mirror of
https://github.com/saltstack-formulas/salt-formula.git
synced 2024-12-25 09:16:09 +01:00
2761d90626
Remove commented version and associated comment, as we still have the same option earlier in config with an other valid comment.
1250 lines
50 KiB
Plaintext
1250 lines
50 KiB
Plaintext
# This file managed by Salt, do not edit by hand!!
|
|
# Based on salt version 2016.11 default config
|
|
#
|
|
{% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines', 'beacons', 'reactors'] -%}
|
|
{% set cfg_salt = pillar.get('salt', {}) -%}
|
|
{% set cfg_minion = cfg_salt.get('minion', {}) -%}
|
|
{% set default_keys = [] -%}
|
|
{%- macro get_config(configname, default_value) -%}
|
|
{%- do default_keys.append(configname) %}
|
|
{%- if configname in cfg_minion -%}
|
|
{{ configname }}: {{ cfg_minion[configname]|json }}
|
|
{%- elif configname in cfg_salt and configname not in reserved_keys -%}
|
|
{{ configname }}: {{ cfg_salt[configname]|json }}
|
|
{%- else -%}
|
|
#{{ configname }}: {{ default_value|json }}
|
|
{%- endif -%}
|
|
{%- endmacro -%}
|
|
{%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
|
|
|
|
##### Primary configuration settings #####
|
|
##########################################
|
|
# This configuration file is used to manage the behavior of the Salt Minion.
|
|
# With the exception of the location of the Salt Master Server, values that are
|
|
# commented out but have an empty line after the comment are defaults that need
|
|
# not be set in the config. If there is no blank line after the comment, the
|
|
# value is presented as an example and is not the default.
|
|
|
|
# Per default the minion will automatically include all config files
|
|
# from minion.d/*.conf (minion.d is a directory in the same directory
|
|
# as the main minion config file).
|
|
{{ get_config('default_include', 'minion.d/*.conf') }}
|
|
|
|
# Set the location of the salt master server. If the master server cannot be
|
|
# resolved, then the minion will fail to start.
|
|
{%- if 'master' in cfg_minion and cfg_minion['master'] is not string %}
|
|
master:
|
|
{% for name in cfg_minion['master'] -%}
|
|
- {{ name }}
|
|
{% endfor -%}
|
|
{%- else %}
|
|
{{ get_config('master', 'salt') }}
|
|
{%- endif %}
|
|
|
|
# Set http proxy information for the minion when doing requests
|
|
{% if 'proxy_host' in cfg_minion -%}
|
|
{%- do default_keys.append('proxy_host') %}
|
|
proxy_host: {{ cfg_minion['proxy_host'] }}
|
|
{% else -%}
|
|
#proxy_host:
|
|
{%- endif %}
|
|
{% if 'proxy_port' in cfg_minion -%}
|
|
{%- do default_keys.append('proxy_port') %}
|
|
proxy_port: {{ cfg_minion['proxy_port'] }}
|
|
{% else -%}
|
|
#proxy_port:
|
|
{%- endif %}
|
|
{% if 'proxy_username' in cfg_minion -%}
|
|
{%- do default_keys.append('proxy_username') %}
|
|
proxy_username: {{ cfg_minion['proxy_username'] }}
|
|
{% else -%}
|
|
#proxy_username:
|
|
{%- endif %}
|
|
{% if 'proxy_password' in cfg_minion -%}
|
|
{%- do default_keys.append('proxy_password') %}
|
|
proxy_password: {{ cfg_minion['proxy_password'] }}
|
|
{% else -%}
|
|
#proxy_password:
