Always Approved" eauth interface to test against, not intended for production use

salt.auth.keystone¶

Provide authentication using OpenStack Keystone

salt.auth.ldap¶

Provide authentication using simple LDAP binds

salt.auth.pam¶

Authenticate against PAM Provides an authenticate function that will allow the caller to authenticate a user against the Pluggable Authentication Modules (PAM) on the system. Implemented using ctypes, so no compilation is necessary. NOTE:

salt.auth.stormpath_mod¶

Salt Stormpath Authentication Module to provide authentication using Stormpath as the backend.

FULL LIST OF BUILTIN OUTPUT MODULES¶

grains
highstate
json_out
key
nested
no_out
no_return
overstatestage
pprint_out
raw
txt
virt_query
yaml_out

salt.output.grains¶

Special outputter for grains

salt.output.highstate¶

The return data from the Highstate command is a standard data structure which is parsed by the highstate outputter to deliver a clean and readable set of information about the HighState run on minions. Two configurations can be set to modify the highstate outputter. These values can be set in the master config to change the output of the salt command or set in the minion config to change the output of the salt-call command.

salt.output.json_out¶

Display return data in JSON format¶

Salt's outputters operate on a per-minion basis. Each minion return will be output as a single JSON object once it comes in to the master. Some JSON parsers can guess when an object ends and a new one begins but many can not. A good way to differentiate between each minion return is to use the single-line output format and to parse each line individually. Example output (truncated):

salt.output.key¶

Salt Key makes use of the outputter system to format information sent to the salt-key command. This outputter is geared towards ingesting very specific data and should only be used with the salt-key command.

salt.output.nested¶

Recursively display nested data, this is the default outputter.

salt.output.no_out¶

Display no output.

salt.output.no_return¶

Display output for minions that did not return

salt.output.overstatestage¶

Display clean output of an overstate stage

salt.output.pprint_out¶

The python pretty print system was the default outputter. This outputter simply passed the data passed into it through the pprint module.

salt.output.raw¶

The raw outputter outputs the data via the python print function and is shown in a raw state. This was the original outputter used by Salt before the outputter system was developed.

salt.output.txt¶

The txt outputter has been developed to make the output from shell commands on minions appear as they do when the command is executed on the minion.

salt.output.virt_query¶

virt.query outputter

salt.output.yaml_out¶

Output data in YAML, this outputter defaults to printing in YAML block mode for better readability.

FULL LIST OF SALT CLOUD MODULES¶

botocore_aws
cloudstack
digital_ocean
ec2
gce
gogrid
ibmsce
joyent
libcloud_aws
linode
msazure
nova
openstack
parallels
rackspace
saltify
softlayer

salt.cloud.clouds.botocore_aws¶

The AWS Cloud Module¶

The AWS cloud module is used to interact with the Amazon Web Services system. This module has been replaced by the EC2 cloud module, and is no longer supported. The documentation shown here is for reference only; it is highly recommended to change all usages of this driver over to the EC2 driver.

salt.cloud.clouds.cloudstack¶

CloudStack Cloud Module¶

The CloudStack cloud module is used to control access to a CloudStack based Public Cloud. Use of this module requires the apikey, secretkey, host and path parameters.

salt.cloud.clouds.digital_ocean¶

Digital Ocean Cloud Module¶

The Digital Ocean cloud module is used to control access to the Digital Ocean VPS system. Use of this module only requires the api_key parameter to be set. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/digital_ocean.conf:

salt.cloud.clouds.ec2¶

The EC2 Cloud Module¶

The EC2 cloud module is used to interact with the Amazon Elastic Cloud Computing. This driver is highly experimental! Use at your own risk!

salt.cloud.clouds.gce¶

Copyright 2013 Google Inc. All Rights Reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Google Compute Engine Module¶

The Google Compute Engine module. This module interfaces with Google Compute Engine. To authenticate to GCE, you will need to create a Service Account.

salt.cloud.clouds.gogrid¶

GoGrid Cloud Module¶

The GoGrid cloud module. This module interfaces with the gogrid public cloud service. To use Salt Cloud with GoGrid log into the GoGrid web interface and create an api key. Do this by clicking on "My Account" and then going to the API Keys tab. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/gogrid.conf:

salt.cloud.clouds.ibmsce¶

IBM SCE Cloud Module¶

The IBM SCE cloud module. This module interfaces with the IBM SCE public cloud service. To use Salt Cloud with IBM SCE log into the IBM SCE web interface and create an SSH key. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/ibmsce.conf:

salt.cloud.clouds.joyent¶

Joyent Cloud Module¶

The Joyent Cloud module is used to interact with the Joyent cloud system. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/joyent.conf:
When creating your profiles for the joyent cloud, add the location attribute to the profile, this will automatically get picked up when performing tasks associated with that vm. An example profile might look like:

salt.cloud.clouds.libcloud_aws¶

The AWS Cloud Module¶

The AWS cloud module is used to interact with the Amazon Web Services system. This module has been replaced by the EC2 cloud module, and is no longer supported. The documentation shown here is for reference only; it is highly recommended to change all usages of this driver over to the EC2 driver.

salt.cloud.clouds.linode¶

Linode Cloud Module¶

The Linode cloud module is used to control access to the Linode VPS system Use of this module only requires the apikey parameter. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/linode.conf:

salt.cloud.clouds.msazure¶

Azure Cloud Module¶

The Azure cloud module is used to control access to Microsoft Azure Use of this module only requires the apikey parameter. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/azure.conf:
Information on creating the pem file to use, and uploading the associated cer file can be found at: http://www.windowsazure.com/en-us/develop/python/how-to-guides/service-management/

salt.cloud.clouds.nova¶

OpenStack Nova Cloud Module¶

PLEASE NOTE: This module is currently in early development, and considered to be experimental and unstable. It is not recommended for production use. Unless you are actively developing code in this module, you should use the OpenStack module instead. OpenStack is an open source project that is in use by a number a cloud providers, each of which have their own ways of using it. The OpenStack Nova module for Salt Cloud was bootstrapped from the OpenStack module for Salt Cloud, which uses a libcloud-based connection. The Nova module is designed to use the nova and glance modules already built into Salt. These modules use the Python novaclient and glanceclient libraries, respectively. In order to use this module, the proper salt configuration must also be in place. This can be specified in the master config, the minion config, a set of grains or a set of pillars.
Note that there is currently a dependency upon netaddr. This can be installed on Debian-based systems by means of the python-netaddr package. This module currently requires the latest develop branch of Salt to be installed. This module has been tested to work with HP Cloud and Rackspace. See the documentation for specific options for either of these providers. These examples could be set up in the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/openstack.conf:
For local installations that only use private IP address ranges, the following option may be useful. Using the old syntax:

salt.cloud.clouds.openstack¶

OpenStack Cloud Module¶

OpenStack is an open source project that is in use by a number a cloud providers, each of which have their own ways of using it. OpenStack provides a number of ways to authenticate. This module uses password- based authentication, using auth v2.0. It is likely to start supporting other methods of authentication provided by OpenStack in the future. Note that there is currently a dependency upon netaddr. This can be installed on Debian-based systems by means of the python-netaddr package. This module has been tested to work with HP Cloud and Rackspace. See the documentation for specific options for either of these providers. Some examples, using the old cloud configuration syntax, are provided below: Set up in the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/openstack.conf:
For in-house Openstack Essex installation, libcloud needs the service_type :
Either a password or an API key must also be specified:
For local installations that only use private IP address ranges, the following option may be useful. Using the old syntax:
It is possible to upload a small set of files (no more than 5, and nothing too large) to the remote server. Generally this should not be needed, as salt itself can upload to the server after it is spun up, with nowhere near the same restrictions.

salt.cloud.clouds.parallels¶

Parallels Cloud Module¶

The Parallels cloud module is used to control access to cloud providers using the Parallels VPS system.

salt.cloud.clouds.rackspace¶

Rackspace Cloud Module¶

The Rackspace cloud module. This module uses the preferred means to set up a libcloud based cloud module and should be used as the general template for setting up additional libcloud based modules. Please note that the rackspace driver is only intended for 1st gen instances, aka, "the old cloud" at Rackspace. It is required for 1st gen instances, but will not work with OpenStack-based instances. Unless you explicitly have a reason to use it, it is highly recommended that you use the openstack driver instead. The rackspace cloud module interfaces with the Rackspace public cloud service and requires that two configuration parameters be set for use, user and apikey. Set up the cloud configuration at /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/rackspace.conf:

salt.cloud.clouds.saltify¶

Saltify Module¶

The Saltify module is designed to install Salt on a remote machine, virtual or bare metal, using SSH. This module is useful for provisioning machines which are already installed, but not Salted. Use of this module requires no configuration in the main cloud configuration file. However, profiles must still be configured, as described in the core config documentation.

salt.cloud.clouds.softlayer¶

SoftLayer Cloud Module¶

The SoftLayer cloud module is used to control access to the SoftLayer VPS system. Use of this module only requires the apikey parameter. Set up the cloud configuration at: /etc/salt/cloud.providers or /etc/salt/cloud.providers.d/softlayer.conf:
The SoftLayer Python Library needs to be installed in ordere to use the SoftLayer salt.cloud modules. See: https://pypi.python.org/pypi/SoftLayer

PYTHON CLIENT API¶

There are several ways to access Salt programatically.

Calling Salt from shell scripts¶

Salt CLI tools can, of course, be called from shell scripts. Reference the help output to see what structured output formats are supported. For example:

Calling Salt via a REST API¶

Salt provides a REST API, currently as a separate sister-project. It will be merged into Salt core. https://github.com/saltstack/salt-api This API utilizes Salt's Python interface documented below. It is also useful as a reference implementation.

Calling Salt from a Python application¶

Salt provides several entry points for interfacing with Python applications. These entry points are often referred to as *Client() APIs.

opts¶

Some clients require access to Salt's opts dictionary. (The dictionary representation of the master or minion config files.) A common pattern for fetching the opts dictionary is to defer to environment variables if they exist or otherwise fetch the config from the default location.

Salt's Python interface¶

LocalClient¶

Salt Caller¶

RunnerClient¶

WheelClient¶

CloudClient¶

PEER COMMUNICATION¶

Salt 0.9.0 introduced the capability for Salt minions to publish commands. The intent of this feature is not for Salt minions to act as independent brokers one with another, but to allow Salt minions to pass commands to each other. In Salt 0.10.0 the ability to execute runners from the master was added. This allows for the master to return collective data from runners back to the minions via the peer interface. The peer interface is configured through two options in the master configuration file. For minions to send commands from the master the peer configuration is used. To allow for minions to execute runners from the master the peer_run configuration is used. Since this presents a viable security risk by allowing minions access to the master publisher the capability is turned off by default. The minions can be allowed access to the master publisher on a per minion basis based on regular expressions. Minions with specific ids can be allowed access to certain Salt modules and functions.

Peer Configuration¶

The configuration is done under the peer setting in the Salt master configuration file, here are a number of configuration possibilities. The simplest approach is to enable all communication for all minions, this is only recommended for very secure environments.
This configuration will allow minions with IDs ending in example.com access to the test, ps, and pkg module functions.
The configuration logic is simple, a regular expression is passed for matching minion ids, and then a list of expressions matching minion functions is associated with the named minion. For instance, this configuration will also allow minions ending with foo.org access to the publisher.

Peer Runner Communication¶

Configuration to allow minions to execute runners from the master is done via the peer_run option on the master. The peer_run configuration follows the same logic as the peer option. The only difference is that access is granted to runner modules. To open up access to all minions to all runners:
This configuration will allow minions with IDs ending in example.com access to the manage and jobs runner functions.

Using Peer Communication¶

The publish module was created to manage peer communication. The publish module comes with a number of functions to execute peer communication in different ways. Currently there are three functions in the publish module. These examples will show how to test the peer system via the salt-call command. To execute test.ping on all minions:
To execute the manage.up runner:
To match minions using other matchers, use expr_form:

CLIENT ACL SYSTEM¶

The salt client ACL system is a means to allow system users other than root to have access to execute select salt commands on minions from the master. The client ACL system is configured in the master configuration file via the client_acl configuration option. Under the client_acl configuration option the users open to send commands are specified and then a list of regular expressions which specify the minion functions which will be made available to specified user. This configuration is much like the peer configuration:

Permission Issues¶

Directories required for client_acl must be modified to be readable by the users specified:
NOTE:
If you are upgrading from earlier versions of salt you must also remove any existing user keys and re-start the Salt master:

SALT SYNDIC¶

The Salt Syndic interface is a powerful tool which allows for the construction of Salt command topologies. A basic Salt setup has a Salt Master commanding a group of Salt Minions. The Syndic interface is a special passthrough minion, it is run on a master and connects to another master, then the master that the Syndic minion is listening to can control the minions attached to the master running the syndic. The intent for supporting many layouts is not presented with the intent of supposing the use of any single topology, but to allow a more flexible method of controlling many systems.

Configuring the Syndic¶

Since the Syndic only needs to be attached to a higher level master the configuration is very simple. On a master that is running a syndic to connect to a higher level master the syndic_master option needs to be set in the master config file. The syndic_master option contains the hostname or IP address of the master server that can control the master that the syndic is running on. The master that the syndic connects to sees the syndic as an ordinary minion, and treats it as such. the higher level master will need to accept the syndic's minion key like any other minion. This master will also need to set the order_masters value in the configuration to True. The order_masters option in the config on the higher level master is very important, to control a syndic extra information needs to be sent with the publications, the order_masters option makes sure that the extra data is sent out. To sum up, you have those configuration options available on the master side:
Each Syndic must provide its own file_roots directory. Files will not be automatically transferred from the master-master.

Running the Syndic¶

The Syndic is a separate daemon that needs to be started on the master that is controlled by a higher master. Starting the Syndic daemon is the same as starting the other Salt daemons.
NOTE:

FILE SERVER BACKENDS¶

Salt version 0.12.0 introduced the ability for the Salt Master to integrate different file server backends. File server backends allows the Salt file server to act as a transparent bridge to external resources. The primary example of this is the git backend which allows for all of the Salt formulas and files to be maintained in a remote git repository. The fileserver backend system can accept multiple backends as well. This makes it possible to have the environments listed in the file_roots configuration available in addition to other backends, or the ability to mix multiple backends. This feature is managed by the fileserver_backend option in the master config. The desired backend systems are listed in order of search priority:
With this configuration, the environments and files defined in the file_roots parameter will be searched first, if the referenced environment and file is not found then the git backend will be searched.

Environments¶

The concept of environments is followed in all backend systems. The environments in the classic roots backend are defined in the file_roots option. Environments map differently based on the backend, for instance the git backend translated branches and tags in git to environments. This makes it easy to define environments in git by just setting a tag or forking a branch.

DYNAMIC MODULE DISTRIBUTION¶

New in version 0.9.5. Salt Python modules can be distributed automatically via the Salt file server. Under the root of any environment defined via the file_roots option on the master server directories corresponding to the type of module can be used.
The directories are prepended with an underscore:
The contents of these directories need to be synced over to the minions after Python modules have been created in them. There are a number of ways to sync the modules.

Sync Via States¶

The minion configuration contains an option autoload_dynamic_modules which defaults to True. This option makes the state system refresh all dynamic modules when states are run. To disable this behavior set autoload_dynamic_modules to False in the minion config. When dynamic modules are autoloaded via states, modules only pertinent to the environments matched in the master's top file are downloaded. This is important to remember, because modules can be manually loaded from any specific environment that environment specific modules will be loaded when a state run is executed.

Sync Via the saltutil Module¶

The saltutil module has a number of functions that can be used to sync all or specific dynamic modules. The saltutil module function saltutil.sync_all will sync all module types over to a minion. For more information see: salt.modules.saltutil

FILE SERVER CONFIGURATION¶

The Salt file server is a high performance file server written in ZeroMQ. It manages large files quickly and with little overhead, and has been optimized to handle small files in an extremely efficient manner. The Salt file server is an environment aware file server. This means that files can be allocated within many root directories and accessed by specifying both the file path and the environment to search. The individual environments can span across multiple directory roots to create overlays and to allow for files to be organized in many flexible ways.

Environments¶

The Salt file server defaults to the mandatory base environment. This environment MUST be defined and is used to download files when no environment is specified. Environments allow for files and sls data to be logically separated, but environments are not isolated from each other. This allows for logical isolation of environments by the engineer using Salt, but also allows for information to be used in multiple environments.

Directory Overlay¶

The environment setting is a list of directories to publish files from. These directories are searched in order to find the specified file and the first file found is returned. This means that directory data is prioritized based on the order in which they are listed. In the case of this file_roots configuration:
If a file's URI is salt://httpd/httpd.conf, it will first search for the file at /srv/salt/base/httpd/httpd.conf. If the file is found there it will be returned. If the file is not found there, then /srv/salt/failover/httpd/httpd.conf will be used for the source. This allows for directories to be overlaid and prioritized based on the order they are defined in the configuration. It is also possible to have file_roots which supports multiple environments:
This example ensures that each environment will check the associated environment directory for files first. If a file is not found in the appropriate directory, the system will default to using the base directory.

Local File Server¶

New in version 0.9.8. The file server can be rerouted to run from the minion. This is primarily to enable running Salt states without a Salt master. To use the local file server interface, copy the file server data to the minion and set the file_roots option on the minion to point to the directories copied from the master. Once the minion file_roots option has been set, change the file_client option to local to make sure that the local file server interface is used.

SALT FILE SERVER¶

Salt comes with a simple file server suitable for distributing files to the Salt minions. The file server is a stateless ZeroMQ server that is built into the Salt master. The main intent of the Salt file server is to present files for use in the Salt state system. With this said, the Salt file server can be used for any general file transfer from the master to the minions.

The cp Module¶

The cp module is the home of minion side file server operations. The cp module is used by the Salt state system, salt-cp and can be used to distribute files presented by the Salt file server.

Environments¶

Since the file server is made to work with the Salt state system, it supports environments. The environments are defined in the master config file and when referencing an environment the file specified will be based on the root directory of the environment.

get_file¶

The cp.get_file function can be used on the minion to download a file from the master, the syntax looks like this:
This will instruct all Salt minions to download the vimrc file and copy it to /etc/vimrc Template rendering can be enabled on both the source and destination file names like so:
This example would instruct all Salt minions to download the vimrc from a directory with the same name as their OS grain and copy it to /etc/vimrc For larger files, the cp.get_file module also supports gzip compression. Because gzip is CPU-intensive, this should only be used in scenarios where the compression ratio is very high (e.g. pretty-printed JSON or YAML files). Use the gzip named argument to enable it. Valid values are 1..9, where 1 is the lightest compression and 9 the heaviest. 1 uses the least CPU on the master (and minion), 9 uses the most.
Finally, note that by default cp.get_file does not create new destination directories if they do not exist. To change this, use the makedirs argument:
In this example, /etc/vim/ would be created if it didn't already exist.

get_dir¶

The cp.get_dir function can be used on the minion to download an entire directory from the master. The syntax is very similar to get_file:
cp.get_dir supports template rendering and gzip compression arguments just like get_file:

File Server Client API¶

A client API is available which allows for modules and applications to be written which make use of the Salt file server. The file server uses the same authentication and encryption used by the rest of the Salt system for network communication.

