Saltstack

The slides of a lecture/presentation on 2017-03-12 @ Chemnitzer Linux Tage

Christian Prior

#Intro
##Eventbus

- 0mq implementation
- almost invisible but powerful

```
# a first example of how to use salt on the command line
sudo salt-run state.event pretty=True
```

- accessible via REST API

## About Me

![](/business/marketing/presentation/images/about-cpr.svg)

https://github.com/cprior

http://helotism.de

## Usecase Industrial Solutions

![](/business/marketing/images/spareparts.svg)

- long-term hard- and software support necessary

## Usecase Data Massaging

## https://github.com/helotism/helotism

Installer script for a 250€-cluster solving basic sysadmin requirements

![](/business/marketing/images/helotism-scope.svg)

#Vocabulary
##ecosystem

![](/application/physical/images/saltstack-ecosystem-orbital.svg)

## Infrastructure as Code

![](/application/physical/images/oscfgmgt_demo-setup.svg)

#Overview
##Development

[Github repo saltstack/salt](https://github.com/saltstack/salt)

- Issues, PullRequests
- Active project, supported by Saltstack HQ
- Good atmosphere

##support

- GitHub [Issues](https://github.com/saltstack/salt/issues)
- freenode \#salt
- Google Group [salt-users](https://groups.google.com/forum/#!forum/salt-users)
- commercial contracts

##technology

- Python 2.6 < 3.0
- ZeroMQ
- "dictionaries"/YAML

##installation 1/2

[Platform Guides](https://docs.saltstack.com/en/latest/topics/installation/)

[Dependencies](https://docs.saltstack.com/en/latest/topics/installation/#dependencies)

- PyYAML, ZeroMQ and a few more

//PyGit is problematic: ArchLinux does it out of the box. (Later more.)

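##bootstrap 2/2

[docs](https://docs.saltstack.com/en/latest/topics/tutorials/salt_bootstrap.html) [repo](https://github.com/saltstack/salt-bootstrap) [options](https://github.com/saltstack/salt-bootstrap/blob/develop/bootstrap-salt.sh#L277)

```bash
# download the bootstrap script with TLS certificate verification left on (no -k): it is run as root below
curl -o bootstrap_salt.sh -L https://bootstrap.saltstack.com --silent
sleep 2
# -M: also install salt-master, -L: salt-cloud, -A: master address, -i: minion id; install from git tag v2016.11.3
$_SUDO sh bootstrap_salt.sh -U -P -M -L -A mysaltmasterid -i myminionid git v2016.11.3
```
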
##dependencies

Standard dependencies are handled well by the distros.

My personal killer feature 'source control integration' typically requires self-compiling libgit2.

[pygit2 installation](http://www.pygit2.org/install.html)

[libgit2 installation](https://libgit2.github.com/docs/guides/build-and-link/)

[good hint](https://github.com/libgit2/pygit2/issues/603#issuecomment-219915880)

```python -c 'import pygit2'``` must work to use e.g. GitHub repos as "fileserver"

## default configuration

- configuration: /etc/salt/ -> master & master.d, minion & minion.d
- broadcasted data: /srv/salt
- confidential data: /srv/pillar
- packages: formulas [docu](https://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html) [repo](https://github.com/saltstack-formulas)

##major functional components

message queue, remote execution, [target](https://docs.saltstack.com/en/latest/topics/targeting/) state* runs, hard- and software inventory, [orchestration](https://docs.saltstack.com/en/latest/topics/orchestrate/orchestrate_runner.html)

##auxiliary functional components

[event reactors](https://github.com/helotism/show-cgfmgt/tree/master/application/physical/saltstack/srv/salt/show-cfgmgt)*, to spin up cloud instances, proxy-control non-python-devices, salt via ssh

##SaltStack state file

```YAML
#apache.sls
{% if grains['os'] == 'Debian' %}
apache: apache2
{% elif grains['os'] == 'RedHat' %}
apache: httpd
{% endif %}
```

- Jinja2 template language
- one should read the fine manual: http://jinja.pocoo.org/docs/dev/

##Beacons on the minions

```YAML
beacons:
  inotify:
    /opt/helotism/show-cfgmgt_venv/performance.yml:
      mask:
        - modify
    disable_during_state_run: True
```

##Reactors on the master

```YAML
reactor:
  - salt/beacon/*/inotify/opt/helotism/show-cfgmgt_venv/config.yml:
    - /srv/reactor/show-cfgmgt.sls
```

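
A reactor key that never matches is a response that silently never runs. The following added example (not from the slides) checks the beacon and reactor settings above against each other; it assumes event tags of the form `salt/beacon/<minion id>/<beacon name>/<watched path>` and glob matching of reactor keys, with the YAML transcribed into Python dicts and `minion1` as a made-up minion ID.

```python
from fnmatch import fnmatch

# Constructed inputs: the beacon and reactor YAML from the slide as Python dicts.
MINION_BEACONS = {
    "inotify": {
        "/opt/helotism/show-cfgmgt_venv/performance.yml": {"mask": ["modify"]},
        "disable_during_state_run": True,
    }
}
MASTER_REACTOR = [
    {"salt/beacon/*/inotify/opt/helotism/show-cfgmgt_venv/config.yml":
        ["/srv/reactor/show-cfgmgt.sls"]},
]


def beacon_tags(minion_id, beacons):
    """Event tags the minion would publish, one per watched path.

    Assumed layout: salt/beacon/<minion id>/<beacon name>/<path>. The path
    keeps its leading slash, so absolute paths give a double slash in the tag.
    """
    tags = []
    for name, conf in beacons.items():
        for key, value in conf.items():
            if isinstance(value, dict):  # watched paths map to option dicts
                tags.append(f"salt/beacon/{minion_id}/{name}/{key}")
    return tags


def unmatched(minion_id, beacons, reactor):
    """Return (reactor keys no tag triggers, tags no reactor key handles)."""
    tags = beacon_tags(minion_id, beacons)
    keys = [key for entry in reactor for key in entry]
    dead = [k for k in keys if not any(fnmatch(t, k) for t in tags)]
    unhandled = [t for t in tags if not any(fnmatch(t, k) for k in keys)]
    return dead, unhandled


if __name__ == "__main__":
    dead, unhandled = unmatched("minion1", MINION_BEACONS, MASTER_REACTOR)
    print("reactor keys no beacon triggers:", dead)
    print("beacon tags no reactor handles:", unhandled)
```
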
##features

remote filesystems salt://, environments "base/qa/dev/...", API, access control "external_auth", file manipulation

##environments

![](/application/physical/images/saltstack-ecosystem.svg)

#Walkthrough: How does it look?
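## Minion Management

MinionID usually hostname

```
# list accepted, pending and rejected minion keys
sudo salt-key -L
# accept the pending key of one minion
sudo salt-key -a myminionid
```

```
sudo ls -R /etc/salt/pki/
```
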
##Configuration Fileserver

```YAML
fileserver_backend:
  - roots
  - git
```

##Configuration Fileserver Root Directories

```YAML
file_roots:
  base:
    - /srv/salt
    - /srv/formulas/users-formula
    - /home/cpr/helotism/mypesp8266-formula
```

##Configuration gitfs

```YAML
gitfs_remotes:
  - git@bitbucket.org:cprior_/cpr.git:
    - name: cpr
    - root: application/physical/saltstack/assets/srv/salt
    - base: master
    - pubkey: /etc/pki/id_saltmaster.pub
    - privkey: /etc/pki/id_saltmaster
  - https://github.com/cprior/saltstack-not-yet-formulas.git:
    - name: saltstack-not-yet-formulas
    - root: application/physical/saltstack/srv/salt
    - base: master
```

##remote execution

```
sudo salt 'saltmaster' pkg.install emacs
sudo salt 'saltmaster' pkg.version emacs
sudo salt 'saltmaster' pkg.purge emacs && sudo apt-get autoremove
```

##grains

```
sudo salt 'saltmaster' grains.items
```

## Simple State Files

/srv/salt/top.sls with common.sls containing Jinja2

##Generic State File YAML

```YAML
<ID Declaration>:
  <State Module>:
    - <Function>
    - <Function Arg>
    - <Function Arg>
    - <Function Arg>
    - <Name>: <name>
    - <Requisite Declaration>:
      - <Requisite Reference>
      - <Requisite Reference>
```

##Sample nginx proxy cache

[github repo](https://github.com/helotism/helotism/blob/master/application/physical/saltstack/assets/srv/salt/proxy-cache.sls)

##formulas

- pre-written Salt States
- clone and change file_roots
- adjust pillar.example into own /srv/pillar file

Example: My user configuration

##proxy-minion

Interface to devices with e.g. an API

##salt-cloud

```
salt-cloud --list-locations digitalocean
salt-cloud -p minion test2
salt-cloud -d minion test2
```

#hints
##Jinja2

Python template engine

- state files are by default parsed as Jinja templates

[control structures](http://jinja.pocoo.org/docs/2.9/templates/#list-of-control-structures)

[whitespace control](http://jinja.pocoo.org/docs/2.9/templates/#whitespace-control)

##Troubleshooting

- ```-l debug```
- ```--out=pprint```

##Pythonic gotchas

dictionaries everywhere

##Windows minion

Really easy to install!

[Windows repository](https://docs.saltstack.com/en/latest/topics/windows/windows-package-manager.html)

```
sudo salt 'mywinnb' pkg.install blender
```

[salt-winrepo-ng](https://github.com/saltstack/salt-winrepo-ng)

##state vs. remote execution

[remote execution](https://docs.saltstack.com/en/latest/ref/modules/all/index.html)

[state modules](https://docs.saltstack.com/en/latest/ref/states/all/index.html)

#Questions?

slides linked tomorrow on http://helotism.de