Source: Workshop.
The configuration file of the Salt master is /etc/salt/master. The available options are listed below (the list is incomplete):
1. Master configuration #######################
Interface
Default Value: 0.0.0.0 (all network interfaces)
The local network interface address the master binds to. On a multi-homed host, bind to the management address so that the master ports are not exposed on every interface.
interface: 192.168.0.1
Publish_port
Default Value: 4505
The port on which the master publishes commands to minions.
publish_port: 4505
User
Default Value: root
User who runs the salt process
user: root
Max_open_files
Default Value: 100000
Every minion connecting to the master uses at least one file descriptor. If enough minions connect to the master, salt-master crashes and prints on the console:
Too many open files (tcp_listener.cpp:335)
Aborted (core dumped)
The default value is taken from ulimit -Hn, that is, the system's hard limit on open file descriptors.
If you change or unset this value, remember that it cannot exceed the hard limit. How to raise the hard limit depends on the operating system or distribution; a good approach is to search for the procedure for your operating system, for example:
Raise Max open files hard limit Debian
max_open_files: 100000
Worker_threads
Default Value: 5
The number of threads started to receive and respond to minion requests. If you have many minions and they report slow responses from the master, increase this value moderately.
When the peer system is used, do not set this value below 3; otherwise it can be lowered to 1.
worker_threads: 5
Ret_port
Default Value: 4506
The port used by the master's return server, on which it receives the results returned by minions after executing commands.
ret_port: 4506
Pidfile
Default Value: /var/run/salt-master.pid
Specify the location of the master PID file.
pidfile: /var/run/salt-master.pid
Root_dir
Default Value: /
The directory treated as the root for the running salt process. Change it to run salt from a different root, for example inside a chroot.
root_dir: /
Pki_dir
Default Value: /etc/salt/pki
The directory in which the PKI authentication keys are stored.
pki_dir: /etc/salt/pki
Cachedir
Default Value: /var/cache/salt
The directory in which cache data is stored, in particular information about the commands salt has executed.
cachedir: /var/cache/salt
Keep_jobs
Default Value: 24
The number of hours for which old job information is kept.
Job_cache
Default Value: True
The master maintains a job cache. This is a useful feature, but on large deployments (more than 5000 minions) it can become a burden on the master. Disabling the job cache makes previously executed jobs unavailable to the jobs system, so turning it off is generally not recommended; it is wiser to keep it enabled and make sure the master has access to a fast I/O subsystem.
Ext_job_cache
Default Value: ''
Use the specified returner as the default returner for all minions. When this option is set, the named returner must be properly configured; minions will then always send their return data to that returner. Setting it also disables the local job cache on the master.
ext_job_cache: redis
Minion_data_cache
Default Value: True
The minion data cache stores information about minions on the master, primarily their pillar and grains data. The data is cached under the directory defined by cachedir, in a per-minion directory named after the minion ID, and is used to predetermine which minions are expected to reply to a command.
minion_data_cache: True
Enforce_mine_cache
Default Value: False
When minion_data_cache is disabled, the mine stops working, because the mine is built on cached data. Enabling this option turns the cache back on for the mine system only.
enforce_mine_cache: False
Sock_dir
Default Value: /tmp/salt-unix
The directory in which the Unix domain sockets used for communication between the master processes are created.
2. Master Security Configuration #######################
Open_mode
Default Value: False
Open mode is a dangerous security feature. One problem with PKI authentication systems is that keys can become mixed up and authentication starts to fail. Open mode turns authentication off and tells the master to accept every minion that connects; this clears the PKI keys received from minions. Open mode should not be enabled for general use and is only meant to be switched on for a short time to clean up the PKI keys. To enable it, set the value to True.
open_mode: False
Auto_accept
Default Value: False
When auto_accept is enabled, the master automatically accepts every incoming minion public key without any review.
auto_accept: False
Autosign_file
Default Value: /etc/salt/autosign.conf
If autosign_file is set, incoming keys whose minion ID matches an entry in this file are accepted automatically. Entries are tried first as plain strings and then as regular expressions. This is insecure: anyone who can present a matching minion ID gets an accepted key.
autosign_file: /etc/salt/autosign.conf
Client_acl
Default Value: {}
Allow specific non-root system users on the master to execute specific modules. The module names can be given as regular expressions.
client_acl:
  fred:
    - test.ping
    - pkg.*
Client_acl_blacklist
Default Value: {}
Blacklist users or modules. In this example all non-sudo users, including root, are prevented from running any command, and any use of the cmd module is blocked. This setting is completely disabled by default.
client_acl_blacklist:
  users:
    - root
    - '^(?!sudo_).*$'  # all non sudo users
  modules:
    - cmd
External_auth
Default Value: {}
The external authentication system uses Salt's auth modules to authenticate users and to decide which areas of the Salt system they may access.
external_auth:
  pam:
    fred:
      - test.*
Token_expire
Default Value: 43200
The time, in seconds, for which a newly generated authentication token remains valid. The default is 12 hours.
token_expire: 43200
File_recv
Default Value: False
Allow minions to push files to the master. This option is disabled by default for security reasons, since a compromised minion could otherwise plant files on the master.
file_recv: False
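The security options in this section are the ones most often left in an unsafe state. As an added example (written for this page, not code from the Salt project), the following Python audits the mapping that yaml.safe_load() would return for a master file and flags every option this section marks as dangerous, with a weak configuration and its hardened counterpart as constructed sample data. The peer and hash_type checks go slightly beyond the section: they reuse the peer example from the peer-publish section and treat the md5 default as weak, which is the editor's own judgement.

```python
import re

# Constructed sample: what yaml.safe_load() would return for a master file that
# enables every setting this section marks as dangerous (example data only).
WEAK_CONFIG = {
    "interface": "0.0.0.0",
    "open_mode": True,
    "auto_accept": True,
    "autosign_file": "/etc/salt/autosign.conf",
    "file_recv": True,
    "hash_type": "md5",
    "client_acl": {"fred": ["test.ping", "pkg.*"]},
    "peer": {".*": [".*"]},
}

# The same master with each setting returned to a safe value (example data only).
HARDENED_CONFIG = {
    "interface": "192.168.0.1",
    "open_mode": False,
    "auto_accept": False,
    "file_recv": False,
    "hash_type": "sha256",
    "client_acl": {"fred": ["test.ping", r"pkg\..*"]},
    "client_acl_blacklist": {"users": ["root", r"^(?!sudo_).*$"], "modules": ["cmd"]},
    "peer": {"foo.example.com": [r"test\..*"]},
}


def _any_fullmatch(patterns, value):
    """True if any regex in patterns matches the whole of value; a broken regex matches nothing."""
    for pat in patterns:
        try:
            if re.fullmatch(str(pat), value):
                return True
        except re.error:
            continue
    return False


def audit_master_config(cfg):
    """Return [(option, finding), ...] for the dangerous settings described in this section."""
    findings = []
    if cfg.get("open_mode", False):
        findings.append(("open_mode", "authentication is off; the master accepts every key"))
    if cfg.get("auto_accept", False):
        findings.append(("auto_accept", "all incoming minion public keys are accepted unreviewed"))
    if cfg.get("autosign_file"):
        findings.append(("autosign_file", "keys matching %s are accepted automatically" % cfg["autosign_file"]))
    if cfg.get("file_recv", False):
        findings.append(("file_recv", "minions may push files to the master"))
    # hash_type is absent from the page's security section; md5 is flagged on the editor's judgement.
    if str(cfg.get("hash_type", "md5")).lower() == "md5":
        findings.append(("hash_type", "md5 is collision-prone; use sha256 for file integrity"))
    # An ACL grant without a blacklist leaves root and the cmd module reachable through the ACL.
    if cfg.get("client_acl") and not cfg.get("client_acl_blacklist"):
        findings.append(("client_acl", "grants present but client_acl_blacklist is not set"))
    # A peer entry that lets an arbitrary minion publish cmd.run to the others is a full compromise path.
    for id_pat, funs in (cfg.get("peer") or {}).items():
        if _any_fullmatch([id_pat], "any.minion.example") and _any_fullmatch(funs, "cmd.run"):
            findings.append(("peer", "pattern %r lets every minion run cmd.run on every other" % id_pat))
    return findings


if __name__ == "__main__":
    for option, finding in audit_master_config(WEAK_CONFIG):
        print("%-18s %s" % (option, finding))
```

To run it against a real master, load the file with yaml.safe_load(open("/etc/salt/master")) and pass the result to audit_master_config; files pulled in through include and master.d are not merged by this example.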
3. master module management #######################
Runner_dirs
Default Value: []
Set extra paths to search for runner modules.
runner_dirs: []
Cython_enable
Default Value: False
Set to True to enable compilation of Cython modules.
cython_enable: False
4. Master Status system settings #######################
State_verbose
Default Value: False
state_verbose allows more detailed data to be returned from minions. Normally only states that failed or made changes are returned; with state_verbose set to True, every state that was checked is returned.
state_verbose: True
State_output
Default Value: full
The state_output setting changes how state output is formatted. With "full", the complete output of every state is shown; with "terse", each state is shortened to a single line; with "mixed", the output is terse unless a state fails, in which case its full output is shown; with "changes", the output is full unless a state made no changes, in which case it is shortened.
state_output: full
State_top
Default Value: top.sls
The state system uses a top file to tell minions which environment to use and which state modules to apply. The top file is located relative to the root of the base environment.
state_top: top.sls
External_nodes
Default Value: None
The external_nodes option lets Salt obtain the data that would normally be placed in the top file from an external node classifier (ENC) instead. The value is an executable that returns the ENC data. Remember that Salt looks for both the external nodes and the top file, and combines the results if both are enabled and available.
external_nodes: cobbler-ext-nodes
Renderer
Default Value: yaml_jinja
The renderer used to render the state data sent to minions.
renderer: yaml_jinja
Failhard
Default Value: False
Set the global failhard flag: as soon as a single state fails, all states stop running.
failhard: False
Test
Default Value: False
Set all state calls to test mode, which only reports the changes that would be made instead of making them.
test: False
5. Master File Server Settings #######################
Fileserver_backend
Default Value:
fileserver_backend:
  - roots
Salt supports a modular file server backend system. It lets the master link directly to third-party systems to gather and manage the files served to minions. Multiple backends can be configured; a requested file is searched for in the backends in the order they are listed here. Available backends are gitfs, hgfs, roots and s3fs. By default only the standard roots backend is enabled, whose directories are configured with the file_roots option.
fileserver_backend:
  - roots
  - gitfs
File_roots
Default Value:
file_roots:
  base:
    - /srv/salt
Salt runs a lightweight file server, built on ZeroMQ, to deliver files to minions. The file server is part of the master daemon and does not need a dedicated port.
The file server works with the environments passed to the master. Each environment can have multiple root directories, but the relative paths under the roots of one environment must not overlap; otherwise it cannot be reliably guaranteed which copy of a file is downloaded. A base environment is required to house the top file. For example:
file_roots:
  base:
    - /srv/salt
  dev:
    - /srv/salt/dev/services
    - /srv/salt/dev/states
  prod:
    - /srv/salt/prod/services
    - /srv/salt/prod/states
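The rule that relative paths must not repeat across the roots of one environment is easy to break as a tree grows. The following Python is an added check for this page, not Salt code: given a mapping of environment to root directory to the relative paths found under it, it lists every path that exists under more than one root of the same environment. The layout is constructed example data; scan_file_roots builds the same shape from a real file_roots mapping by walking the directories. The statement that the roots backend serves the first matching root is the editor's understanding of how that backend searches, not something this page states.

```python
import os

# Constructed layout: environment -> root directory -> relative paths under it
# (example data; scan_file_roots produces this shape from a real file_roots).
LAYOUT = {
    "base": {"/srv/salt": ["top.sls", "nginx/init.sls"]},
    "dev": {
        "/srv/salt/dev/services": ["nginx/init.sls", "redis/init.sls"],
        "/srv/salt/dev/states": ["nginx/init.sls", "users/init.sls"],
    },
}


def find_shadowed_files(layout):
    """Return [(env, relative_path, [roots...])] for every relative path that exists
    under more than one root of the same environment. The roots backend answers with
    the first root listed, so the later copies are silently unreachable (editor's note)."""
    findings = []
    for env, roots in layout.items():
        owners_by_path = {}
        for root, rel_paths in roots.items():
            for rel in rel_paths:
                owners_by_path.setdefault(rel, []).append(root)
        for rel, owners in sorted(owners_by_path.items()):
            if len(owners) > 1:
                findings.append((env, rel, owners))
    return findings


def scan_file_roots(file_roots):
    """Walk a real file_roots mapping (env -> [directories]) into the LAYOUT shape."""
    layout = {}
    for env, roots in file_roots.items():
        layout[env] = {}
        for root in roots:
            rel_paths = []
            for dirpath, _dirs, files in os.walk(root):
                for name in files:
                    rel_paths.append(os.path.relpath(os.path.join(dirpath, name), root))
            layout[env][root] = rel_paths
    return layout


if __name__ == "__main__":
    for env, rel, owners in find_shadowed_files(LAYOUT):
        print("%s: %s is served from %s; copies in %s are shadowed"
              % (env, rel, owners[0], ", ".join(owners[1:])))
```

On a live master, replace LAYOUT with scan_file_roots(file_roots) using the mapping loaded from /etc/salt/master.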
Hash_type
Default Value: md5
hash_type is the hash algorithm used when the master computes the hash of a file. The default is md5, but sha1, sha224, sha256, sha384 and sha512 are also supported. Minions compare these hashes to decide whether a served file is current, so prefer sha256: md5 is collision-prone and should not be relied on for file integrity.
hash_type: md5
File_buffer_size
Default Value: 1048576
The buffer size used by the file server, in bytes.
file_buffer_size: 1048576
6. Pillar configuration #######################
Pillar_roots
Default Value:
pillar_roots:
  base:
    - /srv/pillar
Set the directories in which pillar data for the different environments is stored. This option is configured in the same way as file_roots.
pillar_roots:
  base:
    - /srv/pillar
  dev:
    - /srv/pillar/dev
  prod:
    - /srv/pillar/prod
Ext_pillar
Default Value: None
The ext_pillar option allows any number of external pillar interfaces to be called when pillar data is collected. The configuration is based on ext_pillar functions; the available ones can be found at https://github.com/saltstack/salt/blob/develop/salt/pillar
By default no ext_pillar interface is configured to run.
ext_pillar:
  - hiera: /etc/hiera.yaml
  - cmd_yaml: cat /etc/salt/yaml
  - reclass:
      inventory_base_uri: /etc/reclass
7. syndic server configuration #######################
The Salt syndic is an intermediate role: a master that receives commands from a higher-level master (or syndic) and passes them on to its own minions. Using the syndic is simple. If this master will have syndic servers below it, set order_masters to True in its configuration; if this master itself runs a syndic daemon that passes commands through, set syndic_master to the address of the master it receives commands from.
Do not forget that the syndic shares its minion ID and its pki_dir with the minion running on the same host.
Order_masters
Default Value: False
Set order_masters to True when extra data must be sent with publications because the minions below this master are managed through a lower-level master or syndic.
order_masters: False
Syndic_master
Default Value: None
If the salt-syndic running on this master connects to a higher-level master, set this option to the address of that master.
syndic_master: masterofmasters
Syndic_master_port
Default Value: 4506
If the salt-syndic running on this master connects to a higher-level master, set this option to the port that master listens on.
syndic_master_port: 4506
Syndic_log_file
Default Value: syndic.log
The log file for the syndic process.
syndic_log_file: salt-syndic.log
Syndic_pidfile
Default Value: salt-syndic.pid
The PID file for the syndic process.
syndic_pidfile: syndic.pid
8. Peer publish settings #######################
Salt minions can send commands to other minions, but only if the master permits it. Peer publishing is disabled by default; to enable it, the minions and the commands they may publish have to be allowed explicitly. This lets you grant commands per minion according to how much each minion is trusted.
Peer
Default Value: {}
This option maps regular expressions, matched against minion IDs, to lists of regular expressions matched against function names. The following example lets the minion foo.example.com, once authenticated, execute functions from the test and pkg modules on other minions.
peer:
  foo.example.com:
    - test.*
    - pkg.*
This would allow every minion to execute every command:
peer:
  .*:
    - .*
This configuration is not recommended: whoever compromises any one minion in the deployment controls all of them.
Peer_run
Default Value: {}
peer_run lets the master allow minions to execute runners. Its format is the same as that of the peer option.
The following example lets the minion foo.example.com execute the manage.up runner:
peer_run:
  foo.example.com:
    - manage.up
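client_acl and client_acl_blacklist (section 2) and peer (this section) share one shape: a principal pattern mapped to a list of function patterns. The following Python is an added example for this page, not Salt's own authorization code: it evaluates an access decision under both options, using the patterns from the page's examples as constructed data. The matching semantics are this example's assumptions and not a statement about any particular Salt release: a grant pattern is a regular expression that must match the whole function name, and a blacklist entry is a regular expression matched from the start of the name, which is what makes the page's "- cmd" entry cover cmd.run.

```python
import re

# Constructed ACLs taken from the page's client_acl, client_acl_blacklist and
# peer examples (example data only).
CLIENT_ACL = {"fred": ["test.ping", "pkg.*"], "sudo_alice": ["cmd.run"]}
CLIENT_ACL_BLACKLIST = {"users": ["root", r"^(?!sudo_).*$"], "modules": ["cmd"]}
PEER = {"foo.example.com": ["test.*", "pkg.*"]}
PEER_OPEN = {".*": [".*"]}


def _grant_matches(patterns, value):
    """Grant patterns are regexes that must match the whole value (assumption of this example)."""
    for pat in patterns:
        try:
            if re.fullmatch(pat, value):
                return True
        except re.error:
            continue  # an unparsable grant pattern grants nothing
    return False


def _blacklist_matches(patterns, value):
    """Blacklist patterns are matched from the start, so 'cmd' covers 'cmd.run' (assumption)."""
    for pat in patterns:
        try:
            if re.match(pat, value):
                return True
        except re.error:
            continue  # an unparsable blacklist pattern is ignored; keep the grants tight as well
    return False


def client_acl_allows(acl, blacklist, user, fun):
    """Decide whether a non-root user on the master may publish `fun` to minions."""
    if _blacklist_matches(blacklist.get("users", []), user):
        return False
    if _blacklist_matches(blacklist.get("modules", []), fun):
        return False
    return _grant_matches(acl.get(user, []), fun)


def peer_allows(peer, minion_id, fun):
    """Decide whether minion `minion_id` may publish `fun` to other minions."""
    for id_pat, funs in peer.items():
        if _grant_matches([id_pat], minion_id) and _grant_matches(funs, fun):
            return True
    return False


if __name__ == "__main__":
    for user, fun in [("fred", "pkg.install"), ("fred", "cmd.run"), ("sudo_alice", "cmd.run")]:
        print("client_acl %-10s %-12s without blacklist: %-5s with blacklist: %s" % (
            user, fun,
            client_acl_allows(CLIENT_ACL, {}, user, fun),
            client_acl_allows(CLIENT_ACL, CLIENT_ACL_BLACKLIST, user, fun)))
    print("peer open config lets bar.example.com run cmd.run:",
          peer_allows(PEER_OPEN, "bar.example.com", "cmd.run"))
```

Two things the run makes visible: with the page's blacklist in place fred cannot run anything at all, because the '^(?!sudo_).*$' entry denies every user whose name does not start with sudo_; and a grant written as pkg.* is a regular expression, so it also matches a function name such as pkgfoo, which is why a grant meant for one module is safer written as pkg\..*.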
Node groups
Default Value: {}
Node groups let minions be divided into logical groups. Each group consists of a group name and a compound target expression.
nodegroups:
  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com'
  group2: 'G@os:Debian and foo.domain.com'
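Because a nodegroup is a compound expression, it is worth knowing exactly which minions it resolves to before a command is published to it. The following Python is an added example for this page and deliberately simplified; it is not Salt's compound matcher. It evaluates the two nodegroup expressions above against a constructed inventory of minion IDs and grains, supporting only the forms the page uses: L@ (exact list of IDs), G@grain:value (glob on a single-level grain), a bare glob on the minion ID, and the operators and, or, not and parentheses with Python precedence. Salt's own matcher supports more target types and nested grain keys, which are not modelled here.

```python
import fnmatch

# Constructed minion inventory: minion id -> grains (example data only).
MINIONS = {
    "foo.domain.com": {"os": "Debian"},
    "bar.domain.com": {"os": "Ubuntu"},
    "baz.domain.com": {"os": "Debian"},
    "blue.domain.com": {"os": "CentOS"},
    "web1.domain.com": {"os": "Debian"},
}


def _leaf_matches(token, minion_id, grains):
    """Evaluate one target token for one minion. Supported forms (a subset of Salt's):
    L@a,b,c -> exact id list; G@grain:glob -> glob on a grain value; anything else -> glob on the id."""
    if token.startswith("L@"):
        return minion_id in token[2:].split(",")
    if token.startswith("G@"):
        key, _, pattern = token[2:].partition(":")
        return fnmatch.fnmatchcase(str(grains.get(key, "")), pattern)
    return fnmatch.fnmatchcase(minion_id, token)


def compound_match(expr, minion_id, grains):
    """Recursive-descent evaluation of a compound expression, precedence not > and > or.
    Tokens are whitespace separated; parentheses must be separate tokens."""
    tokens = expr.split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression %r" % expr)
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "or":
            take()
            value = parse_and() or value   # right side always evaluated to consume its tokens
        return value

    def parse_and():
        value = parse_not()
        while peek() == "and":
            take()
            value = parse_not() and value
        return value

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return value
        return _leaf_matches(tok, minion_id, grains)

    result = parse_or()
    if peek() is not None:
        raise ValueError("unexpected token %r in %r" % (peek(), expr))
    return result


def nodegroup_members(expr, minions):
    """Return the sorted minion ids selected by a nodegroup expression."""
    return sorted(mid for mid, grains in minions.items() if compound_match(expr, mid, grains))


if __name__ == "__main__":
    GROUPS = {
        "group1": "L@foo.domain.com,bar.domain.com,baz.domain.com or bl*.domain.com",
        "group2": "G@os:Debian and foo.domain.com",
    }
    for name, expr in GROUPS.items():
        print(name, "->", nodegroup_members(expr, MINIONS))
```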
9. master log settings #######################
LOG_FILE
Default Value: /var/log/salt/master
Master logs can be sent to a regular file, a local path, or a network location. For example:
log_file: /var/log/salt/master
log_file: file:///dev/log
log_file: udp://loghost:10514
Log_level
Default Value: warning
The level of messages sent to the console.
log_level: warning
Log_level_logfile
Default Value: warning
The level of messages sent to the log file.
log_level_logfile: warning
Log_datefmt
Default Value: %H:%M:%S
The date and time format used for messages sent to the console.
log_datefmt: '%H:%M:%S'
Log_datefmt_logfile
Default Value: %Y-%m-%d %H:%M:%S
The date and time format used for messages sent to the log file.
log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
Log_fmt_console
Default Value: [%(levelname)-8s] %(message)s
The format of log messages sent to the console.
log_fmt_console: '[%(levelname)-8s] %(message)s'
Log_fmt_logfile
Default Value: %(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s
%(asctime)s: the time of the message, for example 16:49:45
%(msecs)03.0f: the millisecond part of the current time
%(name)s: the name of the logger that recorded the message
%(levelname)s: the log level of the message
%(message)s: the message text
The format of log messages written to the log file.
log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'
Log_granular_levels
Default Value: {}
This allows the log level to be set per logger name, more specifically than the global log_level.
10. include configuration #######################
Default_include
Default Value: master.d/*.conf
The master can read configuration from other files. By default it automatically reads and applies every file matching master.d/*.conf; the master.d directory is relative to the directory containing the main configuration file.
Include
Default Value: Not defined
The master can include configuration from other files. To enable this, use this option to name the paths or files to include. A path can be relative or absolute; a relative path is taken relative to the directory containing the main configuration file. Shell-style wildcards may be used in the path. If no file matches a path given to this option, the master logs a warning.
# Include files from a master.d directory in the same
# directory as the master config file
include: master.d/*
# Include a single extra file into the configuration
include: /etc/roles/webserver
# Include several files and the master.d directory
include:
  - extra_config
  - master.d/*
  - /etc/roles/webserver