FileClient Class¶

The FileClient class is used to set up the communication from the minion to the master. When creating a FileClient object the minion configuration needs to be passed in. When using the FileClient from within a minion module the built in __opts__ data can be passed:
Using the FileClient class outside of a minion module where the __opts__ data is not available, it needs to be generated:

FULL LIST OF BUILTIN FILESERVER MODULES¶

gitfs
hgfs
roots
s3fs
minionfs

salt.fileserver.gitfs¶

The backend for the git based file server system. After enabling this backend, branches and tags in a remote git repository are exposed to salt as different environments. This feature is managed by the fileserver_backend option in the salt master config.

salt.fileserver.hgfs¶

The backed for the mercurial based file server system. After enabling this backend, branches, bookmarks, and tags in a remote mercurial repository are exposed to salt as different environments. This feature is managed by the fileserver_backend option in the salt master config file. This fileserver has an additional option hgfs_branch_method that will set the desired branch method. Possible values are: branches, bookmarks, or mixed. If using branches or mixed, the default branch will be mapped to base. Changed in version 2014.1.0: (Hydrogen) The hgfs_base master config parameter was added, allowing for a branch other than default to be used for the base environment, and allowing for a base environment to be specified when using an hgfs_branch_method of bookmarks.

salt.fileserver.roots¶

The default file server backend Based on the environments in the file_roots configuration option.

salt.fileserver.s3fs¶

The backend for a fileserver based on Amazon S3 SEE ALSO:
This backend exposes directories in S3 buckets as Salt environments. This feature is managed by the fileserver_backend option in the Salt Master config. S3 credentials can be set in the master config file like so:
Alternatively, if on EC2 these credentials can be automatically loaded from instance metadata. Additionally, s3fs must be included in the fileserver_backend config parameter in the master config file:
This fileserver supports two modes of operation for the buckets:
Note that bucket names must be all lowercase both in the AWS console and in Salt, otherwise you may encounter SignatureDoesNotMatch errors. A multiple-environment bucket must adhere to the following root directory structure:

salt.fileserver.minionfs¶

The backend for serving files pushed to master by cp.push (file_recv). file_recv needs to be enabled in the master config file.

CONFIGURATION FILE EXAMPLES¶

Example master configuration file¶

Example minion configuration file¶

CONFIGURING THE SALT MASTER¶

The Salt system is amazingly simple and easy to configure, the two components of the Salt system each have a respective configuration file. The salt-master is configured via the master configuration file, and the salt-minion is configured via the minion configuration file. SEE ALSO:
The configuration file for the salt-master is located at /etc/salt/master. The available options are as follows:

Primary Master Configuration¶

interface¶

Default: 0.0.0.0 (all interfaces) The local interface to bind to.

publish_port¶

Default: 4505 The network port to set up the publication interface

user¶

Default: root The user to run the Salt processes

max_open_files¶

Default: max_open_files Each minion connecting to the master uses AT LEAST one file descriptor, the master subscription connection. If enough minions connect you might start seeing on the console(and then salt-master crashes):
By default this value will be the one of ulimit -Hn, i.e., the hard limit for max open files. If you wish to set a different value than the default one, uncomment and configure this setting. Remember that this value CANNOT be higher than the hard limit. Raising the hard limit depends on your OS and/or distribution, a good way to find the limit is to search the internet for(for example):

worker_threads¶

Default: 5 The number of threads to start for receiving commands and replies from minions. If minions are stalling on replies because you have many minions, raise the worker_threads value. Worker threads should not be put below 3 when using the peer system, but can drop down to 1 worker otherwise.

ret_port¶

Default: 4506 The port used by the return server, this is the server used by Salt to receive execution returns and command executions.

pidfile¶

Default: /var/run/salt-master.pid Specify the location of the master pidfile

root_dir¶

Default: / The system root directory to operate from, change this to make Salt run from an alternative root.
NOTE:

pki_dir¶

Default: /etc/salt/pki The directory to store the pki authentication keys.

cachedir¶

Default: /var/cache/salt The location used to store cache information, particularly the job information for executed salt commands.

keep_jobs¶

Default: 24 Set the number of hours to keep old job information

job_cache¶

Default: True The master maintains a job cache, while this is a great addition it can be a burden on the master for larger deployments (over 5000 minions). Disabling the job cache will make previously executed jobs unavailable to the jobs system and is not generally recommended. Normally it is wise to make sure the master has access to a faster IO system or a tmpfs is mounted to the jobs dir

ext_job_cache¶

Default: '' Used to specify a default returner for all minions, when this option is set the specified returner needs to be properly configured and the minions will always default to sending returns to this returner. This will also disable the local job cache on the master

minion_data_cache¶

Default: True The minion data cache is a cache of information about the minions stored on the master, this information is primarily the pillar and grains data. The data is cached in the Master cachedir under the name of the minion and used to pre determine what minions are expected to reply from executions.

enforce_mine_cache¶

Default: False By-default when disabling the minion_data_cache mine will stop working since it is based on cached data, by enabling this option we explicitly enabling only the cache for the mine system.

sock_dir¶

Default: /tmp/salt-unix Set the location to use for creating Unix sockets for master process communication

Master Security Settings¶

open_mode¶

Default: False Open mode is a dangerous security feature. One problem encountered with pki authentication systems is that keys can become "mixed up" and authentication begins to fail. Open mode turns off authentication and tells the master to accept all authentication. This will clean up the pki keys received from the minions. Open mode should not be turned on for general use. Open mode should only be used for a short period of time to clean up pki keys. To turn on open mode set this value to True.

auto_accept¶

Default: False Enable auto_accept. This setting will automatically accept all incoming public keys from minions.

autosign_file¶

Default: not defined If the autosign_file is specified incoming keys specified in the autosign_file will be automatically accepted. Matches will be searched for first by string comparison, then by globbing, then by full-string regex matching. This is insecure!

autoreject_file¶

New in version 2014.1.0: (Hydrogen) Default: not defined Works like autosign_file, but instead allows you to specify minion IDs for which keys will automatically be rejected. Will override both membership in the autosign_file and the auto_accept setting.

client_acl¶

Default: {} Enable user accounts on the master to execute specific modules. These modules can be expressed as regular expressions

client_acl_blacklist¶

Default: {} Blacklist users or modules This example would blacklist all non sudo users, including root from running any commands. It would also blacklist any use of the "cmd" module. This is completely disabled by default.

external_auth¶

Default: {} The external auth system uses the Salt auth modules to authenticate and validate users to access areas of the Salt system.

token_expire¶

Default: 43200 Time (in seconds) for a newly generated token to live. Default: 12 hours

file_recv¶

Default: False Allow minions to push files to the master. This is disabled by default, for security purposes.

Master Module Management¶

runner_dirs¶

Default: [] Set additional directories to search for runner modules

cython_enable¶

Default: False Set to true to enable cython modules (.pyx files) to be compiled on the fly on the Salt master

Master State System Settings¶

state_verbose¶

Default: False state_verbose allows for the data returned from the minion to be more verbose. Normally only states that fail or states that have changes are returned, but setting state_verbose to True will return all states that were checked

state_output¶

Default: full The state_output setting changes if the output is the full multi line output for each changed state if set to 'full', but if set to 'terse' the output will be shortened to a single line. If set to 'mixed', the output will be terse unless a state failed, in which case that output will be full. If set to 'changes', the output will be full unless the state didn't change.

state_top¶

Default: top.sls The state system uses a "top" file to tell the minions what environment to use and what modules to use. The state_top file is defined relative to the root of the base environment

external_nodes¶

Default: None The external_nodes option allows Salt to gather data that would normally be placed in a top file from and external node controller. The external_nodes option is the executable that will return the ENC data. Remember that Salt will look for external nodes AND top files and combine the results if both are enabled and available!

renderer¶

Default: yaml_jinja The renderer to use on the minions to render the state data

failhard¶

Default: False Set the global failhard flag, this informs all states to stop running states at the moment a single state fails

yaml_utf8¶

Default: False Enable extra yaml render routines for states containing UTF characters

test¶

Default: False Set all state calls to only test if they are going to actually make changes or just post what changes are going to be made

Master File Server Settings¶

fileserver_backend¶

Default:
Salt supports a modular fileserver backend system, this system allows the salt master to link directly to third party systems to gather and manage the files available to minions. Multiple backends can be configured and will be searched for the requested file in the order in which they are defined here. The default setting only enables the standard backend roots, which is configured using the file_roots option. Example:

file_roots¶

Default:
Salt runs a lightweight file server written in ZeroMQ to deliver files to minions. This file server is built into the master daemon and does not require a dedicated port. The file server works on environments passed to the master. Each environment can have multiple root directories. The subdirectories in the multiple file roots cannot match, otherwise the downloaded files will not be able to be reliably ensured. A base environment is required to house the top file. Example:

hash_type¶

Default: md5 The hash_type is the hash to use when discovering the hash of a file on the master server. The default is md5, but sha1, sha224, sha256, sha384 and sha512 are also supported.

file_buffer_size¶

Default: 1048576 The buffer size in the file server in bytes

file_ignore_regex¶

Default: '' A regular expression (or a list of expressions) that will be matched against the file path before syncing the modules and states to the minions. This includes files affected by the file.recurse state. For example, if you manage your custom modules and states in subversion and don't want all the '.svn' folders and content synced to your minions, you could set this to '/.svn($|/)'. By default nothing is ignored.

file_ignore_glob¶

Default '' A file glob (or list of file globs) that will be matched against the file path before syncing the modules and states to the minions. This is similar to file_ignore_regex above, but works on globs instead of regex. By default nothing is ignored.

fileserver_backend¶

Default:
Salt supports a modular fileserver backend system, this system allows the salt master to link directly to third party systems to gather and manage the files available to minions. Multiple backends can be configured and will be searched for the requested file in the order in which they are defined here. The default setting only enables the standard backend roots, which is configured using the file_roots option. Example:

gitfs_provider¶

New in version Helium. Gitfs can be provided by one of two python modules: GitPython or pygit2. If using pygit2, both libgit2 and git itself must also be installed. More information can be found in the gitfs backend documentation.

gitfs_remotes¶

Default: [] When using the git fileserver backend at least one git remote needs to be defined. The user running the salt master will need read access to the repo. The repos will be searched in order to find the file requested by a client and the first repo to have the file will return it. Branches and tags are translated into salt environments.
NOTE:

gitfs_ssl_verify¶

Default: [] The gitfs_ssl_verify option specifies whether to ignore ssl certificate errors when contacting the gitfs backend. You might want to set this to false if you're using a git backend that uses a self-signed certificate but keep in mind that setting this flag to anything other than the default of True is a security concern, you may want to try using the ssh transport.

gitfs_root¶

Default: '' Serve files from a subdirectory within the repository, instead of the root. This is useful when there are files in the repository that should not be available to the Salt fileserver.

gitfs_base¶

Default: master Defines which branch/tag should be used as the base environment.

hgfs_remotes¶

New in version 0.17.0. Default: [] When using the hg fileserver backend at least one mercurial remote needs to be defined. The user running the salt master will need read access to the repo. The repos will be searched in order to find the file requested by a client and the first repo to have the file will return it. Branches and/or bookmarks are translated into salt environments, as defined by the hgfs_branch_method parameter.

hgfs_branch_method¶

New in version 0.17.0. Default: branches Defines the objects that will be used as fileserver environments.

NOTE:

hgfs_root¶

New in version 0.17.0. Default: '' Serve files from a subdirectory within the repository, instead of the root. This is useful when there are files in the repository that should not be available to the Salt fileserver.

hgfs_base¶

New in version 2014.1.0: (Hydrogen) Default: default Defines which branch should be used as the base environment. Change this if hgfs_branch_method is set to bookmarks to specify which bookmark should be used as the base environment.

Pillar Configuration¶

pillar_roots¶

Default:
Set the environments and directories used to hold pillar sls data. This configuration is the same as file_roots:

ext_pillar¶

The ext_pillar option allows for any number of external pillar interfaces to be called when populating pillar data. The configuration is based on ext_pillar functions. The available ext_pillar functions can be found herein: https://github.com/saltstack/salt/blob/develop/salt/pillar By default, the ext_pillar interface is not configured to run. Default: None
There are additional details at salt-pillars

Syndic Server Settings¶

A Salt syndic is a Salt master used to pass commands from a higher Salt master to minions below the syndic. Using the syndic is simple. If this is a master that will have syndic servers(s) below it, set the "order_masters" setting to True. If this is a master that will be running a syndic daemon for passthrough the "syndic_master" setting needs to be set to the location of the master server Do not not forget that in other word it means that it shares with the local minion it's ID and PKI_DIR.

order_masters¶

Default: False Extra data needs to be sent with publications if the master is controlling a lower level master via a syndic minion. If this is the case the order_masters value must be set to True

syndic_master¶

Default: None If this master will be running a salt-syndic to connect to a higher level master, specify the higher level master with this configuration value

syndic_master_port¶

Default: 4506 If this master will be running a salt-syndic to connect to a higher level master, specify the higher level master port with this configuration value

syndic_log_file¶

Default: syndic.log If this master will be running a salt-syndic to connect to a higher level master, specify the log_file of the syndic daemon.

syndic_pidfile¶

Default: salt-syndic.pid If this master will be running a salt-syndic to connect to a higher level master, specify the pidfile of the syndic daemon.

Peer Publish Settings¶

Salt minions can send commands to other minions, but only if the minion is allowed to. By default "Peer Publication" is disabled, and when enabled it is enabled for specific minions and specific commands. This allows secure compartmentalization of commands based on individual minions.

peer¶

Default: {} The configuration uses regular expressions to match minions and then a list of regular expressions to match functions. The following will allow the minion authenticated as foo.example.com to execute functions from the test and pkg modules
This will allow all minions to execute all commands:
This is not recommended, since it would allow anyone who gets root on any single minion to instantly have root on all of the minions! By adding an additional layer you can limit the target hosts in addition to the accessible commands:

peer_run¶

Default: {} The peer_run option is used to open up runners on the master to access from the minions. The peer_run configuration matches the format of the peer configuration. The following example would allow foo.example.com to execute the manage.up runner:

Node Groups¶

Default: {} Node groups allow for logical groupings of minion nodes. A group consists of a group name and a compound target.

Master Logging Settings¶

log_file¶

Default: /var/log/salt/master The master log can be sent to a regular file, local path name, or network location. See also log_file. Examples:

log_level¶

Default: warning The level of messages to send to the console. See also log_level.

log_level_logfile¶

Default: warning The level of messages to send to the log file. See also log_level_logfile.

log_datefmt¶

Default: %H:%M:%S The date and time format used in console log messages. See also log_datefmt.

log_datefmt_logfile¶

Default: %Y-%m-%d %H:%M:%S The date and time format used in log file messages. See also log_datefmt_logfile.

log_fmt_console¶

Default: [%(levelname)-8s] %(message)s The format of the console logging messages. See also log_fmt_console.

log_fmt_logfile¶

Default: %(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s The format of the log file logging messages. See also log_fmt_logfile.

log_granular_levels¶

Default: {} This can be used to control logging levels more specifically. See also log_granular_levels.

Include Configuration¶

default_include¶

Default: master.d/*.conf The master can include configuration from other files. Per default the master will automatically include all config files from master.d/*.conf where master.d is relative to the directory of the master configuration file.

include¶

Default: not defined The master can include configuration from other files. To enable this, pass a list of paths to this option. The paths can be either relative or absolute; if relative, they are considered to be relative to the directory the main minion configuration file lives in. Paths can make use of shell-style globbing. If no files are matched by a path passed to this option then the master will log a warning message.

CONFIGURING THE SALT MINION¶

The Salt system is amazingly simple and easy to configure, the two components of the Salt system each have a respective configuration file. The salt-master is configured via the master configuration file, and the salt-minion is configured via the minion configuration file. SEE ALSO:
The Salt Minion configuration is very simple, typically the only value that needs to be set is the master value so the minion can find its master.

Minion Primary Configuration¶

master¶

Default: salt The hostname or ipv4 of the master.

master_port¶

Default: 4506 The port of the master ret server, this needs to coincide with the ret_port option on the Salt master.

user¶

Default: root The user to run the Salt processes

pidfile¶

Default: /var/run/salt-minion.pid The location of the daemon's process ID file

root_dir¶

Default: / This directory is prepended to the following options: pki_dir, cachedir, log_file, sock_dir, and pidfile.

pki_dir¶

Default: /etc/salt/pki The directory used to store the minion's public and private keys.

id¶

Default: the system's hostname SEE ALSO:
Explicitly declare the id for this minion to use. Since Salt uses detached ids it is possible to run multiple minions on the same machine but with different ids.

append_domain¶

Default: None Append a domain to a hostname in the event that it does not exist. This is useful for systems where socket.getfqdn() does not actually result in a FQDN (for instance, Solaris).

cachedir¶

Default: /var/cache/salt The location for minion cache data.

verify_env¶

Default: True Verify and set permissions on configuration directories at startup.
NOTE:

cache_jobs¶

Default: False The minion can locally cache the return data from jobs sent to it, this can be a good way to keep track of the minion side of the jobs the minion has executed. By default this feature is disabled, to enable set cache_jobs to True.

sock_dir¶

Default: /var/run/salt/minion The directory where Unix sockets will be kept.

backup_mode¶

Default: [] Backup files replaced by file.managed and file.recurse under cachedir.

acceptance_wait_time¶

Default: 10 The number of seconds to wait until attempting to re-authenticate with the master.

random_reauth_delay¶

When the master key changes, the minion will try to re-auth itself to receive the new master key. In larger environments this can cause a syn-flood on the master because all minions try to re-auth immediately. To prevent this and have a minion wait for a random amount of time, use this optional parameter. The wait-time will be a random number of seconds between 0 and the defined value.

acceptance_wait_time_max¶

Default: None The maximum number of seconds to wait until attempting to re-authenticate with the master. If set, the wait will increase by acceptance_wait_time seconds each iteration.

dns_check¶

Default: True When healing, a dns_check is run. This is to make sure that the originally resolved dns has not changed. If this is something that does not happen in your environment, set this value to False.

ipc_mode¶

Default: ipc Windows platforms lack POSIX IPC and must rely on slower TCP based inter- process communications. Set ipc_mode to tcp on such systems.

tcp_pub_port¶

Default: 4510 Publish port used when ipc_mode is set to tcp.

tcp_pull_port¶

Default: 4511 Pull port used when ipc_mode is set to tcp.

Minion Module Management¶

disable_modules¶

Default: [] (all modules are enabled by default) The event may occur in which the administrator desires that a minion should not be able to execute a certain module. The sys module is built into the minion and cannot be disabled. This setting can also tune the minion, as all modules are loaded into ram disabling modules will lover the minion's ram footprint.

disable_returners¶

Default: [] (all returners are enabled by default) If certain returners should be disabled, this is the place

module_dirs¶

Default: [] A list of extra directories to search for Salt modules

returner_dirs¶

Default: [] A list of extra directories to search for Salt returners

states_dirs¶

Default: [] A list of extra directories to search for Salt states

render_dirs¶

Default: [] A list of extra directories to search for Salt renderers

cython_enable¶

Default: False Set this value to true to enable auto-loading and compiling of .pyx modules, This setting requires that gcc and cython are installed on the minion

providers¶

Default: (empty) A module provider can be statically overwritten or extended for the minion via the providers option. This can be done on an individual basis in an SLS file, or globally here in the minion config, like below.

State Management Settings¶

renderer¶

Default: yaml_jinja The default renderer used for local state executions

state_verbose¶

Default: False state_verbose allows for the data returned from the minion to be more verbose. Normally only states that fail or states that have changes are returned, but setting state_verbose to True will return all states that were checked

state_output¶

Default: full The state_output setting changes if the output is the full multi line output for each changed state if set to 'full', but if set to 'terse' the output will be shortened to a single line.

autoload_dynamic_modules¶

Default: True autoload_dynamic_modules Turns on automatic loading of modules found in the environments on the master. This is turned on by default, to turn of auto-loading modules when states run set this value to False
Default: True clean_dynamic_modules keeps the dynamic modules on the minion in sync with the dynamic modules on the master, this means that if a dynamic module is not on the master it will be deleted from the minion. By default this is enabled and can be disabled by changing this value to False

environment¶

Default: None Normally the minion is not isolated to any single environment on the master when running states, but the environment can be isolated on the minion side by statically setting it. Remember that the recommended way to manage environments is to isolate via the top file.

File Directory Settings¶

file_client¶

Default: remote The client defaults to looking on the master server for files, but can be directed to look on the minion by setting this parameter to local.

file_roots¶

Default:
When using a local file_client, this parameter is used to setup the fileserver's environments. This parameter operates identically to the master config parameter of the same name.

hash_type¶

Default: md5 The hash_type is the hash to use when discovering the hash of a file on the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 and sha512 are also supported.

pillar_roots¶

Default:
When using a local file_client, this parameter is used to setup the pillar environments.

Security Settings¶

open_mode¶

Default: False Open mode can be used to clean out the PKI key received from the Salt master, turn on open mode, restart the minion, then turn off open mode and restart the minion to clean the keys.

Thread Settings¶

Default: True Disable multiprocessing support by default when a minion receives a publication a new process is spawned and the command is executed therein.