|
|
{%- endif %}
|
|
|
|
# If multiple masters are specified in the 'master' setting, the default behavior
|
|
# is to always try to connect to them in the order they are listed. If random_master is
|
|
# set to True, the order will be randomized instead. This can be helpful in distributing
|
|
# the load of many minions executing salt-call requests, for example, from a cron job.
|
|
# If only one master is listed, this setting is ignored and a warning will be logged.
|
|
# NOTE: If master_type is set to failover, use master_shuffle instead.
|
|
{{ get_config('random_master', 'False') }}
|
|
|
|
# Use if master_type is set to failover.
|
|
{{ get_config('master_shuffle', 'False') }}
|
|
|
|
# Minions can connect to multiple masters simultaneously (all masters
|
|
# are "hot"), or can be configured to failover if a master becomes
|
|
# unavailable. Multiple hot masters are configured by setting this
|
|
# value to "str". Failover masters can be requested by setting
|
|
# to "failover". MAKE SURE TO SET master_alive_interval if you are
|
|
# using failover.
|
|
# Setting master_type to 'disable' let's you have a running minion (with engines and
|
|
# beacons) without a master connection
|
|
{{ get_config('master_type', 'str') }}
|
|
|
|
# verify_master_pubkey_sign
|
|
{{ get_config('verify_master_pubkey_sign', 'False') }}
|
|
|
|
# Poll interval in seconds for checking if the master is still there. Only
|
|
# respected if master_type above is "failover". To disable the interval entirely,
|
|
# set the value to -1. (This may be necessary on machines which have high numbers
|
|
# of TCP connections, such as load balancers.)
|
|
{{ get_config('master_alive_interval', '30') }}
|
|
|
|
# If the minion is in multi-master mode and the master_type configuration option
|
|
# is set to "failover", this setting can be set to "True" to force the minion
|
|
# to fail back to the first master in the list if the first master is back online.
|
|
{{ get_config('master_fallback', 'False') }}
|
|
|
|
# If the minion is in multi-master mode, the "master_type" configuration is set to
|
|
# "failover", and the "master_failback" option is enabled, the master failback
|
|
# interval can be set to ping the top master with this interval, in seconds.
|
|
{{ get_config('master_fallback_interval', '0') }}
|
|
|
|
# Set whether the minion should connect to the master via IPv6:
|
|
{{ get_config('ipv6', 'False') }}
|
|
|
|
# Set the number of seconds to wait before attempting to resolve
|
|
# the master hostname if name resolution fails. Defaults to 30 seconds.
|
|
# Set to zero if the minion should shutdown and not retry.
|
|
{{ get_config('retry_dns', '30') }}
|
|
|
|
# Set the port used by the master reply and authentication server.
|
|
{{ get_config('master_port', '4506') }}
|
|
|
|
# The user to run salt.
|
|
{{ get_config('user', 'root') }}
|
|
|
|
# The user to run salt remote execution commands as via sudo. If this option is
|
|
# enabled then sudo will be used to change the active user executing the remote
|
|
# command. If enabled the user will need to be allowed access via the sudoers
|
|
# file for the user that the salt minion is configured to run as. The most
|
|
# common option would be to use the root user. If this option is set the user
|
|
# option should also be set to a non-root user. If migrating from a root minion
|
|
# to a non root minion the minion cache should be cleared and the minion pki
|
|
# directory will need to be changed to the ownership of the new user.
|
|
{{ get_config('sudo_user', 'saltdev') }}
|
|
|
|
# Specify the location of the daemon process ID file.
|
|
{{ get_config('pidfile', '/var/run/salt-minion.pid') }}
|
|
|
|
# The root directory prepended to these options: pki_dir, cachedir, log_file,
|
|
# sock_dir, pidfile.
|
|
{{ get_config('root_dir', '/') }}
|
|
|
|
# The path to the minion's configuration file.
|
|
{{ get_config('conf_file', '/etc/salt/minion') }}
|
|
|
|
# The directory to store the pki information in
|
|
{{ get_config('pki_dir', '/etc/salt/pki/minion') }}
|
|
|
|
# Explicitly declare the id for this minion to use, if left commented the id
|
|
# will be the hostname as returned by the python call: socket.getfqdn()
|
|
# Since salt uses detached ids it is possible to run multiple minions on the
|
|
# same machine but with different ids, this can be useful for salt compute
|
|
# clusters.
|
|
{% if 'id' in cfg_minion -%}
|
|
{%- do default_keys.append('id') %}
|
|
id: {{ cfg_minion['id'] }}
|
|
{% else -%}
|
|
#id:
|
|
{%- endif %}
|
|
|
|
# Cache the minion id to a file when the minion's id is not statically defined
|
|
# in the minion config. Defaults to "True". This setting prevents potential
|
|
# problems when automatic minion id resolution changes, which can cause the
|
|
# minion to lose connection with the master. To turn off minion id caching,
|
|
# set this config to ``False``.
|
|
{{ get_config('minion_id_caching', 'True') }}
|
|
|
|
# Append a domain to a hostname in the event that it does not exist. This is
|
|
# useful for systems where socket.getfqdn() does not actually result in a
|
|
# FQDN (for instance, Solaris).
|
|
{{ get_config('append_domain', '') }}
|
|
|
|
# Custom static grains for this minion can be specified here and used in SLS
|
|
# files just like all other grains. This example sets 4 custom grains, with
|
|
# the 'roles' grain having two values that can be matched against.
|
|
#grains:
|
|
# roles:
|
|
# - webserver
|
|
# - memcache
|
|
# deployment: datacenter4
|
|
# cabinet: 13
|
|
# cab_u: 14-15
|
|
{{ get_config('grains', '{}') }}
|
|
|
|
# Where cache data goes.
|
|
# This data may contain sensitive data and should be protected accordingly.
|
|
{{ get_config('cachedir', '/var/cache/salt/minion') }}
|
|
|
|
# Append minion_id to these directories. Helps with
|
|
# multiple proxies and minions running on the same machine.
|
|
# Allowed elements in the list: pki_dir, cachedir, extension_modules
|
|
# Normally not needed unless running several proxies and/or minions on the same machine
|
|
# Defaults to ['cachedir'] for proxies, [] (empty list) for regular minions
|
|
{% if 'append_minionid_config_dirs' in cfg_minion -%}
|
|
append_minionid_config_dirs:
|
|
{% for dir in cfg_minion['append_minionid_config_dirs'] -%}
|
|
- {{ dir }}
|
|
{% endfor -%}
|
|
{%- else %}
|
|
#append_minionid_config_dirs:
|
|
{%- endif %}
|
|
|
|
# Verify and set permissions on configuration directories at startup.
|
|
{{ get_config('verify_env', 'True') }}
|
|
|
|
# The minion can locally cache the return data from jobs sent to it, this
|
|
# can be a good way to keep track of jobs the minion has executed
|
|
# (on the minion side). By default this feature is disabled, to enable, set
|
|
# cache_jobs to True.
|
|
{{ get_config('cache_jobs', 'False') }}
|
|
|
|
# Set the directory used to hold unix sockets.
|
|
{{ get_config('sock_dir', '/var/run/salt/minion') }}
|
|
|
|
# Set the default outputter used by the salt-call command. The default is
|
|
# "nested".
|
|
{{ get_config('output', 'nested') }}
|
|
|
|
# By default output is colored. To disable colored output, set the color value
|
|
# to False.
|
|
{{ get_config('color', 'True') }}
|
|
|
|
# Do not strip off the colored output from nested results and state outputs
|
|
# (true by default).
|
|
{{ get_config('strip_colors', 'False') }}
|
|
|
|
# Backup files that are replaced by file.managed and file.recurse under
|
|
# 'cachedir'/file_backups relative to their original location and appended
|
|
# with a timestamp. The only valid setting is "minion". Disabled by default.
|
|
#
|
|
# Alternatively this can be specified for each file in state files:
|
|
# /etc/ssh/sshd_config:
|
|
# file.managed:
|
|
# - source: salt://ssh/sshd_config
|
|
# - backup: minion
|
|
#
|
|
{{ get_config('backup_mode', 'minion') }}
|
|
|
|
# When waiting for a master to accept the minion's public key, salt will
|
|
# continuously attempt to reconnect until successful. This is the time, in
|
|
# seconds, between those reconnection attempts.
|
|
{{ get_config('acceptance_wait_time', '10') }}
|
|
|
|
# If this is nonzero, the time between reconnection attempts will increase by
|
|
# acceptance_wait_time seconds per iteration, up to this maximum. If this is
|
|
# set to zero, the time between reconnection attempts will stay constant.
|
|
{{ get_config('acceptance_wait_time_max', '0') }}
|
|
|
|
# If the master rejects the minion's public key, retry instead of exiting.
|
|
# Rejected keys will be handled the same as waiting on acceptance.
|
|
{{ get_config('rejected_retry', 'False') }}
|
|
|
|
# When the master key changes, the minion will try to re-auth itself to receive
|
|
# the new master key. In larger environments this can cause a SYN flood on the
|
|
# master because all minions try to re-auth immediately. To prevent this and
|
|
# have a minion wait for a random amount of time, use this optional parameter.
|
|
# The wait-time will be a random number of seconds between 0 and the defined value.
|
|
{{ get_config('random_reauth_delay', '60') }}
|
|
|
|
# When waiting for a master to accept the minion's public key, salt will
|
|
# continuously attempt to reconnect until successful. This is the timeout value,
|
|
# in seconds, for each individual attempt. After this timeout expires, the minion
|
|
# will wait for acceptance_wait_time seconds before trying again. Unless your master
|
|
# is under unusually heavy load, this should be left at the default.
|
|
{{ get_config('auth_timeout', '60') }}
|
|
|
|
# Number of consecutive SaltReqTimeoutError that are acceptable when trying to
|
|
# authenticate.
|
|
{{ get_config('auth_tries', '7') }}
|
|
|
|
# The number of attempts to connect to a master before giving up.
|
|
# Set this to -1 for unlimited attempts. This allows for a master to have
|
|
# downtime and the minion to reconnect to it later when it comes back up.
|
|
# In 'failover' mode, it is the number of attempts for each set of masters.
|
|
# In this mode, it will cycle through the list of masters for each attempt.
|
|
#
|
|
# This is different than auth_tries because auth_tries attempts to
|
|
# retry auth attempts with a single master. auth_tries is under the
|
|
# assumption that you can connect to the master but not gain
|
|
# authorization from it. master_tries will still cycle through all
|
|
# the masters in a given try, so it is appropriate if you expect
|
|
# occasional downtime from the master(s).
|
|
{{ get_config('master_tries', '1') }}
|
|
|
|
# If authentication fails due to SaltReqTimeoutError during a ping_interval,
|
|
# cause sub minion process to restart.
|
|
{{ get_config('auth_safemode', 'False') }}
|
|
|
|
# Ping Master to ensure connection is alive (minutes).
|
|
{{ get_config('ping_interval', '0') }}
|
|
|
|
{%- if 'mine_functions' in cfg_minion %}
|
|
{%- do default_keys.append('mine_functions') %}
|
|
mine_functions:
|
|
{%- for func, args in cfg_minion['mine_functions'].items() %}
|
|
{{ func }}: {{ args }}
|
|
{%- endfor %}
|
|
{%- endif %}
|
|
|
|
|
|
# To auto recover minions if master changes IP address (DDNS)
|
|
# auth_tries: 10
|
|
# auth_safemode: False
|
|
# ping_interval: 90
|
|
#
|
|
# Minions won't know master is missing until a ping fails. After the ping fail,
|
|
# the minion will attempt authentication and likely fails out and cause a restart.
|
|
# When the minion restarts it will resolve the masters IP and attempt to reconnect.
|
|
|
|
# If you don't have any problems with syn-floods, don't bother with the
|
|
# three recon_* settings described below, just leave the defaults!
|
|
#
|
|
# The ZeroMQ pull-socket that binds to the masters publishing interface tries
|
|
# to reconnect immediately, if the socket is disconnected (for example if
|
|
# the master processes are restarted). In large setups this will have all
|
|
# minions reconnect immediately which might flood the master (the ZeroMQ-default
|
|
# is usually a 100ms delay). To prevent this, these three recon_* settings
|
|
# can be used.
|
|
# recon_default: the interval in milliseconds that the socket should wait before
|
|
# trying to reconnect to the master (1000ms = 1 second)
|
|
#
|
|
# recon_max: the maximum time a socket should wait. each interval the time to wait
|
|
# is calculated by doubling the previous time. if recon_max is reached,
|
|
# it starts again at recon_default. Short example:
|
|
#
|
|
# reconnect 1: the socket will wait 'recon_default' milliseconds
|
|
# reconnect 2: 'recon_default' * 2
|
|
# reconnect 3: ('recon_default' * 2) * 2
|
|
# reconnect 4: value from previous interval * 2
|
|
# reconnect 5: value from previous interval * 2
|
|
# reconnect x: if value >= recon_max, it starts again with recon_default
|
|
#
|
|
# recon_randomize: generate a random wait time on minion start. The wait time will
|
|
# be a random value between recon_default and recon_default +
|
|
# recon_max. Having all minions reconnect with the same recon_default
|
|
# and recon_max value kind of defeats the purpose of being able to
|
|
# change these settings. If all minions have the same values and your
|
|
# setup is quite large (several thousand minions), they will still
|
|
# flood the master. The desired behavior is to have timeframe within
|
|
# all minions try to reconnect.
|
|
#
|
|
# Example on how to use these settings. The goal: have all minions reconnect within a
|
|
# 60 second timeframe on a disconnect.
|
|
# recon_default: 1000
|
|
# recon_max: 59000
|
|
# recon_randomize: True
|
|
#
|
|
# Each minion will have a randomized reconnect value between 'recon_default'
|
|
# and 'recon_default + recon_max', which in this example means between 1000ms
|
|
# 60000ms (or between 1 and 60 seconds). The generated random-value will be
|
|
# doubled after each attempt to reconnect. Lets say the generated random
|
|
# value is 11 seconds (or 11000ms).
|
|
# reconnect 1: wait 11 seconds
|
|
# reconnect 2: wait 22 seconds
|
|
# reconnect 3: wait 33 seconds
|
|
# reconnect 4: wait 44 seconds
|
|
# reconnect 5: wait 55 seconds
|
|
# reconnect 6: wait time is bigger than 60 seconds (recon_default + recon_max)
|
|
# reconnect 7: wait 11 seconds
|
|
# reconnect 8: wait 22 seconds
|
|
# reconnect 9: wait 33 seconds
|
|
# reconnect x: etc.
|
|
#
|
|
# In a setup with ~6000 thousand hosts these settings would average the reconnects
|
|
# to about 100 per second and all hosts would be reconnected within 60 seconds.
|
|
{{ get_config('recon_default', '100') }}
|
|
{{ get_config('recon_max', '5000') }}
|
|
{{ get_config('recon_randomize', 'False') }}
|
|
|
|
# The loop_interval sets how long in seconds the minion will wait between
|
|
# evaluating the scheduler and running cleanup tasks. This defaults to 1
|
|
# second on the minion scheduler.
|
|
{{ get_config('loop_interval', '1') }}
|
|
|
|
|
|
# When using the scheduler at least one schedule needs to be
|
|
# defined. The user running the salt master will need read access to the repo.
|
|
{% if 'schedule' in cfg_minion -%}
|
|
{%- do default_keys.append('schedule') %}
|
|
schedule:
|
|
{%- for schedule in cfg_minion['schedule'] %}
|
|
{%- if schedule is iterable and schedule is not string %}
|
|
{%- for name, children in schedule.items() %}
|
|
{{ name }}:
|
|
{%- for child in children %}
|
|
{%- for key, value in child.items() %}
|
|
{{ key }}: {{ value }}
|
|
{%- endfor -%}
|
|
{%- endfor -%}
|
|
{%- endfor -%}
|
|
{%- endif -%}
|
|
{%- endfor -%}
|
|
{%- endif %}
|
|
|
|
|
|
# Some installations choose to start all job returns in a cache or a returner
|
|
# and forgo sending the results back to a master. In this workflow, jobs
|
|
# are most often executed with --async from the Salt CLI and then results
|
|
# are evaluated by examining job caches on the minions or any configured returners.
|
|
# WARNING: Setting this to False will **disable** returns back to the master.
|
|
{{ get_config('pub_ret', 'True') }}
|
|
|
|
|
|
# The grains can be merged, instead of overridden, using this option.
|
|
# This allows custom grains to defined different subvalues of a dictionary
|
|
# grain. By default this feature is disabled, to enable set grains_deep_merge
|
|
# to ``True``.
|
|
{{ get_config('grains_deep_merge', 'False') }}
|
|
|
|
# The grains_refresh_every setting allows for a minion to periodically check
|
|
# its grains to see if they have changed and, if so, to inform the master
|
|
# of the new grains. This operation is moderately expensive, therefore
|
|
# care should be taken not to set this value too low.
|
|
#
|
|
# Note: This value is expressed in __minutes__!
|
|
#
|
|
# A value of 10 minutes is a reasonable default.
|
|
#
|
|
# If the value is set to zero, this check is disabled.
|
|
{{ get_config('grains_refresh_every', '1') }}
|
|
|
|
# Cache grains on the minion. Default is False.
|
|
{{ get_config('grains_cache', 'False') }}
|
|
|
|
# Cache rendered pillar data on the minion. Default is False.
|
|
# This may cause 'cachedir'/pillar to contain sensitive data that should be
|
|
# protected accordingly.
|
|
{{ get_config('minion_pillar_cache', 'False') }}
|
|
|
|
# Grains cache expiration, in seconds. If the cache file is older than this
|
|
# number of seconds then the grains cache will be dumped and fully re-populated
|
|
# with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache'
|
|
# is not enabled.
|
|
{{ get_config('grains_cache_expiration', '300') }}
|
|
|
|
# Determines whether or not the salt minion should run scheduled mine updates.
|
|
# Defaults to "True". Set to "False" to disable the scheduled mine updates
|
|
# (this essentially just does not add the mine update function to the minion's
|
|
# scheduler).
|
|
{{ get_config('mine_enabled', 'True') }}
|
|
|
|
# Determines whether or not scheduled mine updates should be accompanied by a job
|
|
# return for the job cache. Defaults to "False". Set to "True" to include job
|
|
# returns in the job cache for mine updates.
|
|
{{ get_config('mine_return_job', 'False') }}
|
|
|
|
# Example functions that can be run via the mine facility
|
|
# NO mine functions are established by default.
|
|
# Note these can be defined in the minion's pillar as well.
|
|
#mine_functions:
|
|
# test.ping: []
|
|
# network.ip_addrs:
|
|
# interface: eth0
|
|
# cidr: '10.0.0.0/8'
|
|
|
|
# Windows platforms lack posix IPC and must rely on slower TCP based inter-
|
|
# process communications. Set ipc_mode to 'tcp' on such systems
|
|
{{ get_config('ipc_mode', 'ipc') }}
|
|
|
|
# Overwrite the default tcp ports used by the minion when in tcp mode
|
|
{{ get_config('tcp_pub_port', '4510') }}
|
|
{{ get_config('tcp_pull_port', '4511') }}
|
|
|
|
# Passing very large events can cause the minion to consume large amounts of
|
|
# memory. This value tunes the maximum size of a message allowed onto the
|
|
# minion event bus. The value is expressed in bytes.
|
|
{{ get_config('max_event_size', '1048576') }}
|
|
|
|
# The minion can include configuration from other files. To enable this,
|
|
# pass a list of paths to this option. The paths can be either relative or
|
|
# absolute; if relative, they are considered to be relative to the directory
|
|
# the main minion configuration file lives in (this file). Paths can make use
|
|
# of shell-style globbing. If no files are matched by a path passed to this
|
|
# option then the minion will log a warning message.
|
|
#
|
|
# Include a config file from some other path:
|
|
{% if 'include' in cfg_minion -%}
|
|
{% do default_keys.append('include') -%}
|
|
{% if cfg_minion['include'] is iterable and cfg_minion['include'] is not string -%}
|
|
include:
|
|
{%- for include in cfg_minion['include'] %}
|
|
- {{ include }}
|
|
{%- endfor -%}
|
|
{% else -%}
|
|
include: {{ cfg_minion['include'] }}
|
|
{%- endif -%}
|
|
{% elif 'include' in cfg_salt -%}
|
|
{% if cfg_salt['include'] is iterable and cfg_salt['include'] is not string -%}
|
|
include:
|
|
{%- for include in cfg_salt['include'] %}
|
|
- {{ include }}
|
|
{%- endfor -%}
|
|
{% else -%}
|
|
include: {{ cfg_salt['include'] }}
|
|
{%- endif -%}
|
|
{% endif %}
|
|
|
|
# The syndic minion can verify that it is talking to the correct master via the
|
|
# key fingerprint of the higher-level master with the "syndic_finger" config.
|
|
{{ get_config('syndic_finger', '') }}
|
|
|
|
|
|
##### Minion module management #####
|
|
##########################################
|
|
# Disable specific modules. This allows the admin to limit the level of
|
|
# access the master has to the minion. The default here is the empty list,
|
|
# below is an example of how this needs to be formatted in the config file
|
|
#disable_modules:
|
|
# - cmdmod
|
|
# - test
|
|
#disable_returners: []
|
|
{{ get_config('disable_modules', '[]') }}
|
|
{{ get_config('disable_returners', '[]') }}
|
|
|
|
# This is the reverse of disable_modules. The default, like disable_modules, is the empty list,
|
|
# but if this option is set to *anything* then *only* those modules will load.
|
|
# Note that this is a very large hammer and it can be quite difficult to keep the minion working
|
|
# the way you think it should since Salt uses many modules internally itself. At a bare minimum
|
|
# you need the following enabled or else the minion won't start.
|
|
#whitelist_modules:
|
|
# - cmdmod
|
|
# - test
|
|
# - config
|
|
{{ get_config('whitelist_modules', '[]') }}
|
|
|
|
# Modules can be loaded from arbitrary paths. This enables the easy deployment
|
|
# of third party modules. Modules for returners and minions can be loaded.
|
|
# Specify a list of extra directories to search for minion modules and
|
|
# returners. These paths must be fully qualified!
|
|
{{ get_config('module_dirs', '[]') }}
|
|
{{ get_config('returner_dirs', '[]') }}
|
|
{{ get_config('states_dirs', '[]') }}
|
|
{{ get_config('render_dirs', '[]') }}
|
|
{{ get_config('utils_dirs', '[]') }}
|
|
|
|
# A module provider can be statically overwritten or extended for the minion
|
|
# via the providers option, in this case the default module will be
|
|
# overwritten by the specified module. In this example the pkg module will
|
|
# be provided by the yumpkg5 module instead of the system default.
|
|
#providers:
|
|
# pkg: yumpkg5
|
|
{{ get_config('providers', '{}') }}
|
|
|
|
# Enable Cython modules searching and loading. (Default: False)
|
|
{{ get_config('cython_enable', 'False') }}
|
|
|
|
# Specify a max size (in bytes) for modules on import. This feature is currently
|
|
# only supported on *nix operating systems and requires psutil.
|
|
{{ get_config('modules_max_memory', '-1') }}
|
|
|
|
##### State Management Settings #####
|
|
###########################################
|
|
# The state management system executes all of the state templates on the minion
|
|
# to enable more granular control of system state management. The type of
|
|
# template and serialization used for state management needs to be configured
|
|
# on the minion, the default renderer is yaml_jinja. This is a yaml file
|
|
# rendered from a jinja template, the available options are:
|
|
# yaml_jinja
|
|
# yaml_mako
|
|
# yaml_wempy
|
|
# json_jinja
|
|
# json_mako
|
|
# json_wempy
|
|
#
|
|
{{ get_config('renderer', 'yaml_jinja') }}
|
|
|
|
# The failhard option tells the minions to stop immediately after the first
|
|
# failure detected in the state execution. Defaults to False.
|
|
{{ get_config('failhard', 'False') }}
|
|
|
|
# Reload the modules prior to a highstate run.
|
|
{{ get_config('autoload_dynamic_modules', 'True') }}
|
|
|
|
# clean_dynamic_modules keeps the dynamic modules on the minion in sync with
|
|
# the dynamic modules on the master, this means that if a dynamic module is
|
|
# not on the master it will be deleted from the minion. By default, this is
|
|
# enabled and can be disabled by changing this value to False.
|
|
{{ get_config('clean_dynamic_modules', 'True') }}
|
|
|
|
# Normally, the minion is not isolated to any single environment on the master
|
|
# when running states, but the environment can be isolated on the minion side
|
|
# by statically setting it. Remember that the recommended way to manage
|
|
# environments is to isolate via the top file.
|
|
{{ get_config('environment', 'None') }}
|
|
#
|
|
# Isolates the pillar environment on the minion side. This functions the same
|
|
# as the environment setting, but for pillar instead of states.
|
|
{{ get_config('pillarenv', 'None') }}
|
|
#
|
|
# Set this option to 'True' to force a 'KeyError' to be raised whenever an
|
|
# attempt to retrieve a named value from pillar fails. When this option is set
|
|
# to 'False', the failed attempt returns an empty string. Default is 'False'.
|
|
{{ get_config('pillar_raise_on_missing', 'False') }}
|
|
#
|
|
# If using the local file directory, then the state top file name needs to be
|
|
# defined, by default this is top.sls.
|
|
{{ get_config('state_top', 'top.sls') }}
|
|
|
|
# Run states when the minion daemon starts. To enable, set startup_states to:
|
|
# 'highstate' -- Execute state.highstate
|
|
# 'sls' -- Read in the sls_list option and execute the named sls files
|
|
# 'top' -- Read top_file option and execute based on that file on the Master
|
|
{{ get_config('startup_states', "''") }}
|
|
|
|
# List of states to run when the minion starts up if startup_states is 'sls':
|
|
#sls_list:
|
|
# - edit.vim
|
|
# - hyper
|
|
{{ get_config('sls_list', '[]') }}
|
|
|
|
# Top file to execute if startup_states is 'top':
|
|
{{ get_config('top_file', "''") }}
|
|
|
|
# Automatically aggregate all states that have support for mod_aggregate by
|
|
# setting to True. Or pass a list of state module names to automatically
|
|
# aggregate just those types.
|
|
#
|
|
# state_aggregate:
|
|
# - pkg
|
|
#
|
|
#state_aggregate: False
|
|
{{ get_config('state_aggregate', '{}') }}
|
|
|
|
##### File Directory Settings #####
|
|
##########################################
|
|
# The Salt Minion can redirect all file server operations to a local directory,
|
|
# this allows for the same state tree that is on the master to be used if
|
|
# copied completely onto the minion. This is a literal copy of the settings on
|
|
# the master but used to reference a local directory on the minion.
|
|
|
|
# Set the file client. The client defaults to looking on the master server for
|
|
# files, but can be directed to look at the local file directory setting
|
|
# defined below by setting it to "local". Setting a local file_client runs the
|
|
# minion in masterless mode.
|
|
{%- if standalone %}
|
|
file_client: local
|
|
{%- else %}
|
|
{{ get_config('file_client', 'remote') }}
|
|
{%- endif %}
|
|
|
|
# The file directory works on environments passed to the minion, each environment
|
|
# can have multiple root directories, the subdirectories in the multiple file
|
|
# roots cannot match, otherwise the downloaded files will not be able to be
|
|
# reliably ensured. A base environment is required to house the top file.
|
|
# Example:
|
|
# file_roots:
|
|
# base:
|
|
# - /srv/salt/
|
|
# dev:
|
|
# - /srv/salt/dev/services
|
|
# - /srv/salt/dev/states
|
|
# prod:
|
|
# - /srv/salt/prod/services
|
|
# - /srv/salt/prod/states
|
|
{% if 'file_roots' in cfg_minion -%}
|
|
{%- do default_keys.append('file_roots') %}
|
|
{{ file_roots(cfg_minion['file_roots']) }}
|
|
{%- elif 'file_roots' in cfg_salt -%}
|
|
{{ file_roots(cfg_salt['file_roots']) }}
|
|
{%- elif formulas|length -%}
|
|
{{ file_roots({'base': ['/srv/salt']}) }}
|
|
{%- else -%}
|
|
#file_roots:
|
|
# base:
|
|
# - /srv/salt
|
|
{%- endif %}
|
|
|
|
# Uncomment the line below if you do not want the file_server to follow
|
|
# symlinks when walking the filesystem tree. This is set to True
|
|
# by default. Currently this only applies to the default roots
|
|
# fileserver_backend.
|
|
{{ get_config('fileserver_followsymlinks', 'True') }}
|
|
#
|
|
# Uncomment the line below if you do not want symlinks to be
|
|
# treated as the files they are pointing to. By default this is set to
|
|
# False. By uncommenting the line below, any detected symlink while listing
|
|
# files on the Master will not be returned to the Minion.
|
|
{{ get_config('fileserver_ignoresymlinks', 'False') }}
|
|
#
|
|
# To use multiple backends list them in the order they are searched:
|
|
#fileserver_backend:
|
|
# - git
|
|
# - roots
|
|
{% if 'fileserver_backend' in cfg_minion -%}
|
|
{%- do default_keys.append('fileserver_backend') %}
|
|
fileserver_backend:
|
|
{%- for backend in cfg_minion['fileserver_backend'] %}
|
|
- {{ backend }}
|
|
{%- endfor -%}
|
|
{%- endif %}
|
|
|
|
# By default, the Salt fileserver recurses fully into all defined environments
|
|
# to attempt to find files. To limit this behavior so that the fileserver only
|
|
# traverses directories with SLS files and special Salt directories like _modules,
|
|
# enable the option below. This might be useful for installations where a file root
|
|
# has a very large number of files and performance is negatively impacted. Default
|
|
# is False.
|
|
{{ get_config('fileserver_limit_traversal', 'False') }}
|
|
|
|
# The hash_type is the hash to use when discovering the hash of a file on
|
|
# the local fileserver. The default is md5, but sha1, sha224, sha256, sha384
|
|
# and sha512 are also supported.
|
|
#
|
|
# WARNING: While md5 and sha1 are also supported, do not use it due to the high chance
|
|
# of possible collisions and thus security breach.
|
|
#
|
|
# Warning: Prior to changing this value, the minion should be stopped and all
|
|
# Salt caches should be cleared.
|
|
{{ get_config('hash_type', 'md5') }}
|
|
|
|
# gitfs provider
|
|
{{ get_config('gitfs_provider', 'pygit2') }}
|
|
|
|
# Along with gitfs_password, is used to authenticate to HTTPS remotes.
|
|
{{ get_config('gitfs_user', 'git') }}
|
|
|
|
# Along with gitfs_user, is used to authenticate to HTTPS remotes.
|
|
# This parameter is not required if the repository does not use authentication.
|
|
{{ get_config('gitfs_password', '') }}
|
|
|
|
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
|
|
# This parameter enables authentication over HTTP. Enable this at your own risk.
|
|
{{ get_config('gitfs_insecure_auth', 'False') }}
|
|
|
|
# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
|
|
# authenticate to SSH remotes. This parameter (or its per-remote counterpart)
|
|
# is required for SSH remotes.
|
|
{{ get_config('gitfs_pubkey', '') }}
|
|
|
|
# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
|
|
# authenticate to SSH remotes. This parameter (or its per-remote counterpart)
|
|
# is required for SSH remotes.
|
|
{{ get_config('gitfs_privkey', '') }}
|
|
|
|
# This parameter is optional, required only when the SSH key being used to
|
|
# authenticate is protected by a passphrase.
|
|
{{ get_config('gitfs_passphrase', '') }}
|
|
# When using the git fileserver backend at least one git remote needs to be
|
|
# defined. The user running the salt master will need read access to the repo.
|
|
#
|
|
# The repos will be searched in order to find the file requested by a client
|
|
# and the first repo to have the file will return it.
|
|
# When using the git backend branches and tags are translated into salt
|
|
# environments.
|
|
# Note: file:// repos will be treated as a remote, so refs you want used must
|
|
# exist in that repo as *local* refs.
|
|
{% if 'gitfs_remotes' in cfg_minion -%}
|
|
{%- do default_keys.append('gitfs_remotes') %}
|
|
gitfs_remotes:
|
|
{%- for remote in cfg_minion['gitfs_remotes'] %}
|
|
{%- if remote is iterable and remote is not string %}
|
|
{%- for repo, children in remote.items() %}
|
|
- {{ repo }}:
|
|
{%- for child in children %}
|
|
{%- for key, value in child.items() %}
|
|
- {{ key }}: {{ value }}
|
|
{%- endfor -%}
|
|
{%- endfor -%}
|
|
{%- endfor -%}
|
|
{%- else %}
|
|
- {{ remote }}
|
|
{%- endif -%}
|
|
{%- endfor -%}
|
|
{%- endif %}
|
|
|
|
# The gitfs_ssl_verify option specifies whether to ignore ssl certificate
|
|
# errors when contacting the gitfs backend. You might want to set this to
|
|
# false if you're using a git backend that uses a self-signed certificate but
|
|
# keep in mind that setting this flag to anything other than the default of True
|
|
# is a security concern, you may want to try using the ssh transport.
|
|
{{ get_config('gitfs_ssl_verify', 'True') }}
|
|
|
|
# The gitfs_root option gives the ability to serve files from a subdirectory
|
|
# within the repository. The path is defined relative to the root of the
|
|
# repository and defaults to the repository root.
|
|
{{ get_config('gitfs_root', 'somefolder/otherfolder') }}
|
|
|
|
# The gitfs_env_whitelist and gitfs_env_blacklist parameters allow for greater
|
|
# control over which branches/tags are exposed as fileserver environments.
|
|
{% if 'gitfs_env_whitelist' in cfg_minion -%}
|
|
{%- do default_keys.append('gitfs_env_whitelist') %}
|
|
gitfs_env_whitelist:
|
|
{%- for git_env in cfg_minion['gitfs_env_whitelist'] %}
|
|
- {{ git_env }}
|
|
{%- endfor -%}
|
|
{% else -%}
|
|
# gitfs_env_whitelist:
|
|
# - base
|
|
# - v1.*
|
|
{% endif %}
|
|
|
|
{% if 'gitfs_env_blacklist' in cfg_minion -%}
|
|
{%- do default_keys.append('gitfs_env_blacklist') %}
|
|
gitfs_env_blacklist:
|
|
{%- for git_env in cfg_minion['gitfs_env_blacklist'] %}
|
|
- {{ git_env }}
|
|
{%- endfor -%}
|
|
{% else -%}
|
|
# gitfs_env_blacklist:
|
|
# - bug/*
|
|
# - feature/*
|
|
{% endif %}
|
|
|
|
##### Pillar settings #####
|
|
##########################################
|
|
# The Salt pillar is searched for locally if file_client is set to local. If
|
|
# this is the case, and pillar data is defined, then the pillar_roots need to
|
|
# also be configured on the minion:
|
|
{% if 'pillar_roots' in cfg_minion -%}
|
|
{%- do default_keys.append('pillar_roots') %}
|
|
pillar_roots:
|
|
{%- for name, roots in cfg_minion['pillar_roots']|dictsort %}
|
|
{{ name }}:
|
|
{%- for dir in roots %}
|
|
- {{ dir }}
|
|
{%- endfor -%}
|
|
{%- endfor -%}
|
|
{% elif 'pillar_roots' in cfg_salt -%}
|
|
pillar_roots:
|
|
{%- for name, roots in cfg_salt['pillar_roots']|dictsort %}
|
|
{{ name }}:
|
|
{%- for dir in roots %}
|
|
- {{ dir }}
|
|
{%- endfor -%}
|
|
{%- endfor -%}
|
|
{%- else -%}
|
|
#pillar_roots:
|
|
# base:
|
|
# - /srv/pillar
|
|
{%- endif %}
|
|
|
|
# Set a hard-limit on the size of the files that can be pushed to the master.
|
|
# It will be interpreted as megabytes. Default: 100
|
|
{{ get_config('file_recv_max_size', '100') }}
|
|
|
|
{% if 'ext_pillar' in cfg_minion %}
|
|
{%- do default_keys.append('ext_pillar') %}
|
|
ext_pillar:
|
|
{%- for pillar in cfg_minion['ext_pillar'] -%}
|
|
{%- for key in pillar -%}
|
|
{%- if pillar[key] is string %}
|
|
- {{ key }}: {{ pillar[key] }}
|
|
{#- Workaround for missing `is mapping` on CentOS 6, see #193: #}
|
|
{%- elif pillar[key] is iterable and 'dict' not in pillar[key].__class__.__name__ %}
|
|
- {{ key }}:
|
|
{%- for parameter in pillar[key] %}
|
|
- {{ parameter }}
|
|
{%- endfor -%}
|
|
{#- Workaround for missing `is mapping` on CentOS 6, see #193: #}
|
|
{%- elif 'dict' in pillar[key].__class__.__name__ and pillar[key] is not string %}
|
|
- {{ key }}:
|
|
{%- for parameter in pillar[key] %}
|
|
{{ parameter }}: {{pillar[key][parameter]}}
|
|
{%- endfor %}
|
|
{%- else %}
|
|
# Error in rendering {{ key }}, please read https://docs.saltstack.com/en/latest/topics/development/external_pillars.html#configuration
|
|
{% endif %}
|
|
{%- endfor -%}
|
|
{%- endfor %}
|
|
{% elif 'ext_pillar' in cfg_salt %}
|
|
ext_pillar:
|
|
{% for pillar in cfg_salt['ext_pillar'] %}
|
|
- {{ pillar.items()[0][0] }}: {{ pillar.items()[0][1] }}
|
|
{% endfor %}
|
|
{% else %}
|
|
#ext_pillar:
|
|
# - hiera: /etc/hiera.yaml
|
|
# - cmd_yaml: cat /etc/salt/yaml
|
|
{% endif %}
|
|
|
|
# The ext_pillar_first option allows for external pillar sources to populate
|
|
# before file system pillar. This allows for targeting file system pillar from
|
|
# ext_pillar.
|
|
{{ get_config('ext_pillar_first', 'False') }}
|
|
|
|
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
|
|
# errors when contacting the pillar gitfs backend. You might want to set this to
|
|
# false if you're using a git backend that uses a self-signed certificate but
|
|
# keep in mind that setting this flag to anything other than the default of True
|
|
# is a security concern, you may want to try using the ssh transport.
|
|
{{ get_config('pillar_gitfs_ssl_verify', 'True') }}
|
|
|
|
# The pillar_opts option adds the master configuration file data to a dict in
|
|
# the pillar called "master". This is used to set simple configurations in the
|
|
# master config file that can then be used on minions.
|
|
{{ get_config('pillar_opts', 'True') }}
|
|
|
|
# The pillar_safe_render_error option prevents the master from passing pillar
|
|
# render errors to the minion. This is set on by default because the error could
|
|
# contain templating data which would give that minion information it shouldn't
|
|
# have, like a password! When set true the error message will only show:
|
|
# Rendering SLS 'my.sls' failed. Please see master log for details.
|
|
{{ get_config('pillar_safe_render_error', 'True') }}
|
|
|
|
# The pillar_source_merging_strategy option allows you to configure merging strategy
|
|
# between different sources. It accepts four values: recurse, aggregate, overwrite,
|
|
# or smart. Recurse will merge recursively mapping of data. Aggregate instructs
|
|
# aggregation of elements between sources that use the #!yamlex renderer. Overwrite
|
|
# will verwrite elements according the order in which they are processed. This is
|
|
# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
|
|
# on the "renderer" setting and is the default value.
|
|
{{ get_config('pillar_source_merging_strategy', 'smart') }}
|
|
|
|
# Recursively merge lists by aggregating them instead of replacing them.
|
|
{{ get_config('pillar_merge_lists', False) }}
|
|
|
|
# Git External Pillar (git_pillar) Configuration Options
|
|
#
|
|
# Specify the provider to be used for git_pillar. Must be either pygit2 or
|
|
# gitpython. If unset, then both will be tried in that same order, and the
|
|
# first one with a compatible version installed will be the provider that
|
|
# is used.
|
|
{{ get_config('git_pillar_provider', 'pygit2') }}
|
|
|
|
# If the desired branch matches this value, and the environment is omitted
|
|
# from the git_pillar configuration, then the environment for that git_pillar
|
|
# remote will be base.
|
|
{{ get_config('git_pillar_base', 'master') }}
|
|
|
|
# If the branch is omitted from a git_pillar remote, then this branch will
|
|
# be used instead.
|
|
{{ get_config('git_pillar_branch', 'master') }}
|
|
|
|
# Environment to use for git_pillar remotes. This is normally derived from
|
|
# the branch/tag (or from a per-remote env parameter), but if set this will
|
|
# override the process of deriving the env from the branch/tag name.
|
|
{{ get_config('git_pillar_env', '') }}
|
|
|
|
# Path relative to the root of the repository where the git_pillar top file
|
|
# and SLS files are located.
|
|
{{ get_config('git_pillar_root', 'pillar') }}
|
|
|
|
# Specifies whether or not to ignore SSL certificate errors when contacting
|
|
# the remote repository.
|
|
{{ get_config('git_pillar_ssl_verify', True) }}
|
|
|
|
# When set to False, if there is an update/checkout lock for a git_pillar
|
|
# remote and the pid written to it is not running on the master, the lock
|
|
# file will be automatically cleared and a new lock will be obtained.
|
|
{{ get_config('git_pillar_global_lock', False) }}
|
|
|
|
# Git External Pillar Authentication Options
|
|
#
|
|
# Along with git_pillar_password, is used to authenticate to HTTPS remotes.
|
|
{{ get_config('git_pillar_user', '') }}
|
|
|
|
# Along with git_pillar_user, is used to authenticate to HTTPS remotes.
|
|
# This parameter is not required if the repository does not use authentication.
|
|
{{ get_config('git_pillar_password', '') }}
|
|
|
|
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
|
|
# This parameter enables authentication over HTTP.
|
|
{{ get_config('git_pillar_insecure_auth', False) }}
|
|
|
|
# Along with git_pillar_privkey (and optionally git_pillar_passphrase),
|
|
# is used to authenticate to SSH remotes.
|
|
{{ get_config('git_pillar_pubkey', '') }}
|
|
|
|
# Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
|
|
# is used to authenticate to SSH remotes.
|
|
{{ get_config('git_pillar_privkey', '') }}
|
|
|
|
# This parameter is optional, required only when the SSH key being used
|
|
# to authenticate is protected by a passphrase.
|
|
{{ get_config('git_pillar_passphrase', '') }}
|
|
|
|
|
|
###### Security settings #####
|
|
###########################################
|
|
# Enable "open mode", this mode still maintains encryption, but turns off
|
|
# authentication, this is only intended for highly secure environments or for
|
|
# the situation where your keys end up in a bad state. If you run in open mode
|
|
# you do so at your own risk!
|
|
{{ get_config('open_mode', 'False') }}
|
|
|
|
# Enable permissive access to the salt keys. This allows you to run the
|
|
# master or minion as root, but have a non-root group be given access to
|
|
# your pki_dir. To make the access explicit, root must belong to the group
|
|
# you've given access to. This is potentially quite insecure.
|
|
{{ get_config('permissive_pki_access', 'False') }}
|
|
|
|
# The state_verbose and state_output settings can be used to change the way
|
|
# state system data is printed to the display. By default all data is printed.
|
|
# The state_verbose setting can be set to True or False, when set to False
|
|
# all data that has a result of True and no changes will be suppressed.
|
|
{{ get_config('state_verbose', 'True') }}
|
|
|
|
# The state_output setting changes if the output is the full multi line
|
|
# output for each changed state if set to 'full', but if set to 'terse'
|
|
# the output will be shortened to a single line.
|
|
{{ get_config('state_output', 'full') }}
|
|
|
|
# The state_output_diff setting changes whether or not the output from
|
|
# successful states is returned. Useful when even the terse output of these
|
|
# states is cluttering the logs. Set it to True to ignore them.
|
|
{{ get_config('state_output_diff', 'False') }}
|
|
|
|
# The state_output_profile setting changes whether profile information
|
|
# will be shown for each state run.
|
|
{{ get_config('state_output_profile', 'True') }}
|
|
|
|
# Fingerprint of the master public key to validate the identity of your Salt master
|
|
# before the initial key exchange. The master fingerprint can be found by running
|
|
# "salt-key -F master" on the Salt master.
|
|
{{ get_config('master_finger', "''") }}
|
|
|
|
# Use TLS/SSL encrypted connection between master and minion.
|
|
# Can be set to a dictionary containing keyword arguments corresponding to Python's
|
|
# 'ssl.wrap_socket' method.
|
|
# Default is None.
|
|
#ssl:
|
|
# keyfile: <path_to_keyfile>
|
|
# certfile: <path_to_certfile>
|
|
# ssl_version: PROTOCOL_TLSv1_2
|
|
|
|
|
|
###### Thread settings #####
|
|
###########################################
|
|
# Disable multiprocessing support, by default when a minion receives a
|
|
# publication a new process is spawned and the command is executed therein.
|
|
#
|
|
# WARNING: Disabling multiprocessing may result in substantial slowdowns
|
|
# when processing large pillars. See https://github.com/saltstack/salt/issues/38758
|
|
# for a full explanation.
|
|
{{ get_config('multiprocessing', 'True') }}
|
|
|
|
|
|
##### Logging settings #####
|
|
##########################################
|
|
# The location of the minion log file
|
|
# The minion log can be sent to a regular file, local path name, or network
|
|
# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
|
|
# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
|
|
# format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
|
|
#log_file: /var/log/salt/minion
|
|
#log_file: file:///dev/log
|
|
#log_file: udp://loghost:10514
|
|
#
|
|
{{ get_config('log_file', '/var/log/salt/minion') }}
|
|
{{ get_config('key_logfile', ' /var/log/salt/key') }}
|
|
|
|
# The level of messages to send to the console.
|
|
# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
|
|
#
|
|
# The following log levels are considered INSECURE and may log sensitive data:
|
|
# ['garbage', 'trace', 'debug']
|
|
#
|
|
# Default: 'warning'
|
|
{{ get_config('log_level', 'warning') }}
|
|
|
|
# The level of messages to send to the log file.
|
|
# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
|
|
# If using 'log_granular_levels' this must be set to the highest desired level.
|
|
# Default: 'warning'
|
|
{{ get_config('log_level_logfile', '') }}
|
|
|
|
# The date and time format used in log messages. Allowed date/time formating
|
|
# can be seen here: http://docs.python.org/library/time.html#time.strftime
|
|
{{ get_config('log_datefmt', "'%H:%M:%S'") }}
|
|
{{ get_config('log_datefmt_logfile', "'%Y-%m-%d %H:%M:%S'") }}
|
|
|
|
# The format of the console logging messages. Allowed formatting options can
|
|
# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
|
|
#
|
|
# Console log colors are specified by these additional formatters:
|
|
#
|
|
# %(colorlevel)s
|
|
# %(colorname)s
|
|
# %(colorprocess)s
|
|
# %(colormsg)s
|
|
#
|
|
# Since it is desirable to include the surrounding brackets, '[' and ']', in
|
|
# the coloring of the messages, these color formatters also include padding as
|
|
# well. Color LogRecord attributes are only available for console logging.
|
|
#
|
|
{{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }}
|
|
{{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
|
|
#
|
|
{{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}
|
|
|
|
# This can be used to control logging levels more specificically. This
|
|
# example sets the main salt library at the 'warning' level, but sets
|
|
# 'salt.modules' to log at the 'debug' level:
|
|
# log_granular_levels:
|
|
# 'salt': 'warning'
|
|
# 'salt.modules': 'debug'
|
|
#
|
|
{{ get_config('log_granular_levels', '{}') }}
|
|
|
|
# To diagnose issues with minions disconnecting or missing returns, ZeroMQ
|
|
# supports the use of monitor sockets to log connection events. This
|
|
# feature requires ZeroMQ 4.0 or higher.
|
|
#
|
|
# To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a
|
|
# debug level or higher.
|
|
#
|
|
# A sample log event is as follows:
|
|
#
|
|
# [DEBUG ] ZeroMQ event: {'endpoint': 'tcp://127.0.0.1:4505', 'event': 512,
|
|
# 'value': 27, 'description': 'EVENT_DISCONNECTED'}
|
|
#
|
|
# All events logged will include the string 'ZeroMQ event'. A connection event
|
|
# should be logged as the minion starts up and initially connects to the
|
|
# master. If not, check for debug log level and that the necessary version of
|
|
# ZeroMQ is installed.
|
|
#
|
|
{{ get_config('zmq_monitor', 'False') }}
|
|
|
|
###### Module configuration #####
|
|
###########################################
|
|
# Salt allows for modules to be passed arbitrary configuration data, any data
|
|
# passed here in valid yaml format will be passed on to the salt minion modules
|
|
# for use. It is STRONGLY recommended that a naming convention be used in which
|
|
# the module name is followed by a . and then the value. Also, all top level
|
|
# data must be applied via the yaml dict construct, some examples:
|
|
#
|
|
# You can specify that all modules should run in test mode:
|
|
{{ get_config('test', 'True') }}
|
|
|
|
# A simple value for the test module:
|
|
#test.foo: foo
|
|
#
|
|
# A list for the test module:
|
|
#test.bar: [baz,quo]
|
|
#
|
|
# A dict for the test module:
|
|
#test.baz: {spam: sausage, cheese: bread}
|
|
#
|
|
|
|
|
|
{%- if 'module_config' in cfg_minion %}
|
|
{%- do default_keys.append('module_config') %}
|
|
{%- for modkey, modval in cfg_minion.module_config.items() %}
|
|
{{ modkey }}: {{ modval }}
|
|
{%- endfor %}
|
|
{%- endif %}
|
|
|
|
#
|
|
###### Update settings ######
|
|
###########################################
|
|
# Using the features in Esky, a salt minion can both run as a frozen app and
|
|
# be updated on the fly. These options control how the update process
|
|
# (saltutil.update()) behaves.
|
|
#
|
|
# The url for finding and downloading updates. Disabled by default.
|
|
{{ get_config('update_url', 'False') }}
|
|
#
|
|
# The list of services to restart after a successful update. Empty by default.
|
|
{{ get_config('update_restart_services', '[]') }}
|
|
|
|
|
|
###### Keepalive settings ######
|
|
############################################
|
|
# ZeroMQ now includes support for configuring SO_KEEPALIVE if supported by
|
|
# the OS. If connections between the minion and the master pass through
|
|
# a state tracking device such as a firewall or VPN gateway, there is
|
|
# the risk that it could tear down the connection the master and minion
|
|
# without informing either party that their connection has been taken away.
|
|
# Enabling TCP Keepalives prevents this from happening.
|
|
|
|
# Overall state of TCP Keepalives, enable (1 or True), disable (0 or False)
|
|
# or leave to the OS defaults (-1), on Linux, typically disabled. Default True, enabled.
|
|
{{ get_config('tcp_keepalive', 'True') }}
|
|
|
|
# How long before the first keepalive should be sent in seconds. Default 300
|
|
# to send the first keepalive after 5 minutes, OS default (-1) is typically 7200 seconds
|
|
# on Linux see /proc/sys/net/ipv4/tcp_keepalive_time.
|
|
{{ get_config('tcp_keepalive_idle', '300') }}
|
|
|
|
# How many lost probes are needed to consider the connection lost. Default -1
|
|
# to use OS defaults, typically 9 on Linux, see /proc/sys/net/ipv4/tcp_keepalive_probes.
|
|
{{ get_config('tcp_keepalive_cnt', '-1') }}
|
|
|
|
# How often, in seconds, to send keepalives after the first one. Default -1 to
|
|
# use OS defaults, typically 75 seconds on Linux, see
|
|
# /proc/sys/net/ipv4/tcp_keepalive_intvl.
|
|
{{ get_config('tcp_keepalive_intvl', '-1') }}
|
|
|
|
###### Windows Software settings ######
|
|
############################################
|
|
# Location of the repository cache file on the master:
|
|
{{ get_config('win_repo_cachefile', 'salt://win/repo/winrepo.p') }}
|
|
|
|
###### Returner settings ######
|
|
############################################
|
|
# Default Minion returners. Can be a comma delimited string or a list:
|
|
#
|
|
#return: mysql
|
|
#
|
|
#return: mysql,slack,redis
|
|
#
|
|
#return:
|
|
# - mysql
|
|
# - hipchat
|
|
# - slack
|
|
{%- if 'return' in cfg_minion and cfg_minion['return'] is not string %}
|
|
return:
|
|
{% for name in cfg_minion['return'] -%}
|
|
- {{ name }}
|
|
{% endfor -%}
|
|
{%- else %}
|
|
{{ get_config('return', '') }}
|
|
{%- endif %}
|
|
|
|
###### Miscellaneous settings ######
|
|
############################################
|
|
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
|
|
#event_match_type: startswith
|
|
{{ get_config('event_match_type', 'startswith') }}
|
|
|
|
{% if 'elasticsearch' in cfg_minion -%}
|
|
{%- do default_keys.append('elasticsearch') %}
|
|
{%- do default_keys.append('return') %}
|
|
|
|
##### elasticsearch connection settings #####
|
|
##########################################
|
|
elasticsearch:
|
|
{%- for name, value in cfg_minion['elasticsearch'].items() %}
|
|
{%- if value is list %}
|
|
{{ name }}:
|
|
{%- for objvalue in value %}
|
|
- {{ objvalue }}
|
|
{%- endfor %}
|
|
{%- else %}
|
|
{{ name }}: {{ value }}
|
|
{%- endif %}
|
|
{%- endfor %}
|
|
{%- endif %}
|
|
|
|
|
|
{% if 'mongo' in cfg_minion -%}
|
|
{%- do default_keys.append('mongo') %}
|
|
##### mongodb connection settings #####
|
|
##########################################
|
|
{%- for name, value in cfg_minion['mongo'].items() %}
|
|
mongo.{{ name }}: {{ value }}
|
|
{%- endfor %}
|
|
|
|
{% if 'alternative.mongo' in cfg_minion -%}
|
|
{%- do default_keys.append('alternative.mongo') %}
|
|
{%- for name, value in cfg_minion['alternative.mongo'].items() %}
|
|
alternative.mongo.{{ name }}: {{ value }}
|
|
{%- endfor %}
|
|
{% endif %}
|
|
{%- endif %}
|
|
|
|
{%- for configname in cfg_minion %}
|
|
{%- if configname not in reserved_keys and configname not in default_keys %}
|
|
{{ configname }}: {{ cfg_minion[configname]|json }}
|
|
{%- endif %}
|
|
{%- endfor %}
|