Minion Logging Settings¶

log_file¶

Default: /var/log/salt/minion The minion log can be sent to a regular file, local path name, or network location. See also log_file. Examples:

log_level¶

Default: warning The level of messages to send to the console. See also log_level.

log_level_logfile¶

Default: warning The level of messages to send to the log file. See also log_level_logfile.

log_datefmt¶

Default: %H:%M:%S The date and time format used in console log messages. See also log_datefmt.

log_datefmt_logfile¶

Default: %Y-%m-%d %H:%M:%S The date and time format used in log file messages. See also log_datefmt_logfile.

log_fmt_console¶

Default: [%(levelname)-8s] %(message)s The format of the console logging messages. See also log_fmt_console.

log_fmt_logfile¶

Default: %(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s The format of the log file logging messages. See also log_fmt_logfile.

log_granular_levels¶

Default: {} This can be used to control logging levels more specifically. See also log_granular_levels.

Include Configuration¶

default_include¶

Default: minion.d/*.conf The minion can include configuration from other files. Per default the minion will automatically include all config files from minion.d/*.conf where minion.d is relative to the directory of the minion configuration file.

include¶

Default: not defined The minion can include configuration from other files. To enable this, pass a list of paths to this option. The paths can be either relative or absolute; if relative, they are considered to be relative to the directory the main minion configuration file lives in. Paths can make use of shell-style globbing. If no files are matched by a path passed to this option then the minion will log a warning message.

Frozen Build Update Settings¶

These options control how salt.modules.saltutil.update() works with esky frozen apps. For more information look at https://github.com/cloudmatrix/esky/.

update_url¶

Default: False (Update feature is disabled) The url to use when looking for application updates. Esky depends on directory listings to search for new versions. A webserver running on your Master is a good starting point for most setups.

update_restart_services¶

Default: [] (service restarting on update is disabled) A list of services to restart when the minion software is updated. This would typically just be a list containing the minion's service name, but you may have other services that need to go with it.

SALT CODE AND INTERNALS¶

Reference documentation on Salt's internal code.

Contents¶

Exceptions¶

Salt-specific exceptions should be thrown as often as possible so the various interfaces to Salt (CLI, API, etc) can handle those errors appropriately and display error messages appropriately.

salt.exceptions	Python's standard exception class hierarchy.

salt.exceptions¶

This module is a central location for all salt exceptions

salt.exceptions¶

This module is a central location for all salt exceptions

NETWORK TOPOLOGY¶

Salt is based on a powerful, asynchronous, network topology using ZeroMQ. Many ZeroMQ systems are in place to enable communication. The central idea is to have the fastest communication possible.

Servers¶

The Salt Master runs 2 network services. First is the ZeroMQ PUB system. This service by default runs on port 4505 and can be configured via the publish_port option in the master configuration. Second is the ZeroMQ REP system. This is a separate interface used for all bi-directional communication with minions. By default this system binds to port 4506 and can be configured via the ret_port option in the master.

PUB/SUB¶

The commands sent out via the salt client are broadcast out to the minions via ZeroMQ PUB/SUB. This is done by allowing the minions to maintain a connection back to the Salt Master and then all connections are informed to download the command data at once. The command data is kept extremely small (usually less than 1K) so it is not a burden on the network.

Return¶

The PUB/SUB system is a one way communication, so once a publish is sent out the PUB interface on the master has no further communication with the minion. The minion, after running the command, then sends the command's return data back to the master via the ret_port.

WINDOWS SOFTWARE REPOSITORY¶

The Salt Windows Software Repository provides a package manager and software repository similar to what is provided by yum and apt on Linux. It permits the installation of software using the installers on remote windows machines. In many senses, the operation is similar to that of the other package managers salt is aware of:
High level differences to yum and apt are:

Operation¶

The install state/module function of the windows package manager works roughly as follows:
If there are any problems in using the package manager it is likely to be due to the data in your sls files not matching the difference between the pre and post pkg.list_pkgs results.

Usage¶

By default, the Windows software repository is found at /srv/salt/win/repo This can be changed in the master config file (default location is /etc/salt/master) by modifying the win_repo variable. Each piece of software should have its own directory which contains the installers and a package definition file. This package definition file is a YAML file named init.sls. The package definition file should look similar to this example for Firefox: /srv/salt/win/repo/firefox/init.sls
More examples can be found here: https://github.com/saltstack/salt-winrepo The version number and full_name need to match the output from pkg.list_pkgs so that the status can be verfied when running highstate. Note: It is still possible to successfully install packages using pkg.install even if they don't match which can make this hard to troubleshoot.
If any of these preinstalled packages already exist in winrepo the full_name will be automatically renamed to their package name during the next update (running highstate or installing another package).
Add msiexec: True if using an MSI installer requiring the use of msiexec /i to install and msiexec /x to uninstall. The install_flags and uninstall_flags are flags passed to the software installer to cause it to perform a silent install. These can often be found by adding /? or /h when running the installer from the command line. A great resource for finding these silent install flags can be found on the WPKG project's wiki:

Generate Repo Cache File¶

Once the sls file has been created, generate the repository cache file with the winrepo runner:
Then update the repository cache file on your minions, exactly how it's done for the Linux package managers:

Install Windows Software¶

Now you can query the available version of Firefox using the Salt pkg module.
As you can see, there are three versions of Firefox available for installation.
The above line will install the latest version of Firefox.
The above line will install version 16.0.2 of Firefox. If a different version of the package is already installed it will be replaced with the version in winrepo (only if the package itself supports live updating)

Uninstall Windows Software¶

Uninstall software using the pkg module:
pkg.purge just executes pkg.remove on Windows. At some point in the future pkg.purge may direct the installer to remove all configs and settings for software packages that support that option.

Standalone Minion Salt Windows Repo Module¶

In order to facilitate managing a Salt Windows software repo with Salt on a Standalone Minion on Windows, a new module named winrepo has been added to Salt. winrepo matches what is available in the salt runner and allows you to manage the Windows software repo contents. Example: salt '*' winrepo.genrepo

Git Hosted Repo¶

Windows software package definitions can also be hosted in one or more git repositories. The default repo is one hosted on Github.com by SaltStack,Inc., which includes package definitions for open source software. This repo points to the HTTP or ftp locations of the installer files. Anyone is welcome to send a pull request to this repo to add new package definitions. Browse the repo here: https://github.com/saltstack/salt-winrepo . Configure which git repos the master can search for package definitions by modifying or extending the win_gitrepos configuration option list in the master config. Checkout each git repo in win_gitrepos, compile your package repository cache and then refresh each minion's package cache:

Troubleshooting¶

Incorrect name/version¶

If the package seems to install properly, but salt reports a failure then it is likely you have a version or full_name mismatch. Check the exact full_name and version used by the package. Use pkg.list_pkgs to check that the names and version exactly match what is installed.

Changes to sls files not being picked up¶

Ensure you have (re)generated the repository cache file and then updated the repository cache on the relevant minions:

Packages management under Windows 2003¶

On windows server 2003, you need to install optional windows component "wmi windows installer provider" to have full list of installed packages. If you don't have this, salt-minion can't report some installed software.

COMMAND LINE REFERENCE¶

Salt can be controlled by a command line client by the root user on the Salt master. The Salt command line client uses the Salt client API to communicate with the Salt master server. The Salt client is straightforward and simple to use. Using the Salt client commands can be easily sent to the minions. Each of these commands accepts an explicit --config option to point to either the master or minion configuration file. If this option is not provided and the default configuration file does not exist then Salt falls back to use the environment variables SALT_MASTER_CONFIG and SALT_MINION_CONFIG. SEE ALSO:

Using the Salt Command¶

The Salt command needs a few components to send information to the Salt minions. The target minions need to be defined, the function to call and any arguments the function requires.

Defining the Target Minions¶

The first argument passed to salt, defines the target minions, the target minions are accessed via their hostname. The default target type is a bash glob:
Salt can also define the target minions with regular expressions:
Or to explicitly list hosts, salt can take a list:

More Powerful Targets¶

The simple target specifications, glob, regex and list will cover many use cases, and for some will cover all use cases, but more powerful options exist.

Targeting with Grains¶

The Grains interface was built into Salt to allow minions to be targeted by system properties. So minions running on a particular operating system can be called to execute a function, or a specific kernel. Calling via a grain is done by passing the -G option to salt, specifying a grain and a glob expression to match the value of the grain. The syntax for the target is the grain key followed by a globexpression: "os:Arch*".
Will return True from all of the minions running Fedora. To discover what grains are available and what the values are, execute the grains.item salt function:

Targeting with Executions¶

As of 0.8.8 targeting with executions is still under heavy development and this documentation is written to reference the behavior of execution matching in the future. Execution matching allows for a primary function to be executed, and then based on the return of the primary function the main function is executed. Execution matching allows for matching minions based on any arbitrary running data on the minions.

Compound Targeting¶

New in version 0.9.5. Multiple target interfaces can be used in conjunction to determine the command targets. These targets can then be combined using and or or statements. This is well defined with an example:
In this example any minion who's id starts with webser and is running Debian, or any minion who's id starts with db will be matched. The type of matcher defaults to glob, but can be specified with the corresponding letter followed by the @ symbol. In the above example a grain is used with G@ as well as a regular expression with E@. The webser* target does not need to be prefaced with a target type specifier because it is a glob.

Node Group Targeting¶

New in version 0.9.5. Often the convenience of having a predefined group of minions to execute targets on is desired. This can be accomplished with the new nodegroups feature. Nodegroups allow for predefined compound targets to be declared in the master configuration file:

Calling the Function¶

The function to call on the specified target is placed after the target specification. New in version 0.9.8. Functions may also accept arguments, space-delimited:
Optional, keyword arguments are also supported:
They are always in the form of kwarg=argument. Arguments are formatted as YAML:
Note: dictionaries must have curly braces around them (like the env keyword argument above). This was changed in 0.15.1: in the above example, the first argument used to be parsed as the dictionary {'echo "Hello': '$FIRST_NAME"'}. This was generally not the expected behavior. If you want to test what parameters are actually passed to a module, use the test.arg_repr command:

Finding available minion functions¶

The Salt functions are self documenting, all of the function documentation can be retried from the minions via the sys.doc() function:

Compound Command Execution¶

If a series of commands needs to be sent to a single target specification then the commands can be sent in a single publish. This can make gathering groups of information faster, and lowers the stress on the network for repeated commands. Compound command execution works by sending a list of functions and arguments instead of sending a single function and argument. The functions are executed on the minion in the order they are defined on the command line, and then the data from all of the commands are returned in a dictionary. This means that the set of commands are called in a predictable way, and the returned data can be easily interpreted. Executing compound commands if done by passing a comma delimited list of functions, followed by a comma delimited list of arguments:
The trick to look out for here, is that if a function is being passed no arguments, then there needs to be a placeholder for the absent arguments. This is why in the above example, there are two commas right next to each other. test.ping takes no arguments, so we need to add another comma, otherwise Salt would attempt to pass "foo" to test.ping. If you need to pass arguments that include commas, then make sure you add spaces around the commas that separate arguments. For example:
You may change the arguments separator using the --args-separator option:

SALT¶

Synopsis¶

Description¶

Salt allows for commands to be executed across a swath of remote systems in parallel. This means that remote systems can be both controlled and queried with ease.

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

Target Selection¶

Output Options¶

See also¶

salt(7) salt-master(1) salt-minion(1)

SALT-MASTER¶

The Salt master daemon, used to control the Salt minions

Synopsis¶

salt-master [ options ]

Description¶

The master daemon controls the Salt minions

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

See also¶

salt(1) salt(7) salt-minion(1)

SALT-MINION¶

The Salt minion daemon, receives commands from a remote Salt master.

Synopsis¶

salt-minion [ options ]

Description¶

The Salt minion receives commands from the central Salt master and replies with the results of said commands.

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

See also¶

salt(1) salt(7) salt-master(1)

SALT-KEY¶

Synopsis¶

salt-key [ options ]

Description¶

Salt-key executes simple management of Salt server public keys used for authentication.

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

Output Options¶

Actions¶

Key Generation Options¶

See also¶

salt(7) salt-master(1) salt-minion(1)

SALT-CP¶

Copy a file to a set of systems

Synopsis¶

Description¶

Salt copy copies a local file out to all of the Salt minions matched by the given target.

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

Target Selection¶

See also¶

salt(1) salt-master(1) salt-minion(1)

SALT-CALL¶

Synopsis¶

Description¶

The salt-call command is used to run module functions locally on a minion instead of executing them from the master.

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

Output Options¶

See also¶

salt(1) salt-master(1) salt-minion(1)

SALT-RUN¶

Execute a Salt runner

Synopsis¶

Description¶

salt-run is the frontend command for executing Salt Runners. Salt runners are simple modules used to execute convenience functions on the master

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

See also¶

salt(1) salt-master(1) salt-minion(1)

SALT-SSH¶

Synopsis¶

Description¶

Salt SSH allows for salt routines to be executed using only SSH for transport

Options¶

Target Selection¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

Output Options¶

See also¶

salt(7) salt-master(1) salt-minion(1)

SALT-SYNDIC¶

The Salt syndic daemon, a special minion that passes through commands from a higher master

Synopsis¶

salt-syndic [ options ]

Description¶

The Salt syndic daemon, a special minion that passes through commands from a higher master.

Options¶

Logging Options¶

Logging options which override any settings defined on the configuration files.

See also¶

salt(1) salt-master(1) salt-minion(1)

SALT-CLOUD¶

Provision virtual machines in the cloud with Salt

Synopsis¶

Description¶

Salt Cloud is the system used to provision virtual machines on various public clouds via a cleanly controlled profile and mapping system.

Options¶

Examples¶

To create 4 VMs named web1, web2, db1 and db2 from specified profiles:
To read in a map file and create all VMs specified therein:
To read in a map file and create all VMs specified therein in parallel:
To delete any VMs specified in the map file:
To delete any VMs NOT specified in the map file:
To display the status of all VMs specified in the map file:

See also¶

salt-cloud(7) salt(7) salt-master(1) salt-minion(1)

RELEASE NOTES AND UPGRADE INSTRUCTIONS¶

Salt 0.10.0 Release Notes¶

0.10.0 has arrived! This release comes with MANY bug fixes, and new capabilities which greatly enhance performance and reliability. This release is primarily a bug fix release with many new tests and many repaired bugs. This release also introduces a few new key features which were brought in primarily to repair bugs and some limitations found in some of the components of the original architecture.

Major Features¶

Event System¶

The Salt Master now comes equipped with a new event system. This event system has replaced some of the back end of the Salt client and offers the beginning of a system which will make plugging external applications into Salt. The event system relies on a local ZeroMQ publish socket and other processes can connect to this socket and listen for events. The new events can be easily managed via Salt's event library.

Unprivileged User Updates¶

Some enhancements have been added to Salt for running as a user other than root. These new additions should make switching the user that the Salt Master is running as very painless, simply change the user option in the master configuration and restart the master, Salt will take care of all of the particulars for you.

Peer Runner Execution¶

Salt has long had the peer communication system used to allow minions to send commands via the salt master. 0.10.0 adds a new capability here, now the master can be configured to allow for minions to execute Salt runners via the peer_run option in the salt master configuration.

YAML Parsing Updates¶

In the past the YAML parser for sls files would return the incorrect numbers when the file mode was set with a preceding 0. The YAML parser used in Salt has been modified to no longer convert these number into octal but to keep them as the correct value so that sls files can be a little cleaner to write.

State Call Data Files¶

It was requested that the minion keep a local cache of the most recent executed state run. This has been added and now with state runs the data is stored in a msgpack file in the minion's cachedir.

Turning Off the Job Cache¶

A new option has been added to the master configuration file. In previous releases the Salt client would look over the Salt job cache to read in the minion return data. With the addition of the event system the Salt client can now watch for events directly from the master worker processes. This means that the job cache is no longer a hard requirement. Keep in mind though, that turning off the job cache means that historic job execution data cannot be retrieved.

Test Updates¶

Minion Swarms Are Faster¶

To continue our efforts with testing Salt's ability to scale the minionswarm script has been updated. The minionswarm can now start up minions much faster than it could before and comes with a new feature allowing modules to be disabled, thus lowering the minion's footprint when making a swarm. These new updates have allows us to test

Many Fixes¶

To get a good idea for the number of bugfixes this release offers take a look at the closed tickets for 0.10.0, this is a very substantial update: https://github.com/saltstack/salt/issues?milestone=12&state=closed

Master and Minion Stability Fixes¶

As Salt deployments grow new ways to break Salt are discovered. 0.10.0 comes with a number of fixes for the minions and master greatly improving Salt stability.

Salt 0.10.1 Release Notes¶

Salt 0.10.2 Release Notes¶

0.10.2 is out! This release comes with enhancements to the pillar interface, cleaner ways to access the salt-call capabilities in the API, minion data caching and the event system has been added to salt minions. There have also been updates to the ZeroMQ functions, many more tests (thanks to sponsors, the code sprint and many contributors) and a swath of bug fixes.

Major Features¶

Ext Pillar Modules¶

The ranks of available Salt modules directories sees a new member in 0.10.2. With the popularity of pillar a higher demand has arisen for ext_pillar interfaces to be more like regular Salt module additions. Now ext_pillar interfaces can be added in the same way as other modules, just drop it into the pillar directory in the salt source.

Minion Events¶

In 0.10.0 an event system was added to the Salt master. 0.10.2 adds the event system to the minions as well. Now event can be published on a local minion as well. The minions can also send events back up to the master. This means that Salt is able to communicate individual events from the minions back up to the Master which are not associated with command.

Minion Data Caching¶

When pillar was introduced the landscape for available data was greatly enhanced. The minion's began sending grain data back to the master on a regular basis. The new config option on the master called minion_data_cache instructs the Salt master to maintain a cache of the minion's grains and pillar data in the cachedir. This option is turned off by default to avoid hitting the disk more, but when enabled the cache is used to make grain matching from the salt command more powerful, since the minions that will match can be predetermined.

Backup Files¶

By default all files replaced by the file.managed and file.recurse states we simply deleted. 0.10.2 adds a new option. By setting the backup option to minion the files are backed up before they are replaced. The backed up files are located in the cachedir under the file_backup directory. On a default system this will be at: /var/cache/salt/file_backup

Configuration files¶

salt-master and salt-minion automatically load additional configuration files from master.d/*.conf respective minion.d/*.conf where master.d/minion.d is a directory in the same directory as the main configuration file.

Salt Key Verification¶

A number of users complained that they had inadvertently deleted the wrong salt authentication keys. 0.10.2 now displays what keys are going to be deleted and verifies that they are the keys that are intended for deletion.

Key auto-signing¶

If autosign_file is specified in the configuration file incoming keys will be compared to the list of keynames in autosign_file. Regular expressions as well as globbing is supported. The file must only be writable by the user otherwise the file will be ignored. To relax the permission and allow group write access set the permissive_pki_access option.

Module changes¶

Improved OpenBSD support¶

New modules for managing services and packages were provided by Joshua Elsasser to further improve the support for OpenBSD. Existing modules like the disk module were also improved to support OpenBSD.

SQL Modules¶

The MySQL and PostgreSQL modules have both received a number of additions thanks to the work of Avi Marcus and Roman Imankulov.

ZFS Support on FreeBSD¶

A new ZFS module has been added by Kurtis Velarde for FreeBSD supporting various ZFS operations like creating, extending or removing zpools.

Augeas¶

A new Augeas module by Ulrich Dangel for editing and verifying config files.

Native Debian Service module¶

The support for the Debian was further improved with an new service module for Debian by Ahmad Khayyat supporting disable and enable.

Cassandra¶

Cassandra support has been added by Adam Garside. Currently only status and diagnostic information are supported.

Networking¶

The networking support for RHEL has been improved and supports bonding support as well as zeroconf configuration.

Monit¶

Basic monit support by Kurtis Velarde to control services via monit.

nzbget¶

Basic support for controlling nzbget by Joseph Hall

Bluetooth¶

Baisc bluez support for managing and controlling Bluetooth devices. Supports scanning as well as pairing/unpairing by Joseph Hall.

Test Updates¶

Consistency Testing¶

Another testing script has been added. A bug was found in pillar when many minions generated pillar data at the same time. The new consist.py script is the tests directory was created to reproduce bugs where data should always be consistent.

Many Fixes¶

To get a good idea for the number of bugfixes this release offers take a look at the closed tickets for 0.10.2, this is a very substantial update: https://github.com/saltstack/salt/issues?milestone=24&page=1&state=closed

Master and Minion Stability Fixes¶

As Salt deployments grow new ways to break Salt are discovered. 0.10.2 comes with a number of fixes for the minions and master greatly improving Salt stability.

Salt 0.10.3 Release Notes¶

The latest taste of Salt has come, this release has many fixes and feature additions. Modifications have been made to make ZeroMQ connections more reliable, the beginning of the ACL system is in place, a new command line parsing system has been added, dynamic module distribution has become more environment aware, the new master_finger option and many more!

Major Features¶

ACL System¶

The new ACL system has been introduced. The ACL system allows for system users other than root to execute salt commands. Users can be allowed to execute specific commands in the same way that minions are opened up to the peer system. The configuration value to open up the ACL system is called client_acl and is configured like so:
Where fred is allowed access to functions in the test module and to the pkg.list_pkgs function.

Master Finger Option¶

The master_finger option has been added to improve the security of minion provisioning. The master_finger option allows for the fingerprint of the master public key to be set in the configuration file to double verify that the master is valid. This option was added in response to a motivation to pre-authenticate the master when provisioning new minions to help prevent man in the middle attacks in some situations.

Salt Key Fingerprint Generation¶

The ability to generate fingerprints of keys used by Salt has been added to salt-key. The new option finger accepts the name of the key to generate and display a fingerprint for.
Will display the fingerprints for the master public and private keys.

Parsing System¶

Pedro Algavio, aka s0undt3ch, has added a substantial update to the command line parsing system that makes the help message output much cleaner and easier to search through. Salt parsers now have --versions-report besides usual --version info which you can provide when reporting any issues found.

Key Generation¶

We have reduced the requirements needed for salt-key to generate minion keys. You're no longer required to have salt configured and it's common directories created just to generate keys. This might prove useful if you're batch creating keys to pre-load on minions.

Startup States¶

A few configuration options have been added which allow for states to be run when the minion daemon starts. This can be a great advantage when deploying with Salt because the minion can apply states right when it first runs. To use startup states set the startup_states configuration option on the minion to highstate.

New Exclude Declaration¶

Some users have asked about adding the ability to ensure that other sls files or ids are excluded from a state run. The exclude statement will delete all of the data loaded from the specified sls file or will delete the specified id:

Max Open Files¶

While we're currently unable to properly handle ZeroMQ's abort signals when the max open files is reached, due to the way that's handled on ZeroMQ's, we have minimized the chances of this happening without at least warning the user.

More State Output Options¶

Some major changes have been made to the state output system. In the past state return data was printed in a very verbose fashion and only states that failed or made changes were printed by default. Now two options can be passed to the master and minion configuration files to change the behavior of the state output. State output can be set to verbose (default) or non-verbose with the state_verbose option:
It is noteworthy that the state_verbose option used to be set to False by default but has been changed to True by default in 0.10.3 due to many requests for the change. Te next option to be aware of new and called state_output. This option allows for the state output to be set to full (default) or terse. The full output is the standard state output, but the new terse output will print only one line per state making the output much easier to follow when executing a large state system.

state.file.append Improvements¶

The salt state file.append() tries not to append existing text. Previously the matching check was being made line by line. While this kind of check might be enough for most cases, if the text being appended was multi-line, the check would not work properly. This issue is now properly handled, the match is done as a whole ignoring any white space addition or removal except inside commas. For those thinking that, in order to properly match over multiple lines, salt will load the whole file into memory, that's not true. For most cases this is not important but an erroneous order to read a 4GB file, if not properly handled, like salt does, could make salt chew that amount of memory. Salt has a buffered file reader which will keep in memory a maximum of 256KB and iterates over the file in chunks of 32KB to test for the match, more than enough, if not, explain your usage on a ticket. With this change, also salt.modules.file.contains(), salt.modules.file.contains_regex(), salt.modules.file.contains_glob() and salt.utils.find now do the searching and/or matching using the buffered chunks approach explained above. Two new keyword arguments were also added, makedirs and source. The first, makedirs will create the necessary directories in order to append to the specified file, of course, it only applies if we're trying to append to a non-existing file on a non-existing directory:
The second, source, allows one to append the contents of a file instead of specifying the text.

Security Fix¶

A timing vulnerability was uncovered in the code which decrypts the AES messages sent over the network. This has been fixed and upgrading is strongly recommended.

Salt 0.10.4 Release Notes¶

Salt 0.10.4 is a monumental release for the Salt team, with two new module systems, many additions to allow granular access to Salt, improved platform support and much more. This release is also exciting because we have been able to shorten the release cycle back to under a month. We are working hard to keep up the aggressive pace and look forward to having releases happen more frequently! This release also includes a serious security fix and all users are very strongly recommended to upgrade. As usual, upgrade the master first, and then the minion to ensure that the process is smooth.

Major Features¶

External Authentication System¶

The new external authentication system allows for Salt to pass through authentication to any authentication system to determine if a user has permission to execute a Salt command. The Unix PAM system is the first supported system with more to come! The external authentication system allows for specific users to be granted access to execute specific functions on specific minions. Access is configured in the master configuration file, and uses the new access control system:
The configuration above allows the user thatch to execute functions in the test and network modules on minions that match the web* target.

Access Control System¶

All Salt systems can now be configured to grant access to non-administrative users in a granular way. The old configuration continues to work. Specific functions can be opened up to specific minions from specific users in the case of external auth and client ACLs, and for specific minions in the case of the peer system. Access controls are configured like this:

Target by Network¶

A new matcher has been added to the system which allows for minions to be targeted by network. This new matcher can be called with the -S flag on the command line and is available in all places that the matcher system is available. Using it is simple:

Nodegroup Nesting¶

Previously a nodegroup was limited by not being able to include another nodegroup, this restraint has been lifted and now nodegroups will be expanded within other nodegroups with the N@ classifier.

Salt Key Delete by Glob¶

The ability to delete minion keys by glob has been added to salt-key. To delete all minion keys whose minion name starts with 'web':

Master Tops System¶

The external_nodes system has been upgraded to allow for modular subsystems to be used to generate the top file data for a highstate run. The external_nodes option still works but will be deprecated in the future in favor of the new master_tops option. Example of using master_tops:

Next Level Solaris Support¶

A lot of work has been put into improved Solaris support by Romeo Theriault. Packaging modules (pkgadd/pkgrm and pkgutil) and states, cron support and user and group management have all been added and improved upon. These additions along with SMF (Service Management Facility) service support and improved Solaris grain detection in 0.10.3 add up to Salt becoming a great tool to manage Solaris servers with.

Security¶

A vulnerability in the security handshake was found and has been repaired, old minions should be able to connect to a new master, so as usual, the master should be updated first and then the minions.

Pillar Updates¶

The pillar communication has been updated to add some extra levels of verification so that the intended minion is the only one allowed to gather the data. Once all minions and the master are updated to salt 0.10.4 please activate pillar 2 by changing the pillar_version in the master config to 2. This will be set to 2 by default in a future release.

Salt 0.10.5 Release Notes¶

Salt 0.10.5 is ready, and comes with some great new features. A few more interfaces have been modularized, like the outputter system. The job cache system has been made more powerful and can now store and retrieve jobs archived in external databases. The returner system has been extended to allow minions to easily retrieve data from a returner interface. As usual, this is an exciting release, with many noteworthy additions!

Major Features¶

External Job Cache¶

The external job cache is a system which allows for a returner interface to also act as a job cache. This system is intended to allow users to store job information in a central location for longer periods of time and to make the act of looking up information from jobs executed on other minions easier. Currently the external job cache is supported via the mongo and redis returners:
Once the external job cache is turned on the new ret module can be used on the minions to retrieve return information from the job cache. This can be a great way for minions to respond and react to other minions.

OpenStack Additions¶

OpenStack integration with Salt has been moving forward at a blistering pace. The new nova, glance and keystone modules represent the beginning of ongoing OpenStack integration. The Salt team has had many conversations with core OpenStack developers and is working on linking to OpenStack in powerful new ways.

Wheel System¶

A new API was added to the Salt Master which allows the master to be managed via an external API. This new system allows Salt API to easily hook into the Salt Master and manage configs, modify the state tree, manage the pillar and more. The main motivation for the wheel system is to enable features needed in the upcoming web UI so users can manage the master just as easily as they manage minions. The wheel system has also been hooked into the external auth system. This allows specific users to have granular access to manage components of the Salt Master.

Render Pipes¶

Jack Kuan has added a substantial new feature. The render pipes system allows Salt to treat the render system like unix pipes. This new system enables sls files to be passed through specific render engines. While the default renderer is still recommended, different engines can now be more easily merged. So to pipe the output of Mako used in YAML use this shebang line: #!mako|yaml

Salt Key Overhaul¶

The Salt Key system was originally developed as only a CLI interface, but as time went on it was pressed into becoming a clumsy API. This release marks a complete overhaul of Salt Key. Salt Key has been rewritten to function purely from an API and to use the outputter system. The benefit here is that the outputter system works much more cleanly with Salt Key now, and the internals of Salt Key can be used much more cleanly.

Modular Outputters¶

The outputter system is now loaded in a modular way. This means that output systems can be more easily added by dropping a python file down on the master that contains the function output.

Gzip from Fileserver¶

Gzip compression has been added as an option to the cp.get_file and cp.get_dir commands. This will make file transfers more efficient and faster, especially over slower network links.

Unified Module Configuration¶

In past releases of Salt, the minions needed to be configured for certain modules to function. This was difficult because it required pre-configuring the minions. 0.10.5 changes this by making all module configs on minions search the master config file for values. Now if a single database server is needed, then it can be defined in the master config and all minions will become aware of the configuration value.

Salt Call Enhancements¶

The salt-call command has been updated in a few ways. Now, salt-call can take the --return option to send the data to a returner. Also, salt-call now reports executions in the minion proc system, this allows the master to be aware of the operation salt-call is running.

Death to pub_refresh and sub_timeout¶

The old configuration values pub_refresh and sub_timeout have been removed. These options were in place to alleviate problems found in earlier versions of ZeroMQ which have since been fixed. The continued use of these options has proven to cause problems with message passing and have been completely removed.

Git Revision Versions¶

When running Salt directly from git (for testing or development, of course) it has been difficult to know exactly what code is being executed. The new versioning system will detect the git revision when building and how many commits have been made since the last release. A release from git will look like this: 0.10.4-736-gec74d69

Svn Module Addition¶

Anthony Cornehl (twinshadow) contributed a module that adds Subversion support to Salt. This great addition helps round out Salt's VCS support.

Noteworthy Changes¶

Arch Linux Defaults to Systemd¶

Arch Linux recently changed to use systemd by default and discontinued support for init scripts. Salt has followed suit and defaults to systemd now for managing services in Arch.

Salt, Salt Cloud and Openstack¶

With the releases of Salt 0.10.5 and Salt Cloud 0.8.2, OpenStack becomes the first (non-OS) piece of software to include support both on the user level (with Salt Cloud) and the admin level (with Salt). We are excited to continue to extend support of other platforms at this level.

Salt 0.11.0 Release Notes¶

Salt 0.11.0 is here, with some highly sought after and exciting features. These features include the new overstate system, the reactor system, a new state run scope component called __context__, the beginning of the search system (still needs a great deal of work), multiple package states, the MySQL returner and a better system to arbitrarily reference outputters. It is also noteworthy that we are changing how we mark release numbers. For the life of the project we have been pushing every release with features and fixes as point releases. We will now be releasing point releases for only bug fixes on a more regular basis and major feature releases on a slightly less regular basis. This means that the next release will be a bugfix only release with a version number of 0.11.1. The next feature release will be named 0.12.0 and will mark the end of life for the 0.11 series.

Major Features¶

OverState¶

The overstate system is a simple way to manage rolling state executions across many minions. The overstate allows for a state to depend on the successful completion of another state.

Reactor System¶

The new reactor system allows for a reactive logic engine to be created which can respond to events within a salted environment. The reactor system uses sls files to match events fired on the master with actions, enabling Salt to react to problems in an infrastructure. Your load-balanced group of webservers is under extra load? Spin up a new VM and add it to the group. Your fileserver is filling up? Send a notification to your sysadmin on call. The possibilities are endless!

Module Context¶

A new component has been added to the module loader system. The module context is a data structure that can hold objects for a given scope within the module. This allows for components that are initialized to be stored in a persistent context which can greatly speed up ongoing connections. Right now the best example can be found in the cp execution module.

Multiple Package Management¶

A long desired feature has been added to package management. By definition Salt States have always installed packages one at a time. On most platforms this is not the fastest way to install packages. Erik Johnson, aka terminalmage, has modified the package modules for many providers and added new capabilities to install groups of packages. These package groups can be defined as a list of packages available in repository servers:
or specify based on the location of specific packages:

Search System¶

The bones to the search system have been added. This is a very basic interface that allows for search backends to be added as search modules. The first supported search module is the whoosh search backend. Right now only the basic paths for the search system are in place, making this very experimental. Further development will involve improving the search routines and index routines for whoosh and other search backends. The search system has been made to allow for searching through all of the state and pillar files, configuration files and all return data from minion executions.

Notable Changes¶

All previous versions of Salt have shared many directories between the master and minion. The default locations for keys, cached data and sockets has been shared by master and minion. This has created serious problems with running a master and a minion on the same systems. 0.11.0 changes the defaults to be separate directories. Salt will also attempt to migrate all of the old key data into the correct new directories, but if it is not successful it may need to be done manually. If your keys exhibit issues after updating make sure that they have been moved from /etc/salt/pki to /etc/salt/pki/{master,minion}. The old setup will look like this:
With the accepted minion keys in /etc/salt/pki/minions, the new setup places the accepted minion keys in /etc/salt/pki/master/minions.

Salt 0.11.1 Release Notes¶

Salt 0.12.0 Release Notes¶

Another feature release of Salt is here! Some exciting additions are included with more ways to make salt modular and even easier management of the salt file server.

Major Features¶

Modular Fileserver Backend¶

The new modular fileserver backend allows for any external system to be used as a salt file server. The main benefit here is that it is now possible to tell the master to directly use a git remote location, or many git remote locations, automatically mapping git branches and tags to salt environments.

Windows is First Class!¶

A new Salt Windows installer is now available! Much work has been put in to improve Windows support. With this much easier method of getting Salt on your Windows machines, we hope even more development and progress will occur. Please file bug reports on the Salt GitHub repo issue tracker so we can continue improving. One thing that is missing on Windows that Salt uses extensively is a software package manager and a software package repository. The Salt pkg state allows sys admins to install software across their infrastructure and across operating systems. Software on Windows can now be managed in the same way. The SaltStack team built a package manager that interfaces with the standard Salt pkg module to allow for installing and removing software on Windows. In addition, a software package repository has been built on top of the Salt fileserver. A small YAML file provides the information necessary for the package manager to install and remove software. An interesting feature of the new Salt Windows software package repository is that one or more remote git repositories can supplement the master's local repository. The repository can point to software on the master's fileserver or on an HTTP, HTTPS, or ftp server.

New Default Outputter¶

Salt displays data to the terminal via the outputter system. For a long time the default outputter for Salt has been the python pretty print library. While this has been a generally reasonable outputter, it did have many failings. The new default outputter is called "nested", it recursively scans return data structures and prints them out cleanly. If the result of the new nested outputter is not desired any other outputter can be used via the --out option, or the output option can be set in the master and minion configs to change the default outputter.

Internal Scheduler¶

The internal Salt scheduler is a new capability which allows for functions to be executed at given intervals on the minion, and for runners to be executed at given intervals on the master. The scheduler allows for sequences such as executing state runs (locally on the minion or remotely via an overstate) or continually gathering system data to be run at given intervals. The configuration is simple, add the schedule option to the master or minion config and specify jobs to run, this in the master config will execute the state.over runner every 60 minutes:
This example for the minion configuration will execute a highstate every 30 minutes:

Optional DSL for SLS Formulas¶

Jack Kuan, our renderer expert, has created something that is astonishing. Salt, now comes with an optional Python based DSL, this is a very powerful interface that makes writing SLS files in pure python easier than it was with the raw py renderer. As usual this can be used with the renderer shebang line, so a single sls can be written with the DSL if pure python power is needed while keeping other sls files simple with YAML.

Set Grains Remotely¶

A new execution function and state module have been added that allows for grains to be set on the minion. Now grains can be set via a remote execution or via states. Use the grains.present state or the grains.setval execution functions.

Gentoo Additions¶

Major additions to Gentoo specific components have been made. The encompasses executions modules and states ranging from supporting the make.conf file to tools like layman.

Salt 0.12.1 Release Notes¶

Salt 0.13.0 Release Notes¶

The lucky number 13 has turned the corner! From CLI notifications when quitting a salt command, to substantial improvements on Windows, Salt 0.13.0 has arrived!

Major Features¶

Improved file.recurse Performance¶

The file.recurse system has been deployed and used in a vast array of situations. Fixes to the file state and module have led towards opening up new ways of running file.recurse to make it faster. Now the file.recurse state will download fewer files and will run substantially faster.

Windows Improvements¶

Minion stability on Windows has improved. Many file operations, including file.recurse, have been fixed and improved. The network module works better, to include network.interfaces. Both 32bit and 64bit installers are now available.

Nodegroup Targeting in Peer System¶

In the past, nodegroups were not available for targeting via the peer system. This has been fixed, allowing the new nodegroup expr_form argument for the publish.publish function:

Blacklist Additions¶

Additions allowing more granular blacklisting are available in 0.13.0. The ability to blacklist users and functions in client_acl have been added, as well as the ability to exclude state formulas from the command line.

Command Line Pillar Embedding¶

Pillar data can now be embedded on the command line when calling state.sls and state.highstate. This allows for on the fly changes or settings to pillar and makes parameterizing state formulas even easier. This is done via the keyword argument:
The above example will extend the existing pillar to hold the cheese key with a value of spam. If the cheese key is already specified in the minion's pillar then it will be overwritten.

CLI Notifications¶

In the past hitting ctrl-C and quitting from the salt command would just drop to a shell prompt, this caused confusion with users who expected the remote executions to also quit. Now a message is displayed showing what command can be used to track the execution and what the job id is for the execution.

Version Specification in Multiple-Package States¶

Versions can now be specified within multiple-package pkg.installed states. An example can be found below:

Noteworthy Changes¶

The configuration subsystem in Salt has been overhauled to make the opts dict used by Salt applications more portable, the problem is that this is an incompatible change with salt-cloud, and salt-cloud will need to be updated to the latest git to work with Salt 0.13.0. Salt Cloud 0.8.5 will also require Salt 0.13.0 or later to function. The SaltStack team is sorry for the inconvenience here, we work hard to make sure these sorts of things do not happen, but sometimes hard changes get in.

Salt 0.13.1 Release Notes¶

Salt 0.13.2 Release Notes¶

Salt 0.13.3 Release Notes¶

Salt 0.14.0 Release Notes¶

Salt 0.14.0 is here! This release was held up primarily by PyCon, Scale and illness, but has arrived! 0.14.0 comes with many new features and is breaking ground for Salt in the area of cloud management with the introduction of Salt providing basic cloud controller functionality.

Major Features¶

Salt - As a Cloud Controller¶

This is the first primitive inroad to using Salt as a cloud controller is available in 0.14.0. Be advised that this is alpha, only tested in a few very small environments. The cloud controller is built using kvm and libvirt for the hypervisors. Hypervisors are autodetected as minions and only need to have libvirt running and kvm installed to function. The features of the Salt cloud controller are as follows:
It is noteworthy that this feature is still Alpha, meaning that all rights are reserved to change the interface if needs be in future releases!

Libvirt State¶

One of the problems with libvirt is management of certificates needed for live migration and cross communication between hypervisors. The new libvirt state makes the Salt Master hold a CA and manage the signing and distribution of keys onto hypervisors, just add a call to the libvirt state in the sls formulas used to set up a hypervisor:

New get Functions¶

An easier way to manage data has been introduced. The pillar, grains and config execution modules have been extended with the new get function. This function works much in the same way as the get method in a python dict, but with an enhancement, nested dict components can be extracted using a : delimiter. If a structure like this is in pillar:
Extracting it from the raw pillar in an sls formula or file template is done this way:
Now with the new get function the data can be safely gathered and a default can be set allowing the template to fall back if the value is not available:
This makes handling nested structures much easier, and defaults can be cleanly set. This new function is being used extensively in the new formulae repository of salt sls formulas.

Salt 0.14.1 Release Notes¶

Salt 0.15.0 Release Notes¶

The many new features of Salt 0.15.0 have arrived! Salt 0.15.0 comes with many smaller features and a few larger ones. These features range from better debugging tools to the new Salt Mine system.

Major Features¶

The Salt Mine¶

First there was the peer system, allowing for commands to be executed from a minion to other minions to gather data live. Then there was the external job cache for storing and accessing long term data. Now the middle ground is being filled in with the Salt Mine. The Salt Mine is a system used to execute functions on a regular basis on minions and then store only the most recent data from the functions on the master, then the data is looked up via targets. The mine caches data that is public to all minions, so when a minion posts data to the mine all other minions can see it.

IPV6 Support¶

0.13.0 saw the addition of initial IPV6 support but errors were encountered and it needed to be stripped out. This time the code covers more cases and must be explicitly enabled. But the support is much more extensive than before.

Copy Files From Minions to the Master¶

Minions have long been able to copy files down from the master file server, but until now files could not be easily copied from the minion up to the master. A new function called cp.push can push files from the minions up to the master server. The uploaded files are then cached on the master in the master cachedir for each minion.

Better Template Debugging¶

Template errors have long been a burden when writing states and pillar. 0.15.0 will now send the compiled template data to the debug log, this makes tracking down the intermittent stage templates much easier. So running state.sls or state.highstate with -l debug will now print out the rendered templates in the debug information.

State Event Firing¶

The state system is now more closely tied to the master's event bus. Now when a state fails the failure will be fired on the master event bus so that the reactor can respond to it.

Major Syndic Updates¶

The Syndic system has been basically re-written. Now it runs in a completely asynchronous way and functions primarily as an event broker. This means that the events fired on the syndic are now pushed up to the higher level master instead of the old method used which waited for the client libraries to return. This makes the syndic much more accurate and powerful, it also means that all events fired on the syndic master make it up the pipe as well making a reactor on the higher level master able to react to minions further downstream.

Peer System Updates¶

The Peer System has been updated to run using the client libraries instead of firing directly over the publish bus. This makes the peer system much more consistent and reliable.

Minion Key Revocation¶

In the past when a minion was decommissioned the key needed to be manually deleted on the master, but now a function on the minion can be used to revoke the calling minion's key:

Function Return Codes¶

Functions can now be assigned numeric return codes to determine if the function executed successfully. While not all functions have been given return codes, many have and it is an ongoing effort to fill out all functions that might return a non-zero return code.

Functions in Overstate¶

The overstate system was originally created to just manage the execution of states, but with the addition of return codes to functions, requisite logic can now be used with respect to the overstate. This means that an overstate stage can now run single functions instead of just state executions.

Pillar Error Reporting¶

Previously if errors surfaced in pillar, then the pillar would consist of only an empty dict. Now all data that was successfully rendered stays in pillar and the render error is also made available. If errors are found in the pillar, states will refuse to run.

Using Cached State Data¶

Sometimes states are executed purely to maintain a specific state rather than to update states with new configs. This is grounds for the new cached state system. By adding cache=True to a state call the state will not be generated fresh from the master but the last state data to be generated will be used. If no previous state data is available then fresh data will be generated.

Monitoring States¶

The new monitoring states system has been started. This is very young but allows for states to be used to configure monitoring routines. So far only one monitoring state is available, the disk.status state. As more capabilities are added to Salt UI the monitoring capabilities of Salt will continue to be expanded.

Salt 0.15.1 Release Notes¶

The 0.15.1 release has been posted, this release includes fixes to a number of bugs in 0.15.1 and a three security patches.

Security Updates¶

A number of security issues have been resolved via the 0.15.1 release.

Path Injection in Minion IDs¶

Salt masters did not properly validate the id of a connecting minion. This can lead to an attacker uploading files to the master in arbitrary locations. In particular this can be used to bypass the manual validation of new unknown minions. Exploiting this vulnerability does not require authentication. This issue affects all known versions of Salt. This issue was reported by Ronald Volgers.

Patch¶

The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations. Specific commits: https://github.com/saltstack/salt/commit/5427b9438e452a5a8910d9128c6aafb45d8fd5d3 https://github.com/saltstack/salt/commit/7560908ee62351769c3cd43b03d74c1ca772cc52 https://github.com/saltstack/salt/commit/e200b8a7ff53780124e08d2bdefde7587e52bfca

RSA Key Generation Fault¶

RSA key generation was done incorrectly, leading to very insecure keys. It is recommended to regenerate all RSA keys. This issue can be used to impersonate Salt masters or minions, or decrypt any transferred data. This issue can only be exploited by attackers who are able to observe or modify traffic between Salt minions and the legitimate Salt master. A tool was included in 0.15.1 to assist in mass key regeneration, the manage.regen_keys runner. This issue affects all known versions of Salt. This issue was reported by Ronald Volgers.

Patch¶

The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations. Specific commits: https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc

Command Injection Via ext_pillar¶

Arbitrary shell commands could be executed on the master by an authenticated minion through options passed when requesting a pillar. Ext pillar options have been restricted to only allow safe external pillars to be called when prompted by the minion. This issue affects Salt versions from 0.14.0 to 0.15.0. This issue was reported by Ronald Volgers.

Patch¶

The issue is fixed in Salt 0.15.1. Updated packages are available in the usual locations. Specific commits: https://github.com/saltstack/salt/commit/43d8c16bd26159d827d1a945c83ac28159ec5865

Salt 0.15.2 Release Notes¶

Salt 0.15.3 Release Notes¶

Salt 0.16.0 Release Notes¶

The 0.16.0 release is an exciting one, with new features in master redundancy, and a new, powerful requisite.

Major Features¶

Multi-Master¶

This new capability allows for a minion to be actively connected to multiple salt masters at the same time. This allows for multiple masters to send out commands to minions and for minions to automatically reconnect to masters that have gone down. A tutorial is available to help get started here: Multi Master Tutorial

Prereq, the New Requisite¶

The new prereq requisite is very powerful! It allows for states to execute based on a state that is expected to make changes in the future. This allows for a change on the system to be preempted by another execution. A good example is needing to shut down a service before modifying files associated with it, allowing, for instance, a webserver to be shut down allowing a load balancer to stop sending requests while server side code is updated. In this case, the prereq will only run if changes are expected to happen in the prerequired state, and the prerequired state will always run after the prereq state and only if the prereq state succeeds.

Peer System Improvements¶

The peer system has been revamped to make it more reliable, faster, and like the rest of Salt, async. The peer calls when an updated minion and master are used together will be much faster!

Relative Includes¶

The ability to include an sls relative to the defined sls has been added, the new syntax id documented here: Includes

More State Output Options¶

The state_output option in the past only supported full and terse, 0.16.0 add the mixed and changes modes further refining how states are sent to users' eyes.

Improved Windows Support¶

Support for Salt on Windows continues to improve. Software management on Windows has become more seamless with Linux/UNIX/BSD software management. Installed software is now recognized by the short names defined in the repository SLS. This makes it possible to run salt '*' pkg.version firefox and get back results from Windows and non-Windows minions alike. When templating files on Windows, Salt will now correctly use Windows appropriate line endings. This makes it much easier to edit and consume files on Windows. When using the cmd state the shell option now allows for specifying Windows Powershell as an alternate shell to execute cmd.run and cmd.script. This opens up Salt to all the power of Windows Powershell and its advanced Windows management capabilities. Several fixes and optimizations were added for the Windows networking modules, especially when working with IPv6. A system module was added that makes it easy to restart and shutdown Windows minions. The Salt Minion will now look for its config file in c:\salt\conf by default. This means that it's no longer necessary to specify the -c option to specify the location of the config file when starting the Salt Minion on Windows in a terminal.

Muliple Targets for pkg.removed, pkg.purged States¶

Both pkg.removed and pkg.purged now support the pkgs argument, which allow for multiple packages to be targeted in a single state. This, as in pkg.installed, helps speed up these states by reducing the number of times that the package management tools (apt, yum, etc.) need to be run.

Random Times in Cron States¶

The temporal parameters in cron.present states (minute, hour, etc.) can now be randomized by using random instead of a specific value. For example, by using the random keyword in the minute parameter of a cron state, the same cron job can be pushed to hundreds or thousands of hosts, and they would each use a randomly-generated minute. This can be helpful when the cron job accesses a network resource, and it is not desirable for all hosts to run the job concurrently.
Since Salt assumes a value of * for unspecified temporal parameters, adding a parameter to the state and setting it to random will change that value from * to a randomized numeric value. However, if that field in the cron entry on the minion already contains a numeric value, then using the random keyword will not modify it.

Confirmation Prompt on Key Acceptance¶

When accepting new keys with salt-key -a minion-id or salt-key -A, there is now a prompt that will show the affected keys and ask for confirmation before proceeding. This prompt can be bypassed using the -y or --yes command line argument, as with other salt-key commands.

Support for Setting Password Hashes on BSD Minions¶

FreeBSD, NetBSD, and OpenBSD all now support setting passwords in user.present states.

Salt 0.16.1 Release Notes¶

Salt 0.16.2 Release Notes¶

Version 0.16.2 is a bugfix release for 0.16.0, and contains a number of fixes.

Windows¶

Grains¶

Pillar¶

Peer Publishing¶

Minion¶

User/Group Management¶

File Management¶

Package/Repository Management¶

Service Management¶

Networking¶

SSH¶

pip¶

MySQL¶

PostgreSQL¶

Miscellaneous¶

Salt 0.16.3 Release Notes¶

Version 0.16.3 is another bugfix release for 0.16.0. The changes include:

Salt 0.16.4 Release Notes¶

Version 0.16.4 is another bugfix release for 0.16.0, likely to be the last before 0.17.0 is released. The changes include:

Salt 0.17.0 Release Notes¶

The 0.17.0 release is a very exciting release of Salt, this brings to Salt some very powerful new features and advances. The advances range from the state system to the test suite, covering new transport capabilities and making states easier and more powerful, to extending Salt Virt and much more! The 0.17.0 release will also be the last release of Salt to follow the old 0.XX.X numbering system, the next release of Salt will change the numbering to be date based following this format: <Year>.<Month>.<Minor> So if the release happens in November of 2013 the number will be 13.11.0, the first bugfix release will be 13.11.1 and so forth.

Major Features¶

Halite¶

The new Halite web GUI is now available on PyPI. A great deal of work has been put into Halite to make it fully event driven and amazingly fast. The Halite UI can be started from within the Salt Master (after being installed from PyPI), or standalone, and does not require an external database to run. It is very lightweight! This initial release of Halite is primarily the framework for the UI and the communication systems, making it easy to extend and build the UI up. It presently supports watching the event bus and firing commands over Salt. At this time, Halite is not available as a package, but installation documentation is available at: http://docs.saltstack.com/topics/tutorials/halite.html Halite is, like the rest of Salt, Open Source! Much more will be coming in the future of Halite!

Salt SSH¶

The new salt-ssh command has been added to Salt. This system allows for remote execution and states to be run over ssh. The benefit here being, that salt can run relying only on the ssh agent, rather than requiring a minion to be deployed. The salt-ssh system runs states in a compatible way as Salt and states created and run with salt-ssh can be moved over to a standard salt deployment without modification. Since this is the initial release of salt-ssh, there is plenty of room for improvement, but it is fully operational, not just a bootstrap tool.

Rosters¶

Salt is designed to have the minions be aware of the master and the master does not need to be aware of the location of the minions. The new salt roster system was created and designed to facilitate listing the targets for salt-ssh. The roster system, like most of Salt, is a plugin system, allowing for the list of systems to target to be derived from any pluggable backend. The rosters shipping with 0.17.0 are flat and scan. Flat is a file which is read in via the salt render system and the scan roster does simple network scanning to discover ssh servers.

State Auto Order¶

This is a major change in how states are evaluated in Salt. State Auto Order is a new feature that makes states get evaluated and executed in the order in which they are defined in the sls file. This feature makes it very easy to see the finite order in which things will be executed, making Salt now, fully imperative AND fully declarative. The requisite system still takes precedence over the order in which states are defined, so no existing states should break with this change. But this new feature can be turned off by setting state_auto_order: False in the master config, thus reverting to the old lexicographical order.

state.sls Runner¶

The state.sls runner has been created to allow for a more powerful system for orchestrating state runs and function calls across the salt minions. This new system uses the state system for organizing executions. This allows for states to be defined that are executed on the master to call states on minions via salt-run state.sls.

Salt Thin¶

Salt Thin is an exciting new component of Salt, this is the ability to execute Salt routines without any transport mechanisms installed, it is a pure python subset of Salt. Salt Thin does not have any networking capability, but can be dropped into any system with Python installed and then salt-call can be called directly. The Salt Thin system, is used by the salt-ssh command, but can still be used to just drop salt somewhere for easy use.

Event Namespacing¶

Events have been updated to be much more flexible. The tags in events have all been namespaced allowing easier tracking of event names.

Mercurial Fileserver Backend¶

The popular git fileserver backend has been joined by the mercurial fileserver backend, allowing the state tree to be managed entirely via mercurial.

External Logging Handlers¶

The external logging handler system allows for Salt to directly hook into any external logging system. Currently supported are sentry and logstash.

Jenkins Testing¶

The testing systems in Salt have been greatly enhanced, tests for salt are now executed, via jenkins.saltstack.com, across many supported platforms. Jenkins calls out to salt-cloud to create virtual machines on Rackspace, then the minion on the virtual machine checks into the master running on Jenkins where a state run is executed that sets up the minion to run tests and executes the test suite. This now automates the sequence of running platform tests and allows for continuous destructive tests to be run.

Salt Testing Project¶

The testing libraries for salt have been moved out of the main salt code base and into a standalone codebase. This has been done to ease the use of the testing systems being used in salt based projects other than Salt itself.

StormPath External Authentication¶

The external auth system now supports the fantastic Stormpath cloud based authentication system.

LXC Support¶

Extensive additions have been added to Salt for LXC support. This included the backend libs for managing LXC containers. Addition into the salt-virt system is still in the works.

Mac OS X User/Group Support¶

Salt is now able to manage users and groups on Minions running Mac OS X. However, at this time user passwords cannot be managed.

Django ORM External Pillar¶

Pillar data can now be derived from Django managed databases.

Fixes from RC to release¶

Salt 0.17.1 Release Notes¶

NOTE:
The 0.17.1 release comes with a number of improvements to salt-ssh, many bugfixes, and a number of security updates. Salt SSH has been improved to be faster, more featureful and more secure. Since the original release of Salt SSH was primarily a proof of concept, it has been very exciting to see its rapid adoption. We appreciate the willingness of security experts to review Salt SSH and help discover oversights and ensure that security issues only exist for such a tiny window of time.

SSH Enhancements¶

Shell Improvements¶

Improvements to Salt SSH's communication have been added that improve routine execution regardless of the target system's login shell.

Performance¶

Deployment of routines is now faster and takes fewer commands to execute.

Security Updates¶

Be advised that these security issues all apply to a small subset of Salt users and mostly apply to Salt SSH.

Insufficient Argument Validation¶

This issue allowed for a user with limited privileges to embed executions inside of routines to execute routines that should be restricted. This applies to users using external auth or client ACL and opening up specific routines. Be advised that these patches address the direct issue. Additional commits have been applied to help mitigate this issue from resurfacing.

CVE¶

CVE-2013-4435

Affected Versions¶

0.15.0 - 0.17.0

Patches¶

https://github.com/saltstack/salt/commit/6d8ef68b605fd63c36bb8ed96122a75ad2e80269 https://github.com/saltstack/salt/commit/ebdef37b7e5d2b95a01d34b211c61c61da67e46a https://github.com/saltstack/salt/commit/7f190ff890e47cdd591d9d7cefa5126574660824 https://github.com/saltstack/salt/commit/8e5afe59cef6743fe5dbd510dcf463dbdfca1ced https://github.com/saltstack/salt/commit/aca78f314481082862e96d4f0c1b75fa382bb885 https://github.com/saltstack/salt/commit/6a9752cdb1e8df2c9505ea910434c79d132eb1e2 https://github.com/saltstack/salt/commit/b73677435ba54ecfc93c1c2d840a7f9ba6f53410 https://github.com/saltstack/salt/commit/07972eb0a6f985749a55d8d4a2e471596591c80d https://github.com/saltstack/salt/commit/1e3f197726aa13ac5c3f2416000089f477f489b5

Found By¶

Feth Arezki, of Majerti

MITM SSH attack in salt-ssh¶

SSH host keys were being accepted by default and not enforced on future SSH connections. These patches set SSH host key checking by default and can be overridden by passing the -i flag to salt-ssh.

CVE¶

CVE-2013-4436

Affected Versions¶

0.17.0

Found By¶

Michael Scherer, Red Hat

Insecure Usage of /tmp in salt-ssh¶

The initial release of salt-ssh used the /tmp directory in an insecure way. These patches not only secure usage of files under /tmp in salt-ssh, but also add checksum validation for all packages sent into the now secure locations on target systems.

CVE¶

CVE-2013-4438

Affected Versions¶

0.17.0

Patches¶

https://github.com/saltstack/salt/commit/aa4bb77ef230758cad84381dde0ec660d2dc340a https://github.com/saltstack/salt/commit/8f92b6b2cb2e4ec3af8783eb6bf4ff06f5a352cf https://github.com/saltstack/salt/commit/c58e56811d5a50c908df0597a0ba0b643b45ebfd https://github.com/saltstack/salt/commit/0359db9b46e47614cff35a66ea6a6a76846885d2 https://github.com/saltstack/salt/commit/4348392860e0fd43701c331ac3e681cf1a8c17b0 https://github.com/saltstack/salt/commit/664d1a1cac05602fad2693f6f97092d98a72bf61 https://github.com/saltstack/salt/commit/bab92775a576e28ff9db262f32db9cf2375bba87 https://github.com/saltstack/salt/commit/c6d34f1acf64900a3c87a2d37618ff414e5a704e

Found By¶

Michael Scherer, Red Hat

YAML Calling Unsafe Loading Routine¶

It has been argued that this is not a valid security issue, as the YAML loading that was happening was only being called after an initial gateway filter in Salt has already safely loaded the YAML and would fail if non-safe routines were embedded. Nonetheless, the CVE was filed and patches applied.

CVE¶

CVE-2013-4438

Patches¶

https://github.com/saltstack/salt/commit/339b0a51befae6b6b218ebcb55daa9cd3329a1c5

Found By¶

Michael Scherer, Red Hat

Failure to Drop Supplementary Group on Salt Master¶

If a salt master was started as a non-root user by the root user, root's groups would still be applied to the running process. This fix changes the process to have only the groups of the running user.

CVE¶

CVE not considered necessary by submitter.

Affected Versions¶

0.11.0 - 0.17.0

Patches¶

https://github.com/saltstack/salt/commit/b89fa9135822d029795ab1eecd68cce2d1ced715

Found By¶

Michael Scherer, Red Hat

Failure to Validate Minions Posting Data¶

This issue allowed a minion to pose as another authorized minion when posting data such as the mine data. All minions now pass through the id challenge before posting such data.

CVE¶

CVE-2013-4439

Affected Versions¶

0.15.0 - 0.17.0

Patches¶

https://github.com/saltstack/salt/commit/7b850ff3d07ef6782888914ac4556c01e8a1c482 https://github.com/saltstack/salt/commit/151759b2a1e1c6ce29277aa81b054219147f80fd

Found By¶

David Anderson

Fix Reference¶

Version 0.17.1 is the first bugfix release for 0.17.0. The changes include:

Salt 0.17.2 Release Notes¶

Version 0.17.2 is another bugfix release for 0.17.0. The changes include:

Salt 0.17.3 Release Notes¶

NOTE:
Version 0.17.3 is another bugfix release for 0.17.0. The changes include:

Salt 0.17.4 Release Notes¶

Version 0.17.4 is another bugfix release for 0.17.0. The changes include:

Salt 0.17.5 Release Notes¶

Version 0.17.5 is another bugfix release for 0.17.0. The changes include:

Salt 0.6.0 release notes¶

The Salt remote execution manager has reached initial functionality! Salt is a management application which can be used to execute commands on remote sets of servers. The whole idea behind Salt is to create a system where a group of servers can be remotely controlled from a single master, not only can commands be executed on remote systems, but salt can also be used to gather information about your server environment. Unlike similar systems, like Func and MCollective, Salt is extremely simple to setup and use, the entire application is contained in a single package, and the master and minion daemons require no running dependencies in the way that Func requires Certmaster and MCollective requires activeMQ. Salt also manages authentication and encryption. Rather than using SSL for encryption, salt manages encryption on a payload level, so the data sent across the network is encrypted with fast AES encryption, and authentication uses RSA keys. This means that Salt is fast, secure, and very efficient. Messaging in Salt is executed with ZeroMQ, so the message passing interface is built into salt and does not require an external ZeroMQ server. This also adds speed to Salt since there is no additional bloat on the networking layer, and ZeroMQ has already proven itself as a very fast networking system. The remote execution in Salt is "Lazy Execution", in that once the command is sent the requesting network connection is closed. This makes it easier to detach the execution from the calling process on the master, it also means that replies are cached, so that information gathered from historic commands can be queried in the future. Salt also allows users to make execution modules in Python. Writers of these modules should also be pleased to know that they have access to the impressive information gathered from PuppetLabs' Facter application, making Salt module more flexible. In the future I hope to also allow Salt to group servers based on Facter information as well. All in all Salt is fast, efficient and clean, can be used from a simple command line client or through an API, uses message queue technology to make network execution extremely fast, and encryption is handled in a very fast and efficient manner. Salt is also VERY easy to use and VERY easy to extend. You can find the source code for Salt on my GitHub page, I have also set up a few wiki pages explaining how to use and set up Salt. If you are using Arch Linux there is a package available in the Arch Linux AUR. Salt 0.6.0 Source: https://github.com/downloads/saltstack/salt/salt-0.6.0.tar.gz GitHub page: https://github.com/saltstack/salt Wiki: https://github.com/saltstack/salt/wiki Arch Linux Package: https://aur.archlinux.org/packages.php?ID=47512 I am very open to contributions, for instance I need packages for more Linux distributions as well as BSD packages and testers. Give Salt a try, this is the initial release and is not a 1.0 quality release, but it has been working well for me! I am eager to get your feedback!

Salt 0.7.0 release notes¶

I am pleased to announce the release of Salt 0.7.0! This release marks what is the first stable release of salt, 0.7.0 should be suitable for general use. 0.7.0 Brings the following new features to Salt:
0.7.0 Fixes the following major bugs:
The next release of Salt should see the following features:
Coming up next is a higher level management framework for salt called Butter. I want salt to stay as a simple and effective communication framework, and allow for more complicated executions to be managed via Butter. Right now Butter is being developed to act as a cloud controller using salt as the communication layer, but features like system monitoring and advanced configuration control (a puppet manager) are also in the pipe. Special thanks to Joseph Hall for the status and network modules, and thanks to Matthias Teege for tracking down some configuration bugs! Salt can be downloaded from the following locations; Source Tarball: https://github.com/downloads/saltstack/salt/salt-0.7.0.tar.gz Arch Linux Package: https://aur.archlinux.org/packages.php?ID=47512 Please enjoy the latest Salt release!

Salt 0.8.0 release notes¶

Salt 0.8.0 is ready for general consumption! The source tarball is available on GitHub for download: https://github.com/downloads/saltstack/salt/salt-0.8.0.tar.gz A lot of work has gone into salt since the last release just 2 weeks ago, and salt has improved a great deal. A swath of new features are here along with performance and threading improvements! The main new features of salt 0.8.0 are: Salt-cp Cython minion modules Dynamic returners Faster return handling Lowered required Python version to 2.6 Advanced minion threading Configurable minion modules

Salt-cp -¶

The salt-cp command introduces the ability to copy simple files via salt to targeted servers. Using salt-cp is very simple, just call salt-cp with a target specification, the source file(s) and where to copy the files on the minions. For instance: # salt-cp ‘*’ /etc/hosts /etc/hosts Will copy the local /etc/hosts file to all of the minions. Salt-cp is very young, in the future more advanced features will be added, and the functionality will much more closely resemble the cp command.

Cython minion modules -¶

Cython is an amazing tool used to compile Python modules down to c. This is arguably the fastest way to run Python code, and since pyzmq requires cython, adding support to salt for cython adds no new dependencies. Cython minion modules allow minion modules to be written in cython and therefore executed in compiled c. Simply write the salt module in cython and use the file extension “.pyx” and the minion module will be compiled when the minion is started. An example cython module is included in the main distribution called cytest.pyx: https://github.com/saltstack/salt/blob/develop/salt/modules/cytest.pyx

Dynamic Returners -¶

By default salt returns command data back to the salt master, but now salt can return command data to any system. This is enabled via the new returners modules feature for salt. The returners modules take the return data and sends it to a specific module. The returner modules work like minion modules, so any returner can be added to the minions. This means that a custom data returner can be added to communicate the return data so anything from MySQL, Redis, MongoDB and more! There are 2 simple stock returners in the returners directory: https://github.com/saltstack/salt/blob/develop/salt/returners The documentation on writing returners will be added to the wiki shortly, and returners can be written in pure Python, or in cython.

Configurable Minion Modules -¶

Minion modules may need to be configured, now the options passed to the minion configuration file can be accessed inside of the minion modules via the __opt__ dict. Information on how to use this simple addition has been added to the wiki: https://github.com/thatch45/salt/wiki/Writing-Salt-Modules The test module has an example of using the __opts__ dict, and how to set default options: https://github.com/saltstack/salt/blob/develop/salt/modules/test.py

Advanced Minion Threading:¶

In 0.7.0 the minion would block after receiving a command from the master, now the minion will spawn a thread or multiprocess. By default Python threads are used because for general use they have proved to be faster, but the minion can now be configured to use the Python multiprocessing module instead. Using multiprocessing will cause executions that are CPU bound or would otherwise exploit the negative aspects of the Python GIL to run faster and more reliably, but simple calls will still be faster with Python threading. The configuration option can be found in the minion configuration file: https://github.com/saltstack/salt/blob/develop/conf/minion Lowered Supported Python to 2.6 - The requirement for Python 2.7 has been removed to support Python 2.6. I have received requests to take the minimum Python version back to 2.4, but unfortunately this will not be possible, since the ZeroMQ Python bindings do not support Python 2.4. Salt 0.8.0 is a very major update, it also changes the network protocol slightly which makes communication with older salt daemons impossible, your master and minions need to be upgraded together! I could use some help bringing salt to the people! Right now I only have packages for Arch Linux, Fedora 14 and Gentoo. We need packages for Debian and people willing to help test on more platforms. We also need help writing more minion modules and returner modules. If you want to contribute to salt please hop on the mailing list and send in patches, make a fork on GitHub and send in pull requests! If you want to help but are not sure where you can, please email me directly or post tot he mailing list! I hope you enjoy salt, while it is not yet 1.0 salt is completely viable and usable! -Thomas S. Hatch

Salt 0.8.7 release notes¶

It has been a month since salt 0.8.0, and it has been a long month! But Salt is still coming along strong. 0.8.7 has a lot of changes and a lot of updates. This update makes Salt’s ZeroMQ back end better, strips Facter from the dependencies, and introduces interfaces to handle more capabilities. Many of the major updates are in the background, but the changes should shine through to the surface. A number of the new features are still a little thin, but the back end to support expansion is in place. I also recently gave a presentation to the Utah Python users group in Salt Lake City, the slides from this presentation are available here: https://github.com/downloads/saltstack/salt/Salt.pdf The video from this presentation will be available shortly. The major new features and changes in Salt 0.8.7 are:
The new ZeroMQ topology allows for better scalability, this will be required by the need to execute massive file transfers to multiple machines in parallel and state management. The new ZeroMQ topology is available in the aforementioned presentation. 0.8.7 introduces the capability to declare states, this is similar to the capabilities of Puppet. States in salt are declared via state data structures. This system is very young, but the core feature set is available. Salt states work around rendering files which represent Salt high data. More on the Salt state system will be documented in the near future. The system for loading salt modules has been pulled out of the minion class to be a standalone module, this has enabled more dynamic loading of Salt modules and enables many of the updates in 0.8.7 – https://github.com/saltstack/salt/blob/develop/salt/loader.py Salt Job ids are now microsecond precise, this was needed to repair a race condition unveiled by the speed improvements in the new ZeroMQ topology. The new grains interface replaces the functionality of Facter, the idea behind grains differs from Facter in that the grains are only used for static system data, dynamic data needs to be derived from a call to a salt module. This makes grains much faster to use, since the grains data is generated when the minion starts. Virtual salt modules allows for a salt module to be presented as something other than its module name. The idea here is that based on information from the minion decisions about which module should be presented can be made. The best example is the pacman module. The pacman module will only load on Arch Linux minions, and will be called pkg. Similarly the yum module will be presented as pkg when the minion starts on a Fedora/RedHat system. The new salt-call command allows for minion modules to be executed from the minion. This means that on the minion a salt module can be executed, this is a great tool for testing Salt modules. The salt-call command can also be used to view the grains data. In previous releases when a minion module threw an exception very little data was returned to the master. Now the stack trace from the failure is returned making debugging of minion modules MUCH easier. Salt is nearing the goal of 1.0, where the core feature set and capability is complete! Salt 0.8.7 can be downloaded from GitHub here: https://github.com/downloads/saltstack/salt/salt-0.8.7.tar.gz -Thomas S Hatch

Salt 0.8.8 release notes¶

Salt 0.8.8 is here! This release adds a great deal of code and some serious new features. The latest release can be downloaded here: https://github.com/downloads/saltstack/salt/salt-0.8.8.tar.gz Improved Documentation has been set up for salt using sphinx thanks to the efforts of Seth House. This new documentation system will act as the back end to the salt website which is still under heavy development. The new sphinx documentation system has also been used to greatly clean up the salt manpages. The salt 7 manpage in particular now contains extensive information which was previously only in the wiki. The new documentation can be found at: http://thatch45.github.com/salt-www/ We still have a lot to add, and when the domain is set up I will post another announcement. More additions have been made to the ZeroMQ setup, particularly in the realm of file transfers. Salt 0.8.8 introduces a built in, stateless, encrypted file server which allows salt minions to download files from the salt master using the same encryption system used for all other salt communications. The main motivation for the salt file server has been to facilitate the new salt state system. Much of the salt code has been cleaned up and a new cleaner logging system has been introduced thanks to the efforts of Pedro Algarvio. These additions will allow for much more flexible logging to be executed by salt, and fixed a great deal of my poor spelling in the salt docstrings! Pedro Algarvio has also cleaned up the API, making it easier to embed salt into another application. The biggest addition to salt found in 0.8.8 is the new state system. The salt module system has received a new front end which allows salt to be used as a configuration management system. The configuration management system allows for system configuration to be defined in data structures. The configuration management system, or as it is called in salt, the “salt state system” supports many of the features found in other configuration managers, but allows for system states to be written in a far simpler format, executes at blazing speeds, and operates via the salt minion matching system. The state system also operates within the normal scope of salt, and requires no additional configuration to use. The salt state system can enforce the following states with many more to come: Packages Files Services Executing commands Hosts The system used to define the salt states is based on a data structure, the data structure used to define the salt states has been made to be as easy to use as possible. The data structure is defined by default using a YAML file rendered via a Jinja template. This means that the state definition language supports all of the data structures that YAML supports, and all of the programming constructs and logic that Jinja supports. If the user does not like YAML or Jinja the states can be defined in yaml-mako, json-jinja, or json-mako. The system used to render the states is completely dynamic, and any rendering system can be added to the capabilities of Salt, this means that a rendering system that renders XML data in a cheetah template, or whatever you can imagine, can be easily added to the capabilities of salt. The salt state system also supports isolated environments, as well as matching code from several environments to a single salt minion. The feature base for Salt has grown quite a bit since my last serious documentation push. As we approach 0.9.0 the goals are becoming very clear, and the documentation needs a lot of work. The main goals for 0.9.0 are to further refine the state system, fix any bugs we find, get Salt running on as many platforms as we can, and get the documentation filled out. There is a lot more to come as Salt moves forward to encapsulate a much larger scope, while maintaining supreme usability and simplicity. If you would like a more complete overview of Salt please watch the Salt presentation: Flash Video: http://blip.tv/thomas-s-hatch/salt-0-8-7-presentation-5180182 OGV Video Download: http://blip.tv/file/get/Thatch45-Salt087Presentation416.ogv Slides: https://github.com/downloads/saltstack/salt/Salt.pdf -Thomas S Hatch

Salt 0.8.9 Release Notes¶

Salt 0.8.9 has finally arrived! Unfortunately this is much later than I had hoped to release 0.8.9, life has been very crazy over the last month. But despite challenges, Salt has moved forward! This release, as expected, adds few new features and many refinements. One of the most exciting aspect of this release is that the development community for salt has grown a great deal and much of the code is from contributors. Also, I have filled out the documentation a great deal. So information on States is properly documented, and much of the documentation that was out of date has been filled in.

Download!¶

The Salt source can be downloaded from the salt GitHub site: https://github.com/downloads/saltstack/salt/salt-0.8.9.tar.gz Or from PyPI: http://pypi.python.org/packages/source/s/salt/salt-0.8.9.tar.gz Here s the md5sum: 7d5aca4633bc22f59045f59e82f43b56 For instructions on how to set up Salt please see the installation instructions.

New Features¶

Salt Run¶

A big feature is the addition of Salt run, the salt-run command allows for master side execution modules to be made that gather specific information or execute custom routines from the master. Documentation for salt-run can be found here: http://saltstack.org/ref/runners.html

Refined Outputters¶

One problem often complained about in salt was the fact that the output was so messy. Thanks to help from Jeff Schroeder a cleaner interface for the command output for the Salt CLI has been made. This new interface makes adding new printout formats easy and additions to the capabilities of minion modules makes it possible to set the printout mode or outputter for functions in minion modules.

Cross Calling Salt Modules¶

Salt modules can now call each other, the __salt__ dict has been added to the predefined references in minion modules. This new feature is documented in the modules documentation: http://saltstack.org/ref/modules/index.html

Watch Option Added to Salt State System¶

Now in Salt states you can set the watch option, this will allow watch enabled states to change based on a change in the other defined states. This is similar to subscribe and notify statements in puppet.

Root Dir Option¶

Travis Cline has added the ability to define the option root_dir which allows the salt minion to operate in a subdir. This is a strong move in supporting the minion running as an unprivileged user

Config Files Defined in Variables¶

Thanks again to Travis Cline, the master and minion configuration file locations can be defined in environment variables now.

New Modules¶

Quite a few new modules, states, returners and runners have been made.

New Minion Modules¶

apt¶

Support for apt-get has been added, this adds greatly improved Debian and Ubuntu support to Salt!

useradd and groupadd¶

Support for manipulating users and groups on Unix-like systems.

moosefs¶

Initial support for reporting on aspects of the distributed file system, MooseFS. For more information on MooseFS please see: http://moosefs.org Thanks to Joseph Hall for his work on MooseFS support.

mount¶

Manage mounts and the fstab.

puppet¶

Execute puppet on remote systems.

shadow¶

Manipulate and manage the user password file.

ssh¶

Interact with ssh keys.

New States¶

user and group¶

Support for managing users and groups in Salt States.

mount¶

Enforce mounts and the fstab.

New Returners¶

mongo_return¶

Send the return information to a MongoDB server.

New Runners¶

manage¶

Display minions that are up or down.

Salt 0.9.0 Release Notes¶

Salt 0.9.0 is here. This is an exciting release, 0.9.0 includes the new network topology features allowing peer salt commands and masters of masters via the syndic interface. 0.9.0 also introduces many more modules, improvements to the API and improvements to the ZeroMQ systems.

Download!¶

The Salt source can be downloaded from the salt GitHub site: https://github.com/downloads/saltstack/salt/salt-0.9.0.tar.gz Or from PyPI: http://pypi.python.org/packages/source/s/salt/salt-0.9.0.tar.gz Here is the md5sum: 9a925da04981e65a0f237f2e77ddab37 For instructions on how to set up Salt please see the installation instructions.

New Features¶

Salt Syndic¶

The new Syndic interface allows a master to be commanded via another higher level salt master. This is a powerful solution allowing a master control structure to exist, allowing salt to scale to much larger levels then before.

Peer Communication¶

0.9.0 introduces the capability for a minion to call a publication on the master and receive the return from another set of minions. This allows salt to act as a communication channel between minions and as a general infrastructure message bus. Peer communication is turned off by default but can be enabled via the peer option in the master configuration file. Documentation on the new Peer interface.

Easily Extensible API¶

The minion and master classes have been redesigned to allow for specialized minion and master servers to be easily created. An example on how this is done for the master can be found in the master.py salt module: https://github.com/saltstack/salt/blob/develop/salt/master.py The Master class extends the SMaster class and set up the main master server. The minion functions can now also be easily added to another application via the SMinion class, this class can be found in the minion.py module: https://github.com/saltstack/salt/blob/develop/salt/minion.py

Cleaner Key Management¶

This release changes some of the key naming to allow for multiple master keys to be held based on the type of minion gathering the master key. The -d option has also been added to the salt-key command allowing for easy removal of accepted public keys. The --gen-keys option is now available as well for salt-key, this allows for a salt specific RSA key pair to be easily generated from the command line.

Improved 0MQ Master Workers¶

The 0MQ worker system has been further refined to be faster and more robust. This new system has been able to handle a much larger load than the previous setup. The new system uses the IPC protocol in 0MQ instead of TCP.

New Modules¶

Quite a few new modules have been made.

New Minion Modules¶

apache¶

Work directly with apache servers, great for managing balanced web servers

cron¶

Read out the contents of a systems crontabs

mdadm¶

Module to manage raid devices in Linux, appears as the raid module

mysql¶

Gather simple data from MySQL databases

ps¶

Extensive utilities for managing processes

publish¶

Used by the peer interface to allow minions to make publications

Salt 0.9.1 Release Notes¶

Salt 0.9.2 Release Notes¶

Salt 0.9.2 has arrived! 0.9.2 is primarily a bugfix release, the exciting component in 0.9.2 is greatly improved support for salt states. All of the salt states interfaces have been more thoroughly tested and the new salt-states git repo is growing with example of how to use states. This release introduces salt states for early developers and testers to start helping us clean up the states interface and make it ready for the world! 0.9.2 also fixes a number of bugs found on Python 2.6.

Download!¶

The Salt source can be downloaded from the salt GitHub site: https://github.com/downloads/saltstack/salt/salt-0.9.2.tar.gz Or from PyPI: http://pypi.python.org/packages/source/s/salt/salt-0.9.2.tar.gz For instructions on how to set up Salt please see the installation instructions.

New Features¶

Salt-Call Additions¶

The salt-call command has received an overhaul, it now hooks into the outputter system so command output looks clean, and the logging system has been hooked into salt-call, so the -l option allows the logging output from salt minion functions to be displayed. The end result is that the salt-call command can execute the state system and return clean output:

State System Fixes¶

The state system has been tested and better refined. As of this release the state system is ready for early testers to start playing with. If you are interested in working with the state system please check out the (still very small) salt-states GitHub repo: https://github.com/thatch45/salt-states This git repo is the active development branch for determining how a clean salt-state database should look and act. Since the salt state system is still very young a lot of help is still needed here. Please fork the salt-states repo and help us develop a truly large and scalable system for configuration management!

Notable Bug Fixes¶

Python 2.6 String Formatting¶

Python 2.6 does not support format strings without an index identifier, all of them have been repaired.

Cython Loading Disabled by Default¶

Cython loading requires a development tool chain to be installed on the minion, requiring this by default can cause problems for most Salt deployments. If Cython auto loading is desired it will need to be turned on in the minion config.

Salt 0.9.3 Release Notes¶

Salt 0.9.3 is finally arrived. This is another big step forward for Salt, new features range from proper FreeBSD support to fixing issues seen when attaching a minion to a master over the Internet. The biggest improvements in 0.9.3 though can be found in the state system, it has progressed from something ready for early testers to a system ready to compete with platforms such as Puppet and Chef. The backbone of the state system has been greatly refined and many new features are available.

Download!¶

The Salt source can be downloaded from the salt GitHub site: https://github.com/downloads/saltstack/salt/salt-0.9.3.tar.gz Or from PyPI: http://pypi.python.org/packages/source/s/salt/salt-0.9.3.tar.gz For instructions on how to set up Salt please see the installation instructions.

New Features¶

WAN Support¶

Recently more people have been testing Salt minions connecting to Salt Masters over the Internet. It was found that Minions would commonly loose their connection to the master when working over the internet. The minions can now detect if the connection has been lost and reconnect to the master, making WAN connections much more reliable.

State System Fixes¶

Substantial testing has gone into the state system and it is ready for real world usage. A great deal has been added to the documentation for states and the modules and functions available to states have been cleanly documented. A number of State System bugs have also been founds and repaired, the output from the state system has also been refined to be extremely clear and concise. Error reporting has also been introduced, issues found in sls files will now be clearly reported when executing Salt States.

Extend Declaration¶

The Salt States have also gained the extend declaration. This declaration allows for states to be cleanly modified in a post environment. Simply said, if there is an apache.sls file that declares the apache service, then another sls can include apache and then extend it:
The notable behavior with the extend functionality is that it literally extends or overwrites a declaration set up in another sls module. This means that Salt will behave as though the modifications were made directly to the apache sls. This ensures that the apache service in this example is directly tied to all requirements.

Highstate Structure Specification¶

This release comes with a clear specification of the Highstate data structure that is used to declare Salt States. This specification explains everything that can be declared in the Salt SLS modules. The specification is extremely simple, and illustrates how Salt has been able to fulfill the requirements of a central configuration manager within a simple and easy to understand format and specification.

SheBang Renderer Switch¶

It came to our attention that having many renderers means that there may be a situation where more than one State Renderer should be available within a single State Tree. The method chosen to accomplish this was something already familiar to developers and systems administrators, a SheBang. The Python State Renderer displays this new capability.

Python State Renderer¶

Until now Salt States could only be declared in yaml or json using Jinja or Mako. A new, very powerful, renderer has been added, making it possible to write Salt States in pure Python:
This renderer is used by making a run function that returns the Highstate data structure. Any capabilities of Python can be used in pure Python sls modules. This example of a pure Python sls module is the same as this example in yaml:

FreeBSD Support¶

Additional support has been added for FreeBSD, this is Salt's first branch out of the Linux world and proves the viability of Salt on non-Linux platforms. Salt remote execution already worked on FreeBSD, and should work without issue on any Unix-like platform. But this support comes in the form of package management and user support, so Salt States also work on FreeBSD now. The new freebsdpkg module provides package management support for FreeBSD and the new pw_user and pw_group provide user and group management.

Module and State Additions¶

Cron Support¶

Support for managing the system crontab has been added, declaring a cron state can be done easily:

File State Additions¶

The file state has been given a number of new features, primarily the directory, recurse, symlink and absent functions.

Sysctl Module and State¶

The sysctl module and state allows for sysctl components in the kernel to be managed easily. the sysctl module contains the following functions:
The sysctl state allows for sysctl parameters to be assigned:

Kernel Module Management¶

A module for managing Linux kernel modules has been added. The new functions are as follows:
The kmod state can enforce modules be either present or absent:

Ssh Authorized Keys¶

The ssh_auth state can distribute ssh authorized keys out to minions. Ssh authorized keys can be present or absent.

Salt 0.9.4 Release Notes¶

Salt 0.9.4 has arrived. This is a critical update that repairs a number of key bugs found in 0.9.3. But this update is not without feature additions as well! 0.9.4 adds support for Gentoo portage to the pkg module and state system. Also there are 2 major new state additions, the failhard option and the ability to set up finite state ordering with the order option. This release also sees our largest increase in community contributions. These contributors have and continue to be the life blood of the Salt project, and the team continues to grow. I want to put out a big thanks to our new and existing contributors.

Download!¶

The Salt source can be downloaded from the salt GitHub site: https://github.com/downloads/saltstack/salt/salt-0.9.4.tar.gz Or from PyPI: http://pypi.python.org/packages/source/s/salt/salt-0.9.4.tar.gz For instructions on how to set up Salt please see the installation instructions.

New Features¶

Failhard State Option¶

Normally, when a state fails Salt continues to execute the remainder of the defined states and will only refuse to execute states that require the failed state. But the situation may exist, where you would want all state execution to stop if a single state execution fails. The capability to do this is called failing hard.

State Level Failhard¶

A single state can have a failhard set, this means that if this individual state fails that all state execution will immediately stop. This is a great thing to do if there is a state that sets up a critical config file and setting a require for each state that reads the config would be cumbersome. A good example of this would be setting up a package manager early on:
In this situation, the yum repo is going to be configured before other states, and if it fails to lay down the config file, than no other states will be executed.

Global Failhard¶

It may be desired to have failhard be applied to every state that is executed, if this is the case, then failhard can be set in the master configuration file. Setting failhard in the master configuration file will result in failing hard when any minion gathering states from the master have a state fail. This is NOT the default behavior, normally Salt will only fail states that require a failed state. Using the global failhard is generally not recommended, since it can result in states not being executed or even checked. It can also be confusing to see states failhard if an admin is not actively aware that the failhard has been set. To use the global failhard set failhard: True in the master configuration

Finite Ordering of State Execution¶

When creating salt sls files, it is often important to ensure that they run in a specific order. While states will always execute in the same order, that order is not necessarily defined the way you want it. A few tools exist in Salt to set up the correct state ordering, these tools consist of requisite declarations and order options.

The Order Option¶

Before using the order option, remember that the majority of state ordering should be done with requisite statements, and that a requisite statement will override an order option. The order option is used by adding an order number to a state declaration with the option order:
By adding the order option to 1 this ensures that the vim package will be installed in tandem with any other state declaration set to the order 1. Any state declared without an order option will be executed after all states with order options are executed. But this construct can only handle ordering states from the beginning. Sometimes you may want to send a state to the end of the line, to do this set the order to last:
Substantial testing has gone into the state system and it is ready for real world usage. A great deal has been added to the documentation for states and the modules and functions available to states have been cleanly documented. A number of State System bugs have also been founds and repaired, the output from the state system has also been refined to be extremely clear and concise. Error reporting has also been introduced, issues found in sls files will now be clearly reported when executing Salt States.

Gentoo Support¶

Additional experimental support has been added for Gentoo. This is found in the contribution from Doug Renn, aka nestegg.

Salt 0.9.5 Release Notes¶

Salt 0.9.5 is one of the largest steps forward in the development of Salt. 0.9.5 comes with many milestones, this release has seen the community of developers grow out to an international team of 46 code contributors and has many feature additions, feature enhancements, bug fixes and speed improvements. WARNING:

Community¶

Nothing has proven to have more value to the development of Salt that the outstanding community that has been growing at such a great pace around Salt. This has proven not only that Salt has great value, but also the expandability of Salt is as exponential as I originally intended. 0.9.5 has received over 600 additional commits since 0.9.4 with a swath of new committers. The following individuals have contributed to the development of 0.9.5:
This makes 21 new developers since 0.9.4 was released! To keep up with the growing community follow Salt on Ohloh ( http://www.ohloh.net/p/salt), to join the Salt development community, fork Salt on Github, and get coding ( https://github.com/saltstack/salt)!

Major Features¶

SPEED! Pickle to msgpack¶

For a few months now we have been talking about moving away from Python pickles for network serialization, but a preferred serialization format had not yet been found. After an extensive performance testing period involving everything from JSON to protocol buffers, a clear winner emerged. Message Pack ( http://msgpack.org/) proved to not only be the fastest and most compact, but also the most "salt like". Message Pack is simple, and the code involved is very small. The msgpack library for Python has been added directly to Salt. This move introduces a few changes to Salt. First off, Salt is no longer a "noarch" package, since the msgpack lib is written in C. Salt 0.9.5 will also have compatibility issues with 0.9.4 with the default configuration. We have gone through great lengths to avoid backwards compatibility issues with Salt, but changing the serialization medium was going to create issues regardless. Salt 0.9.5 is somewhat backwards compatible with earlier minions. A 0.9.5 master can command older minions, but only if the serial config value in the master is set to pickle. This will tell the master to publish messages in pickle format and will allow the master to receive messages in both msgpack and pickle formats. Therefore the suggested methods for upgrading are either to just upgrade everything at once, or:
Since pickles can be used as a security exploit the ability for a master to accept pickles from minions at all will be removed in a future release.

C Bindings for YAML¶

All of the YAML rendering is now done with the YAML C bindings. This speeds up all of the sls files when running states.

Experimental Windows Support¶

David Boucha has worked tirelessly to bring initial support to Salt for Microsoft Windows operating systems. Right now the Salt Minion can run as a native Windows service and accept commands. In the weeks and months to come Windows will receive the full treatment and will have support for Salt States and more robust support for managing Windows systems. This is a big step forward for Salt to move entirely outside of the Unix world, and proves Salt is a viable cross platform solution. Big Thanks to Dave for his contribution here!

Dynamic Module Distribution¶

Many Salt users have expressed the desire to have Salt distribute in-house modules, states, renderers, returners, and grains. This support has been added in a number of ways:

Modules via States¶

Now when salt modules are deployed to a minion via the state system as a file, then the modules will be automatically loaded into the active running minion - no restart required - and into the active running state. So custom state modules can be deployed and used in the same state run.

Modules via Module Environment Directories¶

Under the file_roots each environment can now have directories that are used to deploy large groups of modules. These directories sync modules at the beginning of a state run on the minion, or can be manually synced via the Salt module salt.modules.saltutil.sync_all. The directories are named:
The modules are pushed to their respective scopes on the minions.

Module Reloading¶

Modules can now be reloaded without restarting the minion, this is done by calling the salt.modules.sys.reload_modules function. But wait, there's more! Now when a salt module of any type is added via states the modules will be automatically reloaded, allowing for modules to be laid down with states and then immediately used. Finally, all modules are reloaded when modules are dynamically distributed from the salt master.

Enable / Disable Added to Service¶

A great deal of demand has existed for adding the capability to set services to be started at boot in the service module. This feature also comes with an overhaul of the service modules and initial systemd support. This means that the service state can now accept - enable: True to make sure a service is enabled at boot, and - enable: False to make sure it is disabled.

Compound Target¶

A new target type has been added to the lineup, the compound target. In previous versions the desired minions could only be targeted via a single specific target type, but now many target specifications can be declared. These targets can also be separated by and/or operators, so certain properties can be used to omit a node:
will match all minions with ids starting with webserv via a glob and minions matching the os:Debian grain. Or minions that match the db.* regular expression.

Node Groups¶

Often the convenience of having a predefined group of minions to execute targets on is desired. This can be accomplished with the new nodegroups feature. Nodegroups allow for predefined compound targets to be declared in the master configuration file:
And then used via the -N option:

Minion Side Data Store¶

The data module introduces the initial approach into storing persistent data on the minions, specific to the minions. This allows for data to be stored on minions that can be accessed from the master or from the minion. The Minion datastore is young, and will eventually provide an interface similar to a more mature key/value pair server.

Major Grains Improvement¶

The Salt grains have been overhauled to include a massive amount of extra data. this includes hardware data, os data and salt specific data.

Salt -Q is Useful Now¶

In the past the salt query system, which would display the data from recent executions would be displayed in pure Python, and it was unreadable. 0.9.5 has added the outputter system to the -Q option, thus enabling the salt query system to return readable output.

Packaging Updates¶

Huge strides have been made in packaging Salt for distributions. These additions are thanks to our wonderful community where the work to set up packages has proceeded tirelessly.

FreeBSD¶

Salt on FreeBSD? There a port for that: http://www.freebsd.org/cgi/cvsweb.cgi/ports/sysutils/salt/pkg-descr This port was developed and added by Christer Edwards. This also marks the first time Salt has been included in an upstream packaging system!

Fedora and Red Hat Enterprise¶

Salt packages have been prepared for inclusion in the Fedora Project and in EPEL for Red Hat Enterprise 5 and 6. These packages are the result of the efforts made by Clint Savage (herlo).

Debian/Ubuntu¶

A team of many contributors have assisted in developing packages for Debian and Ubuntu. Salt is still actively seeking inclusion in upstream Debian and Ubuntu and the package data that has been prepared is being pushed through the needed channels for inclusion. These packages have been prepared with the help of:

More to Come¶

We are actively seeking inclusion in more distributions. Primarily getting Salt into Gentoo, SUSE, OpenBSD and preparing Solaris support are all turning into higher priorities.

Refinement¶

Salt continues to be refined into a faster, more stable and more usable application. 0.9.5 comes with more debug logging, more bug fixes and more complete support.

More Testing, More BugFixes¶

0.9.5 comes with more bugfixes due to more testing than any previous release. The growing community and the introduction a a dedicated QA environment have unearthed many issues that were hiding under the covers. This has further refined and cleaned the state interface, taking care of things from minor visual issues to repairing misleading data.

Custom Exceptions¶

A custom exception module has been added to throw salt specific exceptions. This allows Salt to give much more granular error information.

New Modules¶

data¶

The new data module manages a persistent datastore on the minion. Big thanks to bastichelaar for his help refining this module

freebsdkmod¶

FreeBSD kernel modules can now be managed in the same way Salt handles Linux kernel modules. This module was contributed thanks to the efforts of Christer Edwards

gentoo_service¶

Support has been added for managing services in Gentoo. Now Gentoo services can be started, stopped, restarted, enabled, disabled and viewed.

pip¶

The pip module introduces management for pip installed applications. Thanks goes to whitinge for the addition of the pip module

rh_service¶

The rh_service module enables Red Hat and Fedora specific service management. Now Red Hat like systems come with extensive management of the classic init system used by Red Hat

saltutil¶

The saltutil module has been added as a place to hold functions used in the maintenance and management of salt itself. Saltutil is used to salt the salt minion. The saltutil module is presently used only to sync extension modules from the master server.

systemd¶

Systemd support has been added to Salt, now systems using this next generation init system are supported on systems running systemd.

virtualenv¶

The virtualenv module has been added to allow salt to create virtual Python environments. Thanks goes to whitinge for the addition of the virtualenv module

win_disk¶

Support for gathering disk information on Microsoft Windows minions The windows modules come courtesy of Utah_Dave

win_service¶

The win_service module adds service support to Salt for Microsoft Windows services

win_useradd¶

Salt can now manage local users on Microsoft Windows Systems

yumpkg5¶

The yumpkg module introduces in 0.9.4 uses the yum API to interact with the yum package manager. Unfortunately, on Red Hat 5 systems salt does not have access to the yum API because the yum API is running under Python 2.4 and Salt needs to run under Python 2.6. The yumpkg5 module bypasses this issue by shelling out to yum on systems where the yum API is not available.

New States¶

mysql_database¶

The new mysql_database state adds the ability to systems running a mysql server to manage the existence of mysql databases. The mysql states are thanks to syphernl

mysql_user¶

The mysql_user state enables mysql user management.

virtualenv¶

The virtualenv state can manage the state of Python virtual environments. Thanks to Whitinge for the virtualenv state

New Returners¶

cassandra_returner¶

A returner allowing Salt to send data to a cassandra server. Thanks to Byron Clark for contributing this returner

Salt 0.9.6 Release Notes¶

Salt 0.9.6 is a release targeting a few bugs and changes. This is primarily targeting an issue found in the names declaration in the state system. But a few other bugs were also repaired, like missing support for grains in extmods. Due to a conflict in distribution packaging msgpack will no longer be bundled with Salt, and is required as a dependency.

New Features¶

HTTP and ftp support in files.managed¶

Now under the source option in the file.managed state a HTTP or ftp address can be used instead of a file located on the salt master.

Allow Multiple Returners¶

Now the returner interface can define multiple returners, and will also return data back to the master, making the process less ambiguous.

Minion Memory Improvements¶

A number of modules have been taken out of the minion if the underlying systems required by said modules are not present on the minion system. A number of other modules need to be stripped out in this same way which should continue to make the minion more efficient.

Minions Can Locally Cache Return Data¶

A new option, cache_jobs, has been added to the minion to allow for all of the historically run jobs to cache on the minion, allowing for looking up historic returns. By default cache_jobs is set to False.

Pure Python Template Support For file.managed¶

Templates in the file.managed state can now be defined in a Python script. This script needs to have a run function that returns the string that needs to be in the named file.

Salt 0.9.7 Release Notes¶

Salt 0.9.7 is here! The latest iteration of Salt brings more features and many fixes. This release is a great refinement over 0.9.6, adding many conveniences under the hood, as well as some features that make working with Salt much better. A few highlights include the new Job system, refinements to the requisite system in states, the mod_init interface for states, external node classification, search path to managed files in the file state, and refinements and additions to dynamic module loading. 0.9.7 also introduces the long developed (and oft changed) unit test framework and the initial unit tests.

Major Features¶

Salt Jobs Interface¶

The new jobs interface makes the management of running executions much cleaner and more transparent. Building on the existing execution framework the jobs system allows clear introspection into the active running state of the running Salt interface. The Jobs interface is centered in the new minion side proc system. The minions now store msgpack serialized files under /var/cache/salt/proc. These files keep track of the active state of processes on the minion.

Functions in the saltutil Module¶

A number of functions have been added to the saltutil module to manage and view the jobs: running - Returns the data of all running jobs that are found in the proc directory. find_job - Returns specific data about a certain job based on job id. signal_job - Allows for a given jid to be sent a signal. term_job - Sends a termination signal (SIGTERM, 15) to the process controlling the specified job. kill_job Sends a kill signal (SIGKILL, 9) to the process controlling the specified job.

The jobs Runner¶

A convenience runner front end and reporting system has been added as well. The jobs runner contains functions to make viewing data easier and cleaner. The jobs runner contains a number of functions...

active¶

The active function runs saltutil.running on all minions and formats the return data about all running jobs in a much more usable and compact format. The active function will also compare jobs that have returned and jobs that are still running, making it easier to see what systems have completed a job and what systems are still being waited on.

lookup_jid¶

When jobs are executed the return data is sent back to the master and cached. By default is is cached for 24 hours, but this can be configured via the keep_jobs option in the master configuration. Using the lookup_jid runner will display the same return data that the initial job invocation with the salt command would display.

list_jobs¶

Before finding a historic job, it may be required to find the job id. list_jobs will parse the cached execution data and display all of the job data for jobs that have already, or partially returned.

External Node Classification¶

Salt can now use external node classifiers like Cobbler's cobbler-ext-nodes. Salt uses specific data from the external node classifier. In particular the classes value denotes which sls modules to run, and the environment value sets to another environment. An external node classification can be set in the master configuration file via the external_nodes option: http://salt.readthedocs.org/en/latest/ref/configuration/master.html#external-nodes External nodes are loaded in addition to the top files. If it is intended to only use external nodes, do not deploy any top files.

State Mod Init System¶

An issue arose with the pkg state. Every time a package was run Salt would need to refresh the package database. This made systems with slower package metadata refresh speeds much slower to work with. To alleviate this issue the mod_init interface has been added to salt states. The mod_init interface is a function that can be added to a state file. This function is called with the first state called. In the case of the pkg state, the mod_init function sets up a tag which makes the package database only refresh on the first attempt to install a package. In a nutshell, the mod_init interface allows a state to run any command that only needs to be run once, or can be used to set up an environment for working with the state.

Source File Search Path¶

The file state continues to be refined, adding speed and capabilities. This release adds the ability to pass a list to the source option. This list is then iterated over until the source file is found, and the first found file is used. The new syntax looks like this:
The source option can take sources in the list from the salt file server as well as an arbitrary web source. If using an arbitrary web source the checksum needs to be passed as well for file verification.

Refinements to the Requisite System¶

A few discrepancies were still lingering in the requisite system, in particular, it was not possible to have a require and a watch requisite declared in the same state declaration. This issue has been alleviated, as well as making the requisite system run more quickly.

Initial Unit Testing Framework¶

Because of the module system, and the need to test real scenarios, the development of a viable unit testing system has been difficult, but unit testing has finally arrived. Only a small amount of unit testing coverage has been developed, much more coverage will be in place soon. A huge thanks goes out to those who have helped with unit testing, and the contributions that have been made to get us where we are. Without these contributions unit tests would still be in the dark.

Compound Targets Expanded¶

Originally only support for and and or were available in the compound target. 0.9.7 adds the capability to negate compound targets with not.

Nodegroups in the Top File¶

Previously the nodegroups defined in the master configuration file could not be used to match nodes for states. The nodegroups support has been expanded and the nodegroups defined in the master configuration can now be used to match minions in the top file.

Salt 0.9.8 Release Notes¶

Salt 0.9.8 is a big step forward, with many additions and enhancements, as well as a number of precursors to advanced future developments. This version of Salt adds much more power to the command line, making the old hard timeout issues a thing of the past and adds keyword argument support. These additions are also available in the salt client API, making the available API tools much more powerful. The new pillar system allows for data to be stored on the master and assigned to minions in a granular way similar to the state system. It also allows flexibility for users who want to keep data out of their state tree similar to 'external lookup' functionality in other tools. A new way to extend requisites was added, the "requisite in" statement. This makes adding requires or watch statements to external state decs much easier. Additions to requisites making them much more powerful have been added as well as improved error checking for sls files in the state system. A new provider system has been added to allow for redirecting what modules run in the background for individual states. Support for OpenSUSE has been added and support for Solaris has begun serious development. Windows support has been significantly enhanced as well. The matcher and target systems have received a great deal of attention. The default behavior of grain matching has changed slightly to reflect the rest of salt and the compound matcher system has been refined. A number of impressive features with keyword arguments have been added to both the CLI and to the state system. This makes states much more powerful and flexible while maintaining the simple configuration everyone loves. The new batch size capability allows for executions to be rolled through a group of targeted minions a percentage or specific number at a time. This was added to prevent the "thundering herd" problem when targeting large numbers of minions for things like service restarts or file downloads.

Upgrade Considerations¶

Upgrade Issues¶

There was a previously missed oversight which could cause a newer minion to crash an older master. That oversight has been resolved so the version incompatibility issue will no longer occur. When upgrading to 0.9.8 make sure to upgrade the master first, followed by the minions.

Debian/Ubuntu Packages¶

The original Debian/Ubuntu packages were called salt and included all salt applications. New packages in the ppa are split by function. If an old salt package is installed then it should be manually removed and the new split packages need to be freshly installed. On the master:
On the minions:
And on any Syndics:
The official Salt PPA for Ubuntu is located at: https://launchpad.net/~saltstack/+archive/salt

Major Features¶

Pillar¶

Pillar offers an interface to declare variable data on the master that is then assigned to the minions. The pillar data is made available to all modules, states, sls files etc. It is compiled on the master and is declared using the existing renderer system. This means that learning pillar should be fairly trivial to those already familiar with salt states.

CLI Additions¶

The salt command has received a serious overhaul and is more powerful than ever. Data is returned to the terminal as it is received, and the salt command will now wait for all running minions to return data before stopping. This makes adding very large --timeout arguments completely unnecessary and gets rid of long running operations returning empty {} when the timeout is exceeded. When calling salt via sudo, the user originally running salt is saved to the log for auditing purposes. This makes it easy to see who ran what by just looking through the minion logs. The salt-key command gained the -D and --delete-all arguments for removing all keys. Be careful with this one!

Running States Without a Master¶

The addition of running states without a salt-master has been added to 0.9.8. This feature allows for the unmodified salt state tree to be read locally from a minion. The result is that the UNMODIFIED state tree has just become portable, allowing minions to have a local copy of states or to manage states without a master entirely. This is accomplished via the new file client interface in Salt that allows for the salt:// URI to be redirected to custom interfaces. This means that there are now two interfaces for the salt file server, calling the master or looking in a local, minion defined file_roots. This new feature can be used by modifying the minion config to point to a local file_roots and setting the file_client option to local.

Keyword Arguments and States¶

State modules now accept the **kwargs argument. This results in all data in a sls file assigned to a state being made available to the state function. This passes data in a transparent way back to the modules executing the logic. In particular, this allows adding arguments to the pkg.install module that enable more advanced and granular controls with respect to what the state is capable of. An example of this along with the new debconf module for installing ldap client packages on Debian:

Keyword Arguments and the CLI¶

In the past it was required that all arguments be passed in the proper order to the salt and salt-call commands. As of 0.9.8, keyword arguments can be passed in the form of kwarg=argument.

Matcher Refinements and Changes¶

A number of fixes and changes have been applied to the Matcher system. The most noteworthy is the change in the grain matcher. The grain matcher used to use a regular expression to match the passed data to a grain, but now defaults to a shell glob like the majority of match interfaces in Salt. A new option is available that still uses the old style regex matching to grain data called grain-pcre. To use regex matching in compound matches use the letter P. For example, this would match any ArchLinux or Fedora minions:
And the associated compound matcher suitable for top.sls is P:
NOTE: Changing the grains matcher from pcre to glob is backwards incompatible. Support has been added for matching minions with Yahoo's range library. This is handled by passing range syntax with -R or --range arguments to salt. More information at: https://github.com/grierj/range/wiki/Introduction-to-Range-with-YAML-files

Requisite in¶

A new means to updating requisite statements has been added to make adding watchers and requires to external states easier. Before 0.9.8 the only way to extend the states that were watched by a state outside of the sls was to use an extend statement:
But the new Requisite in statement allows for easier extends for requisites:
Requisite in is part of the extend system, so still remember to always include the sls that is being extended!

Providers¶

Salt predetermines what modules should be mapped to what uses based on the properties of a system. These determinations are generally made for modules that provide things like package and service management. The apt module maps to pkg on Debian and the yum module maps to pkg on Fedora for instance. Sometimes in states, it may be necessary for a non-default module to be used for the desired functionality. For instance, an Arch Linux system may have been set up with systemd support. Instead of using the default service module detected for Arch Linux, the systemd module can be used:
Default providers can also be defined in the minion config file:
When default providers are passed in the minion config, then those providers will be applied to all functionality in Salt, this means that the functions called by the minion will use these modules, as well as states.

Requisite Glob Matching¶

Requisites can now be defined with glob expansion. This means that if there are many requisites, they can be defined on a single line. To watch all files in a directory:
This example will watch all defined files that match the glob /etc/http/conf.d/*

Batch Size¶

The new batch size option allows commands to be executed while maintaining that only so many hosts are executing the command at one time. This option can take a percentage or a finite number:
This will only run test.ping on 10 of the targeted minions at a time and then restart apache on 25% of the minions matching os:RedHat at a time and work through them all until the task is complete. This makes jobs like rolling web server restarts behind a load balancer or doing maintenance on BSD firewalls using carp much easier with salt.

Module Updates¶

This is a list of notable, but non-exhaustive updates with new and existing modules. Windows support has seen a flurry of support this release cycle. We've gained all new file, network, and shadow modules. Please note that these are still a work in progress. For our ruby users, new rvm and gem modules have been added along with the associated states The virt module gained basic Xen support. The yum module gained Scientific Linux support. The pkg module on Debian, Ubuntu, and derivatives force apt to run in a non-interactive mode. This prevents issues when package installation waits for confirmation. A pkg module for OpenSUSE's zypper was added. The service module on Ubuntu natively supports upstart. A new debconf module was contributed by our community for more advanced control over deb package deployments on Debian based distributions. The mysql.user state and mysql module gained a password_hash argument. The cmd module and state gained a shell keyword argument for specifying a shell other than /bin/sh on Linux / Unix systems. New git and mercurial modules have been added for fans of distributed version control.

In Progress Development¶

Master Side State Compiling¶

While we feel strongly that the advantages gained with minion side state compiling are very critical, it does prevent certain features that may be desired. 0.9.8 has support for initial master side state compiling, but many more components still need to be developed, it is hoped that these can be finished for 0.9.9. The goal is that states can be compiled on both the master and the minion allowing for compilation to be split between master and minion. Why will this be great? It will allow storing sensitive data on the master and sending it to some minions without all minions having access to it. This will be good for handling ssl certificates on front-end web servers for instance.

Solaris Support¶

Salt 0.9.8 sees the introduction of basic Solaris support. The daemon runs well, but grains and more of the modules need updating and testing.

Windows Support¶

Salt states on windows are now much more viable thanks to contributions from our community! States for file, service, local user, and local group management are more fully fleshed out along with network and disk modules. Windows users can also now manage registry entries using the new "reg" module.

Salt 0.9.9 Release Notes¶

0.9.9 is out and comes with some serious bug fixes and even more serious features. This release is the last major feature release before 1.0.0 and could be considered the 1.0.0 release candidate. A few updates include more advanced kwargs support, the ability for salt states to more safely configure a running salt minion, better job directory management and the new state test interface. Many new tests have been added as well, including the new minion swarm test that allows for easier testing of Salt working with large groups of minions. This means that if you have experienced stability issues with Salt before, particularly in larger deployments, that these bugs have been tested for, found, and killed.

Major Features¶

State Test Interface¶

Until 0.9.9 the only option when running states to see what was going to be changed was to print out the highstate with state.show_highstate and manually look it over. But now states can be run to discover what is going to be changed. Passing the option test=True to many of the state functions will now cause the salt state system to only check for what is going to be changed and report on those changes.
Now states that would have made changes report them back in yellow.

State Syntax Update¶

A shorthand syntax has been added to sls files, and it will be the default syntax in documentation going forward. The old syntax is still fully supported and will not be deprecated, but it is recommended to move to the new syntax in the future. This change moves the state function up into the state name using a dot notation. This is in-line with how state functions are generally referred to as well: The new way:

Use and Use_in Requisites¶

Two new requisite statements are available in 0.9.9. The use and use_in requisite and requisite-in allow for the transparent duplication of data between states. When a state "uses" another state it copies the other state's arguments as defaults. This was created in direct response to the new network state, and allows for many network interfaces to be configured in the same way easily. A simple example:
This makes the 2 lower state decs inherit the options from their respectively "used" state decs.

Network State¶

The new network state allows for the configuration of network devices via salt states and the ip salt module. This addition has been given to the project by Jeff Hutchins and Bret Palsson from Jive Communications. Currently the only network configuration backend available is for Red Hat based systems, like Red Hat Enterprise, CentOS, and Fedora.

Exponential Jobs¶

Originally the jobs executed were stored on the master in the format: <cachedir>/jobs/jid/{minion ids} But this format restricted the number of jobs in the cache to the number of subdirectories allowed on the filesystem. Ext3 for instance limits subdirectories to 32000. To combat this the new format for 0.9.9 is: <cachedir>/jobs/jid_hash[:2]/jid_hash[2:]/{minion ids} So that now the number of maximum jobs that can be run before the cleanup cycle hits the job directory is substantially higher.

ssh_auth Additions¶

The original ssh_auth state was limited to accepting only arguments to apply to a public key, and the key itself. This was restrictive due to the way the we learned that many people were using the state, so the key section has been expanded to accept options and arguments to the key that over ride arguments passed in the state. This gives substantial power to using ssh_auth with names:

LocalClient Additions¶

To follow up the recent additions in 0.9.8 of additional kwargs support, 0.9.9 also adds the capability to send kwargs into commands via a dict. This addition to the LocalClient api can be used like so:
This update has been added to all cmd methods in the LocalClient class.

Better Self Salting¶

One problem faced with running Salt states, is that it has been difficult to manage the Salt minion via states, this is due to the fact that if the minion is called to restart while a state run is happening then the state run would be killed. 0.9.9 slightly changes the process scope of the state runs, so now when salt is executing states it can safely restart the salt-minion daemon. In addition to daemonizing the state run, the apt module also daemonizes. This update makes it possible to cleanly update the salt-minion package on Debian/Ubuntu systems without leaving apt in an inconsistent state or killing the active minion process mid-execution.

Wildcards for SLS Modules¶

Now, when including sls modules in include statements or in the top file, shell globs can be used. This can greatly simplify listing matched sls modules in the top file and include statements:

External Pillar¶

Since the pillar data is just, data, it does not need to come expressly from the pillar interface. The external pillar system allows for hooks to be added making it possible to extract pillar data from any arbitrary external interface. The external pillar interface is configured via the ext_pillar option. Currently interfaces exist to gather external pillar data via hiera or via a shell command that sends yaml data to the terminal:
The initial external pillar interfaces and extra interfaces can be added to the file salt/pillar.py, it is planned to add more external pillar interfaces. If the need arises a new module loader interface will be created in the future to manage external pillar interfaces.

Single State Executions¶

The new state.single function allows for single states to be cleanly executed. This is a great tool for setting up a small group of states on a system or for testing out the behavior of single states:
The test interface functions here as well, so changes can also be tested against as:

New Tests¶

A few exciting new test interfaces have been added, the minion swarm allows not only testing of larger loads, but also allows users to see how Salt behaves with large groups of minions without having to create a large deployment.

Minion Swarm¶

The minion swarm test system allows for large groups of minions to be tested against easily without requiring large numbers of servers or virtual machines. The minion swarm creates as many minions as a system can handle and roots them in the /tmp directory and connects them to a master. The benefit here is that we were able to replicate issues that happen only when there are large numbers of minions. A number of elusive bugs which were causing stability issues in masters and minions have since been hunted down. Bugs that used to take careful watch by users over several days can now be reliably replicated in minutes, and fixed in minutes. Using the swarm is easy, make sure a master is up for the swarm to connect to, and then use the minionswarm.py script in the tests directory to spin up as many minions as you want. Remember, this is a fork bomb, don't spin up more than your hardware can handle!

Shell Tests¶

The new Shell testing system allows us to test the behavior of commands executed from a high level. This allows for the high level testing of salt runners and commands like salt-key.

Client Tests¶

Tests have been added to test the aspects of the client APIs and ensure that the client calls work, and that they manage passed data, in a desirable way.

Salt 2014.1.0 Release Notes - Codename Hydrogen¶

NOTE:

The 2014.1.0 release of Salt is a major release which not only increases stability but also brings new capabilities in virtualization, cloud integration, and more. This release brings a great focus on the expansion of testing making roughly double the coverage in the Salt tests, and comes with many new features. 2014.1.0 is the first release to follow the new date-based release naming system.

Major Features¶

Salt Cloud Merged into Salt¶

Salt Cloud is a tool for provisioning salted minions across various cloud providers. Prior to this release, Salt Cloud was a separate project but this marks its full integration with the Salt distribution. A Getting Started guide and additional documentation for Salt Cloud can be found here:

Google Compute Engine¶

Alongside Salt Cloud comes new support for the Google Compute Engine. Salt Stack can now deploy and control GCE virtual machines and the application stacks that they run. For more information on Salt Stack and GCE, please see this blog post. Documentation for Salt and GCE can be found here.

Salt Virt¶

Salt Virt is a cloud controller that supports virtual machine deployment, inspection, migration and integration with many aspects of Salt. Salt Virt has undergone a major overhaul with this release and now supports many more features and includes a number of critical improvements.

Docker Integration¶

Salt now ships with states and an execution module to manage Docker containers.

Substantial Testing Expansion¶

Salt continues to increase its unit/regression test coverage. This release includes over 300 new tests.

BSD Package Management¶

BSD package management has been entirely rewritten. FreeBSD 9 and older now default to using pkg_add, while FreeBSD 10 and newer will use pkgng. FreeBSD 9 can be forced to use pkgng, however, by specifying the following option in the minion config file:
In addition, support for installing software from the ports tree has been added. See the documentation for the ports state and execution module for more information.

Network Management for Debian/Ubuntu¶

Initial support for management of network interfaces on Debian-based distros has been added. See the documentation for the network state and the debian_ip for more information.

IPv6 Support for iptables State/Module¶

The iptables state and module now have IPv6 support. A new parameter family has been added to the states and execution functions, to distinguish between IPv4 and IPv6. The default value for this parameter is ipv4, specifying ipv6 will use ip6tables to manage firewall rules.

GitFS Improvements¶

Several performance improvements have been made to the Git fileserver backend. Additionally, file states can now use any any SHA1 commit hash as a fileserver environment:
This applies to the functions in the cp module as well:

MinionFS¶

This new fileserver backend allows files which have been pushed from the minion to the master (using cp.push) to be served up from the salt fileserver. The path for these files takes the following format:
minion-id is the id of the "source" minion, the one from which the files were pushed to the master. /path/to/file is the full path of the file. The MinionFS Walkthrough contains a more thorough example of how to use this backend.

saltenv¶

To distinguish between fileserver environments and execution functions which deal with environment variables, fileserver environments are now specified using the saltenv parameter. env will continue to work, but is deprecated and will be removed in a future release.

Grains Caching¶

A caching layer has been added to the Grains system, which can help speed up minion startup. Disabled by default, it can be enabled by setting the minion config option grains_cache:
If set to True, the grains loader will read from/write to a msgpack-serialized file containing the grains data. Additional command-line parameters have been added to salt-call, mainly for testing purposes:

Improved Command Logging Control¶

When using the cmd module, either on the CLI or when developing Salt execution modules, a new keyword argument output_loglevel allows for greater control over how (or even if) the command and its output are logged. For example:
The package management modules ( apt, yumpkg, etc.) have been updated to log the copious output generated from these commands at loglevel debug. NOTE:

PagerDuty Support¶

Initial support for firing events via PagerDuty has been added. See the documentation for the pagerduty module.

Virtual Terminal¶

Sometimes the subprocess module is not good enough, and, in fact, not even askpass is. This virtual terminal is still in it's infant childhood, needs quite some love, and was originally created to replace askpass, but, while developing it, it immediately proved that it could do so much more. It's currently used by salt-cloud when bootstrapping salt on clouds which require the use of a password. Proxy Minions¬ -------------¬ ¬ Initial basic support for Proxy Minions is in this release. Documentation can¬ be found here.⌴⌴¬ ¬ Proxy minions are a developing feature in Salt that enables control of¬ devices that cannot run a minion. Examples include network gear like switches¬ and routers that run a proprietary OS but offer an API, or "dumb"¬ devices that just don't have the horsepower or ability to handle a Python VM.¬ ¬ Proxy minions can be difficult to write, so a simple REST-based example proxy¬ is included. A Python bottle-based webserver can be found at⌴¬ http://github.com/cro/salt-proxy-rest as an endpoint for this proxy.¬ This is an ALPHA-quality feature. There are a number of issues with it currently, mostly centering around process control, logging, and inability to work in a masterless configuration.

Additional Bugfixes (Release Candidate Period)¶

Below are many of the fixes that were implemented in salt during the release candidate phase.

Salt 2014.1.1 Release Notes¶

Version 2014.1.1 is another bugfix release for 2014.1.0. The changes include:

Salt 2014.1.10 Release Notes¶

NOTE:
Version 2014.1.10 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.11 Release Notes¶

Version 2014.1.11 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.12 Release Notes¶

Version 2014.1.12 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.13 Release Notes¶

Version 2014.1.13 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.2 Release Notes¶

Version 2014.1.2 is another bugfix release for 2014.1.0. The changes include:

Salt 2014.1.2 Release Notes¶

Version 2014.1.3 is another bugfix release for 2014.1.0. It was created as a hotfix for a regression found in 2014.1.2, which was not distributed. The only change made was as follows:
Changes in the not-distributed 2014.1.2, also included in 2014.1.3:

Salt 2014.1.4 Release Notes¶

Version 2014.1.4 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.5 Release Notes¶

Version 2014.1.5 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.6 Release Notes¶

Version 2014.1.6 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.7 Release Notes¶

Version 2014.1.7 is another bugfix release for 2014.1.0. Changes include:
This release was a hotfix release for the regression listed above which was present in the 2014.1.6 release. The changes included in 2014.1.6 are listed below:

Salt 2014.1.8 Release Notes¶

NOTE:
Version 2014.1.8 is another bugfix release for 2014.1.0. Changes include:

Salt 2014.1.9 Release Notes¶

NOTE:
NOTE:
Version 2014.1.9 is another bugfix release for 2014.1.0. Changes include:
SEE ALSO:

AUTHOR¶

Thomas S. Hatch <thatch45@gmail.com> and many others, please see the Authors file

COPYRIGHT¶

2013 SaltStack, Inc.